840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0

Analysis

max time kernel
141s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Size

64KB
MD5

ea985d594084437f94bc176c2eb7e3af
SHA1

6d47deda661a4834f4273ecaea9b69178066bcec
SHA256

840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0
SHA512

aa791cf2b2f806e3ea5d5d697a0505af549feb5bb652fdf64c51f3a5b34b1dfdd18136aac3e270269fad602ac8a8a5dc66075ea05e9ed1b0043d568a6da89760
SSDEEP

1536:Mpcpx32PnV5b3ulAEu/Yw78cZPEfo2LdAMCeW:lxsnbb3ulAJlo5f5dpW

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe

Executes dropped EXE 19 IoCs

pid	Process
4352	Bkmeha32.exe
1696	Bpjmph32.exe
4440	Bgdemb32.exe
3328	Cajjjk32.exe
3256	Cbkfbcpb.exe
440	Ckbncapd.exe
1548	Cmpjoloh.exe
4968	Cdjblf32.exe
1512	Ckdkhq32.exe
4780	Cancekeo.exe
2676	Ckggnp32.exe
4764	Caqpkjcl.exe
2452	Ccblbb32.exe
4456	Cildom32.exe
1416	Cacmpj32.exe
3084	Dgpeha32.exe
2360	Dmjmekgn.exe
464	Dcffnbee.exe
4560	Diqnjl32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cancekeo.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Mgqaip32.dll	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dmjmekgn.exe
File opened for modification	C:\Windows\SysWOW64\Bpjmph32.exe	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Dmjmekgn.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Bkmeha32.exe	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Iponmakp.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Khokadah.dll	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bpjmph32.exe
File created	C:\Windows\SysWOW64\Cmpjoloh.exe	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Bpjmph32.exe	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Fdakcc32.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Bkmeha32.exe	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Ogajpp32.dll	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Ckdkhq32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bpjmph32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Ccblbb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3240	4560	WerFault.exe	112

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakcc32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll"	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iponmakp.dll"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cancekeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dcffnbee.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4352	224	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe	92
PID 224 wrote to memory of 4352	224	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe	92
PID 224 wrote to memory of 4352	224	840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe	92
PID 4352 wrote to memory of 1696	4352	Bkmeha32.exe	93
PID 4352 wrote to memory of 1696	4352	Bkmeha32.exe	93
PID 4352 wrote to memory of 1696	4352	Bkmeha32.exe	93
PID 1696 wrote to memory of 4440	1696	Bpjmph32.exe	94
PID 1696 wrote to memory of 4440	1696	Bpjmph32.exe	94
PID 1696 wrote to memory of 4440	1696	Bpjmph32.exe	94
PID 4440 wrote to memory of 3328	4440	Bgdemb32.exe	95
PID 4440 wrote to memory of 3328	4440	Bgdemb32.exe	95
PID 4440 wrote to memory of 3328	4440	Bgdemb32.exe	95
PID 3328 wrote to memory of 3256	3328	Cajjjk32.exe	96
PID 3328 wrote to memory of 3256	3328	Cajjjk32.exe	96
PID 3328 wrote to memory of 3256	3328	Cajjjk32.exe	96
PID 3256 wrote to memory of 440	3256	Cbkfbcpb.exe	97
PID 3256 wrote to memory of 440	3256	Cbkfbcpb.exe	97
PID 3256 wrote to memory of 440	3256	Cbkfbcpb.exe	97
PID 440 wrote to memory of 1548	440	Ckbncapd.exe	98
PID 440 wrote to memory of 1548	440	Ckbncapd.exe	98
PID 440 wrote to memory of 1548	440	Ckbncapd.exe	98
PID 1548 wrote to memory of 4968	1548	Cmpjoloh.exe	99
PID 1548 wrote to memory of 4968	1548	Cmpjoloh.exe	99
PID 1548 wrote to memory of 4968	1548	Cmpjoloh.exe	99
PID 4968 wrote to memory of 1512	4968	Cdjblf32.exe	100
PID 4968 wrote to memory of 1512	4968	Cdjblf32.exe	100
PID 4968 wrote to memory of 1512	4968	Cdjblf32.exe	100
PID 1512 wrote to memory of 4780	1512	Ckdkhq32.exe	102
PID 1512 wrote to memory of 4780	1512	Ckdkhq32.exe	102
PID 1512 wrote to memory of 4780	1512	Ckdkhq32.exe	102
PID 4780 wrote to memory of 2676	4780	Cancekeo.exe	103
PID 4780 wrote to memory of 2676	4780	Cancekeo.exe	103
PID 4780 wrote to memory of 2676	4780	Cancekeo.exe	103
PID 2676 wrote to memory of 4764	2676	Ckggnp32.exe	105
PID 2676 wrote to memory of 4764	2676	Ckggnp32.exe	105
PID 2676 wrote to memory of 4764	2676	Ckggnp32.exe	105
PID 4764 wrote to memory of 2452	4764	Caqpkjcl.exe	106
PID 4764 wrote to memory of 2452	4764	Caqpkjcl.exe	106
PID 4764 wrote to memory of 2452	4764	Caqpkjcl.exe	106
PID 2452 wrote to memory of 4456	2452	Ccblbb32.exe	107
PID 2452 wrote to memory of 4456	2452	Ccblbb32.exe	107
PID 2452 wrote to memory of 4456	2452	Ccblbb32.exe	107
PID 4456 wrote to memory of 1416	4456	Cildom32.exe	108
PID 4456 wrote to memory of 1416	4456	Cildom32.exe	108
PID 4456 wrote to memory of 1416	4456	Cildom32.exe	108
PID 1416 wrote to memory of 3084	1416	Cacmpj32.exe	109
PID 1416 wrote to memory of 3084	1416	Cacmpj32.exe	109
PID 1416 wrote to memory of 3084	1416	Cacmpj32.exe	109
PID 3084 wrote to memory of 2360	3084	Dgpeha32.exe	110
PID 3084 wrote to memory of 2360	3084	Dgpeha32.exe	110
PID 3084 wrote to memory of 2360	3084	Dgpeha32.exe	110
PID 2360 wrote to memory of 464	2360	Dmjmekgn.exe	111
PID 2360 wrote to memory of 464	2360	Dmjmekgn.exe	111
PID 2360 wrote to memory of 464	2360	Dmjmekgn.exe	111
PID 464 wrote to memory of 4560	464	Dcffnbee.exe	112
PID 464 wrote to memory of 4560	464	Dcffnbee.exe	112
PID 464 wrote to memory of 4560	464	Dcffnbee.exe	112

C:\Users\Admin\AppData\Local\Temp\840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe
"C:\Users\Admin\AppData\Local\Temp\840cea8bc888a4775fb3bc7b823c4d8862253e4c88a7c51010532ddf75a0c3e0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\Bkmeha32.exe
  C:\Windows\system32\Bkmeha32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Windows\SysWOW64\Bpjmph32.exe
    C:\Windows\system32\Bpjmph32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\Bgdemb32.exe
      C:\Windows\system32\Bgdemb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
      - C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Cancekeo.exe
        
        C:\Windows\system32\Cancekeo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        20⤵
        Executes dropped EXE
        
        PID:4560
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 400
        21⤵
        Program crash
        
        PID:3240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4560 -ip 4560
1⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4412,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
64KB

MD5
56d8f837f84c5fae8ae7a8bc6561e363

SHA1
fab4bcb15eb26f8e7bbab7865f0fe9864fa17c89

SHA256
12ac9a39019fa26742a1742146b6e9bcf5115611b329fc81c1a7c9d6060262c5

SHA512
39c49c469e9b2054eb2e2706f9bea8226310c94f6c284f9e3ff4d757df6302ebf086576dfc4ddf8a9df92035ed644c58ae8e810ce4a30affd984e7da60eb13de

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
64KB

MD5
3db84364ba30823f78b29ebd1e106fbf

SHA1
10b658b4137d2ecba20af427ad5176c267ded868

SHA256
a7e46d00b703e6b6d97ebe83a0183f9cc7c80aeeb980e75f0a2efb42683ccdfe

SHA512
b5a40faa5aa482e9e115ce80e4bd625e27b975f88027cd389e77c7a500cb295ac6059283bd17993d5c3fd943d7bf928260a342b2ac9ebb1c032cabef1ebfede5

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
64KB

MD5
21f9c2eb443a10aedb571eb44dffcb07

SHA1
b896c85aac5546489a56a85ebba8fb35c5ea047c

SHA256
7d26d9e939d8d95f28c03773855bada6a158bcd9e634406c13e95b3986e40d7d

SHA512
d21a5476839bf8cb1570a06207fed24889a0ad51573e99bdf57237d39bf1b5b700c29e9d511115787f2f47c4e58704191c0174d58910b90a55049239b7d90f57

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
64KB

MD5
b90c930c591d113147416e8e5da35bf9

SHA1
17548e6da68bc955709138d19efc176a9a062120

SHA256
10a7f11471420d36761f9a1d367999f0160c4521c1f0dceb08c68188823336df

SHA512
242208806136a362055776c02deb63bab465a051d2839ffc3901ca4a549448e5ccf2247b8fbdbec2f1b62dc6f7d223264360b88bea3a713434e7cb2f2ba4fb16

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
64KB

MD5
a87d5edb2913edbf78dc015801c90db9

SHA1
668832acbef43f67797fe210dc0b74099df67100

SHA256
4fbddd2fd13086624495962bd1fa9241ab8d473fd2921b768cfb0fb9cae8511b

SHA512
a26f1049bb3d55ca2d63458cbf624f65d0f90d2b6633c7beb37e53e9948851f327b1b8e39d4c7ba60befcff866bf7f3869e10a0c2c69d7b5025643ad2f70e61c

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
64KB

MD5
d3d3d89642929e9fb10881355065c3ce

SHA1
9912f36847ff32061abf92450f87a71de8adba99

SHA256
e8d623008bfbbd71d5068686ff189aa628eb836eeb6b9a17abd759891bfedc42

SHA512
08d1f97310e44c8a3d252839c64d6accefa93cdfdf6f783685e5c2e36085a2668992e8d9b3163ef28e036c5169c3fe174b629589cc82fcb8835955208489969e

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
64KB

MD5
5365da21bcb4a5d7c418524e79ae0e72

SHA1
1894ca062be3b5fca38ce5ff75969385dcfd8d70

SHA256
71ee8db0890668943f7c963894ffbc7bf9494ecf6888f4e03a6787977fc16eb0

SHA512
f42bb6e735a603a42b0539701cf300f9fb1b5b4a5f8ab6e664d7d9405665c6f0d55eb702ca54c5f657f86ca97cc1407acac5ac8327e32778ee838b9f5d8adeb2

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
64KB

MD5
f379940d8530c7bfa163fa6d43580649

SHA1
343a019b0d210e6096b7817da6248792ecf0b9a1

SHA256
592dc38fb06830aa41b3ff8545ec89eef947c5689a4dbce0ccbb4256fcbcb4b4

SHA512
8ec7a450744f9da8be96b00ff7687e17f830a7f870c37bc7b046c13ad9b10acf9286ff899efc47dae9a84f4ddb3afd233b75806799059c7e15378404991f3f4b

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
64KB

MD5
f721803b1514b3498b094ca84ec4e70d

SHA1
6a5ab851242c6282ebf53960f883379433365086

SHA256
fe1206c1bdcd34c84016a15b7766a79f3f0805b997806767a3023c1726ebe7b0

SHA512
7b35de71af4e39ae4d513da73d2f4358d8f88caec1660baf0257bf4f2220a0be4dd10cb78f4dc20c4c45d83bc37de8549195ae17af183805ce1e734e0f0ecf11

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
64KB

MD5
c94d1b1452a03d70c0f232c614d579f7

SHA1
39ffc01d2e3b58dbb9fa2197977a4b268784417e

SHA256
54f6e74b30b6fee8a5cb9c3792657157c4cbe70c14d57862ce07a90cf0281c79

SHA512
e01bdff6c65828932ec013a9292cbafb4afb17db051878519a03a154087e6758ee1544e0ac7a8a6f97e77e09df9454dab5d141d7bb26c683014e32e143f76320

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
64KB

MD5
1f9496970dfdcf14d98b026c5ef01aae

SHA1
da2e0ef80a1ae35050e90c66d9bf8f74687f0fea

SHA256
e50503baffc25f8323479cf4d1da9f97d8ee0a377f24fbdf323d6d593981dbcb

SHA512
352885c88fddd83cc00cf779eb34b596affcd6895d09836ea593da2fb8512ce3980c0c8e076e23e85b85ab0dcc3d8c1663cb30117a321dbdf29b35907eefa9c9

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
64KB

MD5
a20648529e8174b411c34dfc13990143

SHA1
87f54d2c26070102d13de2230fb4d1254c9d7e2d

SHA256
be2c2c4af7a1338f548e512a403025cd8a77e4d7bebbe00a16a5299aa5e75d20

SHA512
e640f9a92f72b4802abae8ed87f2b643a8c75c26897e8e07d8c51c9be0c7159d68fffd69c67e260230db30cc6d9f37b6beb22a76d26d3ee7c05bb7d477f28d4c

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
64KB

MD5
5dd1fe9e0ebf15492704cceb41bf2b24

SHA1
2b818b846c99d471fb1e55dfac7aaadf68b42fc5

SHA256
1d868ca41d880e820febb522f0a36059a4a2f147a6a9b39cb5c37fb38a6f7bb5

SHA512
4cc39e1bce1d97210261977280cf11db593ff5e110d808bf5c85bf352eddf668bfef735562eef76b0f223466bf2813e77ceada6947649346886d3c8dda17190e

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
64KB

MD5
026f677f63dadba01879e0121d72ce44

SHA1
ccbea0361e3599b490261983ea22f848b57e4658

SHA256
0a8c090c31388b49f61130bbabbf9a32ed01da162fc2a7f816031a51447ac2f6

SHA512
523c8084b7a98e77ce278ccd794185c36c4e94a5283a423a3f19975a3c2e88a448ec7898b1d89e509efcbcab5b9bce9bf0c572636982966e20910fb2eb4615b5

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
64KB

MD5
762a3eb39518a56c9cdb3027b8420ef1

SHA1
c4f6ffdbd90700dad71a1e90ece2250d77ddd44f

SHA256
d450ee02a9640ebaa7eaea985fc70173b684cd0da6c93745f34418473a8a0d73

SHA512
c2c3f1c169b35d95df6d0f53663998075870141f5d7cc23dd17f820e4501c13f63151c8219aa4e494be9c6cbbe8aa64cbede5e126a41c28205490e3b1dcb840c

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
64KB

MD5
834c6cff213f9f9144dd085aa82082e2

SHA1
111b3c2f76c3cb5fcb4dd23f2b1cd89adf3333b4

SHA256
4b741a8c5fb1870563e9f2b6aceca1ae6a28b3a5ba52fc3613d1c9fe81d9c46a

SHA512
3583cc78dcf4c04a57b80223f50627abdbf7f4ab76b0cb0ed4ff43b1ca239203f4b48588d002e614e9cf7ff59d46931bcc83be2dfacf554a410c88c7f94ecc4f

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
64KB

MD5
a0e7a552f2e222aead642de25ec4f802

SHA1
7787e06021627594e79d12e920e15e8fc12ae436

SHA256
1d18ba937c49197deb6a0cd3acdabe53ead0e8c0def280e54c29b34dd393ca8b

SHA512
d04a62502a441995fa7328dcf4e00ddd5bd776fbdc80bf041bfe19efba85ddc23df48d4791f363389813a63750714a957efb1d860fd4a806bb8695d832511429

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
64KB

MD5
414d4b038a0931ebab3a3d64c0a85567

SHA1
b3db177e9c2047908e10dec2e72d0f2acdb41ee3

SHA256
ee166af0755f979adb66da45d67f7e4ae93a108c260f571551ad674e33cf9f5e

SHA512
cb2d62d946995b00f913895de406d6798dbb74f0eddf2515126257afb53f618d5354abd0ae07716cc54b3d90d3979375b3d92bd36849f506cbae2b4fcb0211d2

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
64KB

MD5
0e66dadeb736920fdce05dfc6f0b2573

SHA1
03750aac569c9641ac2b57f5b55c4ee4108fbd3f

SHA256
2c2e2bf88480fc665ea4166960a3c095669737e42f11f47503128e80932931a1

SHA512
e676ce8a76e3f2eaa6daec4af9a26b6b2ebc5c0591214e7e4fff061a5fe97e9030b53c308b492bbb39c1f36ec4a7aafceb81863e242ddf80d9474d3870c635c1

Download Submit
memory/224-172-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/224-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/224-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/440-53-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/464-155-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/464-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1416-158-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1416-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-164-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1512-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-166-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1696-170-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1696-17-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2360-156-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2360-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-104-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2452-160-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2676-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2676-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3084-157-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3084-128-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3256-167-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3256-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3328-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3328-168-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4352-8-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4352-171-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4440-25-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4440-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4456-159-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4456-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4560-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4560-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4764-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4764-96-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4780-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4780-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4968-165-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4968-65-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads