berbew | ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Size

96KB
MD5

5658c525830ed6c296339d01a55c4041
SHA1

24c5eb0a2f0bd87bbd9767533c578ee60c5c8b67
SHA256

ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040
SHA512

3b92b38c17e6b79dfbbe295144d5c1dbde4216b17f9be7a73ec4d21bc1b36a9c89cbf1e81d2fe3125008ebb50694f34f6170b52cbc9e5a5b306ef7488acfe355
SSDEEP

1536:adbdbb5HyJdMx0paOzpypV9HoayVTa7aZHeUNykj4TLbMOM6bOLXi8PmCofGy:G5ZCdGWzqRoa2SUHHN2bMDrLXfzoey

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bqgmfkhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjpaop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Clojhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcbhd32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 15 IoCs

pid	Process
864	Bqgmfkhg.exe
2956	Bjpaop32.exe
2780	Bgcbhd32.exe
2756	Bcjcme32.exe
3064	Bkegah32.exe
2800	Ciihklpj.exe
2696	Cocphf32.exe
2032	Cepipm32.exe
2008	Cpfmmf32.exe
2988	Cinafkkd.exe
2964	Cbffoabe.exe
2872	Clojhf32.exe
2440	Calcpm32.exe
2456	Djdgic32.exe
2080	Dpapaj32.exe

Loads dropped DLL 33 IoCs

pid	Process
1712	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
1712	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
864	Bqgmfkhg.exe
864	Bqgmfkhg.exe
2956	Bjpaop32.exe
2956	Bjpaop32.exe
2780	Bgcbhd32.exe
2780	Bgcbhd32.exe
2756	Bcjcme32.exe
2756	Bcjcme32.exe
3064	Bkegah32.exe
3064	Bkegah32.exe
2800	Ciihklpj.exe
2800	Ciihklpj.exe
2696	Cocphf32.exe
2696	Cocphf32.exe
2032	Cepipm32.exe
2032	Cepipm32.exe
2008	Cpfmmf32.exe
2008	Cpfmmf32.exe
2988	Cinafkkd.exe
2988	Cinafkkd.exe
2964	Cbffoabe.exe
2964	Cbffoabe.exe
2872	Clojhf32.exe
2872	Clojhf32.exe
2440	Calcpm32.exe
2440	Calcpm32.exe
2456	Djdgic32.exe
2456	Djdgic32.exe
2596	WerFault.exe
2596	WerFault.exe
2596	WerFault.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcbhd32.exe	Bjpaop32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bcjcme32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bjpaop32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Bqgmfkhg.exe	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Bkegah32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bqgmfkhg.exe	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
File opened for modification	C:\Windows\SysWOW64\Bjpaop32.exe	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bgcbhd32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ihkhkcdl.dll	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
File created	C:\Windows\SysWOW64\Cdpkangm.dll	Bqgmfkhg.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Dfefmpeo.dll	Bjpaop32.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2596	2080	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjpaop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqgmfkhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll"	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bjpaop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bqgmfkhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjpaop32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 864	1712	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe	31
PID 1712 wrote to memory of 864	1712	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe	31
PID 1712 wrote to memory of 864	1712	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe	31
PID 1712 wrote to memory of 864	1712	ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe	31
PID 864 wrote to memory of 2956	864	Bqgmfkhg.exe	32
PID 864 wrote to memory of 2956	864	Bqgmfkhg.exe	32
PID 864 wrote to memory of 2956	864	Bqgmfkhg.exe	32
PID 864 wrote to memory of 2956	864	Bqgmfkhg.exe	32
PID 2956 wrote to memory of 2780	2956	Bjpaop32.exe	33
PID 2956 wrote to memory of 2780	2956	Bjpaop32.exe	33
PID 2956 wrote to memory of 2780	2956	Bjpaop32.exe	33
PID 2956 wrote to memory of 2780	2956	Bjpaop32.exe	33
PID 2780 wrote to memory of 2756	2780	Bgcbhd32.exe	34
PID 2780 wrote to memory of 2756	2780	Bgcbhd32.exe	34
PID 2780 wrote to memory of 2756	2780	Bgcbhd32.exe	34
PID 2780 wrote to memory of 2756	2780	Bgcbhd32.exe	34
PID 2756 wrote to memory of 3064	2756	Bcjcme32.exe	35
PID 2756 wrote to memory of 3064	2756	Bcjcme32.exe	35
PID 2756 wrote to memory of 3064	2756	Bcjcme32.exe	35
PID 2756 wrote to memory of 3064	2756	Bcjcme32.exe	35
PID 3064 wrote to memory of 2800	3064	Bkegah32.exe	36
PID 3064 wrote to memory of 2800	3064	Bkegah32.exe	36
PID 3064 wrote to memory of 2800	3064	Bkegah32.exe	36
PID 3064 wrote to memory of 2800	3064	Bkegah32.exe	36
PID 2800 wrote to memory of 2696	2800	Ciihklpj.exe	37
PID 2800 wrote to memory of 2696	2800	Ciihklpj.exe	37
PID 2800 wrote to memory of 2696	2800	Ciihklpj.exe	37
PID 2800 wrote to memory of 2696	2800	Ciihklpj.exe	37
PID 2696 wrote to memory of 2032	2696	Cocphf32.exe	38
PID 2696 wrote to memory of 2032	2696	Cocphf32.exe	38
PID 2696 wrote to memory of 2032	2696	Cocphf32.exe	38
PID 2696 wrote to memory of 2032	2696	Cocphf32.exe	38
PID 2032 wrote to memory of 2008	2032	Cepipm32.exe	39
PID 2032 wrote to memory of 2008	2032	Cepipm32.exe	39
PID 2032 wrote to memory of 2008	2032	Cepipm32.exe	39
PID 2032 wrote to memory of 2008	2032	Cepipm32.exe	39
PID 2008 wrote to memory of 2988	2008	Cpfmmf32.exe	40
PID 2008 wrote to memory of 2988	2008	Cpfmmf32.exe	40
PID 2008 wrote to memory of 2988	2008	Cpfmmf32.exe	40
PID 2008 wrote to memory of 2988	2008	Cpfmmf32.exe	40
PID 2988 wrote to memory of 2964	2988	Cinafkkd.exe	41
PID 2988 wrote to memory of 2964	2988	Cinafkkd.exe	41
PID 2988 wrote to memory of 2964	2988	Cinafkkd.exe	41
PID 2988 wrote to memory of 2964	2988	Cinafkkd.exe	41
PID 2964 wrote to memory of 2872	2964	Cbffoabe.exe	42
PID 2964 wrote to memory of 2872	2964	Cbffoabe.exe	42
PID 2964 wrote to memory of 2872	2964	Cbffoabe.exe	42
PID 2964 wrote to memory of 2872	2964	Cbffoabe.exe	42
PID 2872 wrote to memory of 2440	2872	Clojhf32.exe	43
PID 2872 wrote to memory of 2440	2872	Clojhf32.exe	43
PID 2872 wrote to memory of 2440	2872	Clojhf32.exe	43
PID 2872 wrote to memory of 2440	2872	Clojhf32.exe	43
PID 2440 wrote to memory of 2456	2440	Calcpm32.exe	44
PID 2440 wrote to memory of 2456	2440	Calcpm32.exe	44
PID 2440 wrote to memory of 2456	2440	Calcpm32.exe	44
PID 2440 wrote to memory of 2456	2440	Calcpm32.exe	44
PID 2456 wrote to memory of 2080	2456	Djdgic32.exe	45
PID 2456 wrote to memory of 2080	2456	Djdgic32.exe	45
PID 2456 wrote to memory of 2080	2456	Djdgic32.exe	45
PID 2456 wrote to memory of 2080	2456	Djdgic32.exe	45
PID 2080 wrote to memory of 2596	2080	Dpapaj32.exe	46
PID 2080 wrote to memory of 2596	2080	Dpapaj32.exe	46
PID 2080 wrote to memory of 2596	2080	Dpapaj32.exe	46
PID 2080 wrote to memory of 2596	2080	Dpapaj32.exe	46

C:\Users\Admin\AppData\Local\Temp\ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe
"C:\Users\Admin\AppData\Local\Temp\ae184cadef681213fa71ed9b1dabfbe0a3a28fcb80059f733ed18a980d2de040.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\Bqgmfkhg.exe
  C:\Windows\system32\Bqgmfkhg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\Bjpaop32.exe
    C:\Windows\system32\Bjpaop32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\Windows\SysWOW64\Bgcbhd32.exe
      C:\Windows\system32\Bgcbhd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\SysWOW64\Bcjcme32.exe
        
        C:\Windows\system32\Bcjcme32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2080 -s 144
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
96KB

MD5
264583d4375c4d188f70fbe99a664670

SHA1
2f96419c9a8b5901e93247e98e08178c4297f3ee

SHA256
01a3428d571169ae0ae89af8f472b40cf14f7fb3e6e818d5aa1d501525de6daa

SHA512
157dad3731d438de3f317718f283df33437f5a46979c6ee88f7d84e00ee7ea5c19cc47ce460516046dcc4684c914d59fff3f96651d8b09a205250480c7999167

Download Submit
C:\Windows\SysWOW64\Bnjdhe32.dll

Filesize
7KB

MD5
71d42b3d652b416f3f1726398ecb2ce6

SHA1
a90896582ccaa0ad301b388e3f9871705bd6f1d3

SHA256
b83b66a44c65622e9b1817f9e906b506a3a86f88544c7e2345dc9b950e608524

SHA512
a088f592c6ee5552223da3fd692e01709b7d15de6f6e62ddb6c72261671c3c7471366d764f2ab988f0460a356fec870f49ddd8858bf1dd0108e5d9b1bcf472e5

Download Submit
\Windows\SysWOW64\Bgcbhd32.exe

Filesize
96KB

MD5
ee8712de4be61f71caf7a6e866319502

SHA1
cf71e31b6b669f4523b68b42fc9420487b52dd74

SHA256
226046d939bc97d40287d0512325937cb8125caf4ba752f47dec939e52b799f0

SHA512
75928cc602fdd101899c1031c37c06360c518da4e3d3c16be847f2a4d4ee8dc9c13a60885282b00cf5059c667cf7ad66820e4ec8655e49b58172c2c29bf5a974

Download Submit
\Windows\SysWOW64\Bjpaop32.exe

Filesize
96KB

MD5
d770f2f642ef6ab6bbe68750065a2ce1

SHA1
d5bd7e7f0141c1de10853fe20c1967f121f99569

SHA256
0a6e559f49ca28aee034e22f9ec5a78311b133ec7995880facdb29075d14dad5

SHA512
d0c7c7b56ee5479cc95b29855c03402556559c41442f1d262ff86648d49488596dd781efaf85285450af566b6daec5ce454da0cab06924202a4dc437d156de86

Download Submit
\Windows\SysWOW64\Bkegah32.exe

Filesize
96KB

MD5
75f1b1d9da530a12d5eb146f11f82f01

SHA1
ec503b8695ebbb00f3f593518a9a8887811bf8d6

SHA256
d7f2e8528a967a80abacb4765e0d43f76c68db927a675aa8142ab4fd013ad8fe

SHA512
415e787dbff7217f5cda03363116e6a88c8e70cfa4088dc256a03bacdb0f55aeb4618f124705e83d54db3de14010362f2cd4e662799e9060157d725d0da83f8e

Download Submit
\Windows\SysWOW64\Bqgmfkhg.exe

Filesize
96KB

MD5
be0e03f353b51ed5b4fdff931aaa13a2

SHA1
0d5b7cfb2350146fcb564ee66b2130e8719c4e76

SHA256
ffcea1ce621292c22e229cec0b815fd533e2747e742de6ba12195aa7e775faae

SHA512
b9fe50c18bd4b51d9e372429be5a2ad5405b3cc3138d23230441032103eaea8d532d46a2d1a3585ff19169c14691fe88f8ee3976fed313d1ac5f6ac37558b139

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
8ecf543a643a98a0714eb40c5560f258

SHA1
5192e4c5af6750cf2ca1ed5159820131cb90e38e

SHA256
3137c2b718ff3c415b23fd1cab75512e75a9bcffa1317c487d65f872ce6f57d3

SHA512
607b044c2533fca65f7ce05a70344ac8157ebcf27d71e2e378902de6b1a408424a8892bf6547794fb845bb2697bbd760960389db6ada334a0bf8425c2862f42c

Download Submit
\Windows\SysWOW64\Cbffoabe.exe

Filesize
96KB

MD5
1c3b32f1e207aa4d2d6c62d400178291

SHA1
1670c9cab1bd894bb8ee8d63073a9dfe4454da38

SHA256
5c12ddc7a1131992221e32f7963d578ee891221fc7e77ffe344196019194dfea

SHA512
8bce2bc0d5286d36f2d05a2fe49ea172c7fc35f30f493d3c4040136960c73e54d1c102e16efad0f52525758467413a1c046121c4de559522c6947ddceff4f4c6

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
1e91c8f65284c71be0722daac677579e

SHA1
c33a53df9e532727cd66d6340bd75749c4b494fc

SHA256
c5cb081e0a6c979f9976831d9cf1ea004b4559e1fdc3ae940c9ae4baffff1f64

SHA512
11606ed78ab5aed7e9414aa63c00cd1a0e26c600895cae67f44e9c34671ba1ed860c9aaa51571bb6d627302bc87cbfe4881a6c460d7db622d7829de378ceb268

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
32e37a888b580d913167796fad8dcdc9

SHA1
086806bedd650cf716a1f37775d4848a07d6aaba

SHA256
4b4167d26465dc626c4bae7b28b1f4564e045ef7110380615b877afda7c1183c

SHA512
f087a857612e05136be38964ca22aa28e42566546374e19a1c4fede6f85ca25c8c87dfd0117b098e74cd018a0a9276c0b40c2fce13a0debe5cd4abeb1942dc13

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
96KB

MD5
2ca23941aa7597eaa3cfd39c2b41c370

SHA1
cc0451ec2a9fb2bd0ae8204065984061a9262ee5

SHA256
b437d097dcfb735434bd91038aba4672d083a2f4bca3920fd913c1039cc6f049

SHA512
516de2dc4231c62cb6529a248af2652a83f30bf46b181be3b7b8eecabe04b32c1690cd73679b7a18df573fe9aee998b97314f1044e507243b2e7115d3564d3f8

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
96KB

MD5
f2094c9a303a6e12886d074f4e526686

SHA1
b2c7f57089e51f404e48f710aea5582ede54540c

SHA256
a0447f128caeffd9709d72a04a8ddbdcf061081eb3a65e4405f1b06b46ec904e

SHA512
4d21f02ff112c845634cbcf9ffa83ebdae9feedc695d2246a3532ae21aae3e25e22e1d08ecd2bdc20209a40bc88cbd6408a42b2a4758546dfb6dce05168c5007

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
96KB

MD5
dada254054ada58bd90cf04c8c877481

SHA1
80ad92bca52cb5fb85d484f70a8934793a038320

SHA256
d2287f2e511c9c75a06b996ef55726bd2360a01b28eb3e9f3f4eff7046a7a634

SHA512
7a2d77c857d1897727a99af95cabdc7ffbbce6d32e0f2b05fa2bc79becdc01771a80bf09cbddf190f6b49265694facc5236362cab0ae9a1ec6d828b6f00794d7

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
96KB

MD5
1c817406a33b758c378995804c7f1e57

SHA1
4edb104a5f129295fe82e2accb753cd06e95bb3b

SHA256
084ef184478005a378fc773ccfb5ac5ad80481e57fad083a61782eb4516323cf

SHA512
078dda877a6c4c6bbcedd6e63d52fe5a437dca8cd5265192c84be49e548d9d1aa41e9ec6ee77eb1103e06bf4143a842b1fcd76a01cb1f9cb11c5e8d42c8de325

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
96KB

MD5
5306461545d010f9750854db6678f51b

SHA1
592952aeada7eef639c9094fef9d83ff873f2c68

SHA256
18ce10d25622f188684f5f4d92a9c9d37d743cbead0bb8ace0379b514051954c

SHA512
a3ae4ad143a4656ba3a7d4fe8fbbab5d284f727a058a61b8d7066b9cea4cc0b6c74a04b1c50a5b4b0ee6ff0ec5540fd7c41a30e23b58f419ba0c58f4b8fe4dd5

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
7041a15d0ba1174f044c492e5fefef0a

SHA1
496a01d6f44e93f05bda99369024716812ea1cf2

SHA256
c07c8e3aad725fc4610827a252c38c75325324e82f3c863b26fe048620f3e322

SHA512
8b786fe010caafcfd9bef89247234ff835c721066b0d6172bd1b55564b06a3b161d28e217c1f8051f21c160e74f1d41c46dc5692e1a1be8e7f4f6365710a04a7

Download Submit
memory/864-21-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/864-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-12-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1712-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1712-8-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2008-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2008-119-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-106-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2080-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2440-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2456-197-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2696-213-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2756-54-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2756-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2756-62-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2780-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2800-88-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2800-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-166-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2872-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2872-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-41-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2956-35-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download
memory/2956-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2964-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2988-140-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/3064-75-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/3064-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads