berbew | c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11/03/2025, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Size

96KB
MD5

7d23862dd4a38eee8a8f074d087fbbe5
SHA1

ffa3c914add30657742f5b8d113d4b31cd76c6a6
SHA256

c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187
SHA512

2427447daf704f0995ad96e6dde279ea93a5f5ab1720cc10c412750198f44c8560b528a9232fd776d35d8e83314515fcebabc4e8cbba547752da1d2393c65f59
SSDEEP

1536:znYuuhWSwO48bjKokrKxL6pA2Lcm7RZObZUUWaegPYAW:kNFwO48bjSSubbClUUWaeF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgaaah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpgpond.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 15 IoCs

pid	Process
2788	Ciihklpj.exe
2556	Cbblda32.exe
2844	Cepipm32.exe
2728	Cgoelh32.exe
2996	Cnimiblo.exe
1436	Cinafkkd.exe
2856	Cgaaah32.exe
2296	Caifjn32.exe
1732	Cchbgi32.exe
584	Cjakccop.exe
1604	Cmpgpond.exe
320	Calcpm32.exe
2532	Cfhkhd32.exe
2444	Dmbcen32.exe
2932	Dpapaj32.exe

Loads dropped DLL 33 IoCs

pid	Process
988	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
988	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
2788	Ciihklpj.exe
2788	Ciihklpj.exe
2556	Cbblda32.exe
2556	Cbblda32.exe
2844	Cepipm32.exe
2844	Cepipm32.exe
2728	Cgoelh32.exe
2728	Cgoelh32.exe
2996	Cnimiblo.exe
2996	Cnimiblo.exe
1436	Cinafkkd.exe
1436	Cinafkkd.exe
2856	Cgaaah32.exe
2856	Cgaaah32.exe
2296	Caifjn32.exe
2296	Caifjn32.exe
1732	Cchbgi32.exe
1732	Cchbgi32.exe
584	Cjakccop.exe
584	Cjakccop.exe
1604	Cmpgpond.exe
1604	Cmpgpond.exe
320	Calcpm32.exe
320	Calcpm32.exe
2532	Cfhkhd32.exe
2532	Cfhkhd32.exe
2444	Dmbcen32.exe
2444	Dmbcen32.exe
1708	WerFault.exe
1708	WerFault.exe
1708	WerFault.exe

Drops file in System32 directory 47 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Cfhkhd32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Kaqnpc32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Pcaibd32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Cfhkhd32.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cgaaah32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Fkdqjn32.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Pobghn32.dll	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cmpgpond.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cmpgpond.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cgaaah32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cmpgpond.exe
File opened for modification	C:\Windows\SysWOW64\Cfhkhd32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Caifjn32.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cgaaah32.exe	Cinafkkd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1708	2932	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpgpond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhkhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgaaah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cgaaah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Cfhkhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpgpond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfhkhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 2788	988	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe	31
PID 988 wrote to memory of 2788	988	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe	31
PID 988 wrote to memory of 2788	988	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe	31
PID 988 wrote to memory of 2788	988	c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe	31
PID 2788 wrote to memory of 2556	2788	Ciihklpj.exe	32
PID 2788 wrote to memory of 2556	2788	Ciihklpj.exe	32
PID 2788 wrote to memory of 2556	2788	Ciihklpj.exe	32
PID 2788 wrote to memory of 2556	2788	Ciihklpj.exe	32
PID 2556 wrote to memory of 2844	2556	Cbblda32.exe	33
PID 2556 wrote to memory of 2844	2556	Cbblda32.exe	33
PID 2556 wrote to memory of 2844	2556	Cbblda32.exe	33
PID 2556 wrote to memory of 2844	2556	Cbblda32.exe	33
PID 2844 wrote to memory of 2728	2844	Cepipm32.exe	34
PID 2844 wrote to memory of 2728	2844	Cepipm32.exe	34
PID 2844 wrote to memory of 2728	2844	Cepipm32.exe	34
PID 2844 wrote to memory of 2728	2844	Cepipm32.exe	34
PID 2728 wrote to memory of 2996	2728	Cgoelh32.exe	35
PID 2728 wrote to memory of 2996	2728	Cgoelh32.exe	35
PID 2728 wrote to memory of 2996	2728	Cgoelh32.exe	35
PID 2728 wrote to memory of 2996	2728	Cgoelh32.exe	35
PID 2996 wrote to memory of 1436	2996	Cnimiblo.exe	36
PID 2996 wrote to memory of 1436	2996	Cnimiblo.exe	36
PID 2996 wrote to memory of 1436	2996	Cnimiblo.exe	36
PID 2996 wrote to memory of 1436	2996	Cnimiblo.exe	36
PID 1436 wrote to memory of 2856	1436	Cinafkkd.exe	37
PID 1436 wrote to memory of 2856	1436	Cinafkkd.exe	37
PID 1436 wrote to memory of 2856	1436	Cinafkkd.exe	37
PID 1436 wrote to memory of 2856	1436	Cinafkkd.exe	37
PID 2856 wrote to memory of 2296	2856	Cgaaah32.exe	38
PID 2856 wrote to memory of 2296	2856	Cgaaah32.exe	38
PID 2856 wrote to memory of 2296	2856	Cgaaah32.exe	38
PID 2856 wrote to memory of 2296	2856	Cgaaah32.exe	38
PID 2296 wrote to memory of 1732	2296	Caifjn32.exe	39
PID 2296 wrote to memory of 1732	2296	Caifjn32.exe	39
PID 2296 wrote to memory of 1732	2296	Caifjn32.exe	39
PID 2296 wrote to memory of 1732	2296	Caifjn32.exe	39
PID 1732 wrote to memory of 584	1732	Cchbgi32.exe	40
PID 1732 wrote to memory of 584	1732	Cchbgi32.exe	40
PID 1732 wrote to memory of 584	1732	Cchbgi32.exe	40
PID 1732 wrote to memory of 584	1732	Cchbgi32.exe	40
PID 584 wrote to memory of 1604	584	Cjakccop.exe	41
PID 584 wrote to memory of 1604	584	Cjakccop.exe	41
PID 584 wrote to memory of 1604	584	Cjakccop.exe	41
PID 584 wrote to memory of 1604	584	Cjakccop.exe	41
PID 1604 wrote to memory of 320	1604	Cmpgpond.exe	42
PID 1604 wrote to memory of 320	1604	Cmpgpond.exe	42
PID 1604 wrote to memory of 320	1604	Cmpgpond.exe	42
PID 1604 wrote to memory of 320	1604	Cmpgpond.exe	42
PID 320 wrote to memory of 2532	320	Calcpm32.exe	43
PID 320 wrote to memory of 2532	320	Calcpm32.exe	43
PID 320 wrote to memory of 2532	320	Calcpm32.exe	43
PID 320 wrote to memory of 2532	320	Calcpm32.exe	43
PID 2532 wrote to memory of 2444	2532	Cfhkhd32.exe	44
PID 2532 wrote to memory of 2444	2532	Cfhkhd32.exe	44
PID 2532 wrote to memory of 2444	2532	Cfhkhd32.exe	44
PID 2532 wrote to memory of 2444	2532	Cfhkhd32.exe	44
PID 2444 wrote to memory of 2932	2444	Dmbcen32.exe	45
PID 2444 wrote to memory of 2932	2444	Dmbcen32.exe	45
PID 2444 wrote to memory of 2932	2444	Dmbcen32.exe	45
PID 2444 wrote to memory of 2932	2444	Dmbcen32.exe	45
PID 2932 wrote to memory of 1708	2932	Dpapaj32.exe	46
PID 2932 wrote to memory of 1708	2932	Dpapaj32.exe	46
PID 2932 wrote to memory of 1708	2932	Dpapaj32.exe	46
PID 2932 wrote to memory of 1708	2932	Dpapaj32.exe	46

C:\Users\Admin\AppData\Local\Temp\c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe
"C:\Users\Admin\AppData\Local\Temp\c7f51261e29759349d9b056f2d1e666f9af91710dfb860459bde7af3a6514187.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:988
- C:\Windows\SysWOW64\Ciihklpj.exe
  C:\Windows\system32\Ciihklpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\Cbblda32.exe
    C:\Windows\system32\Cbblda32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Cepipm32.exe
      C:\Windows\system32\Cepipm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:584
        
        C:\Windows\SysWOW64\Cmpgpond.exe
        
        C:\Windows\system32\Cmpgpond.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Cfhkhd32.exe
        
        C:\Windows\system32\Cfhkhd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 144
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
96KB

MD5
22218dbb4cd0135b9c25f93d9e468a79

SHA1
52011997041b507c0577e7590c55a5813c37a2fd

SHA256
8b636ea44de8a5064f5e6ce615438e46143950a67999b1130961a80cd780b11d

SHA512
980b9738bcaeb154edb1626221db8bfcb73017092b7db798f159c25b945ed362b5fedb3cd82ebe81154c7d454449b9464271f106a6e6ebe2b511fe6089f56c33

Download Submit
\Windows\SysWOW64\Caifjn32.exe

Filesize
96KB

MD5
f452c4f36d1bc1e9baab73b4f28d9cd8

SHA1
00c0e1931e3c27dc5b4a13746332d24722bb9a8b

SHA256
511e7c0076d5022f7399de2a446795b85715a938b88a9f10e21a26cbb563659a

SHA512
ca9462b79645e0c747edea97d25b2e66cb699b25e66dd0edd75b3cbb66fddb6b1fed7f15a93859c82f3d8f76f3ffa5d4e071a45d2d02e2477664f3b9bebf1488

Download Submit
\Windows\SysWOW64\Calcpm32.exe

Filesize
96KB

MD5
4d37282a445f2f02129f9c4a732a23de

SHA1
1654593977e8bbc14cc22ec6300fccd9024b7511

SHA256
88008052e3351adfc04a4ed43ea56b8959805b48759ba2969cfd64260d72637c

SHA512
53d13e0d160a88320097d2f60b1181f0e62ee66528f185c0dd7616a994ee144ecb0dd6c8a6ee51d06767e78a05a91c2ccc9331bd624b4ee17e2a05aa38502307

Download Submit
\Windows\SysWOW64\Cbblda32.exe

Filesize
96KB

MD5
5677cc992524006d4e86c554a1afe838

SHA1
cdbb7882b92a59c9a6c92816ba3dc57a7ca97b50

SHA256
266cf59d5536833f56199718817d1c199ea81fd9022dc49659f30f7c216016d0

SHA512
6338906e5cfadb2fa4ddbaf4f5d0ea240e8739526eab2e68fc8aa8914d441dfd117ad72a18b59463f5b71173bb5a90d36288a4b2a81a5964e89d8169ca05a837

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
96KB

MD5
82218f9d48c99cd40db0369aa9f9b853

SHA1
f366e0228aeb1cafc16684714ed4d26f42bba401

SHA256
29bc781ac2a258fac9f3dee7aedf567d4afbe3d2f1de74bf110b4c9eb832464f

SHA512
bf9b23280ac989f79468dc3d5d5531a17b48f8c971021c41fb936465e7398f671b582ff857a8fe960fa994bf7e0adbcf875cb63cd1738ead264d5c95b558b5b5

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
96KB

MD5
82f2e15be66a9ee782bc388c80bece86

SHA1
40bb0ab228f363976b0aae83c2087c1596d4dd1d

SHA256
c1057918880b9a3296facdae25239eab66c55568e3a9f4bc938d7a4ec31a3732

SHA512
d8722a33d43f7564ae3af05b63dac8a1bcf2d526305a07eacd7417b925c241b0dcd73898796078df72aec5134dd63d1b6a06fd137d1511b90b03d747ee125599

Download Submit
\Windows\SysWOW64\Cfhkhd32.exe

Filesize
96KB

MD5
71b798345621ad540164c43b2415030c

SHA1
f518edf404f5e58dee0e076469d0b11684b8352b

SHA256
abcea7c5ecb4cbea210c5a7fb5fb753ea451d69f0d0e98d03d51b07bfbd71148

SHA512
1be7f76e023d1081178a4602fcb47f661a184f0fff461b93d412dd2930df0580a5b3252d66d07b2895f99a3a49fa479834a32381b7817299ff0331502ecbc17a

Download Submit
\Windows\SysWOW64\Cgoelh32.exe

Filesize
96KB

MD5
9ab2b98d16fa220ecc4b3cc102c344fc

SHA1
e26d657ac18426ccc1fb2875d46fac0abe0ab51d

SHA256
c879cc9276d096e87c5497345032076fc78b830ba4bc9b6dae0eae848ba022a5

SHA512
27093c94d0ecd5adf5095967212d28ad59dac34e6a8fded0e33f665a9204a4721142766e5c7bdd2ef09c674e0318f42d4d557541512ddc06865e0614c8da8cb7

Download Submit
\Windows\SysWOW64\Ciihklpj.exe

Filesize
96KB

MD5
68f8cd0154ed732d2b127f8320ee4e49

SHA1
4011d20671e456aaff040397bf50c003b0fc93a7

SHA256
c35a28e64f06d60f4c63081c281d56d84a8b6ace0788b5fe9f6c5173d54bb4cb

SHA512
5260f631441e2064586a9be66002c796af4a502f9b901a1087c36ad93e3d7035c5aab2edc14fdb04fe5076375a141394ef464ba5180f9e99a978a2f8ed2b52db

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
96KB

MD5
9993f3118280f3de8b4536795be82b4b

SHA1
b29e8a0c516b6f525eddb6025d06534357ec76d3

SHA256
9e16a008bd9f3595e9c8e15dd908f1fff00f36fc4b8a5dfef9343cdd93b9883f

SHA512
affd8ab300aba8f132975089e1e4accc2d3ff1e34ac16ff9be12e9bc8f717abe96625a9c59707c811b91f17d9f720295b570a864b2cfeba6f1f8763e2d3ce779

Download Submit
\Windows\SysWOW64\Cjakccop.exe

Filesize
96KB

MD5
d5cc49e08b166816baca3b6910ca5e9e

SHA1
9cff96f4c2a0d2aed1575bb4564655aa397b6882

SHA256
4e7df5da41af190ccf1f149aa34e47b73b3fb6d3034fc8099639b46500a01e02

SHA512
42cb9f5d4a88f151d276bdccb18eb3a8da50df6a10dda027bd09ebddacd2fddd5e95198d25454b5ba31cd19d48d264e3bf37c73bb278e892a645781085e2e45d

Download Submit
\Windows\SysWOW64\Cmpgpond.exe

Filesize
96KB

MD5
d778380d15d1a80341381f9d9fbc3d67

SHA1
8696a2cdd7e4a78558562fa715357ca69a022edc

SHA256
50c1c745acd89a678f133a69572be41492902bf37c4ac0fa7239fc443c20f214

SHA512
2dcaafc0fd973714e566c6be79a3be15fd139eb318e4fdb83160a2819d34db038329fcc6252c1968378b67ea65c4027d4f36b471f1de2d430e88d8c9d1c96699

Download Submit
\Windows\SysWOW64\Cnimiblo.exe

Filesize
96KB

MD5
228af7b14f865c4eac5e3180276376f4

SHA1
1c7f803b7405c87b943e2bd1291d0036962158d1

SHA256
5e529a368732b61d878262261694ba835695b2b2a91d03d00bbbde16fd287fc4

SHA512
7a40b0104b06242268601b55f7795094ed6c148459d351c1a28e7fab0c5580b454da1a0f82d2ef3489acec6b6d49d3ea899e0c11a8ba3e0855a3ca967c59bd34

Download Submit
\Windows\SysWOW64\Dmbcen32.exe

Filesize
96KB

MD5
394c4ff57aee3845ef1f0fd07b6d6ce9

SHA1
9b0780574d47bc6e49e070aba38b3b8d26c393ef

SHA256
add5f84f0a4779d28bf85a1ae98f44bccb24adf19043eab1c3b1fe0918fab0e2

SHA512
8fb81ec7b2ab3cd0aeb9db9f0ab4257c523947036ee749585f3a2766d9ba72f92b8bfacecc5bf640024e2a5243d7a947fdc08cbaa135a76f9f54f71e96cb6bfc

Download Submit
\Windows\SysWOW64\Dpapaj32.exe

Filesize
96KB

MD5
1c8c9f04cc79c0e62f3e140a54d91d30

SHA1
c4c81a5331a53ec27f4eaeafee4863898bde1029

SHA256
fbe95377b474371eb1d4d8ea1613152bdf138b085184777acaec1cae15485b7e

SHA512
802ca5901f3ac9dd300d93a837100921d0099a3a428d73be45a337c2f2791f2859186b5bc07e34723eb814aa255a387dc76a3e61c54258dc9bf333e35623e5f6

Download Submit
memory/320-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/584-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/584-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/988-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1436-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-156-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1604-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-118-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2444-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2532-183-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2532-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2728-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2728-64-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2788-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2788-28-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2788-21-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2844-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-55-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2856-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-108-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2856-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-203-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2996-81-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2996-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads