berbew | d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Size

77KB
MD5

58bc53c3c65fac79f40aa0da4306dd79
SHA1

110dbe0054fcafe8ad719d871d0f5aa4a47dc0c0
SHA256

d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32
SHA512

ec2ab1c964a7f51e5b18d1f29a6d565c88a7112ee742f0f0fc0bba5be18d734a039119d95b7562861137bc3c9bf5497e0d3232b594602a344cba6eb4e6e3e2bc
SSDEEP

1536:Z2EKsvl0v6/u+i3J+IpPhmOOCGDqEb4SlAyPQt1/2Lt3Twfi+TjRC/D:L/3qgShdOCbEb4wQwNwf1TjYD

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinfhigl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdkgocpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 17 IoCs

pid	Process
2716	Bajomhbl.exe
2812	Blobjaba.exe
2864	Bonoflae.exe
1424	Balkchpi.exe
320	Bdkgocpm.exe
2644	Bjdplm32.exe
2204	Bejdiffp.exe
2344	Bfkpqn32.exe
1596	Bobhal32.exe
1824	Cpceidcn.exe
2944	Cfnmfn32.exe
1188	Ckiigmcd.exe
2436	Cpfaocal.exe
1992	Cinfhigl.exe
2268	Clmbddgp.exe
468	Cgbfamff.exe
300	Ceegmj32.exe

Loads dropped DLL 38 IoCs

pid	Process
2860	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
2860	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
2716	Bajomhbl.exe
2716	Bajomhbl.exe
2812	Blobjaba.exe
2812	Blobjaba.exe
2864	Bonoflae.exe
2864	Bonoflae.exe
1424	Balkchpi.exe
1424	Balkchpi.exe
320	Bdkgocpm.exe
320	Bdkgocpm.exe
2644	Bjdplm32.exe
2644	Bjdplm32.exe
2204	Bejdiffp.exe
2204	Bejdiffp.exe
2344	Bfkpqn32.exe
2344	Bfkpqn32.exe
1596	Bobhal32.exe
1596	Bobhal32.exe
1824	Cpceidcn.exe
1824	Cpceidcn.exe
2944	Cfnmfn32.exe
2944	Cfnmfn32.exe
1188	Ckiigmcd.exe
1188	Ckiigmcd.exe
2436	Cpfaocal.exe
2436	Cpfaocal.exe
1992	Cinfhigl.exe
1992	Cinfhigl.exe
2268	Clmbddgp.exe
2268	Clmbddgp.exe
468	Cgbfamff.exe
468	Cgbfamff.exe
2376	WerFault.exe
2376	WerFault.exe
2376	WerFault.exe
2376	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eignpade.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Bjpdmqog.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cinfhigl.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Fcohbnpe.dll	Balkchpi.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Cgbfamff.exe	Clmbddgp.exe
File created	C:\Windows\SysWOW64\Lbonaf32.dll	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe
File created	C:\Windows\SysWOW64\Hocjoqin.dll	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Bjdplm32.exe	Bdkgocpm.exe
File created	C:\Windows\SysWOW64\Fpcopobi.dll	Bdkgocpm.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Clmbddgp.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Eelloqic.dll	Cinfhigl.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bjdplm32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Ckiigmcd.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
File created	C:\Windows\SysWOW64\Bdkgocpm.exe	Balkchpi.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Cgbfamff.exe	Clmbddgp.exe
File opened for modification	C:\Windows\SysWOW64\Balkchpi.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Ckiigmcd.exe
File created	C:\Windows\SysWOW64\Mblnbcjf.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cgbfamff.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Clmbddgp.exe	Cinfhigl.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Balkchpi.exe	Bonoflae.exe
File opened for modification	C:\Windows\SysWOW64\Ckiigmcd.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cinfhigl.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cgbfamff.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2376	300	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bonoflae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdplm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfaocal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clmbddgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajomhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiigmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinfhigl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgbfamff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balkchpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdkgocpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hocjoqin.dll"	Bonoflae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpdmqog.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiigmcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bjdplm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgbfamff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbonaf32.dll"	Clmbddgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgbfamff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clmbddgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcohbnpe.dll"	Balkchpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiigmcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mblnbcjf.dll"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eelloqic.dll"	Cinfhigl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjdplm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balkchpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcopobi.dll"	Bdkgocpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bfkpqn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2716	2860	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe	30
PID 2860 wrote to memory of 2716	2860	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe	30
PID 2860 wrote to memory of 2716	2860	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe	30
PID 2860 wrote to memory of 2716	2860	d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe	30
PID 2716 wrote to memory of 2812	2716	Bajomhbl.exe	31
PID 2716 wrote to memory of 2812	2716	Bajomhbl.exe	31
PID 2716 wrote to memory of 2812	2716	Bajomhbl.exe	31
PID 2716 wrote to memory of 2812	2716	Bajomhbl.exe	31
PID 2812 wrote to memory of 2864	2812	Blobjaba.exe	32
PID 2812 wrote to memory of 2864	2812	Blobjaba.exe	32
PID 2812 wrote to memory of 2864	2812	Blobjaba.exe	32
PID 2812 wrote to memory of 2864	2812	Blobjaba.exe	32
PID 2864 wrote to memory of 1424	2864	Bonoflae.exe	33
PID 2864 wrote to memory of 1424	2864	Bonoflae.exe	33
PID 2864 wrote to memory of 1424	2864	Bonoflae.exe	33
PID 2864 wrote to memory of 1424	2864	Bonoflae.exe	33
PID 1424 wrote to memory of 320	1424	Balkchpi.exe	34
PID 1424 wrote to memory of 320	1424	Balkchpi.exe	34
PID 1424 wrote to memory of 320	1424	Balkchpi.exe	34
PID 1424 wrote to memory of 320	1424	Balkchpi.exe	34
PID 320 wrote to memory of 2644	320	Bdkgocpm.exe	35
PID 320 wrote to memory of 2644	320	Bdkgocpm.exe	35
PID 320 wrote to memory of 2644	320	Bdkgocpm.exe	35
PID 320 wrote to memory of 2644	320	Bdkgocpm.exe	35
PID 2644 wrote to memory of 2204	2644	Bjdplm32.exe	36
PID 2644 wrote to memory of 2204	2644	Bjdplm32.exe	36
PID 2644 wrote to memory of 2204	2644	Bjdplm32.exe	36
PID 2644 wrote to memory of 2204	2644	Bjdplm32.exe	36
PID 2204 wrote to memory of 2344	2204	Bejdiffp.exe	37
PID 2204 wrote to memory of 2344	2204	Bejdiffp.exe	37
PID 2204 wrote to memory of 2344	2204	Bejdiffp.exe	37
PID 2204 wrote to memory of 2344	2204	Bejdiffp.exe	37
PID 2344 wrote to memory of 1596	2344	Bfkpqn32.exe	38
PID 2344 wrote to memory of 1596	2344	Bfkpqn32.exe	38
PID 2344 wrote to memory of 1596	2344	Bfkpqn32.exe	38
PID 2344 wrote to memory of 1596	2344	Bfkpqn32.exe	38
PID 1596 wrote to memory of 1824	1596	Bobhal32.exe	39
PID 1596 wrote to memory of 1824	1596	Bobhal32.exe	39
PID 1596 wrote to memory of 1824	1596	Bobhal32.exe	39
PID 1596 wrote to memory of 1824	1596	Bobhal32.exe	39
PID 1824 wrote to memory of 2944	1824	Cpceidcn.exe	40
PID 1824 wrote to memory of 2944	1824	Cpceidcn.exe	40
PID 1824 wrote to memory of 2944	1824	Cpceidcn.exe	40
PID 1824 wrote to memory of 2944	1824	Cpceidcn.exe	40
PID 2944 wrote to memory of 1188	2944	Cfnmfn32.exe	41
PID 2944 wrote to memory of 1188	2944	Cfnmfn32.exe	41
PID 2944 wrote to memory of 1188	2944	Cfnmfn32.exe	41
PID 2944 wrote to memory of 1188	2944	Cfnmfn32.exe	41
PID 1188 wrote to memory of 2436	1188	Ckiigmcd.exe	42
PID 1188 wrote to memory of 2436	1188	Ckiigmcd.exe	42
PID 1188 wrote to memory of 2436	1188	Ckiigmcd.exe	42
PID 1188 wrote to memory of 2436	1188	Ckiigmcd.exe	42
PID 2436 wrote to memory of 1992	2436	Cpfaocal.exe	43
PID 2436 wrote to memory of 1992	2436	Cpfaocal.exe	43
PID 2436 wrote to memory of 1992	2436	Cpfaocal.exe	43
PID 2436 wrote to memory of 1992	2436	Cpfaocal.exe	43
PID 1992 wrote to memory of 2268	1992	Cinfhigl.exe	44
PID 1992 wrote to memory of 2268	1992	Cinfhigl.exe	44
PID 1992 wrote to memory of 2268	1992	Cinfhigl.exe	44
PID 1992 wrote to memory of 2268	1992	Cinfhigl.exe	44
PID 2268 wrote to memory of 468	2268	Clmbddgp.exe	45
PID 2268 wrote to memory of 468	2268	Clmbddgp.exe	45
PID 2268 wrote to memory of 468	2268	Clmbddgp.exe	45
PID 2268 wrote to memory of 468	2268	Clmbddgp.exe	45

C:\Users\Admin\AppData\Local\Temp\d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe
"C:\Users\Admin\AppData\Local\Temp\d4f37e2a2cb714a4e3400fd64d5726af258ad10b764ae8955c5a479f5abf5c32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\SysWOW64\Bajomhbl.exe
  C:\Windows\system32\Bajomhbl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\Blobjaba.exe
    C:\Windows\system32\Blobjaba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Bonoflae.exe
      C:\Windows\system32\Bonoflae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\SysWOW64\Balkchpi.exe
        
        C:\Windows\system32\Balkchpi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\SysWOW64\Bdkgocpm.exe
        
        C:\Windows\system32\Bdkgocpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Bjdplm32.exe
        
        C:\Windows\system32\Bjdplm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\Ckiigmcd.exe
        
        C:\Windows\system32\Ckiigmcd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Cpfaocal.exe
        
        C:\Windows\system32\Cpfaocal.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Cinfhigl.exe
        
        C:\Windows\system32\Cinfhigl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Clmbddgp.exe
        
        C:\Windows\system32\Clmbddgp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Cgbfamff.exe
        
        C:\Windows\system32\Cgbfamff.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 300 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
77KB

MD5
77e5bc9f3287f98e41979df0542d33c9

SHA1
172d6edec84f3d23192295b8e5c490cbb3f4316d

SHA256
57b814fa40a790aac1403fd4bdcc909ecf79fb86b51518311ee05ea7fd6982d5

SHA512
434aaffc4f77421c7099a7f0b85ab2aaacf6e12e89de37c602cd9484a5c478ffc4f4aa2e00bbd2c56dfa425370c59a4684e48e923691b81f0c9b56c9eac352d9

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
77KB

MD5
82ed343810100656a3e1c2c591bf30a5

SHA1
ea733f01a890bcee59389edf715f64c0c5c2282a

SHA256
384ee96a92ad3f72e159154ee2fed15e4d3dc2513c84364dc13ea2d059a11672

SHA512
d02565b438b1b450abe6fab90e9341c57d9d1ce3a3bee7c60e9e530e452d8fac5e35e16eab2b649e2cddf42df17d8116836ec43cb34161c1eda87872bc1ce187

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
77KB

MD5
094247994eef151dfbdc6bfab81e4019

SHA1
862c9f2747164b26220cd81fdd3b1e8b5f324985

SHA256
9e7165013eefb4c1872d446688fa492000acdc04cb2cec4b86d8d12b8a1a8d16

SHA512
5e1da693b4eb1e1271252bc9000b70149675d9b370d73257d5322434ae56c0ea184a6f6ff278c6ef96fc38e921e0ea643db2c3bd48cc0a3139ab87f46a1af02b

Download Submit
\Windows\SysWOW64\Balkchpi.exe

Filesize
77KB

MD5
14b59e9374c38153dda12a39f48f51f4

SHA1
65e710b5026cd09fecfa1efc40cf71abb8abad19

SHA256
b80cf243ee28efaf4b234142582a2e26998136b6fc43de7fe31714a6e03cbcc6

SHA512
99839da9d59fdc6ec8935f1740038e691248dbd9759f90bf048537711379bb7ac57f4b892b13f8c3eb61389c5f1da15cbe619e26429f685ea5f24c5b2760153d

Download Submit
\Windows\SysWOW64\Bdkgocpm.exe

Filesize
77KB

MD5
077c208be9a2b47fa3eff09b2c8fbaca

SHA1
29352fdce207bbddade014e8e1ee34d12fc957d6

SHA256
0c6f91af3ddcc5d4323699204e86c58c0fe8dc09ecc13aa01e11f49da5bd9a98

SHA512
43e199ac7e4849bc0d88113d0a33d3e30818da63272527871a748cf5dee961043d967bf332df2f5668b172716bcb77d4e50686cc81cf658354ea08259746dab1

Download Submit
\Windows\SysWOW64\Bejdiffp.exe

Filesize
77KB

MD5
cc9271b4ec315fb9cbb2c97af19e85ce

SHA1
258630397040a299d05374c21023a612f2f5cc22

SHA256
016638b4d18f025b133dd24190a175a459069dda665474fec25c7668792c104d

SHA512
23c6ac6f7f721c9400289f040610eca9790239e5da5176e62df3d27aa25a074e89c55ae182072c3eba2a870f3fa0b602600a315c9f3e04de17e66e4538ce6824

Download Submit
\Windows\SysWOW64\Bfkpqn32.exe

Filesize
77KB

MD5
39846f93e3bead21f86ea6858c431ad3

SHA1
14af1a287bc927bb0e6a422fc310286832933d11

SHA256
c5e5e29701ec776e05efa514802cb5da1cbbb73b087374e1a9d696b04a276c5b

SHA512
7a4aff8f78f6839ad29120e7ee61ae9036f4a23e3bd526a29251438796ea45bd1f23ccdad8606b39b7d9476ede7a174777b5d82fb1d620633cf5e8318f796b18

Download Submit
\Windows\SysWOW64\Bjdplm32.exe

Filesize
77KB

MD5
01fdb46279d265d04a45ed1d9bebd09c

SHA1
c0209684ef57b5e7bed2e6395088fff1a11b38b2

SHA256
95d1a7bfd4325e3a4ed33ef5f7799f456e5e19b50c14d72b840be1877476e3ef

SHA512
7bc58440ad3f03fa956b27d9ffad77ddead7a3b1345b34c1b37edec46a6425c1409de374519412a6e02331353709034c7fc1e67aad4bc49851cbc121b49080cb

Download Submit
\Windows\SysWOW64\Bobhal32.exe

Filesize
77KB

MD5
06a4284a218eb910a1a0f88c2d99de05

SHA1
e7f5872a58b8f2b9eab3b53739d87960a8856276

SHA256
819585fc0aca17b6c84e50fe21ba82141018e2fbba002d6596c461082b9696c8

SHA512
52217cb2a0955056a14181c70be0b462592464d4e3c61af150587128eab8c22b66f7a6311e24edd8ae853d83f523a0b8721211a1c7e2ff5c1a2775d212d71693

Download Submit
\Windows\SysWOW64\Bonoflae.exe

Filesize
77KB

MD5
1c9204c6d5ec2822bb9cee035b89cebe

SHA1
3e0597f96e0e704c97e7d3c0c4395a7b71aaf85d

SHA256
a7c58908281c234573110c09e8f616d11df038793a7a9df1531cbd92ea74cfc7

SHA512
17da9650030f56d53bd7d96028ee9858ae6a81c08ac554130988ea00b2e2db46ede7df94dc8051f55ef730abeb60e2b07088e9c6fcd8be753ffe5d62b8351c1f

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
77KB

MD5
4ca592cfdb91add10340e3dc8e584f9f

SHA1
c8fa2d8365892c2a4a0c6ebeb1ceb832c103bd1c

SHA256
6ad5cf0fa1fed8970ca9901eadca4c05eed4419cf33a1dea6f28db9ced6f0b50

SHA512
5d0df1a9018d94d60b46c8c0075a674ba6e71f8d9e60d89508ae91e5487cb9ba7fba4a31576f6bb57710a32a9d798277988a200cf24a03e817b0462a03fbc43b

Download Submit
\Windows\SysWOW64\Cgbfamff.exe

Filesize
77KB

MD5
81f1fd3206845c402da2cb7dc18579d8

SHA1
243bcd9e7161efc7161cf282ae1ed0ec6ea5aadc

SHA256
f853525d605028b45c70df7b3ddcd6cc015a1d960083646fae93300e18d585a5

SHA512
c342918d1c1f3cf606341402da610f0a3131b7a5acfebe20e712db3cfc29db0bb1a6b36f69679dd0d6998e6054f7a2aa4a52b4e95fd788fdfe2cd0b633ecc14c

Download Submit
\Windows\SysWOW64\Cinfhigl.exe

Filesize
77KB

MD5
c3efef199f5f77479e25d76af1c6d4d6

SHA1
b23c9730cbbedfe0e27feb85fd6b6c6e9f4f25e7

SHA256
40a2ab3b1546a2f5ac701f0ecdc583f0ec6fff21f3942ce2e66013e17e330a1f

SHA512
df07beee085966f3ee2d03048a00ddf15223b6f8a7054918095f5389fb93d33b2e62e87b240ff7f88da5dc2f32b2a135edd6ac62cb9acfe752283b9924c7b4ab

Download Submit
\Windows\SysWOW64\Ckiigmcd.exe

Filesize
77KB

MD5
817d71bd1f699949d65930515f6bf19a

SHA1
a86c41a52c497252126ebbb5ba002419046c0e8c

SHA256
287d44069db58d53240767eb22fac37dcbdc672decde45bfa5a658c3c91eaa71

SHA512
cfa81f6d53bc6b6e5acdf832f345ccdb5e28777903492f11b18720cc567b22be84872ad039b31c1a9775557e7bfef57f5a134fe79308030c16b1be922aef9b4e

Download Submit
\Windows\SysWOW64\Clmbddgp.exe

Filesize
77KB

MD5
a2518b740e42262737cdc7b9a447e9a5

SHA1
1a15b0340331ccf0aff631a396a0ffdd8967ee00

SHA256
2709b12a4aca90603526189ecc3d84c1555d46611b8a4f79adbd2b006b015a3a

SHA512
19545b481976c65d2ceba4e1b1178a97ad968397f295cc241731bcb95b3417a3d3f7b931f10bb27c0411a91b4b27861fe7ab50440a64d6194b1d3388c1dce152

Download Submit
\Windows\SysWOW64\Cpceidcn.exe

Filesize
77KB

MD5
71a52530480f302b1848693d7eb60272

SHA1
864f218bc706648c2d166497d4cd813dfd1a26f2

SHA256
3ce2d556e6e132e8ae57ccde3f9b7b4ef5a22ddbb11861c91f7369a03292d56c

SHA512
5a7f89df4dc392ae731e5a68263c92be96d74526dab5076b062ee114b7bc7ec4769ce5e1852a68b342f035d685159b5e3b5e1e6efe70e384ce7e51df1d909231

Download Submit
\Windows\SysWOW64\Cpfaocal.exe

Filesize
77KB

MD5
9253a4bd39087143f0f42dad563ecd3a

SHA1
0af4261e3ce33019a1572de5819985134cfee68c

SHA256
ce4ce29f5a10aa9874035d63d67315291bc2444201d448425911d44f02e33c57

SHA512
8d9541a895d69dca549a48f35ecb3fc1a4fe6e7948f2949f48f048ec8f3b0c8acc9ad2d3507f6ad28f9b87848040e82edbeb47a9419bebbb5b0af2aff461388c

Download Submit
memory/300-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/300-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-78-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/320-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1188-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1424-58-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-119-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1992-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2204-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-210-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2268-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-183-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2436-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-91-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2644-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-39-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2812-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-12-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2860-11-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2864-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-153-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads