berbew | 0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/03/2025, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Size

777KB
MD5

ac13777c64c63de72404f862a705c5d1
SHA1

228b68229e3dd649e455f0a5a7f6204b7f0c2f74
SHA256

0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759
SHA512

b1d28d597e4bcff00cd18eba07327e2fe1796161f10321dfea588f12fcd8da126ae89bdc219ca3c27bbdd92d3ac04485dd28d8f1525be66e18da5c74c5d9b639
SSDEEP

12288:Q0c8nl7VRMsa5TugZKS9sUvkclI0/RTObN+9LuBoT7b2v4XrGB6i/1:Qonl7V9U91RlI0/RTOR+96o77i/1

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://tat-neftbank.ru/kkq.php

http://tat-neftbank.ru/wcmd.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bocolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cclkfdnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpgljfbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bldcpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfadgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bldcpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfadgq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bocolb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fidoim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cafecmlj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjfccn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpgljfbl.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 17 IoCs

pid	Process
2700	Bpgljfbl.exe
2592	Bfadgq32.exe
2824	Behnnm32.exe
2676	Bldcpf32.exe
2656	Bocolb32.exe
588	Cklmgb32.exe
300	Cafecmlj.exe
2864	Cclkfdnc.exe
2880	Cjfccn32.exe
1784	Djmicm32.exe
1744	Dhpiojfb.exe
2540	Ebmgcohn.exe
2280	Edkcojga.exe
1288	Ekelld32.exe
856	Effcma32.exe
1480	Fidoim32.exe
1556	Fkckeh32.exe

Loads dropped DLL 38 IoCs

pid	Process
2768	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
2768	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
2700	Bpgljfbl.exe
2700	Bpgljfbl.exe
2592	Bfadgq32.exe
2592	Bfadgq32.exe
2824	Behnnm32.exe
2824	Behnnm32.exe
2676	Bldcpf32.exe
2676	Bldcpf32.exe
2656	Bocolb32.exe
2656	Bocolb32.exe
588	Cklmgb32.exe
588	Cklmgb32.exe
300	Cafecmlj.exe
300	Cafecmlj.exe
2864	Cclkfdnc.exe
2864	Cclkfdnc.exe
2880	Cjfccn32.exe
2880	Cjfccn32.exe
1784	Djmicm32.exe
1784	Djmicm32.exe
1744	Dhpiojfb.exe
1744	Dhpiojfb.exe
2540	Ebmgcohn.exe
2540	Ebmgcohn.exe
2280	Edkcojga.exe
2280	Edkcojga.exe
1288	Ekelld32.exe
1288	Ekelld32.exe
856	Effcma32.exe
856	Effcma32.exe
1480	Fidoim32.exe
1480	Fidoim32.exe
1380	WerFault.exe
1380	WerFault.exe
1380	WerFault.exe
1380	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Odifab32.dll	Cjfccn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhpiojfb.exe	Djmicm32.exe
File opened for modification	C:\Windows\SysWOW64\Ekelld32.exe	Edkcojga.exe
File created	C:\Windows\SysWOW64\Bplpldoa.dll	Bfadgq32.exe
File opened for modification	C:\Windows\SysWOW64\Cklmgb32.exe	Bocolb32.exe
File created	C:\Windows\SysWOW64\Fahgfoih.dll	Cclkfdnc.exe
File created	C:\Windows\SysWOW64\Dhpiojfb.exe	Djmicm32.exe
File created	C:\Windows\SysWOW64\Ebmgcohn.exe	Dhpiojfb.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Ekelld32.exe
File created	C:\Windows\SysWOW64\Behnnm32.exe	Bfadgq32.exe
File created	C:\Windows\SysWOW64\Cafecmlj.exe	Cklmgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cafecmlj.exe	Cklmgb32.exe
File created	C:\Windows\SysWOW64\Cfgnhbba.dll	Cklmgb32.exe
File created	C:\Windows\SysWOW64\Cjfccn32.exe	Cclkfdnc.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Ekelld32.exe
File created	C:\Windows\SysWOW64\Iooklook.dll	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
File created	C:\Windows\SysWOW64\Bfadgq32.exe	Bpgljfbl.exe
File opened for modification	C:\Windows\SysWOW64\Edkcojga.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Ekelld32.exe	Edkcojga.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File opened for modification	C:\Windows\SysWOW64\Bfadgq32.exe	Bpgljfbl.exe
File opened for modification	C:\Windows\SysWOW64\Behnnm32.exe	Bfadgq32.exe
File opened for modification	C:\Windows\SysWOW64\Bldcpf32.exe	Behnnm32.exe
File created	C:\Windows\SysWOW64\Hadfjo32.dll	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Djmicm32.exe	Cjfccn32.exe
File opened for modification	C:\Windows\SysWOW64\Ebmgcohn.exe	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Clialdph.dll	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Gogcek32.dll	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Bocolb32.exe	Bldcpf32.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Ekelld32.exe
File opened for modification	C:\Windows\SysWOW64\Fidoim32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Khknah32.dll	Effcma32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Fidoim32.exe
File created	C:\Windows\SysWOW64\Bpgljfbl.exe	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
File opened for modification	C:\Windows\SysWOW64\Bpgljfbl.exe	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
File created	C:\Windows\SysWOW64\Ilcbjpbn.dll	Bpgljfbl.exe
File created	C:\Windows\SysWOW64\Cklmgb32.exe	Bocolb32.exe
File created	C:\Windows\SysWOW64\Olkbjhpi.dll	Bocolb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjfccn32.exe	Cclkfdnc.exe
File created	C:\Windows\SysWOW64\Eaklqfem.dll	Djmicm32.exe
File created	C:\Windows\SysWOW64\Edkcojga.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Bldcpf32.exe	Behnnm32.exe
File created	C:\Windows\SysWOW64\Fdlhfbqi.dll	Bldcpf32.exe
File created	C:\Windows\SysWOW64\Cclkfdnc.exe	Cafecmlj.exe
File opened for modification	C:\Windows\SysWOW64\Cclkfdnc.exe	Cafecmlj.exe
File created	C:\Windows\SysWOW64\Olfeho32.dll	Edkcojga.exe
File created	C:\Windows\SysWOW64\Fidoim32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Fidoim32.exe
File created	C:\Windows\SysWOW64\Okphjd32.dll	Behnnm32.exe
File opened for modification	C:\Windows\SysWOW64\Bocolb32.exe	Bldcpf32.exe
File opened for modification	C:\Windows\SysWOW64\Djmicm32.exe	Cjfccn32.exe

Program crash 1 IoCs

pid	pid_target	Process
1380	1556	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cklmgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cafecmlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpgljfbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behnnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cclkfdnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfadgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bocolb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebmgcohn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effcma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fidoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Edkcojga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldcpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjfccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djmicm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhpiojfb.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkbjhpi.dll"	Bocolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilcbjpbn.dll"	Bpgljfbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpgljfbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behnnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bocolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadfjo32.dll"	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cclkfdnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll"	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhfbqi.dll"	Bldcpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bldcpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odifab32.dll"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll"	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djmicm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpgljfbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfadgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bocolb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cclkfdnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjfccn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfadgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll"	Bfadgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cafecmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djmicm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iooklook.dll"	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bldcpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgnhbba.dll"	Cklmgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cafecmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gogcek32.dll"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll"	Edkcojga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okphjd32.dll"	Behnnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cklmgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll"	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Fidoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll"	Cclkfdnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebmgcohn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edkcojga.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2768 wrote to memory of 2700	2768	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe	30
PID 2768 wrote to memory of 2700	2768	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe	30
PID 2768 wrote to memory of 2700	2768	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe	30
PID 2768 wrote to memory of 2700	2768	0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe	30
PID 2700 wrote to memory of 2592	2700	Bpgljfbl.exe	31
PID 2700 wrote to memory of 2592	2700	Bpgljfbl.exe	31
PID 2700 wrote to memory of 2592	2700	Bpgljfbl.exe	31
PID 2700 wrote to memory of 2592	2700	Bpgljfbl.exe	31
PID 2592 wrote to memory of 2824	2592	Bfadgq32.exe	32
PID 2592 wrote to memory of 2824	2592	Bfadgq32.exe	32
PID 2592 wrote to memory of 2824	2592	Bfadgq32.exe	32
PID 2592 wrote to memory of 2824	2592	Bfadgq32.exe	32
PID 2824 wrote to memory of 2676	2824	Behnnm32.exe	33
PID 2824 wrote to memory of 2676	2824	Behnnm32.exe	33
PID 2824 wrote to memory of 2676	2824	Behnnm32.exe	33
PID 2824 wrote to memory of 2676	2824	Behnnm32.exe	33
PID 2676 wrote to memory of 2656	2676	Bldcpf32.exe	34
PID 2676 wrote to memory of 2656	2676	Bldcpf32.exe	34
PID 2676 wrote to memory of 2656	2676	Bldcpf32.exe	34
PID 2676 wrote to memory of 2656	2676	Bldcpf32.exe	34
PID 2656 wrote to memory of 588	2656	Bocolb32.exe	35
PID 2656 wrote to memory of 588	2656	Bocolb32.exe	35
PID 2656 wrote to memory of 588	2656	Bocolb32.exe	35
PID 2656 wrote to memory of 588	2656	Bocolb32.exe	35
PID 588 wrote to memory of 300	588	Cklmgb32.exe	36
PID 588 wrote to memory of 300	588	Cklmgb32.exe	36
PID 588 wrote to memory of 300	588	Cklmgb32.exe	36
PID 588 wrote to memory of 300	588	Cklmgb32.exe	36
PID 300 wrote to memory of 2864	300	Cafecmlj.exe	37
PID 300 wrote to memory of 2864	300	Cafecmlj.exe	37
PID 300 wrote to memory of 2864	300	Cafecmlj.exe	37
PID 300 wrote to memory of 2864	300	Cafecmlj.exe	37
PID 2864 wrote to memory of 2880	2864	Cclkfdnc.exe	38
PID 2864 wrote to memory of 2880	2864	Cclkfdnc.exe	38
PID 2864 wrote to memory of 2880	2864	Cclkfdnc.exe	38
PID 2864 wrote to memory of 2880	2864	Cclkfdnc.exe	38
PID 2880 wrote to memory of 1784	2880	Cjfccn32.exe	39
PID 2880 wrote to memory of 1784	2880	Cjfccn32.exe	39
PID 2880 wrote to memory of 1784	2880	Cjfccn32.exe	39
PID 2880 wrote to memory of 1784	2880	Cjfccn32.exe	39
PID 1784 wrote to memory of 1744	1784	Djmicm32.exe	40
PID 1784 wrote to memory of 1744	1784	Djmicm32.exe	40
PID 1784 wrote to memory of 1744	1784	Djmicm32.exe	40
PID 1784 wrote to memory of 1744	1784	Djmicm32.exe	40
PID 1744 wrote to memory of 2540	1744	Dhpiojfb.exe	41
PID 1744 wrote to memory of 2540	1744	Dhpiojfb.exe	41
PID 1744 wrote to memory of 2540	1744	Dhpiojfb.exe	41
PID 1744 wrote to memory of 2540	1744	Dhpiojfb.exe	41
PID 2540 wrote to memory of 2280	2540	Ebmgcohn.exe	42
PID 2540 wrote to memory of 2280	2540	Ebmgcohn.exe	42
PID 2540 wrote to memory of 2280	2540	Ebmgcohn.exe	42
PID 2540 wrote to memory of 2280	2540	Ebmgcohn.exe	42
PID 2280 wrote to memory of 1288	2280	Edkcojga.exe	43
PID 2280 wrote to memory of 1288	2280	Edkcojga.exe	43
PID 2280 wrote to memory of 1288	2280	Edkcojga.exe	43
PID 2280 wrote to memory of 1288	2280	Edkcojga.exe	43
PID 1288 wrote to memory of 856	1288	Ekelld32.exe	44
PID 1288 wrote to memory of 856	1288	Ekelld32.exe	44
PID 1288 wrote to memory of 856	1288	Ekelld32.exe	44
PID 1288 wrote to memory of 856	1288	Ekelld32.exe	44
PID 856 wrote to memory of 1480	856	Effcma32.exe	45
PID 856 wrote to memory of 1480	856	Effcma32.exe	45
PID 856 wrote to memory of 1480	856	Effcma32.exe	45
PID 856 wrote to memory of 1480	856	Effcma32.exe	45

C:\Users\Admin\AppData\Local\Temp\0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe
"C:\Users\Admin\AppData\Local\Temp\0909abdc84b1c7a397364baa0a89b5d183931e88f605627535593e3659614759.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Windows\SysWOW64\Bpgljfbl.exe
  C:\Windows\system32\Bpgljfbl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Bfadgq32.exe
    C:\Windows\system32\Bfadgq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Behnnm32.exe
      C:\Windows\system32\Behnnm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2824
    - - C:\Windows\SysWOW64\Bldcpf32.exe
        
        C:\Windows\system32\Bldcpf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Bocolb32.exe
        
        C:\Windows\system32\Bocolb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Cklmgb32.exe
        
        C:\Windows\system32\Cklmgb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Cafecmlj.exe
        
        C:\Windows\system32\Cafecmlj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:300
        
        C:\Windows\SysWOW64\Cclkfdnc.exe
        
        C:\Windows\system32\Cclkfdnc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Cjfccn32.exe
        
        C:\Windows\system32\Cjfccn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Djmicm32.exe
        
        C:\Windows\system32\Djmicm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\SysWOW64\Dhpiojfb.exe
        
        C:\Windows\system32\Dhpiojfb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Edkcojga.exe
        
        C:\Windows\system32\Edkcojga.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Fidoim32.exe
        
        C:\Windows\system32\Fidoim32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Behnnm32.exe

Filesize
777KB

MD5
7e5d98d2c914e99a4309e5dbe9da7d72

SHA1
c9bc14e5d68d5a2a84b209c6a2075fbd77299775

SHA256
95955fc07584cab409d26497162e8893537cf22d554e9716f9ac0691ec3c12da

SHA512
778f3d3e6ff908cc98431b7e8b7548e7355b3b8b3ce1d9e8c9e1b750e57104e617fe0fbebc7d636f00752b871d3c7417e7a62be4343754ca1c70b4236afc6ba3

Download Submit
C:\Windows\SysWOW64\Bfadgq32.exe

Filesize
777KB

MD5
69aff136c8ba5e100710c34506b725d8

SHA1
18c1de4eba226e13d89e7e705115a1eec419e89f

SHA256
ab1412ab928359a4143f02cb999e90d30937effdb617ce976644902da6f35c20

SHA512
41129f046a3c3a1e862c1850666db2a60d6ba2d6f2cec40dcc70989f8f17a2d169989260a2be8721de4132723a8d6725c1bbf95b16bbb6047f66da9a296da146

Download Submit
C:\Windows\SysWOW64\Bldcpf32.exe

Filesize
777KB

MD5
8fb2626f9f53a7b97dfe9c25d7e287b5

SHA1
2312cfbc4c25751fcb7250ed36f1857e88fdc65a

SHA256
c947f81e599054cbbde155a98ca051c3d4137d700ea892c401f0a0fcfcd80c4f

SHA512
2993442ec64bfa1882f6cb9a30d4d9dbb638e61228c7a655d967ca20ba6f291b23a6edf91403dc2d49be9aed8b90cba0b560065131731c24e3cbf253400963e4

Download Submit
C:\Windows\SysWOW64\Bocolb32.exe

Filesize
777KB

MD5
c38c063a377093217ebe1583e2a2ad03

SHA1
007e788012481fe51dd7b58367e5f094d49d8092

SHA256
c80ecfd9a25b14e9940d2a6422fbca1c1a49bcf34d1c5c713f83ddeb665a77b1

SHA512
9d9be15286f67722b15033e049cb61b6b63f439e05adcb32c050d890b0423db5bf66004466ad1ec6ac526f3cf78ba74157959fd6d10b5d6efb49514a945acc52

Download Submit
C:\Windows\SysWOW64\Cclkfdnc.exe

Filesize
777KB

MD5
4f054906531de531f8f9d246fd314218

SHA1
17a042f933c1d376d064714a89c0f99eaf7b1d1b

SHA256
b61dce8b62f4702e299465a0ce32af165c63b37848b5d86da2c525c82e827524

SHA512
9fd4c73ce3469bb27aa857d11d6615ee631c16ec13cd48ba15b7ca0f3839c65c45e96e8716ee42c6412017ab94fc7892b2c51f03144cda7df729f1a06bac2d43

Download Submit
C:\Windows\SysWOW64\Dhpiojfb.exe

Filesize
777KB

MD5
8eff186250437c5862959d541e9ba78b

SHA1
764371ffcbf96900debecd6bb4c10ae58a188527

SHA256
effbb91e21a3dbb82486194274b123051c30c4b19a2005a4cfe0eec864b55509

SHA512
b4aa1d8e3f052afbef856fa816f37d28e49fa529cebb24cca8aa5d9ed73ac645dd0adb91428a3125f9ef736cea5812acd1ad73e30daba7a6f9e4e56966e5b986

Download Submit
C:\Windows\SysWOW64\Djmicm32.exe

Filesize
777KB

MD5
909b63671635ba1b64c143474b52f109

SHA1
d85c02f6f4b14526f1873d01d80636357f098526

SHA256
c3f2ba8303170837f3f02631e84284bf2836efd94b43cbcb6f6514e01ac7718e

SHA512
b9e1b39ce78a583c015392852e837f2f5173f654436325c3bd27910e810d01541c8ba6ac36585e6986053116fdef759478d5a65ae299c822005d9d88cf0123aa

Download Submit
C:\Windows\SysWOW64\Ebmgcohn.exe

Filesize
777KB

MD5
f464b1ce7caec65d0c96e46dbf445f48

SHA1
52966960d1d14b002d0d4041a2e27f040616c2c8

SHA256
56690cf86830afbedd397273670d01ae04e993a2fa5511364d87ce9df1a8e8c5

SHA512
d20619a787e95d43ab600adc61d54329bc8cf2209fc936f4cb396b2edae175353531cca835b71604c6ae892027dba602765e0ca4ad3572a1a08adf85526de2da

Download Submit
C:\Windows\SysWOW64\Edkcojga.exe

Filesize
777KB

MD5
38a2266e3bfe94d9b7512ce0276d8e05

SHA1
5203200ee5be53ec484561ef5a312dad7cad48f7

SHA256
2f2ecb074eb652569f200267cf24e5532de4f3126d5099be054dbd9c613cbb7b

SHA512
29b2fd95c9f4e37a0c0efcde2fb22bb393e8272f243d0acff543384adac03e383ef4bc9ec7615e6982a583c340ff6290f363fb223b43291a59b4a4a7705e54eb

Download Submit
C:\Windows\SysWOW64\Ekelld32.exe

Filesize
777KB

MD5
de9926e6d95ba25695849d78a74c4084

SHA1
269e32dc20f72794608515007bfbc605c18a604b

SHA256
6aa89a992bd4b3b4eb80de78b9ddfd4e8de55e42492b5779a921437deb60f347

SHA512
db3e386edf7cc00c901a7dc586b0164cb900ee20595bdac63097080ff6396d13a930e16e1527ada306b164dadd143fbc7f1e443f04069a19635420249ab0ff98

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
777KB

MD5
423e00c190d3a5a659ba612c9a4a4317

SHA1
5eb422c5643073cedc6b426d9ab04dc5923bdcb8

SHA256
1ad0a8082d44d9166b9afca81fe6db4c732ed658ecbbe74a79fbcbc738d423ee

SHA512
82471e2cb1474283997b67df6cf94e00dc29bc7fccbba41bb141bfe32d5b5e9311a138f89bbcd23c657cacc387d29685201d29f638cc44aa0dd2e52945ad3cfe

Download Submit
\Windows\SysWOW64\Bpgljfbl.exe

Filesize
777KB

MD5
21e5ed58637cbb2f1445ad0e41361559

SHA1
4ba3e0e646232b0c36651a796d27721d45677169

SHA256
f71591296a10cc75eb6bc06a164a60c1d1e8f62dd43334f64340a9f68097e90b

SHA512
0c4e8544ff7579f4d33573968650d75b6652b68dd2139e9ced1c5b151516f3843e5e304d4fbd1e8dadfecfe34e348d76a4334df4897e420ae7551cb65dc3dce5

Download Submit
\Windows\SysWOW64\Cafecmlj.exe

Filesize
777KB

MD5
1f79066759cde44eb76ce8e134576857

SHA1
84924fa9e8d6a78ff2032f9ebedea5172230ea16

SHA256
483b955b062a468d31e2bc376fe74be8ca38f1d2cdc6a4deb9a3d567fc899ecb

SHA512
8fa429407151789b8cc9d74b2a91e00aa38fd3feac90be5b200c6c62452cd836345837138f9497b7aab3b825a6d1f863938c68c7f6a0698e4f46339fdcf1dd36

Download Submit
\Windows\SysWOW64\Cjfccn32.exe

Filesize
777KB

MD5
8f0107500c3e374a23a215850a2bed43

SHA1
fd9075be64ccf91a570b0a32f46e92de584a461d

SHA256
2a261f24a958afedaa3f8715e14814cb7431d073188d75fafd257ec91ecb23c5

SHA512
fe317d47b9d3d1c242fa0dee7f2133fa19d44031faba187e0bceed147dc98538aa094d970a410e2f7f596fd89907a8d01d5229982d89e16ac9c61104bfca9359

Download Submit
\Windows\SysWOW64\Cklmgb32.exe

Filesize
777KB

MD5
7b8c04c86ac9ab442b014977adbb3312

SHA1
9744fa4093827ffb42bb00925ef388016c088c7b

SHA256
e148841eeff1abf2c2ced418df33c40465434148d5c5f573e5317ca07b99e764

SHA512
a0ae16a7ef6d716bd0709f2511fcd59e74d0ce870b275a8183575bed9803fba58dc4db64c94c50110f50947c935e2e5b44e56af4ceadd583f80a9ac4b47d18ed

Download Submit
\Windows\SysWOW64\Effcma32.exe

Filesize
777KB

MD5
9a98c8606f2cf6a0dcb1cc5cb5cc413b

SHA1
3a6526cca9c764995641febc25590e00b01d4e19

SHA256
e7f22862ccf7c7c30e06beec134eff025847db2e71ea924814efec45cf92bdb6

SHA512
9ab5180b3535f86488ceaa1c42c2fb3a13e7955f383f6ca95b8738cf068dc6c3195995dca286b1fde7ae480dd08e641cd2356cef68aad3b97500e97b03e50464

Download Submit
\Windows\SysWOW64\Fidoim32.exe

Filesize
777KB

MD5
e0a9e8009d48e8f3d72c8cdf56d768eb

SHA1
871b8e9a359f66f330fdfc36a9c2aed6a4d0f6d1

SHA256
ef17669c85e4facbd79d16075ecf6c14f6645c51d68b358f34d8ed9a52c85bd9

SHA512
9710dba438b15c140931d470931d72edb11aad2aebc55c507387a2391e017ef3ddd590b65aecc01b84a4aaadc1fef7d0741834cbc54c13d8e790619567f334ce

Download Submit
memory/300-108-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/300-157-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/300-99-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/588-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/588-97-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/856-232-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/856-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/856-237-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1288-217-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1288-254-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1288-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1480-249-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/1480-251-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/1480-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1556-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-182-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1744-170-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1744-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1744-230-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1784-159-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1784-208-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1784-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1784-158-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2280-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-253-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2280-209-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2280-207-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2540-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2540-245-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2540-186-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2592-91-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2592-37-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2592-26-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-38-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2592-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-83-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2656-129-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2656-77-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2656-68-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2676-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-18-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-17-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2768-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-48-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2824-107-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2824-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-127-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2864-176-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2880-144-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2880-139-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2880-130-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2880-193-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2880-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads