berbew | ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-01-2025 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Size

337KB
MD5

26dc676d5627f429799472e98139df8b
SHA1

1916b0ed8ee03e7aadf15958728c2727e80bfbbe
SHA256

ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1
SHA512

e6be26019d360d386b1266f2078169480425de0df5dd16566cdd16608d742e78a983a5a5a6c919410c768fc7e8ee5e3614e24caafb8b3cfba67d565e51e851d8
SSDEEP

3072:9sT3DXVo8M1e+sQPgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:GTzlYIeP1+fIyG5jZkCwi8r

Score

10^/10

berbew njrat backdoor discovery persistence trojan

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 18 IoCs

pid	Process
544	Bfhhoi32.exe
4572	Bclhhnca.exe
4060	Belebq32.exe
2264	Cfmajipb.exe
3596	Chmndlge.exe
1172	Ceqnmpfo.exe
2976	Chokikeb.exe
1656	Ceckcp32.exe
1572	Cajlhqjp.exe
3876	Cdhhdlid.exe
1688	Ddjejl32.exe
3160	Dhfajjoj.exe
4660	Dhhnpjmh.exe
4804	Dobfld32.exe
4748	Dfnjafap.exe
3824	Dfpgffpm.exe
528	Dddhpjof.exe
4480	Dmllipeg.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Belebq32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dfnjafap.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4584	4480	WerFault.exe	100

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 544	32	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe	83
PID 32 wrote to memory of 544	32	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe	83
PID 32 wrote to memory of 544	32	ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe	83
PID 544 wrote to memory of 4572	544	Bfhhoi32.exe	84
PID 544 wrote to memory of 4572	544	Bfhhoi32.exe	84
PID 544 wrote to memory of 4572	544	Bfhhoi32.exe	84
PID 4572 wrote to memory of 4060	4572	Bclhhnca.exe	85
PID 4572 wrote to memory of 4060	4572	Bclhhnca.exe	85
PID 4572 wrote to memory of 4060	4572	Bclhhnca.exe	85
PID 4060 wrote to memory of 2264	4060	Belebq32.exe	86
PID 4060 wrote to memory of 2264	4060	Belebq32.exe	86
PID 4060 wrote to memory of 2264	4060	Belebq32.exe	86
PID 2264 wrote to memory of 3596	2264	Cfmajipb.exe	87
PID 2264 wrote to memory of 3596	2264	Cfmajipb.exe	87
PID 2264 wrote to memory of 3596	2264	Cfmajipb.exe	87
PID 3596 wrote to memory of 1172	3596	Chmndlge.exe	88
PID 3596 wrote to memory of 1172	3596	Chmndlge.exe	88
PID 3596 wrote to memory of 1172	3596	Chmndlge.exe	88
PID 1172 wrote to memory of 2976	1172	Ceqnmpfo.exe	89
PID 1172 wrote to memory of 2976	1172	Ceqnmpfo.exe	89
PID 1172 wrote to memory of 2976	1172	Ceqnmpfo.exe	89
PID 2976 wrote to memory of 1656	2976	Chokikeb.exe	90
PID 2976 wrote to memory of 1656	2976	Chokikeb.exe	90
PID 2976 wrote to memory of 1656	2976	Chokikeb.exe	90
PID 1656 wrote to memory of 1572	1656	Ceckcp32.exe	91
PID 1656 wrote to memory of 1572	1656	Ceckcp32.exe	91
PID 1656 wrote to memory of 1572	1656	Ceckcp32.exe	91
PID 1572 wrote to memory of 3876	1572	Cajlhqjp.exe	92
PID 1572 wrote to memory of 3876	1572	Cajlhqjp.exe	92
PID 1572 wrote to memory of 3876	1572	Cajlhqjp.exe	92
PID 3876 wrote to memory of 1688	3876	Cdhhdlid.exe	93
PID 3876 wrote to memory of 1688	3876	Cdhhdlid.exe	93
PID 3876 wrote to memory of 1688	3876	Cdhhdlid.exe	93
PID 1688 wrote to memory of 3160	1688	Ddjejl32.exe	94
PID 1688 wrote to memory of 3160	1688	Ddjejl32.exe	94
PID 1688 wrote to memory of 3160	1688	Ddjejl32.exe	94
PID 3160 wrote to memory of 4660	3160	Dhfajjoj.exe	95
PID 3160 wrote to memory of 4660	3160	Dhfajjoj.exe	95
PID 3160 wrote to memory of 4660	3160	Dhfajjoj.exe	95
PID 4660 wrote to memory of 4804	4660	Dhhnpjmh.exe	96
PID 4660 wrote to memory of 4804	4660	Dhhnpjmh.exe	96
PID 4660 wrote to memory of 4804	4660	Dhhnpjmh.exe	96
PID 4804 wrote to memory of 4748	4804	Dobfld32.exe	97
PID 4804 wrote to memory of 4748	4804	Dobfld32.exe	97
PID 4804 wrote to memory of 4748	4804	Dobfld32.exe	97
PID 4748 wrote to memory of 3824	4748	Dfnjafap.exe	98
PID 4748 wrote to memory of 3824	4748	Dfnjafap.exe	98
PID 4748 wrote to memory of 3824	4748	Dfnjafap.exe	98
PID 3824 wrote to memory of 528	3824	Dfpgffpm.exe	99
PID 3824 wrote to memory of 528	3824	Dfpgffpm.exe	99
PID 3824 wrote to memory of 528	3824	Dfpgffpm.exe	99
PID 528 wrote to memory of 4480	528	Dddhpjof.exe	100
PID 528 wrote to memory of 4480	528	Dddhpjof.exe	100
PID 528 wrote to memory of 4480	528	Dddhpjof.exe	100

C:\Users\Admin\AppData\Local\Temp\ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe
"C:\Users\Admin\AppData\Local\Temp\ffa40455ce4f3399c04bd60994fdd0852ef7a8504d8f5a1644925fb7291320d1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:32
- C:\Windows\SysWOW64\Bfhhoi32.exe
  C:\Windows\system32\Bfhhoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Windows\SysWOW64\Bclhhnca.exe
    C:\Windows\system32\Bclhhnca.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\Windows\SysWOW64\Belebq32.exe
      C:\Windows\system32\Belebq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3160
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 396
        20⤵
        Program crash
        
        PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4480 -ip 4480
1⤵
PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
337KB

MD5
a90dcb0ec82afef95bd1dc1e217e5f5c

SHA1
3c1e923ba931fcbf5d84cc425fb093ad7f450d62

SHA256
979859adcd26a4a15697c2c04c82a0bd5be5d8efe8778eeea374ead1e53abbec

SHA512
7bdbabb51834ecc2c363cc7256019ecbd786ed3c4f5aee7ba5a88526a52f2db3f556742fb397093994621209918c37e762dd968b48c66028a6ae42c5468c5c74

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
337KB

MD5
a77ef0b820d24eda78ca365c0eaa0eaa

SHA1
5f13308527a5574916c1c4e04404dbd883e8ffb0

SHA256
cc0a3f16118e7ee72b9acc6f20dc9924e4eba008840bd649026ad9b98ed5d62f

SHA512
e65d5bce4830449bee5b3d8528450afd2d6bb1057c5b6ca1b85f377df82eff0827e33d2f3f96df42eaa3a367ee48b938629a9b0d7c9f38fb8c99913197dafbe7

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
337KB

MD5
e18edc1d9da3225037a4a408b93316d4

SHA1
6d4402b69f907bf3ac362f26a628f164319c3b2c

SHA256
9d8cdda3898dacd338bfef324862d35b37fc3c598b5ff9db23978faee494b8c9

SHA512
020f2ed3ff86e04bc08d59612625a389bdca89902aadec3cd9c4fd781419e1c3b929b5cbde73a1d7c50fb529303cb2e4c316a6de2bf18f9374c35e8cb5d6d660

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
337KB

MD5
c9b39fb70eab19f6df14c357f2334362

SHA1
f09b3afa520e0a6e5903c153522e23f1244509cb

SHA256
95e601cdbcddc9dd3e7071222e99f6b70521ed5200b7c1a8f5e20b807ce355ab

SHA512
5ce884841786dfd0de01451f3345d0c2014fb5366d7589e980fe27258065c6dfeb9642f782f6144458ca5f5a6f19f4f877f4533d8dc7b3268f0dcdb5515c0075

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
337KB

MD5
a2ffd7e7277642bd941f33a61b813632

SHA1
00f230e0a41ffaeec2a775424ce64c5bf7b0aa4a

SHA256
3ad595fb73900082b4df1211acf22d14833986d0ab33a2aadf7a45892053099d

SHA512
4288a9ab44f3f533b69fc28392e51c8899a0c695cad7f071fbd413a3b1695388654cbc41cfba07a002c607445bc4223d85eb1a675d656112f421f7e13f1b3795

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
337KB

MD5
fd677cf8f261b5ea3575cde39ce47d7e

SHA1
d3ee97117f84537ab546364054785d9739b598d4

SHA256
ed21fe5cb68582cc4aa88509d692e93ab72e84f4d153f90d0af1810f14c5899d

SHA512
7dbcd8e0970791f16f462c071fbf43b8d21bdc71cd816b3fc2b73d145f87e664523f7294355b7ae691ae764b4ad1650916a6f4abdf06bfe1e625fb2da52d8593

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
337KB

MD5
f04086713efc29d20b9027b7e2166036

SHA1
b5dbe1d31070a4f4ae2d8c66ded69acccf709f7f

SHA256
f4de3abb77febcf0ff630297a397d39149a2ce5ed17b35a7bcdec78614b7b827

SHA512
cf4b952fc45c17afeb046edea8ceb05c5135d71914ec4f10f87e85a09b3520e6d4dd44fb0ee38207b64a21193237fe2666b2c0da9d3eda4ab34ded6a6708c100

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
337KB

MD5
741cee17223f462ae377e8c2983f76b7

SHA1
7d4b509a6200bcd1c64db39fea48bfcc0d3494d7

SHA256
2bbbd4d768ee1af62c1759c455e2d3f6dd9c3b56afe0fe2e6df3ab447a528f2a

SHA512
82f45443e6b38a52fdb91e63dc8896dc49dd88ec16d273fd80d8d8d57368139ec581d4f615dd7da10f3ff29516252fcdf4ba1004a4b51a77ec509115d6d211fc

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
337KB

MD5
92aed63cfbcacb2bb6459bd0876d12eb

SHA1
116d58e49786eb60e5b05d999a4b713625385b38

SHA256
9f1b8e8d79096fc38ceebdb0cd840a6a4861032a8f690c1498f03b1b4d21eab7

SHA512
68c9aa78ea218c1b1818204398f2ebc59e4869fd4d58658a81500df27f4c5646408025c7dac068b62d7564f1843987af914bf27f162ac15c725374098e9c607e

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
337KB

MD5
0cbd71e25b56f3123565004f3b00e4a1

SHA1
ab537f1273905ffcc3c910ee6411c80c4ad0fe05

SHA256
ae2562a5af29227a69a7d4e93772a2c434c5c7f02a1a43c9a34b2eadc232d600

SHA512
300edcd3813a6b775e528d7fec376be55577cb1b577ce62a1d2c4393163045f2fc4fdfe5b4a9d32a8d5ad04ca0a69ea73aed2acd3468ef845d117c0ee4bd483f

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
337KB

MD5
7847a09322163b0398dc1ee26ccacade

SHA1
8577761bd92a34d9627e4f099bc8cf81936e8c46

SHA256
2631c5f881537e6e4c4f1689bed8e927d7dd758e122299ef372f73c237b8cbcd

SHA512
7b576b1d02c15547c4d17233dac0331608b2b2fdbdd5744d484e9e8b26ad238a1e6b89d07dcc5a7d2bfc72b2bb699fbdffb3c7f45caee517f84bc2b801c34cd5

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
337KB

MD5
ad02bede562e557fbdd5538906530864

SHA1
8306a67c07a5fa50ce0f04775c46e76daf117e76

SHA256
410aab5444b5341c0e98f04fd2771e79baff01af0656bce21c1d68cb64c6fa3e

SHA512
1038d3d1742904b09445394dffc1a56607c0f4236950ac319cd17c5d06fedccd730d2fb08524a7004a9f68edf34a5c7efc0849ffc6ad9402705891a1662d44f1

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
337KB

MD5
bc2a6655ee6e4ef48d1b66e4c4324f03

SHA1
bea952ac0caaa7ec2b605cb5c5d688515b6a81e1

SHA256
0fc431eab3a09479942b83f78bb597a6112d481f9152c1e1e93c96815519053f

SHA512
fcd8e82e7fbf99e3b64e4367154da5107211d14aabe60d9256c41fe70304a7627a6b267761f7d671187c79e51dd0e30cee174418bd600e925d542e06e607700c

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
337KB

MD5
8f38fccacb333a3c74cfbc2f487ded52

SHA1
142fa2f85a1130f9ec5503a155ab659ce5d6fa57

SHA256
2e53274d27a51d3fa12fa020d1ad047fd2e9dea72a8a02b5b4128f833a95fb9a

SHA512
db58a0b3b3506b7753a443bc5e21f638bd93509432c786336de23ba773bbb01c03783490eef6d109e81ae28b91d0b02dcf9dac5dc6ba5a8888dc2b8124716566

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
337KB

MD5
1c3ec0cceaff12e8e002effbe25a25ca

SHA1
e842e683cc9eef91dca7852d1da38f313c17db01

SHA256
b35ee5a59d5719ce563bd2ec0680bfd3a5bdaa150da8295c800bfc63072c2e95

SHA512
b29cc5904704abb0e06798780bbfc5eb8b4ed42a517ca1f1de9d4d4e0b55ae464bb159820c2e7df9bf4022435a28d092e2489de8317d54043bf4ec84233ea0f0

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
337KB

MD5
307785d4192ec936ef17f4cfc36550ea

SHA1
5b576703dabc19de1c46f8f1f0903055714cd31f

SHA256
082f1d4e0a59e4d728ea331df6451325a543d1aa985f11deebfa6e5f64440e64

SHA512
9756e7e0f6b3d6e8092396c7fcbb53dc84079e1a57cf648940ad72eb7a98fc3d04e729a80663c531142c0b628f504f36d8576a3332f2c0cdb555b09ce1e631d2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
337KB

MD5
0f50121fde2bc6b826dfad2083e6cd0c

SHA1
6d11bd65b134b96bcf8a4c743c4133bee3470629

SHA256
a3a4928a6a04ac65863fe4416c306c18b22d108e4a140f0946d3ad4e71a637b2

SHA512
86bc941da9bf2ba0385fbbd95ebc62f0ad70612a1dc8e1900c62c0d25a136d7f5f251506ff42e38b6905c7d1dea4fb5e4d62c848c01fabfb627ec76600299cdc

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
337KB

MD5
2a6822e29d0bf80c3f90f355d7d7bc8b

SHA1
22fbf2001b4cbc5e52b76dc390083f62c964e50e

SHA256
b93c8ba63c40dd4f8d474b9f6d768a32947f963e13715d7a82a8ec2590bd82bb

SHA512
fc8d6b68f7b5e383fb4d5f4e347415b56f5e575746cf582ad02c01aa5fa2c57a70181858a17f5ccf99a771b2cd0338ec17ff71bd452dcf88c76d97d23c9f8e74

Download Submit
memory/32-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/32-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/32-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/528-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/544-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3160-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3876-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4060-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4660-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4748-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads