d80282a47e1c0c1418e67353111d6c513cdcf835b5f838227c47c921b991e1b0

Analysis

max time kernel
167s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Size

80KB
MD5

051a55d1f2168e60ce3d20b5bb54ccfa
SHA1

56ce319bd2d28819e30ac6e94b6c3b7407835681
SHA256

d80282a47e1c0c1418e67353111d6c513cdcf835b5f838227c47c921b991e1b0
SHA512

0388ef1ae033eceac97b4a268360a8f619f2c7fe598f6a523f208b3ab2d91f0c0b483ee646808e03a1d1fc00366fe1a166b8c6dc8925f7ef71aa481f16e3bee8
SSDEEP

1536:5Mf6FRJ20Es1xyuBwqTXY2LmCYrum8SPG2:DUCyWwEpmVT8SL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigbmpco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdpad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdpad32.exe

Executes dropped EXE 16 IoCs

pid	Process
4932	Bigbmpco.exe
712	Bfkbfd32.exe
4644	Bdocph32.exe
3796	Babcil32.exe
4592	Bbdpad32.exe
1204	Bmidnm32.exe
4960	Bagmdllg.exe
464	Cibain32.exe
3752	Cbkfbcpb.exe
5044	Ccmcgcmp.exe
1308	Cigkdmel.exe
1592	Caqpkjcl.exe
4012	Ckidcpjl.exe
2172	Dkkaiphj.exe
436	Ddcebe32.exe
4048	Diqnjl32.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Cibain32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Bfkbfd32.exe	Bigbmpco.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Bdocph32.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Bbdpad32.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Faagecfk.dll	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Bigbmpco.exe	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Dilcjbag.dll	Babcil32.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Ckidcpjl.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Bbdpad32.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Bmidnm32.exe	Bbdpad32.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Ckidcpjl.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Ckidcpjl.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Bfkbfd32.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Bdocph32.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bmidnm32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Bdocph32.exe
File opened for modification	C:\Windows\SysWOW64\Bbdpad32.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Aammfkln.dll	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Bigbmpco.exe	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
File created	C:\Windows\SysWOW64\Gnhekleo.dll	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
File opened for modification	C:\Windows\SysWOW64\Bfkbfd32.exe	Bigbmpco.exe
File created	C:\Windows\SysWOW64\Mgmqkimh.dll	Bigbmpco.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Bmidnm32.exe	Bbdpad32.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Fbcolk32.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Cigkdmel.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4624	4048	WerFault.exe	102

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigbmpco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigbmpco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmqkimh.dll"	Bigbmpco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilcjbag.dll"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Cibain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll"	Bbdpad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhekleo.dll"	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcolk32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Babcil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 5108 wrote to memory of 4932	5108	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe	87
PID 5108 wrote to memory of 4932	5108	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe	87
PID 5108 wrote to memory of 4932	5108	051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe	87
PID 4932 wrote to memory of 712	4932	Bigbmpco.exe	88
PID 4932 wrote to memory of 712	4932	Bigbmpco.exe	88
PID 4932 wrote to memory of 712	4932	Bigbmpco.exe	88
PID 712 wrote to memory of 4644	712	Bfkbfd32.exe	89
PID 712 wrote to memory of 4644	712	Bfkbfd32.exe	89
PID 712 wrote to memory of 4644	712	Bfkbfd32.exe	89
PID 4644 wrote to memory of 3796	4644	Bdocph32.exe	90
PID 4644 wrote to memory of 3796	4644	Bdocph32.exe	90
PID 4644 wrote to memory of 3796	4644	Bdocph32.exe	90
PID 3796 wrote to memory of 4592	3796	Babcil32.exe	91
PID 3796 wrote to memory of 4592	3796	Babcil32.exe	91
PID 3796 wrote to memory of 4592	3796	Babcil32.exe	91
PID 4592 wrote to memory of 1204	4592	Bbdpad32.exe	92
PID 4592 wrote to memory of 1204	4592	Bbdpad32.exe	92
PID 4592 wrote to memory of 1204	4592	Bbdpad32.exe	92
PID 1204 wrote to memory of 4960	1204	Bmidnm32.exe	93
PID 1204 wrote to memory of 4960	1204	Bmidnm32.exe	93
PID 1204 wrote to memory of 4960	1204	Bmidnm32.exe	93
PID 4960 wrote to memory of 464	4960	Bagmdllg.exe	94
PID 4960 wrote to memory of 464	4960	Bagmdllg.exe	94
PID 4960 wrote to memory of 464	4960	Bagmdllg.exe	94
PID 464 wrote to memory of 3752	464	Cibain32.exe	95
PID 464 wrote to memory of 3752	464	Cibain32.exe	95
PID 464 wrote to memory of 3752	464	Cibain32.exe	95
PID 3752 wrote to memory of 5044	3752	Cbkfbcpb.exe	96
PID 3752 wrote to memory of 5044	3752	Cbkfbcpb.exe	96
PID 3752 wrote to memory of 5044	3752	Cbkfbcpb.exe	96
PID 5044 wrote to memory of 1308	5044	Ccmcgcmp.exe	97
PID 5044 wrote to memory of 1308	5044	Ccmcgcmp.exe	97
PID 5044 wrote to memory of 1308	5044	Ccmcgcmp.exe	97
PID 1308 wrote to memory of 1592	1308	Cigkdmel.exe	98
PID 1308 wrote to memory of 1592	1308	Cigkdmel.exe	98
PID 1308 wrote to memory of 1592	1308	Cigkdmel.exe	98
PID 1592 wrote to memory of 4012	1592	Caqpkjcl.exe	99
PID 1592 wrote to memory of 4012	1592	Caqpkjcl.exe	99
PID 1592 wrote to memory of 4012	1592	Caqpkjcl.exe	99
PID 4012 wrote to memory of 2172	4012	Ckidcpjl.exe	100
PID 4012 wrote to memory of 2172	4012	Ckidcpjl.exe	100
PID 4012 wrote to memory of 2172	4012	Ckidcpjl.exe	100
PID 2172 wrote to memory of 436	2172	Dkkaiphj.exe	101
PID 2172 wrote to memory of 436	2172	Dkkaiphj.exe	101
PID 2172 wrote to memory of 436	2172	Dkkaiphj.exe	101
PID 436 wrote to memory of 4048	436	Ddcebe32.exe	102
PID 436 wrote to memory of 4048	436	Ddcebe32.exe	102
PID 436 wrote to memory of 4048	436	Ddcebe32.exe	102

C:\Users\Admin\AppData\Local\Temp\051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe
"C:\Users\Admin\AppData\Local\Temp\051a55d1f2168e60ce3d20b5bb54ccfa_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5108
- C:\Windows\SysWOW64\Bigbmpco.exe
  C:\Windows\system32\Bigbmpco.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\SysWOW64\Bfkbfd32.exe
    C:\Windows\system32\Bfkbfd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:712
  - - C:\Windows\SysWOW64\Bdocph32.exe
      C:\Windows\system32\Bdocph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
      - C:\Windows\SysWOW64\Bbdpad32.exe
        
        C:\Windows\system32\Bbdpad32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\SysWOW64\Cibain32.exe
        
        C:\Windows\system32\Cibain32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        17⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 400
        18⤵
        Program crash
        
        PID:4624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4048 -ip 4048
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Babcil32.exe

Filesize
80KB

MD5
9421a84829024f862268ca82871318c9

SHA1
90517794f369c6641c49a790f1085c0fc0cd6a2e

SHA256
89769bb8c4b4b19cc03efa3c9180e3546307905accdea092b4ad4082136b76f4

SHA512
427d4eafe0603747dc84a520d175596723db5a49d23b5a20c0dbdd7d273bff13f75e8afb1b7add368f54568b7f619aa55ceedacbe6cd15853a901c24d1ba2db9

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
80KB

MD5
9421a84829024f862268ca82871318c9

SHA1
90517794f369c6641c49a790f1085c0fc0cd6a2e

SHA256
89769bb8c4b4b19cc03efa3c9180e3546307905accdea092b4ad4082136b76f4

SHA512
427d4eafe0603747dc84a520d175596723db5a49d23b5a20c0dbdd7d273bff13f75e8afb1b7add368f54568b7f619aa55ceedacbe6cd15853a901c24d1ba2db9

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
80KB

MD5
f2dbe749dfd14e8c5af558693fa3c844

SHA1
e40c9f6b693e3c627af92a43c370d645745d10f1

SHA256
3f80aa77c4ee1d4123f1b7d6d0ba4bff72ca9d82572cb4d11b76d6ad8ea75f71

SHA512
a60bb6b2145b5d28d9105ec1e61dcc6e8e7ab2d69b8dc4316331bdcc338d6584b80d335ecd678899e216b01fa01e48b3e2b342737527896532476cd683702630

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
80KB

MD5
f2dbe749dfd14e8c5af558693fa3c844

SHA1
e40c9f6b693e3c627af92a43c370d645745d10f1

SHA256
3f80aa77c4ee1d4123f1b7d6d0ba4bff72ca9d82572cb4d11b76d6ad8ea75f71

SHA512
a60bb6b2145b5d28d9105ec1e61dcc6e8e7ab2d69b8dc4316331bdcc338d6584b80d335ecd678899e216b01fa01e48b3e2b342737527896532476cd683702630

Download Submit
C:\Windows\SysWOW64\Bbdpad32.exe

Filesize
80KB

MD5
0d3235e75654621a863dceca0a0b6951

SHA1
5a01aa62af0009ee0405c995262d9d6d64352195

SHA256
b46b47621c54468bb37fc8821eb0d6e4ab739a64489244e9c010be5852293a08

SHA512
7ecb627e3a819a5224edbfe12caccbf5ad5f3673a4250e81132e128ece24fc30e2a2199938d7f223f57cd76910cbbaa361233a9e2f9e74d7f4cc3fc98084d309

Download Submit
C:\Windows\SysWOW64\Bbdpad32.exe

Filesize
80KB

MD5
0d3235e75654621a863dceca0a0b6951

SHA1
5a01aa62af0009ee0405c995262d9d6d64352195

SHA256
b46b47621c54468bb37fc8821eb0d6e4ab739a64489244e9c010be5852293a08

SHA512
7ecb627e3a819a5224edbfe12caccbf5ad5f3673a4250e81132e128ece24fc30e2a2199938d7f223f57cd76910cbbaa361233a9e2f9e74d7f4cc3fc98084d309

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
80KB

MD5
756d6b5c519cffed897a35eacb3f353d

SHA1
af3a5bfd2bbb94fe147882ada1961b1d57609f91

SHA256
24f9c536ddc38da56cc24d81c19754aebb43af6f94de89867e9e1db790450265

SHA512
d54434105dbb0cd229c950bb748cfd926066192edd80074f65e9e9354b84c33c6886ba2b631fbf5bcea9d05dd8d67dca4496b419c47616f22cf27d0fded3921b

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
80KB

MD5
756d6b5c519cffed897a35eacb3f353d

SHA1
af3a5bfd2bbb94fe147882ada1961b1d57609f91

SHA256
24f9c536ddc38da56cc24d81c19754aebb43af6f94de89867e9e1db790450265

SHA512
d54434105dbb0cd229c950bb748cfd926066192edd80074f65e9e9354b84c33c6886ba2b631fbf5bcea9d05dd8d67dca4496b419c47616f22cf27d0fded3921b

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
80KB

MD5
11f4eedb0214471d1c1b18aaa7381d27

SHA1
aae77a85ffa8c440fb329a05093249bfd1083924

SHA256
0169e46dee5115d8fadb0b4bd668b6b74dbab02197e92b5d0de222bb7cb39b4f

SHA512
6f0f2914a2df65a976fca79d1013c7e48d26d408bc69910e476dfda9a97e547e0956537be20cc33758a8d0bf699fcc1d677dad8bab40c8fd1b208fa2bd2978aa

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
80KB

MD5
11f4eedb0214471d1c1b18aaa7381d27

SHA1
aae77a85ffa8c440fb329a05093249bfd1083924

SHA256
0169e46dee5115d8fadb0b4bd668b6b74dbab02197e92b5d0de222bb7cb39b4f

SHA512
6f0f2914a2df65a976fca79d1013c7e48d26d408bc69910e476dfda9a97e547e0956537be20cc33758a8d0bf699fcc1d677dad8bab40c8fd1b208fa2bd2978aa

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
80KB

MD5
11f4eedb0214471d1c1b18aaa7381d27

SHA1
aae77a85ffa8c440fb329a05093249bfd1083924

SHA256
0169e46dee5115d8fadb0b4bd668b6b74dbab02197e92b5d0de222bb7cb39b4f

SHA512
6f0f2914a2df65a976fca79d1013c7e48d26d408bc69910e476dfda9a97e547e0956537be20cc33758a8d0bf699fcc1d677dad8bab40c8fd1b208fa2bd2978aa

Download Submit
C:\Windows\SysWOW64\Bigbmpco.exe

Filesize
80KB

MD5
7f30552c4ad5ee128767511937be6164

SHA1
611c5bb9a542945ddee4e3b07cf4f091086cf3c9

SHA256
1ce1ecd4acee13c7e617ab29f28ab9d4d256912fac7880e711b728e39ccdbea6

SHA512
0a085565a10203c0b1f2641ddbfcccdcee2ab3d9682fd8db789c735e293e4174083ff3236a3138da1ff243abb3f771cffe6c33c6cff7f4b76458d97a81616a92

Download Submit
C:\Windows\SysWOW64\Bigbmpco.exe

Filesize
80KB

MD5
7f30552c4ad5ee128767511937be6164

SHA1
611c5bb9a542945ddee4e3b07cf4f091086cf3c9

SHA256
1ce1ecd4acee13c7e617ab29f28ab9d4d256912fac7880e711b728e39ccdbea6

SHA512
0a085565a10203c0b1f2641ddbfcccdcee2ab3d9682fd8db789c735e293e4174083ff3236a3138da1ff243abb3f771cffe6c33c6cff7f4b76458d97a81616a92

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
80KB

MD5
42b32291bd2fea600f2913dc87e02159

SHA1
84b85d57bb198f85cad606307a0b6aac337949fb

SHA256
070a29ad04a3c32ee9f289eb4ceb31f65216a9f8df7894ba6ec3f51543d42495

SHA512
4ac178430b0207617ce9a94a509d1fdc1036b8215913636468d39ba6edb14660b22c3233ea1d907bf8de97ade11d3113df3eaf85c20e994bb690e8668a85b2ea

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
80KB

MD5
42b32291bd2fea600f2913dc87e02159

SHA1
84b85d57bb198f85cad606307a0b6aac337949fb

SHA256
070a29ad04a3c32ee9f289eb4ceb31f65216a9f8df7894ba6ec3f51543d42495

SHA512
4ac178430b0207617ce9a94a509d1fdc1036b8215913636468d39ba6edb14660b22c3233ea1d907bf8de97ade11d3113df3eaf85c20e994bb690e8668a85b2ea

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
80KB

MD5
492e50d3f5f33f7a5ea80bb551d3f850

SHA1
65ec0c4821b18a08567b875fdf77fb7ba1a14bb5

SHA256
e2b92f5f8f9f30770410ab7d6491019752face74a0419ee31682afbe50782106

SHA512
f330684505bbdadde9b6ea567207b5557ac8177e53cdf746203090ab93ddd2400c238344799114203d877f5ce67adf2106578d9b9ca7692a73134e9a363474d1

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
80KB

MD5
492e50d3f5f33f7a5ea80bb551d3f850

SHA1
65ec0c4821b18a08567b875fdf77fb7ba1a14bb5

SHA256
e2b92f5f8f9f30770410ab7d6491019752face74a0419ee31682afbe50782106

SHA512
f330684505bbdadde9b6ea567207b5557ac8177e53cdf746203090ab93ddd2400c238344799114203d877f5ce67adf2106578d9b9ca7692a73134e9a363474d1

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
80KB

MD5
84c253241030561c61f57e0d92b5f5ca

SHA1
f1842f7a37a8985513be104763a8302be577e4ff

SHA256
9473804786442e56f52ea5f48b721f1afc454e69c0a7ccb79eb6dd7b23f61aec

SHA512
3c04bd71c1805d69362b33e534baaf9c05bdbe21ad1ffdcd4d96f9d33b51f3460a636d9d4d93b696797ccb2e4273ee658a38cda070850a2252d1c4c591ab9d8a

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
80KB

MD5
84c253241030561c61f57e0d92b5f5ca

SHA1
f1842f7a37a8985513be104763a8302be577e4ff

SHA256
9473804786442e56f52ea5f48b721f1afc454e69c0a7ccb79eb6dd7b23f61aec

SHA512
3c04bd71c1805d69362b33e534baaf9c05bdbe21ad1ffdcd4d96f9d33b51f3460a636d9d4d93b696797ccb2e4273ee658a38cda070850a2252d1c4c591ab9d8a

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
80KB

MD5
0e569865ea54e47ac4ca1f18b32fb801

SHA1
b2be735b3ea051b6442a1051ad6dc211d19a4db8

SHA256
c1ffdfae520c15787ac9df7794f3461146df9873825f2188601bac5af217588d

SHA512
fc4a02dc2f45a61297552d4d4a506413d9fd9dd3f13961506215a31b287af72b7bc5c3290a7b7c6ceb09c46d3a4315047ffe8bd3e731c74545093ce5ae3bd741

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
80KB

MD5
0e569865ea54e47ac4ca1f18b32fb801

SHA1
b2be735b3ea051b6442a1051ad6dc211d19a4db8

SHA256
c1ffdfae520c15787ac9df7794f3461146df9873825f2188601bac5af217588d

SHA512
fc4a02dc2f45a61297552d4d4a506413d9fd9dd3f13961506215a31b287af72b7bc5c3290a7b7c6ceb09c46d3a4315047ffe8bd3e731c74545093ce5ae3bd741

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
80KB

MD5
349fa756e9379858b17a946c4e8eb802

SHA1
e1702d21eea9a9c3caee5df9df0f1af4da39b5b3

SHA256
5f4a711628ed652d7e5c8258650edeb4026b26edab61ef43fe2df3b62f83e568

SHA512
82104a4fc6891f0b838434bd6206130a22abac9ac241c6e0f6e560ec48c63a40e832dff20dfbb479d20255a434e270c2147e0efca85ab1f6c986558ebd2b52ef

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
80KB

MD5
349fa756e9379858b17a946c4e8eb802

SHA1
e1702d21eea9a9c3caee5df9df0f1af4da39b5b3

SHA256
5f4a711628ed652d7e5c8258650edeb4026b26edab61ef43fe2df3b62f83e568

SHA512
82104a4fc6891f0b838434bd6206130a22abac9ac241c6e0f6e560ec48c63a40e832dff20dfbb479d20255a434e270c2147e0efca85ab1f6c986558ebd2b52ef

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
80KB

MD5
f47e6dbd8e4c578013423fe2139041c4

SHA1
63af4a16a8a4ec366bba8a34f3060e1daa5c27ac

SHA256
4b074cba8d3f7b15560539d7c5923eeac837e08fa8be07a478180ed641a05018

SHA512
347c4485f72d1cd5e51102c3c8b2b3bcc41fc4a365af275ed05250810fbe0541739f61bc030d437fd158b435b52df7f8fd8b79d747fe2135181639e18898cfeb

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
80KB

MD5
f47e6dbd8e4c578013423fe2139041c4

SHA1
63af4a16a8a4ec366bba8a34f3060e1daa5c27ac

SHA256
4b074cba8d3f7b15560539d7c5923eeac837e08fa8be07a478180ed641a05018

SHA512
347c4485f72d1cd5e51102c3c8b2b3bcc41fc4a365af275ed05250810fbe0541739f61bc030d437fd158b435b52df7f8fd8b79d747fe2135181639e18898cfeb

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
80KB

MD5
2578d8553655a1ad1c48dca8d273c4d6

SHA1
561a0c8278684c6c8be52aaa54a4f63cfe9cca93

SHA256
22dae2501cf3814612c44b17a1725027f4a5e49c2a14377abbfece59f8766c97

SHA512
51708830aa0dcf7c4e3460bf1ff5ecd6ba447bec08fb5f07157cf02d582b5113c1039c4cd5807d2e8e43aec7515ead05beec8b69462e7191ffa56d63f8139ff4

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
80KB

MD5
2578d8553655a1ad1c48dca8d273c4d6

SHA1
561a0c8278684c6c8be52aaa54a4f63cfe9cca93

SHA256
22dae2501cf3814612c44b17a1725027f4a5e49c2a14377abbfece59f8766c97

SHA512
51708830aa0dcf7c4e3460bf1ff5ecd6ba447bec08fb5f07157cf02d582b5113c1039c4cd5807d2e8e43aec7515ead05beec8b69462e7191ffa56d63f8139ff4

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
80KB

MD5
09dfbaca43269dcbe287535c54001cff

SHA1
8e51bbd1f3a464ea931bab12ecbf4482707d1bf4

SHA256
92050e8254c6941ec5440c3cbcf1d2b1dec38903c1d70a320d19a98640c2f953

SHA512
3043a2fcee490a6368eb96168ac453ae9f6fe566da18bfc5cb88377690fd7b9a4e42f9ff05bfbe62381ff02b9fd1b809579d0667a51236f1979604964edfd87c

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
80KB

MD5
09dfbaca43269dcbe287535c54001cff

SHA1
8e51bbd1f3a464ea931bab12ecbf4482707d1bf4

SHA256
92050e8254c6941ec5440c3cbcf1d2b1dec38903c1d70a320d19a98640c2f953

SHA512
3043a2fcee490a6368eb96168ac453ae9f6fe566da18bfc5cb88377690fd7b9a4e42f9ff05bfbe62381ff02b9fd1b809579d0667a51236f1979604964edfd87c

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
80KB

MD5
09dfbaca43269dcbe287535c54001cff

SHA1
8e51bbd1f3a464ea931bab12ecbf4482707d1bf4

SHA256
92050e8254c6941ec5440c3cbcf1d2b1dec38903c1d70a320d19a98640c2f953

SHA512
3043a2fcee490a6368eb96168ac453ae9f6fe566da18bfc5cb88377690fd7b9a4e42f9ff05bfbe62381ff02b9fd1b809579d0667a51236f1979604964edfd87c

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
80KB

MD5
fa9bba95a15000ecb82ba3e180faee3a

SHA1
0855d0214f33a14e7d5ab3d7e73f2ef3cca382b3

SHA256
45704087bcd92124127b3f3d9b3d360880d648578eb1aa66eec273422dbaff0b

SHA512
0cbfd9fc2518940681868ea6e12d41cab7f82d55268294e2eb9c6ed60f66c0c62f8920bc837b0fd8ea030f8dea79e19106839bd0cecbcf27593e975fc1ddd227

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
80KB

MD5
fa9bba95a15000ecb82ba3e180faee3a

SHA1
0855d0214f33a14e7d5ab3d7e73f2ef3cca382b3

SHA256
45704087bcd92124127b3f3d9b3d360880d648578eb1aa66eec273422dbaff0b

SHA512
0cbfd9fc2518940681868ea6e12d41cab7f82d55268294e2eb9c6ed60f66c0c62f8920bc837b0fd8ea030f8dea79e19106839bd0cecbcf27593e975fc1ddd227

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
80KB

MD5
f9056f5217c7ae4701aa82a416a843dd

SHA1
4eef1faf34d1227736c59d7c6b4da9c991571e2d

SHA256
4c74dd4c33834b105ad7f74136766078a6a52450b212feec2d96c65b1e87269b

SHA512
3f320a6d99b6d7293bcb01fa2d6c3bfc5081786ac403034f5c1daa7a89cda77e2c24cee65b2120d2d2268f23e4c2c6cb83f0899462dc0b7f05e271bf0f310f06

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
80KB

MD5
f9056f5217c7ae4701aa82a416a843dd

SHA1
4eef1faf34d1227736c59d7c6b4da9c991571e2d

SHA256
4c74dd4c33834b105ad7f74136766078a6a52450b212feec2d96c65b1e87269b

SHA512
3f320a6d99b6d7293bcb01fa2d6c3bfc5081786ac403034f5c1daa7a89cda77e2c24cee65b2120d2d2268f23e4c2c6cb83f0899462dc0b7f05e271bf0f310f06

Download Submit
memory/436-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/436-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1592-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3752-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4960-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads