dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240

Analysis

max time kernel
125s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Size

74KB
MD5

df9c84fa4a6949232c295a1dfeeb6b58
SHA1

927ffd1209d841b05ef39278a60ed5c9c3be35c6
SHA256

dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240
SHA512

ba509f81e4af4553bb2ae795270d32ab7251e4130f01b6712146938deffed6ed175a40552717f2e06ee2737b1269bd8b843135a33816b4277f7d6336ed10a1df
SSDEEP

1536:08bz5A4fgk0EeI5h2g42m4nwTOgkpxv5365p4jmudrLXCWLWfFj:02z5BOEe6h2g4wwM15365qBXxWV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bboffejp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe

Executes dropped EXE 20 IoCs

pid	Process
1424	Bboffejp.exe
4904	Biiobo32.exe
3868	Bdocph32.exe
2252	Bmggingc.exe
2388	Bdapehop.exe
1188	Bmidnm32.exe
3528	Bbfmgd32.exe
3828	Bagmdllg.exe
5116	Bgdemb32.exe
3276	Cajjjk32.exe
4320	Cienon32.exe
632	Calfpk32.exe
3492	Cigkdmel.exe
396	Cpacqg32.exe
2952	Ckggnp32.exe
2852	Cdolgfbp.exe
5096	Cildom32.exe
2932	Dgpeha32.exe
2756	Daeifj32.exe
3540	Diqnjl32.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Daeifj32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdolgfbp.exe	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	Bboffejp.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bbfmgd32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Daeifj32.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Daeifj32.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Mnokmd32.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Bmidnm32.exe	Bdapehop.exe
File opened for modification	C:\Windows\SysWOW64\Bbfmgd32.exe	Bmidnm32.exe
File opened for modification	C:\Windows\SysWOW64\Daeifj32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Afjpan32.dll	Bmidnm32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Daeifj32.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Biiobo32.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Bdapehop.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Bbfmgd32.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Bboffejp.exe	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
File opened for modification	C:\Windows\SysWOW64\Cienon32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Cpacqg32.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Biiobo32.exe	Bboffejp.exe
File opened for modification	C:\Windows\SysWOW64\Bdapehop.exe	Bmggingc.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cajjjk32.exe
File opened for modification	C:\Windows\SysWOW64\Biiobo32.exe	Bboffejp.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Biiobo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmidnm32.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Bboffejp.exe	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Bbfmgd32.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Fnihje32.dll	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
File created	C:\Windows\SysWOW64\Bmggingc.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmggingc.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Hnmanm32.dll	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Bdapehop.exe	Bmggingc.exe
File opened for modification	C:\Windows\SysWOW64\Cpacqg32.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Ghfqhkbn.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Ijgiemgc.dll	Bdocph32.exe
File created	C:\Windows\SysWOW64\Boplohfa.dll	Bmggingc.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	Bbfmgd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1900	3540	WerFault.exe	111

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmanm32.dll"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biiobo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplohfa.dll"	Bmggingc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Biiobo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihje32.dll"	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bboffejp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cienon32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1424	4424	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe	90
PID 4424 wrote to memory of 1424	4424	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe	90
PID 4424 wrote to memory of 1424	4424	dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe	90
PID 1424 wrote to memory of 4904	1424	Bboffejp.exe	91
PID 1424 wrote to memory of 4904	1424	Bboffejp.exe	91
PID 1424 wrote to memory of 4904	1424	Bboffejp.exe	91
PID 4904 wrote to memory of 3868	4904	Biiobo32.exe	92
PID 4904 wrote to memory of 3868	4904	Biiobo32.exe	92
PID 4904 wrote to memory of 3868	4904	Biiobo32.exe	92
PID 3868 wrote to memory of 2252	3868	Bdocph32.exe	94
PID 3868 wrote to memory of 2252	3868	Bdocph32.exe	94
PID 3868 wrote to memory of 2252	3868	Bdocph32.exe	94
PID 2252 wrote to memory of 2388	2252	Bmggingc.exe	95
PID 2252 wrote to memory of 2388	2252	Bmggingc.exe	95
PID 2252 wrote to memory of 2388	2252	Bmggingc.exe	95
PID 2388 wrote to memory of 1188	2388	Bdapehop.exe	96
PID 2388 wrote to memory of 1188	2388	Bdapehop.exe	96
PID 2388 wrote to memory of 1188	2388	Bdapehop.exe	96
PID 1188 wrote to memory of 3528	1188	Bmidnm32.exe	97
PID 1188 wrote to memory of 3528	1188	Bmidnm32.exe	97
PID 1188 wrote to memory of 3528	1188	Bmidnm32.exe	97
PID 3528 wrote to memory of 3828	3528	Bbfmgd32.exe	98
PID 3528 wrote to memory of 3828	3528	Bbfmgd32.exe	98
PID 3528 wrote to memory of 3828	3528	Bbfmgd32.exe	98
PID 3828 wrote to memory of 5116	3828	Bagmdllg.exe	100
PID 3828 wrote to memory of 5116	3828	Bagmdllg.exe	100
PID 3828 wrote to memory of 5116	3828	Bagmdllg.exe	100
PID 5116 wrote to memory of 3276	5116	Bgdemb32.exe	101
PID 5116 wrote to memory of 3276	5116	Bgdemb32.exe	101
PID 5116 wrote to memory of 3276	5116	Bgdemb32.exe	101
PID 3276 wrote to memory of 4320	3276	Cajjjk32.exe	102
PID 3276 wrote to memory of 4320	3276	Cajjjk32.exe	102
PID 3276 wrote to memory of 4320	3276	Cajjjk32.exe	102
PID 4320 wrote to memory of 632	4320	Cienon32.exe	103
PID 4320 wrote to memory of 632	4320	Cienon32.exe	103
PID 4320 wrote to memory of 632	4320	Cienon32.exe	103
PID 632 wrote to memory of 3492	632	Calfpk32.exe	104
PID 632 wrote to memory of 3492	632	Calfpk32.exe	104
PID 632 wrote to memory of 3492	632	Calfpk32.exe	104
PID 3492 wrote to memory of 396	3492	Cigkdmel.exe	105
PID 3492 wrote to memory of 396	3492	Cigkdmel.exe	105
PID 3492 wrote to memory of 396	3492	Cigkdmel.exe	105
PID 396 wrote to memory of 2952	396	Cpacqg32.exe	106
PID 396 wrote to memory of 2952	396	Cpacqg32.exe	106
PID 396 wrote to memory of 2952	396	Cpacqg32.exe	106
PID 2952 wrote to memory of 2852	2952	Ckggnp32.exe	107
PID 2952 wrote to memory of 2852	2952	Ckggnp32.exe	107
PID 2952 wrote to memory of 2852	2952	Ckggnp32.exe	107
PID 2852 wrote to memory of 5096	2852	Cdolgfbp.exe	108
PID 2852 wrote to memory of 5096	2852	Cdolgfbp.exe	108
PID 2852 wrote to memory of 5096	2852	Cdolgfbp.exe	108
PID 5096 wrote to memory of 2932	5096	Cildom32.exe	109
PID 5096 wrote to memory of 2932	5096	Cildom32.exe	109
PID 5096 wrote to memory of 2932	5096	Cildom32.exe	109
PID 2932 wrote to memory of 2756	2932	Dgpeha32.exe	110
PID 2932 wrote to memory of 2756	2932	Dgpeha32.exe	110
PID 2932 wrote to memory of 2756	2932	Dgpeha32.exe	110
PID 2756 wrote to memory of 3540	2756	Daeifj32.exe	111
PID 2756 wrote to memory of 3540	2756	Daeifj32.exe	111
PID 2756 wrote to memory of 3540	2756	Daeifj32.exe	111

C:\Users\Admin\AppData\Local\Temp\dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe
"C:\Users\Admin\AppData\Local\Temp\dc6476c4fd4c4f73391620c418a6f47004c79b9ba5d51c658882af2f4b0ff240.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\SysWOW64\Bboffejp.exe
  C:\Windows\system32\Bboffejp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\Biiobo32.exe
    C:\Windows\system32\Biiobo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\SysWOW64\Bdocph32.exe
      C:\Windows\system32\Bdocph32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3868
    - - C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        21⤵
        Executes dropped EXE
        
        PID:3540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 420
        22⤵
        Program crash
        
        PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3540 -ip 3540
1⤵
PID:452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,18267267250369716772,14567143188126594249,262144 --variations-seed-version --mojo-platform-channel-handle=4636 /prefetch:8
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
74KB

MD5
4ee4c44c25c23d2862c29d0e2ec748f0

SHA1
2e067549ec669785ff77f540c6f6d6ca64b91fe4

SHA256
38482c0dab8b7cdb5131f0220718adfbf007fbe9987b4887643bc625430632e9

SHA512
e2b91e83452d66c04f6bc97efa001bb0613d0583f63187931d1c1b4abeea04f140c0678ad35ae1c93198fc355ba1472d559417fc235b136953d3686232720bf8

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
74KB

MD5
43bad9083683f3c32a4900e7520c193b

SHA1
da63d9b56055d911991af4e5a3b349683b0d4a50

SHA256
cba2628480bd918707f2dc770e77939dd743074a3e5616c8adbfe06f3e439cc2

SHA512
637cc4d03fc63bf35b034587d269c2ceeb98df0cc3f8673e72e0e41f717561ee21f9e14c5ea4ff552ffddbb7059d9aeae8d5924af5b953f895e83b7b1c253d1a

Download Submit
C:\Windows\SysWOW64\Bboffejp.exe

Filesize
74KB

MD5
99ffd45c79aef9a6dfd450ff4333bf80

SHA1
ea919e600b56d15ffb06f3f85a2162fe252d4f33

SHA256
3c75ce275a0a91620f011e309eced341e000e274d896070ed25da0923ecd1c1f

SHA512
035105f19e6ec43af07780b409aba0e546efdb0eac61c697c9d20b02355cb16eaadaeb62f74dfbe0b339ed5c63ef9437e7d2a1f4a10acdbca2a008aae4ae7e6a

Download Submit
C:\Windows\SysWOW64\Bdapehop.exe

Filesize
74KB

MD5
952d77ae95db5df3a95f1b25f92197c2

SHA1
452a507a58fcd6123aac8d1141316f2204964f42

SHA256
701a18dab9c8002e116125be010415c1e68f8522deb25f4dad93e193b8d1d8a3

SHA512
f13f61f3b9ccc7b14126273ffe45d0460685306e2a97f8acec2c51f2b517b6e622e09eac564d23d9557779d4fc64eee376b6679d9ec0a2b7a9c071fb1f9c5080

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
74KB

MD5
93bced656db02a6c4a9152f904ef7805

SHA1
59dc1324354c63ca785a9966ebf691c9fe6f0f12

SHA256
c351e6858914c33410ce649c8152ad24b44c5232fc5fff7b168fcf843224f267

SHA512
0ba2b37455484a0d75e79aa5d22ed19c6dae0d73657f02ad6a4e5c9b1252380d9afbd20e40000c1b76873935b6894807db30ee2ea284fcb5c022da85f7f8b884

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
74KB

MD5
4ed46cd5448f0c8578ff585e1e0894bf

SHA1
ed5a46a646660b0a670d8dc2536a513703fcac5c

SHA256
41916c2455e75d91ba71829bfd398b8d6dc91339af2f3cdee69cc618124682d5

SHA512
1bf6d0f0a0904dcf99eadfb3e11c93f9d5729efd64321c2b28532269ec870bfff40e5f118aaa4a5aa84251e73f005eda74d80c06a7f5927abc42c8fa719a8830

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
74KB

MD5
f3a65a823c8bb822ab31f0465a2d82b2

SHA1
5145fb643cdbf0fc81562c73de22195511facf79

SHA256
44208533ef460bf929e31847a4155f0851e9a70c37e80dd4b661e02065ee5292

SHA512
e5c0c662a8eaf89e80341a302003b649848a976c38c81bfcc2a74580d62ab5d41051133e5e2a216a3d75b6ba7f8407d4651c4e8bf354348069ee71393a0c5056

Download Submit
C:\Windows\SysWOW64\Bmggingc.exe

Filesize
74KB

MD5
edbbc7741eb9341420d3cc58f8f9d74e

SHA1
4d05b81549bf8a96c5e2b3d7934b8bf2f867ae95

SHA256
16ca53f9d1b56f0e31718ff7ef92623b8f840269eaa22c83403d3eafd7ba7d2c

SHA512
4af7d1cc2a8399ea1df523428ec4845d970d1ce19a8e642e5fcf9452e03cb484d94537daf7f333e9c93dba0adc2247e86843334118d71bded78d1d18e1e1e932

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
74KB

MD5
ad5bfd5a8408f0acc2ba927a378aeead

SHA1
c3851646d368537ef88d74a23a04215c689085c8

SHA256
405038047b9657f99b59982d669f405abc371fbf0d482faf9c0930c0ddca91d8

SHA512
2f895c32abf9008aa75c684b77d8ab28ee2b225395420948d1a82867d1c55f42396117b80fbe385845c2dbd5849d99b4e1ea92e53533be885cf1cc573028fabe

Download Submit
C:\Windows\SysWOW64\Boplohfa.dll

Filesize
7KB

MD5
23cc2fe713806643f8c0fe3ee4b41f98

SHA1
9609a04b4cd5437a11257c83ee0d52fe4e6fffad

SHA256
c76a1b1d842f234f20a97ddcb731be002ea2ede91c7209998c2b69d40adfd110

SHA512
5f007f848e8fd6f450b97699f05ecfda6553e400cc36f315b77e8fac8fcd97184182a69cb1379c3348354c2ffd6249412bcb4efe7f2cf062b4ae8ee1cedd61e0

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
74KB

MD5
1e3b5aa8f869d3adbf805e50e16a89ec

SHA1
95214fc915bca85f3b5fe8735317461159b32d82

SHA256
3c2d9c133ab8c9dc27865bb7fc452d3efced6565cbf8da6208e9d37727f1471e

SHA512
7933aaa068c2b4e279f30a880e9540892e29fbd10f36857a12125092b992d9a0eb1f6be7429255fc4a0ea73cfee7354e8ef26e23f827de454e8330294e75d6cc

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
74KB

MD5
1264ddf0247aa186ff2967bd0db00799

SHA1
fcb0100417adfdc2ff0baccb6815d60ffd00c915

SHA256
d61ed674e1b547ae8d9cbb8365223643aca87e71c3b8aade89754dfa3129a413

SHA512
eae0b0b301f58f8dabe0fc1189c815eee6b91843efb6ce8b4108a4ad5b0ccfe31aa696b51f725dcfad0e5c8546933fc7bc821719e0a0e76dd32391129dc893b0

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
74KB

MD5
1fa9dd8e7e4eb386e917f486c3c62c27

SHA1
ab32636c31cc931e0b0a37971b4bd0bfeb045762

SHA256
ab7e03aa8afe03bb1c7211e94a6f55b487544d65e636a4ad07ce68a729dd42ca

SHA512
b85055ff8fa9e5a595a1072f083e0a8f52befeefb3c12fa09936375dd6a0c974e944c17e1acccb372c66791b58a7fc7866b420423b0a92dad61fa18799228d42

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
74KB

MD5
863f9e0dfe8948896de7f4caed708f7e

SHA1
3b34ca5e04d2448c0f81877a2be221989907b8c2

SHA256
5c89cf7c473e47aea40e11a7bb9cd21a5f040ec6adc5fd4be8f9226e0552c3a8

SHA512
56bd53b4f439729693f8bab797688f5477e05f638d851e8dd670608b57ea7bec20e12f459207636e1e8089009209a19048a6c95e6a5506298f9bdd1b16038bad

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
74KB

MD5
22a8a149466632df2ba60de0956cb0a5

SHA1
01fe9aef8db6d857689d7dc89cdcf34352f6bb58

SHA256
7c957e6a02168951ec743cf0d3e56bdbf5774057d1618f7550299ba13decccbc

SHA512
54a93d096d7a84cefe626082f33cf30825389184f9bae554f8c3f647b8fa47f0fba25383be60fa2001aa99cbb5832aa0fd23feb67c7722024285b46d69f1af78

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
74KB

MD5
09daabd61b8b7439855ba5ffd7e1976c

SHA1
a83d5e6efb7d790412523a2dcb934e7a602b4ad1

SHA256
86d7916affd8c65de1493a446e845352d96640b05e225037068c242e05e77be2

SHA512
d5060fc8f8d2b772ae03ac18c667e6c0f74d64c0066c26111459d9dde841f35367587c6b4608df0961e784367f34a27f7fb414fe4553116b7c18cf47c207b3da

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
74KB

MD5
68a2e3bb6d0cb331300a8a1958f1b224

SHA1
570922fa1bca4a40c85e6a4c1a321cec7664fa5f

SHA256
9881d6e4c6160ecd83bcbf87133a7ce1a6fa3cdcacc525ee28a3213e2a9d3548

SHA512
4fb8ce18990027f3f3410da859175e82a7dd22b484589232d7323368398890dd11308d0ab6146c3e5755460a035005dceff584b2e1c99a6b88e0bd017b741408

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
74KB

MD5
58128879e984a4a4979f408aeed82502

SHA1
78077b3ddfe843cfe319bc99d1a83cf9c1bd4fc0

SHA256
e77370c462b369e11b6fba346eb41646d25a673703a207470c68019b2e1f81aa

SHA512
0ef4ff0907400aee5543934093892f602e0cdda196394836949567b73610e88104dea85ad2629108f5a3faeddf6120529f95282136c432ec6fe50a93f063081c

Download Submit
C:\Windows\SysWOW64\Daeifj32.exe

Filesize
74KB

MD5
b08d286b905855193e9f07e7cd27d35d

SHA1
7c2e9a24219c817e6794262f1cc2bd95184e34d1

SHA256
9d5366e822ab42e0fb132562f25ea342dd61f6708ea0a21b246cc17b64e43ba1

SHA512
6ce6d6a9e1f3884d9a2f61a204d9a2f13c106ae336180dc227af620c621051a03e0ce9c9f7996fd2bb7116c81b4649e826cb1d58a473d33ab2630e9e26739570

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
74KB

MD5
12093c78e66d1a325459fcea1d37c325

SHA1
499f8b066960c32172e6d009954b98ee42ddeac4

SHA256
c1d93de8f99b487badf87d0f4cb95f09f1a42d2359eef32f33e18b8326320a7c

SHA512
c324de2649685868c12f508ef116fef0414e5b05c8ce57d9c7e3e047fff6577a3dbe07af0589445aaf9691df6010af5af53d76de051b2519cb646b9d995293ba

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
74KB

MD5
68263373032f7011bd0994bebe973886

SHA1
0cd0c0bdc62b225b1d7b675ca00d4c06543816b5

SHA256
8a70dfabb97e931d8a2b625fc1584fcd533aab98c021c427ed23136440d86359

SHA512
0dfa10fa37246bba6940f633ab5b873365e9b8ca3f9f12cdc858699efe65f214c1f15cc3e47edfde9f55c4a15a53a0f6a22526d9595a6b78b6c091f28a2b1338

Download Submit
memory/396-112-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/396-167-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/632-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/632-169-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1188-47-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1188-173-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1424-12-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1424-177-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2252-175-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2252-32-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2388-174-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2388-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-162-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2756-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-164-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2852-128-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2932-144-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2932-163-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2952-120-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2952-166-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3276-79-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3276-179-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3492-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3492-168-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3528-172-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3528-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3540-161-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3540-159-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3828-171-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3828-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3868-23-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3868-176-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4320-92-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4424-178-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4424-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4904-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5096-165-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5096-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5116-170-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/5116-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads