berbew | e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Size

93KB
MD5

d4d4bf89766325b811495993d6f84db4
SHA1

bae3080657317b025b1dcbbf480841ed5d86e2c8
SHA256

e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634
SHA512

df502227ee4737bb4d4a062c513bbd0305bda0428c2fa2eac8dc25933df7e10742e05edcd711c6d6d06b0a8a15279630d279ea0d68113844b2e42986ba302c32
SSDEEP

1536:EhRP1ukv/uC9D4JFz9azjsI9Kwr1DaYfMZRWuLsV+1j:2NuWtD2FZSjn9KwrgYfc0DV+1j

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdenafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 17 IoCs

pid	Process
2500	Bdcifi32.exe
2800	Bfdenafn.exe
2848	Bchfhfeh.exe
2708	Bmpkqklh.exe
2584	Boogmgkl.exe
2616	Bjdkjpkb.exe
2968	Coacbfii.exe
2268	Cmedlk32.exe
2816	Cbblda32.exe
1864	Ckjamgmk.exe
1224	Cagienkb.exe
1944	Ckmnbg32.exe
2316	Cnkjnb32.exe
3024	Cjakccop.exe
1708	Cmpgpond.exe
2232	Djdgic32.exe
1288	Dpapaj32.exe

Loads dropped DLL 37 IoCs

pid	Process
824	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
824	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
2500	Bdcifi32.exe
2500	Bdcifi32.exe
2800	Bfdenafn.exe
2800	Bfdenafn.exe
2848	Bchfhfeh.exe
2848	Bchfhfeh.exe
2708	Bmpkqklh.exe
2708	Bmpkqklh.exe
2584	Boogmgkl.exe
2584	Boogmgkl.exe
2616	Bjdkjpkb.exe
2616	Bjdkjpkb.exe
2968	Coacbfii.exe
2968	Coacbfii.exe
2268	Cmedlk32.exe
2268	Cmedlk32.exe
2816	Cbblda32.exe
2816	Cbblda32.exe
1864	Ckjamgmk.exe
1864	Ckjamgmk.exe
1224	Cagienkb.exe
1224	Cagienkb.exe
1944	Ckmnbg32.exe
1944	Ckmnbg32.exe
2316	Cnkjnb32.exe
2316	Cnkjnb32.exe
3024	Cjakccop.exe
3024	Cjakccop.exe
1708	Cmpgpond.exe
1708	Cmpgpond.exe
2232	Djdgic32.exe
2232	Djdgic32.exe
1172	WerFault.exe
1172	WerFault.exe
1172	WerFault.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Ogdjhp32.dll	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Coacbfii.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Bdcifi32.exe	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
File opened for modification	C:\Windows\SysWOW64\Bfdenafn.exe	Bdcifi32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Cmedlk32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Djdgic32.exe
File created	C:\Windows\SysWOW64\Oaoplfhc.dll	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Coacbfii.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Bdcifi32.exe	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bfdenafn.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Bchfhfeh.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Coacbfii.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Dnbamjbm.dll	Bdcifi32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bfdenafn.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cmpgpond.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1172	1288	WerFault.exe	47

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdenafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coacbfii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll"	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Cmedlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll"	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdjhp32.dll"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdenafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdcifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Coacbfii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coacbfii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdgic32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2500	824	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe	31
PID 824 wrote to memory of 2500	824	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe	31
PID 824 wrote to memory of 2500	824	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe	31
PID 824 wrote to memory of 2500	824	e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe	31
PID 2500 wrote to memory of 2800	2500	Bdcifi32.exe	32
PID 2500 wrote to memory of 2800	2500	Bdcifi32.exe	32
PID 2500 wrote to memory of 2800	2500	Bdcifi32.exe	32
PID 2500 wrote to memory of 2800	2500	Bdcifi32.exe	32
PID 2800 wrote to memory of 2848	2800	Bfdenafn.exe	33
PID 2800 wrote to memory of 2848	2800	Bfdenafn.exe	33
PID 2800 wrote to memory of 2848	2800	Bfdenafn.exe	33
PID 2800 wrote to memory of 2848	2800	Bfdenafn.exe	33
PID 2848 wrote to memory of 2708	2848	Bchfhfeh.exe	34
PID 2848 wrote to memory of 2708	2848	Bchfhfeh.exe	34
PID 2848 wrote to memory of 2708	2848	Bchfhfeh.exe	34
PID 2848 wrote to memory of 2708	2848	Bchfhfeh.exe	34
PID 2708 wrote to memory of 2584	2708	Bmpkqklh.exe	35
PID 2708 wrote to memory of 2584	2708	Bmpkqklh.exe	35
PID 2708 wrote to memory of 2584	2708	Bmpkqklh.exe	35
PID 2708 wrote to memory of 2584	2708	Bmpkqklh.exe	35
PID 2584 wrote to memory of 2616	2584	Boogmgkl.exe	36
PID 2584 wrote to memory of 2616	2584	Boogmgkl.exe	36
PID 2584 wrote to memory of 2616	2584	Boogmgkl.exe	36
PID 2584 wrote to memory of 2616	2584	Boogmgkl.exe	36
PID 2616 wrote to memory of 2968	2616	Bjdkjpkb.exe	37
PID 2616 wrote to memory of 2968	2616	Bjdkjpkb.exe	37
PID 2616 wrote to memory of 2968	2616	Bjdkjpkb.exe	37
PID 2616 wrote to memory of 2968	2616	Bjdkjpkb.exe	37
PID 2968 wrote to memory of 2268	2968	Coacbfii.exe	38
PID 2968 wrote to memory of 2268	2968	Coacbfii.exe	38
PID 2968 wrote to memory of 2268	2968	Coacbfii.exe	38
PID 2968 wrote to memory of 2268	2968	Coacbfii.exe	38
PID 2268 wrote to memory of 2816	2268	Cmedlk32.exe	39
PID 2268 wrote to memory of 2816	2268	Cmedlk32.exe	39
PID 2268 wrote to memory of 2816	2268	Cmedlk32.exe	39
PID 2268 wrote to memory of 2816	2268	Cmedlk32.exe	39
PID 2816 wrote to memory of 1864	2816	Cbblda32.exe	40
PID 2816 wrote to memory of 1864	2816	Cbblda32.exe	40
PID 2816 wrote to memory of 1864	2816	Cbblda32.exe	40
PID 2816 wrote to memory of 1864	2816	Cbblda32.exe	40
PID 1864 wrote to memory of 1224	1864	Ckjamgmk.exe	41
PID 1864 wrote to memory of 1224	1864	Ckjamgmk.exe	41
PID 1864 wrote to memory of 1224	1864	Ckjamgmk.exe	41
PID 1864 wrote to memory of 1224	1864	Ckjamgmk.exe	41
PID 1224 wrote to memory of 1944	1224	Cagienkb.exe	42
PID 1224 wrote to memory of 1944	1224	Cagienkb.exe	42
PID 1224 wrote to memory of 1944	1224	Cagienkb.exe	42
PID 1224 wrote to memory of 1944	1224	Cagienkb.exe	42
PID 1944 wrote to memory of 2316	1944	Ckmnbg32.exe	43
PID 1944 wrote to memory of 2316	1944	Ckmnbg32.exe	43
PID 1944 wrote to memory of 2316	1944	Ckmnbg32.exe	43
PID 1944 wrote to memory of 2316	1944	Ckmnbg32.exe	43
PID 2316 wrote to memory of 3024	2316	Cnkjnb32.exe	44
PID 2316 wrote to memory of 3024	2316	Cnkjnb32.exe	44
PID 2316 wrote to memory of 3024	2316	Cnkjnb32.exe	44
PID 2316 wrote to memory of 3024	2316	Cnkjnb32.exe	44
PID 3024 wrote to memory of 1708	3024	Cjakccop.exe	45
PID 3024 wrote to memory of 1708	3024	Cjakccop.exe	45
PID 3024 wrote to memory of 1708	3024	Cjakccop.exe	45
PID 3024 wrote to memory of 1708	3024	Cjakccop.exe	45
PID 1708 wrote to memory of 2232	1708	Cmpgpond.exe	46
PID 1708 wrote to memory of 2232	1708	Cmpgpond.exe	46
PID 1708 wrote to memory of 2232	1708	Cmpgpond.exe	46
PID 1708 wrote to memory of 2232	1708	Cmpgpond.exe	46

C:\Users\Admin\AppData\Local\Temp\e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe
"C:\Users\Admin\AppData\Local\Temp\e2f00bb82f399bf3a6d1a06cef3ba85a006be9cbc062eeda10c1a8bd88052634.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Bdcifi32.exe
  C:\Windows\system32\Bdcifi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\Bfdenafn.exe
    C:\Windows\system32\Bfdenafn.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Bchfhfeh.exe
      C:\Windows\system32\Bchfhfeh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2616
        
        C:\Windows\SysWOW64\Coacbfii.exe
        
        C:\Windows\system32\Coacbfii.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 144
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cmpgpond.exe

Filesize
93KB

MD5
605f86ed6713fc618e350c536b0808a9

SHA1
0c9c1151c978cac9895c504942400182a20ee038

SHA256
1e190a31bc7c5e94d8243805155cd6bd652e050832c72f7e3a35cc07cbdcb8a4

SHA512
9ed7475f0ee10952ef18d26ac9fca277bddd3ac66a93f99366a9d565415a9dc5109375a57af4546e8199ff708212185b33b4d333172e259f2a3971ffeafdf20f

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
93KB

MD5
dd0ef2a4407abfba5fb712253f3fd770

SHA1
bf760aacc7d2881fa43fe79490998e531be63e0c

SHA256
991db880c446f3aec074432e7d9a3329532fa3034b4bcc5ee0e31cac373c512d

SHA512
d6c2ed989ef993f41b23a1639d0b91401d0bed8ad45945939bf4d38380fcf87f6b0f6bca5aadc2ef691c4ea5ae7d4a304acee4b73219213d14a79bebb681b82e

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
93KB

MD5
633d0600a5dec393be1a86c1ac535d05

SHA1
b55ab62f48b739436f2509a1d115e0309e766851

SHA256
c04beae3615a7283a4bdc57548be0763e8c28851d99bb515ac7b5d72f6a87e92

SHA512
143500fad5937169715f42a46b2eb72d36ebaad4dd5d63add91df8cf7862de6bc15d5973e667aa85f3115bd84cfd0449662086b4dd9fdf6e57a71b4c43221a86

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
93KB

MD5
64da4d63380d53d8b6021462e04dcb97

SHA1
4f94179022d762ca3ba35cfc4fc027d345c26ce9

SHA256
42e4f4015f09de54e3f4decc239b3263b03e1ea421f864051b2e0fab1c8cbca7

SHA512
50f172081c5e76de0c470a6bd2d550df1ab23ef1462dea8b4a662ef39d8b1b5c0f457dea94bcefeb910368d0bdfe2a6dfbfefba120d75c19a2286c56d459182c

Download Submit
\Windows\SysWOW64\Bdcifi32.exe

Filesize
93KB

MD5
49c2dc6ebfcf326e3872d6ee290d80f0

SHA1
b518867a008d861f43c29a44710a050c17dd160e

SHA256
3430ccf2f71cb795cbb4645288d8d24a332e33a704ccfce6d0e60cfcd215772c

SHA512
455923ffe33d5cecb9f2b03f01664400dcdaa6838cfb4b3d8a610cb030f0ae402b3ca8b5bd1c3215998200fb989384bff90ecea656b9855d91f3a20fd14194c8

Download Submit
\Windows\SysWOW64\Bfdenafn.exe

Filesize
93KB

MD5
63c0ad580368100289d0b602c8ceb261

SHA1
57d5dc8f35133ebcfe31b8d6005e79a0513f539d

SHA256
ae19c1720026b59a34dc160c5027e09f5dee05695ce70fc4015c2870956a8ecc

SHA512
0197b49289bd8d7174f3720be107b0bf3d2df4f5254684ea51ec2300daf575669b03040939a5251586bb9f6199f401c6e9207e2bca1b96d62c565a47e574cb02

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
93KB

MD5
61246aa95da6f96b20ebfec123eb8013

SHA1
5656cb17f4fe4b4ea9af28f0ddfeab10917acb70

SHA256
35c60b53dbb119f3431e277f7008f41d48b48a01f2477906b3475dbfd34707a1

SHA512
ec43069f2695e0a841b4fde4b3310252fd7bbfbd89b6a499c20ff718cfe85291b9ade34829beb037dbaeb8cf443403e3d61930aa72205cf1dd8e990958c4e23f

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
93KB

MD5
75cb9b8558d56a6767fc004709428dbf

SHA1
f0fb3c2b98d1e09a48288299c8d96154495be8ab

SHA256
7160fa1a34fe372d2b61133934c9946d80e3a105bbe1a8503b9685ce96bfeb8d

SHA512
48f51ee74d6820cccae92c370691801db115d798241c570f7c1bd0a586c454525c7df39fe963ef252f0423276f57b0c9d2d51888a44c9ab88f2b62946bfe1ce7

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
93KB

MD5
e35b231201d4eff46040cdb8b9092031

SHA1
6ee14b9f3b669465e52c9ac0b5f50f8e5574f7b2

SHA256
1eae50b0fc1aaccd9461b02fe1b85627b47b62a921e2ef36296bc1e96fcce911

SHA512
056bd36a79a0761545682db01903c0ce125b90b4abfdb9538b7641a3f48620e20368c634f096e19692dad69bbfcf7d624637be98ecf159029f0b782229aaca63

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
93KB

MD5
728e942550ae6c366c80faf7059620d4

SHA1
a969e0828fcf0ce28361e69bee9e1ef0ca9eace6

SHA256
60d29278b732a678c535e266a9209206a4cc465cbfe2b1cabfd163163b4d4268

SHA512
3f87f80a3d7c6a67096081db10b00f8657f11d35aef5c3877eb49ade077391cc537f3b13069bc3f4903db15d7342aef9b492052c58cae5acab1124f1f9d2312f

Download Submit
\Windows\SysWOW64\Cbblda32.exe

Filesize
93KB

MD5
2310ad74360088b6371cabd15caf3773

SHA1
5cfa498a8647a75d71de3a7cdda416dedf7b1282

SHA256
187ee0f7939cbb6670db35a0af4de955167d375637e7efc1f04180f71adc0121

SHA512
aea0f6a8fe98dcf4d3f8c65175e59a2d153fe0bd31fc866a71cca1ca4074712ed7b38efae1986f3e1419369b802973fe9eca39ae92d9f2f61f835928ed101426

Download Submit
\Windows\SysWOW64\Cjakccop.exe

Filesize
93KB

MD5
88f63861817327aa5fd763cde2e1e934

SHA1
0792dd3f2da8e823f32303cbd100d0a2f73316ca

SHA256
404799705f5d67114ed8110eb7d2f65c037564ea51f0fdfa2ba643ca02fa6b3c

SHA512
5771cc96e8d8c93c9a241bf8c73184326e6fffe24a6852b25be6e95570f3587cbdb58aaf423c9054e9c1287874386881f37b744be84d489de5ec37b0d5921d27

Download Submit
\Windows\SysWOW64\Ckjamgmk.exe

Filesize
93KB

MD5
8b8010cb8689d3c023d73a2c1ef2ca9d

SHA1
689488a2562fb7143488925444a9e6339e304f2f

SHA256
e2606f5323ef746bd6e20f78c8ed24f224d01608bd09a99dc70af41a0c625f02

SHA512
311a99ff8e14d6331a9be41d83a7ae26d0cce83d872cfa641262f4b742b002cfb2683430f9ca9d51822e20ffce25883002a4c7b943091f832e353df970c43d69

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
93KB

MD5
efe8432ab1714b096c7c2943ab76ac82

SHA1
e653df517618b8fe30eb4a02825ead2297cc6686

SHA256
d6fcb1ea6ce11edcd4a5d93728e28c803ed39c87d80090eafd96d4401cd94aef

SHA512
2ec55c07a7d76ccc2089f664e66f1f7c7a3a5bc5be7060755a296b7b6c81c0d94f85eb9f048b4e73bf536f528e1fb45d247bfb4e4de30810df3c3a1e7d7aa647

Download Submit
\Windows\SysWOW64\Cmedlk32.exe

Filesize
93KB

MD5
567eb5ce37dfb4276b73fd684a7759b5

SHA1
9b7fc045c7a5474ac35d1fed8929eb3bf907aa82

SHA256
da15dec4450271e65feedfb201212798ac9dc8f3e908af9b5e29519a59a26dc8

SHA512
279057fc9ea07cb60f278d449bb0ee28534628847df161744d84c6f10f112845e9c9a5c687c47960ab039f276ed811c0d14fb10629d855deae7684073f43f714

Download Submit
\Windows\SysWOW64\Coacbfii.exe

Filesize
93KB

MD5
cec79148eb4d5386f0b3762ed190801d

SHA1
7fc0e6cb751616ac4ad8bae0d4c78c77af57d002

SHA256
940f88d51454a54eb3b006615e0ec2d71de4c0e85be955370d249da2453d29c6

SHA512
8085a4ce2d8a78f078c9272ccf5857541bfe0a4d1e1eef0863319fde29933187bcb3e8d2149cbc982072ee3ee599c9f020ce35f1a397391dede6c67a7353ffdf

Download Submit
\Windows\SysWOW64\Djdgic32.exe

Filesize
93KB

MD5
508ce93742038019b58aa430be683705

SHA1
282f807d1d4cc5af56c6dc50a230263d849de5d2

SHA256
2c78025552b778a6c9cc30772d2e5f9507007c8ae6fc376cae263c4f5d7561fe

SHA512
3e110ce59a0e3f16e681a1693d96c521d1114b3d85a89ad10992209c814c767052a3577a0da89fcc72f7a72d8b24ccb4e1ae4cb0b23c0eb18a622d241f6727c0

Download Submit
memory/824-18-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/824-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-17-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/824-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-187-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2316-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2500-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-75-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2584-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-80-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2584-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-95-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2616-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2800-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-131-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2848-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-104-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2968-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-110-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3024-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads