berbew | b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8daca

Analysis

max time kernel
75s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-10-2024 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Size

67KB
MD5

0d944c7dd261d0256389d613d0227110
SHA1

acbe7620cae080833b955a28f596f7b05d7b2d8b
SHA256

b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8daca
SHA512

227a426886a9a21375a35a807d1a0d7d46abb81f1d1d52525810cea10016e43c2248d08c71b4a38d36cc95960aba465c17544664a805ee750f811201cce1c67a
SSDEEP

1536:CXHB10zB3YZTlJtJNRx2MoiLZ1cgCe8uC:kB1G36DtJNRx7ZugCe8uC

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 17 IoCs

pid	Process
2112	Ciihklpj.exe
1424	Cocphf32.exe
2796	Cepipm32.exe
2660	Cgoelh32.exe
2740	Cnimiblo.exe
2544	Cagienkb.exe
2928	Cinafkkd.exe
1684	Ckmnbg32.exe
852	Cnkjnb32.exe
1040	Ceebklai.exe
2612	Cgcnghpl.exe
332	Clojhf32.exe
2196	Calcpm32.exe
2348	Ccjoli32.exe
1808	Cfhkhd32.exe
1692	Dnpciaef.exe
1220	Dpapaj32.exe

Loads dropped DLL 37 IoCs

pid	Process
1940	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
1940	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
2112	Ciihklpj.exe
2112	Ciihklpj.exe
1424	Cocphf32.exe
1424	Cocphf32.exe
2796	Cepipm32.exe
2796	Cepipm32.exe
2660	Cgoelh32.exe
2660	Cgoelh32.exe
2740	Cnimiblo.exe
2740	Cnimiblo.exe
2544	Cagienkb.exe
2544	Cagienkb.exe
2928	Cinafkkd.exe
2928	Cinafkkd.exe
1684	Ckmnbg32.exe
1684	Ckmnbg32.exe
852	Cnkjnb32.exe
852	Cnkjnb32.exe
1040	Ceebklai.exe
1040	Ceebklai.exe
2612	Cgcnghpl.exe
2612	Cgcnghpl.exe
332	Clojhf32.exe
332	Clojhf32.exe
2196	Calcpm32.exe
2196	Calcpm32.exe
2348	Ccjoli32.exe
2348	Ccjoli32.exe
1808	Cfhkhd32.exe
1808	Cfhkhd32.exe
1692	Dnpciaef.exe
1692	Dnpciaef.exe
1820	WerFault.exe
1820	WerFault.exe
1820	WerFault.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Efeckm32.dll	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Clojhf32.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Clojhf32.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Ceebklai.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Ceebklai.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Ceebklai.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Kgloog32.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Clojhf32.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Ckmnbg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1820	1220	WerFault.exe	47

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clojhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgcnghpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceebklai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Clojhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll"	Ceebklai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Clojhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2112	1940	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe	31
PID 1940 wrote to memory of 2112	1940	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe	31
PID 1940 wrote to memory of 2112	1940	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe	31
PID 1940 wrote to memory of 2112	1940	b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe	31
PID 2112 wrote to memory of 1424	2112	Ciihklpj.exe	32
PID 2112 wrote to memory of 1424	2112	Ciihklpj.exe	32
PID 2112 wrote to memory of 1424	2112	Ciihklpj.exe	32
PID 2112 wrote to memory of 1424	2112	Ciihklpj.exe	32
PID 1424 wrote to memory of 2796	1424	Cocphf32.exe	33
PID 1424 wrote to memory of 2796	1424	Cocphf32.exe	33
PID 1424 wrote to memory of 2796	1424	Cocphf32.exe	33
PID 1424 wrote to memory of 2796	1424	Cocphf32.exe	33
PID 2796 wrote to memory of 2660	2796	Cepipm32.exe	34
PID 2796 wrote to memory of 2660	2796	Cepipm32.exe	34
PID 2796 wrote to memory of 2660	2796	Cepipm32.exe	34
PID 2796 wrote to memory of 2660	2796	Cepipm32.exe	34
PID 2660 wrote to memory of 2740	2660	Cgoelh32.exe	35
PID 2660 wrote to memory of 2740	2660	Cgoelh32.exe	35
PID 2660 wrote to memory of 2740	2660	Cgoelh32.exe	35
PID 2660 wrote to memory of 2740	2660	Cgoelh32.exe	35
PID 2740 wrote to memory of 2544	2740	Cnimiblo.exe	36
PID 2740 wrote to memory of 2544	2740	Cnimiblo.exe	36
PID 2740 wrote to memory of 2544	2740	Cnimiblo.exe	36
PID 2740 wrote to memory of 2544	2740	Cnimiblo.exe	36
PID 2544 wrote to memory of 2928	2544	Cagienkb.exe	37
PID 2544 wrote to memory of 2928	2544	Cagienkb.exe	37
PID 2544 wrote to memory of 2928	2544	Cagienkb.exe	37
PID 2544 wrote to memory of 2928	2544	Cagienkb.exe	37
PID 2928 wrote to memory of 1684	2928	Cinafkkd.exe	38
PID 2928 wrote to memory of 1684	2928	Cinafkkd.exe	38
PID 2928 wrote to memory of 1684	2928	Cinafkkd.exe	38
PID 2928 wrote to memory of 1684	2928	Cinafkkd.exe	38
PID 1684 wrote to memory of 852	1684	Ckmnbg32.exe	39
PID 1684 wrote to memory of 852	1684	Ckmnbg32.exe	39
PID 1684 wrote to memory of 852	1684	Ckmnbg32.exe	39
PID 1684 wrote to memory of 852	1684	Ckmnbg32.exe	39
PID 852 wrote to memory of 1040	852	Cnkjnb32.exe	40
PID 852 wrote to memory of 1040	852	Cnkjnb32.exe	40
PID 852 wrote to memory of 1040	852	Cnkjnb32.exe	40
PID 852 wrote to memory of 1040	852	Cnkjnb32.exe	40
PID 1040 wrote to memory of 2612	1040	Ceebklai.exe	41
PID 1040 wrote to memory of 2612	1040	Ceebklai.exe	41
PID 1040 wrote to memory of 2612	1040	Ceebklai.exe	41
PID 1040 wrote to memory of 2612	1040	Ceebklai.exe	41
PID 2612 wrote to memory of 332	2612	Cgcnghpl.exe	42
PID 2612 wrote to memory of 332	2612	Cgcnghpl.exe	42
PID 2612 wrote to memory of 332	2612	Cgcnghpl.exe	42
PID 2612 wrote to memory of 332	2612	Cgcnghpl.exe	42
PID 332 wrote to memory of 2196	332	Clojhf32.exe	43
PID 332 wrote to memory of 2196	332	Clojhf32.exe	43
PID 332 wrote to memory of 2196	332	Clojhf32.exe	43
PID 332 wrote to memory of 2196	332	Clojhf32.exe	43
PID 2196 wrote to memory of 2348	2196	Calcpm32.exe	44
PID 2196 wrote to memory of 2348	2196	Calcpm32.exe	44
PID 2196 wrote to memory of 2348	2196	Calcpm32.exe	44
PID 2196 wrote to memory of 2348	2196	Calcpm32.exe	44
PID 2348 wrote to memory of 1808	2348	Ccjoli32.exe	45
PID 2348 wrote to memory of 1808	2348	Ccjoli32.exe	45
PID 2348 wrote to memory of 1808	2348	Ccjoli32.exe	45
PID 2348 wrote to memory of 1808	2348	Ccjoli32.exe	45
PID 1808 wrote to memory of 1692	1808	Cfhkhd32.exe	46
PID 1808 wrote to memory of 1692	1808	Cfhkhd32.exe	46
PID 1808 wrote to memory of 1692	1808	Cfhkhd32.exe	46
PID 1808 wrote to memory of 1692	1808	Cfhkhd32.exe	46

C:\Users\Admin\AppData\Local\Temp\b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe
"C:\Users\Admin\AppData\Local\Temp\b94013598f179507af0c95644bbbeb794587d5cc5be82866a61ba705c0c8dacaN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\Ciihklpj.exe
  C:\Windows\system32\Ciihklpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\Cocphf32.exe
    C:\Windows\system32\Cocphf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\SysWOW64\Cepipm32.exe
      C:\Windows\system32\Cepipm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 144
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cfhkhd32.exe

Filesize
67KB

MD5
cf2ff9bf9907f2fc37b159cb728f76d4

SHA1
e138aaaca0c20c15655ba22e3f7cefb18c2e22a2

SHA256
ce42f8e463776d62dbd9834bff4492f567c4dd54cbf5f700f5476a4dc59a593d

SHA512
94fa58f63ed8578b3730a9d064c77b8569bb6094d06eafc2b0498619b659c94115e8e6e3ac9d27701fb8892502656d5fc7b2fefa132cb581f22bb7ef43f61d2b

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
67KB

MD5
93d950c38c63ffb433902fb34b79c40c

SHA1
517c7cf68464c5ef1798c713de2fe8a6c30702fa

SHA256
380c03c716a440d67440a67264fd0eb23fdbb56b029c3d4ce9edc4171cc17d22

SHA512
0df37219c55f3ead65928a6844e93d1e224826573475cfc4da6308eea3adf048fdd1cfcda2a16092b4bc34744cf1b99d69e58e21e1666ba56d79eb1cef1e8a42

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
67KB

MD5
d8fffc90ec1a1dbcaf13f11402ba6da5

SHA1
a271a814689aa399dd48c979508471be6d84d323

SHA256
ece5c40dd4da8882f394c59697ab345f80806742c8afd0c115c693882bb297fc

SHA512
742bf1cf5b077622ee3b33d3c2016d7346a95459181d7089a8137da0fc1624a653fa12a5d4603db0a694675a683a34de224c56307188d65eacbf0fc8bb3c4e04

Download Submit
\Windows\SysWOW64\Cagienkb.exe

Filesize
67KB

MD5
aa64a4f21df8e86720b91ad604bf4a21

SHA1
a8e64a569eaede49702dc3c49a6cf865b207f4c9

SHA256
6b650cae316d222a3d02d09ce472aeff0f744e1fc199d55fd488dbafe8011e6a

SHA512
0dd8044731cf36abed4fa32765acfb22dc856148705025c41e8ca2eb25befdda84bf2e242e1ffc24141951da525be7ceab8e3c839d31b80e3248e9b8559b75b0

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
67KB

MD5
896f9d1b8e35fb5f7a021c09ae901915

SHA1
4c6540ccb5e2495a937644f33ccaa81b7d4b4e3d

SHA256
a5d8ea7cd2eb8e24a907fa3074eb29bea1ec2a8846023d20a5e5bf40ebd065f6

SHA512
8d097e8f4354f62ff89ab9fe1e1bf773a87a080ab688a8ae935e19aa76c3888a66d1c1ebebbb3b388287c7a5fd06dc77814ca4fab7b885f0ed564bffbf9d3685

Download Submit
\Windows\SysWOW64\Ccjoli32.exe

Filesize
67KB

MD5
aed95517145fbbadfc9a1b2b9dbce86b

SHA1
569606a6879ec8d15727e99d89686f90cfb03dd6

SHA256
5f2b1be59413f417418027c1ce08a2c9f091401a700bf83ff47da786fd917f3d

SHA512
0651ea7a3431d5b03d0aed0b827a55e74deb55b2152df5a30e1b927025ba889e854ea28aad9ac7d5caf9728c0018b5e33a0224923b7a8ab887e89563076b2f1d

Download Submit
\Windows\SysWOW64\Ceebklai.exe

Filesize
67KB

MD5
c4ab80ae6dcf65355bd8d56e12d7b4ff

SHA1
a996c357ec2ae5a4cc5d42b0e1e0c9f058f70b02

SHA256
5dec39870cbd1605f4a98b2c86f0fae7a1cfd3b46bc67ea8f2736fa6816fd2ba

SHA512
882f9e7f761b320ab399c2ad9ca8d8c89be3fa7d1d804cfd20f7327f7a7a73a586088cfb3638ca25bcc7b625bb0a9b9120ff8ea6b06d429cc05c7d31ab2dc407

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
67KB

MD5
90a7bf93eca874d0dbb22fd702c1eb92

SHA1
06cf48e26d69fbacbf33fee759e2724943134bc3

SHA256
66821f810fe2790cdd839dd081d573273c064f41165b4ab0367fa2e89441e51f

SHA512
78b1123a0d3bdb4aeeb35e5ce1bcb1f7ff7c2bf3d25160401ab9a72f6504a48ddd1991c492f56f85f239e1b753572b59ceaa0e2e76c855cc1fc6bd13ba8ebfd9

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
67KB

MD5
642adf8b6db8ab8d3fa277dc80c73736

SHA1
61a30754890b6817c0ede78f0a9c3ad90a4bb797

SHA256
f8aebef0016204725bf63cfff4b5769b5864114ab498275643b81d94b197ab18

SHA512
2bae0888b39a5140577faa746acf57ffceaceb8a3c33cfaa40c26c22a708eaed1e6d51ee0b59b55bdf11a1cfdb97825142275df03e742f6ec57888eeb2a0a5d2

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
67KB

MD5
29afddc8b436a410a68025dfbe3352ab

SHA1
285823418e0735a0064acaa445070072e413e65a

SHA256
c23ae686babc725c63a62891c3b3528ee93c4fab4a64e3503a3810335deedca4

SHA512
081f5eec55cc756d6f9fe95818e0ae6e5d5c5af4652b5dfdcf7e1943852b37a714cf4af2e54f824fd14210ecbe21ff9f306f1574622acea6c3269465041c1ac3

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
67KB

MD5
0b122ee0aafecb5c3140bf8dfff5e44d

SHA1
fe85508f8cbba87236e036c8940d438eaec49c1e

SHA256
2e49fcbb4f8010577af1873e93f2f0bb9d5f29d7db86a6040c1253ba3545e0dc

SHA512
53c04f630bd416f1f0b5172f303c4a1280d47303454ce5f11e67b97327a723614284c6022d9dcf33621b24701a762ca54e085101b8dad4ec62f42563b8134d01

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
67KB

MD5
4f94997ed8496fde6b763b4b7c717034

SHA1
fe2d7d830ee20808f3ee0363f271955976c8da8d

SHA256
d6bcb80ef1acf7420025a4c94241bbc3ad07348bbf24a5a16d67de8e9e3c93d0

SHA512
230ee7901acdf32c49efc9f939e1dc3d11335953da013daa894943cb9d5bcb483d484495eb5c31805dfcd58663c924b42a5daabff2aa0708125fcad14c5168fe

Download Submit
\Windows\SysWOW64\Clojhf32.exe

Filesize
67KB

MD5
1552550b928a4823d9315339e58ae9e7

SHA1
58944bc95c143591c79aa32bf86c2ba770d36861

SHA256
5ebaab4ff4c39cd77ed57557d3aee9c26214f3bd4b86d2f7fdb3389efd84bd25

SHA512
f745bd94ace558ca16657431a3709934c5c6038d3f8f0369a3034fe9afb38f9a2c005a4808586d503434ca45d9b86364590da998ba4567a4d232cecf3f878142

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
67KB

MD5
a6e1d7724942fd3f155a9362fc48aa94

SHA1
1da5d83f8d9218ebb0155853de71043ade0feee8

SHA256
ee8cf230dd6455baee488c9071d3640e7e73d2b4aa4a462dcb109f46c6327e8f

SHA512
a02430c58cf514c7eb72aefe9d6dfd902ed655979dc206b6ab24eeb1ffc5c073843eecbce47237d12bc8f37e95e3f4d6f2cb9f03a612dd9ceba626971c55c00f

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
67KB

MD5
497b0e0a8b712c3f326db2ad68685ee2

SHA1
0e4b090d88f49eaf251e21bda5273e197085840b

SHA256
e5db29543eb3505a494de37e904d3270ed95047d32a2c5936b5940bda0b352e7

SHA512
181c9b0ee488cbf4b4d16e91d406c50e52c87859f31f8059f259b64a344acd686d79539d2793162d5349756275fc0802fa22d56f11799896fcd35331dc42a407

Download Submit
\Windows\SysWOW64\Cocphf32.exe

Filesize
67KB

MD5
74d7fbf17a2615cb9219b108b522623a

SHA1
1b1fc98e80e9e65b9c57583faf066580feaae79f

SHA256
0b815d5f313ef47cca5f0e9d1430d00f7f158fc9fd21def3299c2d1d1366cf94

SHA512
78f3bbef6d00438b190d0b477f4e3ef0cd1e2637c671a64847a9bdd7e5d4d9e7dd23d9e97ec4c827579a6b1b29a177adc1276ad686613d1a678092408d58ebdc

Download Submit
\Windows\SysWOW64\Dnpciaef.exe

Filesize
67KB

MD5
98159c97f8c7e20a313bf2f025bfbd4a

SHA1
09c51a64df84907069d55c11ba8e10439e729eff

SHA256
feec3b74fb3634b1408be35cc6643c35b0d6677efabe9fbae80419247627171e

SHA512
76a7794bdd8d0fd9fd1acb7d13696c7c13416d620d5340f46e8b197e333fe603114fb0ff7232783858df1a55ba05abc9e8597fb97878e9c5e135148d41eda867

Download Submit
memory/332-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/852-129-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/1040-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-147-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1220-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1220-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1424-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1684-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1684-112-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1692-224-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1692-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-202-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1808-209-0x0000000000280000-0x00000000002BC000-memory.dmp

Filesize
240KB

Download
memory/1940-243-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1940-11-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/1940-12-0x0000000000250000-0x000000000028C000-memory.dmp

Filesize
240KB

Download
memory/2112-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-14-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2112-21-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2196-182-0x00000000002D0000-0x000000000030C000-memory.dmp

Filesize
240KB

Download
memory/2196-174-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2196-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-191-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2544-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2612-156-0x0000000000440000-0x000000000047C000-memory.dmp

Filesize
240KB

Download
memory/2660-238-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2660-55-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-76-0x00000000002E0000-0x000000000031C000-memory.dmp

Filesize
240KB

Download
memory/2740-237-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2740-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-239-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-41-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-53-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2928-241-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-94-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-101-0x0000000000300000-0x000000000033C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads