0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Size

77KB
MD5

6d75d843db0567f4f868579227ce0498
SHA1

bb0ded1f2ff12e302631c80b6ccf38480d053700
SHA256

0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15
SHA512

740cd484f49a157e509cbd9f0a173538cfc6c563430ca32df70e68be16d8fb850fa32053108d756f15677e864de17e69567ff0fb28964d9ac10e133ed6af3772
SSDEEP

1536:HAr+GJf0ab8anbJJUxPpOfjSnzON2Ltewfi+TjRC/D:YJf0Yz1WpOSnzOeIwf1TjYD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe

Executes dropped EXE 19 IoCs

pid	Process
2440	Bipecnkd.exe
1960	Bagmdllg.exe
640	Cibain32.exe
4288	Cpljehpo.exe
2008	Cgfbbb32.exe
1008	Cmpjoloh.exe
3076	Calfpk32.exe
1356	Cdjblf32.exe
4588	Cigkdmel.exe
4156	Ccppmc32.exe
1608	Ciihjmcj.exe
4804	Cpcpfg32.exe
3484	Cgmhcaac.exe
2812	Cmgqpkip.exe
1208	Cdaile32.exe
3624	Dkkaiphj.exe
1088	Dphiaffa.exe
456	Dcffnbee.exe
4256	Diqnjl32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Ogajpp32.dll	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Bipecnkd.exe	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Bipecnkd.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Cmgqpkip.exe	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cmgqpkip.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Qdqaqhbj.dll	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Cgmhcaac.exe	Cpcpfg32.exe
File opened for modification	C:\Windows\SysWOW64\Bipecnkd.exe	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
File opened for modification	C:\Windows\SysWOW64\Cmgqpkip.exe	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Cpcpfg32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Cmpjoloh.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Cibain32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Cdaile32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Ciihjmcj.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dcffnbee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1884	4256	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipecnkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcpfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdqaqhbj.dll"	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Cibain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgmhcaac.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 2440	5088	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe	90
PID 5088 wrote to memory of 2440	5088	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe	90
PID 5088 wrote to memory of 2440	5088	0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe	90
PID 2440 wrote to memory of 1960	2440	Bipecnkd.exe	91
PID 2440 wrote to memory of 1960	2440	Bipecnkd.exe	91
PID 2440 wrote to memory of 1960	2440	Bipecnkd.exe	91
PID 1960 wrote to memory of 640	1960	Bagmdllg.exe	92
PID 1960 wrote to memory of 640	1960	Bagmdllg.exe	92
PID 1960 wrote to memory of 640	1960	Bagmdllg.exe	92
PID 640 wrote to memory of 4288	640	Cibain32.exe	93
PID 640 wrote to memory of 4288	640	Cibain32.exe	93
PID 640 wrote to memory of 4288	640	Cibain32.exe	93
PID 4288 wrote to memory of 2008	4288	Cpljehpo.exe	94
PID 4288 wrote to memory of 2008	4288	Cpljehpo.exe	94
PID 4288 wrote to memory of 2008	4288	Cpljehpo.exe	94
PID 2008 wrote to memory of 1008	2008	Cgfbbb32.exe	95
PID 2008 wrote to memory of 1008	2008	Cgfbbb32.exe	95
PID 2008 wrote to memory of 1008	2008	Cgfbbb32.exe	95
PID 1008 wrote to memory of 3076	1008	Cmpjoloh.exe	96
PID 1008 wrote to memory of 3076	1008	Cmpjoloh.exe	96
PID 1008 wrote to memory of 3076	1008	Cmpjoloh.exe	96
PID 3076 wrote to memory of 1356	3076	Calfpk32.exe	98
PID 3076 wrote to memory of 1356	3076	Calfpk32.exe	98
PID 3076 wrote to memory of 1356	3076	Calfpk32.exe	98
PID 1356 wrote to memory of 4588	1356	Cdjblf32.exe	99
PID 1356 wrote to memory of 4588	1356	Cdjblf32.exe	99
PID 1356 wrote to memory of 4588	1356	Cdjblf32.exe	99
PID 4588 wrote to memory of 4156	4588	Cigkdmel.exe	101
PID 4588 wrote to memory of 4156	4588	Cigkdmel.exe	101
PID 4588 wrote to memory of 4156	4588	Cigkdmel.exe	101
PID 4156 wrote to memory of 1608	4156	Ccppmc32.exe	102
PID 4156 wrote to memory of 1608	4156	Ccppmc32.exe	102
PID 4156 wrote to memory of 1608	4156	Ccppmc32.exe	102
PID 1608 wrote to memory of 4804	1608	Ciihjmcj.exe	103
PID 1608 wrote to memory of 4804	1608	Ciihjmcj.exe	103
PID 1608 wrote to memory of 4804	1608	Ciihjmcj.exe	103
PID 4804 wrote to memory of 3484	4804	Cpcpfg32.exe	104
PID 4804 wrote to memory of 3484	4804	Cpcpfg32.exe	104
PID 4804 wrote to memory of 3484	4804	Cpcpfg32.exe	104
PID 3484 wrote to memory of 2812	3484	Cgmhcaac.exe	105
PID 3484 wrote to memory of 2812	3484	Cgmhcaac.exe	105
PID 3484 wrote to memory of 2812	3484	Cgmhcaac.exe	105
PID 2812 wrote to memory of 1208	2812	Cmgqpkip.exe	107
PID 2812 wrote to memory of 1208	2812	Cmgqpkip.exe	107
PID 2812 wrote to memory of 1208	2812	Cmgqpkip.exe	107
PID 1208 wrote to memory of 3624	1208	Cdaile32.exe	108
PID 1208 wrote to memory of 3624	1208	Cdaile32.exe	108
PID 1208 wrote to memory of 3624	1208	Cdaile32.exe	108
PID 3624 wrote to memory of 1088	3624	Dkkaiphj.exe	109
PID 3624 wrote to memory of 1088	3624	Dkkaiphj.exe	109
PID 3624 wrote to memory of 1088	3624	Dkkaiphj.exe	109
PID 1088 wrote to memory of 456	1088	Dphiaffa.exe	110
PID 1088 wrote to memory of 456	1088	Dphiaffa.exe	110
PID 1088 wrote to memory of 456	1088	Dphiaffa.exe	110
PID 456 wrote to memory of 4256	456	Dcffnbee.exe	111
PID 456 wrote to memory of 4256	456	Dcffnbee.exe	111
PID 456 wrote to memory of 4256	456	Dcffnbee.exe	111

C:\Users\Admin\AppData\Local\Temp\0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe
"C:\Users\Admin\AppData\Local\Temp\0b3beeb3db9ed2a98009e2b0d07b734e1862b8a2cf13ab0eb82b16ef73083e15.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Windows\SysWOW64\Bipecnkd.exe
  C:\Windows\system32\Bipecnkd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\Bagmdllg.exe
    C:\Windows\system32\Bagmdllg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\Cibain32.exe
      C:\Windows\system32\Cibain32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:640
    - - C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4256
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 400
        21⤵
        Program crash
        
        PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4256 -ip 4256
1⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4388,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:8
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
77KB

MD5
0118a842a6b5aaea89c0d2f6ed640b90

SHA1
5abef58a85d74e60766a4937cb133d48477e134d

SHA256
f213579091b3569284a99c790ff114235ec1d4bbb2a43f3a127c8d387ff129b5

SHA512
77704a7de4f1897d26e8213a97ba5a102198bf64233ac64eb5efac4872678551f71bf6767edb1a51d2a120a22a2652f5271f51b641645cc1d1d91c58ce4e34c7

Download Submit
C:\Windows\SysWOW64\Bipecnkd.exe

Filesize
77KB

MD5
fb99ad3f1bd3551f03820d8f02b594b5

SHA1
a2fec0347d595a16ae2398dc08f7e7a4013ae4d1

SHA256
7120ea8d76a57ef5cb7d90ff8913520ac2996a648ea29a2a21617a5a3e9893ce

SHA512
8b0ea42c6e2031e83f1a3727ccb86f9dc471eacfa71c40901840affd38634f7ca58338679d7838627e033b661fa7c35093f3928c11428bef1f943c567daff39f

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
77KB

MD5
829a059010b80733a04947787966e383

SHA1
5e759c06c41f964f11772bd1e7de4d7b9de3407c

SHA256
53274620dd7c536fb76103de5e2793619d796b5b6d9974c5597efe7d80417c3b

SHA512
e41921ccf099b90d9dbfcd53fe5f40cfb3150374b2edf8bf8924428b564ec501ea424680b5e87bcc86d34b463e43e8df14456fb1673ca0a20199eda2338dbea0

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
77KB

MD5
1d6802c5383088ef4939a17af7244583

SHA1
3ed827590cc1364d1611cc0f03e78f1ddb324be5

SHA256
4f8ef7b23f402c5b97d13afe3e1515d2c9866f8e31b17d9cf33a1cd82d3ee6ed

SHA512
4db9d88dbd25bbc9218281ded212acc0c001d10b2cba8e669e490aff585236397acef01c428eb03b1f34ebf3564926fcfa5c9b5f2cf17d119f850776a5db3f11

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
77KB

MD5
2796b071b8a2e896c46fccecc7cd68c1

SHA1
d4c2e63cf41f55253e4a434239f45dfb80ef17ad

SHA256
3ccb521fb0a2dbca39945967055eab74b9713eb0f9644a3a44d6b522ae6cf51d

SHA512
1ef7fac7d5658a071102ff5135706a9398ed8bc307d055e12779519a203ad6e3b8ac42120dc4137f0d4391aea37652e422a6a39161eca3aa2b5ec1b9f5291154

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
77KB

MD5
8c77511b18d3c9328d1c9c9da1973292

SHA1
351e24190c05e6415bed26505d1b244f71c01101

SHA256
7654b83204ea7e4a2f5c0c7da8f736de8e2ba3295f04440ae0c2f751a6cd66b8

SHA512
3c8589750d5df5181c07eabc208f2d1bc8feccd63482eddd72f14e00583d59b5ee8ea72d67530694be688a6a7275576a552396030f1925ed2165792da57373f0

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
77KB

MD5
0fbd77f8d5379420f87b05362fa11db2

SHA1
24afec85da35b3b6b43aa03fa3947168d04917e2

SHA256
42e89e3c17c8bedae4256f1449253bfc27a80cf9c55767c618be52dd4e7df9fe

SHA512
8bd14794835cf9159083f9c2826efe41fcd6a138eb121110b3defa07ea1ef52756e211dcd45bdc389478d860af0953126a0b1b2e99440c19735ee6ab535a627f

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
77KB

MD5
4d3298cfac5e7bde0972a02b7b25da66

SHA1
07b3cc93d20da0499e99d8e9a0065599742e6a77

SHA256
114472b25a699e13b1049f0c312946dbbb41f690092853c179fe8c54dc511d3c

SHA512
9309fb4090d564c36d5ab5928eac2cb4e4ff947da4ba644b7a8cd31ecdc2c8aa94271f5aa30a865d98817825d8c4e75f1dc46ace8efc84660b7c01d7a1cecc16

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
77KB

MD5
88ebaac9861b552f3f40608abd4a7de5

SHA1
2c5dbe1fffe2917752cadd54871512af01f7f674

SHA256
0ac04758113d19807744b69ec7c56bfd17c3e57d3c28072050e9ee6f03541c62

SHA512
9b47874759f2fde6faabbfcb55e945da8f86c12abc53119c86fb8afa48f52195ac5e3f169380f14205217b2fd7977483777818dc8fdb14ee6d576ea66bc52117

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
77KB

MD5
bd0806d6c4e30f3e83875473a6f84b87

SHA1
527b5df98166043b98dab5c3ddae8308c6620719

SHA256
e01221237fdc0d3e63a294b5293d348aeda4873c31bd6d41ddbaa20e3c166e95

SHA512
fd3b32ddce1619326758143f4a134da410a9621b84850a384fdb0f1a6768f31a0b8d54ebb238299504d7be14abeac77c72d6cac35c1d9a6c4a8227d22f719b27

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
77KB

MD5
9f6ad5d965cf50e0d1c6c22e0280f54e

SHA1
8207a4737f89437369a1b4cac9378c7042a399c6

SHA256
f48681c584578d6566b1d584e1b129e78db8aa87c69f701f093a5a6499064f6a

SHA512
717c1ee7c7e78d8ba04fae8d270efd2b60ac71775cb6668c6d5abce278e7e90f775f90a5da468900d043f66c839cbc5c053039f61824e0c6c67a18b844a09611

Download Submit
C:\Windows\SysWOW64\Cmgqpkip.exe

Filesize
77KB

MD5
13d021b37e308e1df3aa399af89ce240

SHA1
b4ee15fddcdd45ddd4d14e91c29054f7dd11ed46

SHA256
40bf94d672ca6313b0238c426f613281136801cc0faa23efc69897f93ed9e702

SHA512
ff226bfede6b248e5ba22b093bda6311e43fff1494e7731b518c0e4259f7d12f336b58c90a3f9f407e31b7a019bb4f5d92dcd8723c580dc8edf1401f6b47744d

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
77KB

MD5
686d10e19b48b027c94c1bb0e08fd450

SHA1
e20f1598fdacb1d1927065b2b31ac05ff42178d7

SHA256
05c91c8ed8ab3782b5044d742becc9c95857f0a154b76a91e2e5e437b7059d85

SHA512
71bfeed738bca3fef4c952cee7410348a18d84388de8b539c03883535dd4d6444fbe2080504dcdbd4482e0ca70274dda44953b743d8ad77c57dffea1da0311c7

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
77KB

MD5
8c0369979ffb54b4d317dafe4bb89aef

SHA1
bfd8a1a2e7a7e2cf41ecf0ba0801aeedbe3c8a24

SHA256
b9c0b0819a2698287652caf97f69999d933a53343b00e17366e2e5e9943059e4

SHA512
dff3ec29865d04a3cd15ab7e004c8652178e026484d385a9678cbbf57a2f658dbd3f48ea7ef792d88a68540efcacccb9cffbde0ae1add86e76068240535a0a60

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
77KB

MD5
1260d55458e56a31fdf73a7660b00149

SHA1
e7c4770b21712285be1ab23d43d54c54dc560e37

SHA256
0585a69e82e61e0bcc06e4e4eabff1add59ab74d52a487469755186409cd307c

SHA512
6484fc2cfc0a62f6857ddd7527a52b1c18d018d5f93aedef50f9ce972846eab6b50683e4283a9d249cd0a3f131cf8643b33c1e96783a6282cfef83632d12e775

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
77KB

MD5
2dc297d47f520bcff12ab626e136acd6

SHA1
6431327ce8decb25201386d5efab67e9e9214626

SHA256
6486e01878be8803c06322f508d68fff9764a011bc7f4f8934315999b26c3cde

SHA512
afef463e7baad71c0e21b9d1da59fae18207489b253b3e3ee7dee332b5291e37e0e8e844f7f3792f1a521ae6b9ad54f2724776ec7243c245ae37982d65204a33

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
77KB

MD5
ecd780f8a8aeed3e3497c10b8354e69c

SHA1
c045cc5ccac965646470b1b13dd0b8873d735b6f

SHA256
5a1c9fbd2fb5cc13210b442f974bbb1b7cb35e32fea24c3d94988484c20de46f

SHA512
b3d7d2c66417e4ab4bd818ac7f1ae0891793da18ece63425ddf50290e3e0700c135309867f67217c1008dad3a0d988cb0c3f73507680a3e0a053b4aaec9760e6

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
77KB

MD5
187d169a42c0d55aba9672825f37d82b

SHA1
bd17ac9bb306363e784688c1e9ee1baf18ca7d62

SHA256
c092afbad6fa4d03593d2d4697d27e3e392fa385348ce6fe9885ced6c4bd08ea

SHA512
232cbcab6dbf348b15d3441f65da6d9eefef20bc218b2549daae165bca5aacbca3aab4d48823f1986f5b80cfaf14e3d417f355f344bd8b6cb0636bd9abdaf989

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
77KB

MD5
f48cb511c27f4b037636ce0ce05b5f3f

SHA1
d0eb0d1df8a2a6eea024de87230147c6547496d6

SHA256
75d263e0c9c0dd49eb1047e77262f374b601fd098180cbd047e4da9fe0f8436b

SHA512
f633a4372a57d692fa8b3298bcc1b47e2339f34b5705a7a2bcfd0db39ccbcddf88ba474970d7720fdb60c06c3e63ce12f566b95a083dfc842717f3de248ff278

Download Submit
memory/456-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/456-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1008-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1088-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1208-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1356-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-17-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2008-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4256-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4256-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4588-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4804-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/5088-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads