138fa02a1736ed5da6b034a042d16c5bba45ea39856fa7c3919064cc3cb23319

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60434a40a0fabc9d98c7d4403267ca10N.exe
Size

128KB
MD5

60434a40a0fabc9d98c7d4403267ca10
SHA1

7d0f013e529e7a22ea4c0feccc7abd8e2c592196
SHA256

138fa02a1736ed5da6b034a042d16c5bba45ea39856fa7c3919064cc3cb23319
SHA512

ecb78e6a9eddadb2f6a0c4529c48cd9187e9bf1f548ed531a599ddc9bb440c8e073a0f6ba5219ad9c34015e39d2cebf3179e416dcf57296378a78125ef251110
SSDEEP

3072:LoPePihhkNUuav9Kr+EDd1AZoUBW3FJeRuaWNXmgu+tB:LWLi+2dWZHEFJ7aWN1B

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	60434a40a0fabc9d98c7d4403267ca10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	60434a40a0fabc9d98c7d4403267ca10N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckggnp32.exe

Executes dropped EXE 17 IoCs

pid	Process
1152	Bgdemb32.exe
5036	Cpljehpo.exe
1584	Ckbncapd.exe
1196	Cmpjoloh.exe
1036	Ccmcgcmp.exe
912	Cigkdmel.exe
976	Cpacqg32.exe
1500	Ccppmc32.exe
4148	Ckggnp32.exe
2504	Caqpkjcl.exe
812	Cildom32.exe
2540	Cacmpj32.exe
4488	Cdaile32.exe
3588	Ccdihbgg.exe
1552	Dinael32.exe
1968	Dgbanq32.exe
4056	Diqnjl32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ghfqhkbn.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Fdakcc32.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cdaile32.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	60434a40a0fabc9d98c7d4403267ca10N.exe
File created	C:\Windows\SysWOW64\Cpacqg32.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Cmpjoloh.exe	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Dinael32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Dccfme32.dll	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Fbcolk32.dll	Cmpjoloh.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Cildom32.exe
File opened for modification	C:\Windows\SysWOW64\Dinael32.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Cpacqg32.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Ckbncapd.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Cpacqg32.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Cpacqg32.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Ccmcgcmp.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	60434a40a0fabc9d98c7d4403267ca10N.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Ogajpp32.dll	Ckbncapd.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	60434a40a0fabc9d98c7d4403267ca10N.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Ccmcgcmp.exe

Program crash 1 IoCs

pid	pid_target	Process
2984	4056	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccppmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpacqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60434a40a0fabc9d98c7d4403267ca10N.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	60434a40a0fabc9d98c7d4403267ca10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	60434a40a0fabc9d98c7d4403267ca10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	60434a40a0fabc9d98c7d4403267ca10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpagekkf.dll"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakcc32.dll"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcolk32.dll"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	60434a40a0fabc9d98c7d4403267ca10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	60434a40a0fabc9d98c7d4403267ca10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccppmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	60434a40a0fabc9d98c7d4403267ca10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caqpkjcl.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1152	2716	60434a40a0fabc9d98c7d4403267ca10N.exe	91
PID 2716 wrote to memory of 1152	2716	60434a40a0fabc9d98c7d4403267ca10N.exe	91
PID 2716 wrote to memory of 1152	2716	60434a40a0fabc9d98c7d4403267ca10N.exe	91
PID 1152 wrote to memory of 5036	1152	Bgdemb32.exe	92
PID 1152 wrote to memory of 5036	1152	Bgdemb32.exe	92
PID 1152 wrote to memory of 5036	1152	Bgdemb32.exe	92
PID 5036 wrote to memory of 1584	5036	Cpljehpo.exe	93
PID 5036 wrote to memory of 1584	5036	Cpljehpo.exe	93
PID 5036 wrote to memory of 1584	5036	Cpljehpo.exe	93
PID 1584 wrote to memory of 1196	1584	Ckbncapd.exe	94
PID 1584 wrote to memory of 1196	1584	Ckbncapd.exe	94
PID 1584 wrote to memory of 1196	1584	Ckbncapd.exe	94
PID 1196 wrote to memory of 1036	1196	Cmpjoloh.exe	95
PID 1196 wrote to memory of 1036	1196	Cmpjoloh.exe	95
PID 1196 wrote to memory of 1036	1196	Cmpjoloh.exe	95
PID 1036 wrote to memory of 912	1036	Ccmcgcmp.exe	96
PID 1036 wrote to memory of 912	1036	Ccmcgcmp.exe	96
PID 1036 wrote to memory of 912	1036	Ccmcgcmp.exe	96
PID 912 wrote to memory of 976	912	Cigkdmel.exe	97
PID 912 wrote to memory of 976	912	Cigkdmel.exe	97
PID 912 wrote to memory of 976	912	Cigkdmel.exe	97
PID 976 wrote to memory of 1500	976	Cpacqg32.exe	98
PID 976 wrote to memory of 1500	976	Cpacqg32.exe	98
PID 976 wrote to memory of 1500	976	Cpacqg32.exe	98
PID 1500 wrote to memory of 4148	1500	Ccppmc32.exe	99
PID 1500 wrote to memory of 4148	1500	Ccppmc32.exe	99
PID 1500 wrote to memory of 4148	1500	Ccppmc32.exe	99
PID 4148 wrote to memory of 2504	4148	Ckggnp32.exe	100
PID 4148 wrote to memory of 2504	4148	Ckggnp32.exe	100
PID 4148 wrote to memory of 2504	4148	Ckggnp32.exe	100
PID 2504 wrote to memory of 812	2504	Caqpkjcl.exe	102
PID 2504 wrote to memory of 812	2504	Caqpkjcl.exe	102
PID 2504 wrote to memory of 812	2504	Caqpkjcl.exe	102
PID 812 wrote to memory of 2540	812	Cildom32.exe	103
PID 812 wrote to memory of 2540	812	Cildom32.exe	103
PID 812 wrote to memory of 2540	812	Cildom32.exe	103
PID 2540 wrote to memory of 4488	2540	Cacmpj32.exe	104
PID 2540 wrote to memory of 4488	2540	Cacmpj32.exe	104
PID 2540 wrote to memory of 4488	2540	Cacmpj32.exe	104
PID 4488 wrote to memory of 3588	4488	Cdaile32.exe	105
PID 4488 wrote to memory of 3588	4488	Cdaile32.exe	105
PID 4488 wrote to memory of 3588	4488	Cdaile32.exe	105
PID 3588 wrote to memory of 1552	3588	Ccdihbgg.exe	106
PID 3588 wrote to memory of 1552	3588	Ccdihbgg.exe	106
PID 3588 wrote to memory of 1552	3588	Ccdihbgg.exe	106
PID 1552 wrote to memory of 1968	1552	Dinael32.exe	107
PID 1552 wrote to memory of 1968	1552	Dinael32.exe	107
PID 1552 wrote to memory of 1968	1552	Dinael32.exe	107
PID 1968 wrote to memory of 4056	1968	Dgbanq32.exe	108
PID 1968 wrote to memory of 4056	1968	Dgbanq32.exe	108
PID 1968 wrote to memory of 4056	1968	Dgbanq32.exe	108

C:\Users\Admin\AppData\Local\Temp\60434a40a0fabc9d98c7d4403267ca10N.exe
"C:\Users\Admin\AppData\Local\Temp\60434a40a0fabc9d98c7d4403267ca10N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\Bgdemb32.exe
  C:\Windows\system32\Bgdemb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\Cpljehpo.exe
    C:\Windows\system32\Cpljehpo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\SysWOW64\Ckbncapd.exe
      C:\Windows\system32\Ckbncapd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1584
    - - C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4148
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4056 -s 412
        19⤵
        Program crash
        
        PID:2984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4056 -ip 4056
1⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3264,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4180 /prefetch:8
1⤵
PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
128KB

MD5
d8834adf0744e49722c50c63c663e353

SHA1
ca883ae2fa1e8bc3a9359f9716b2d95c0f8363a1

SHA256
f3d9da432a98e48a123031c30fc8efca28f428d1b793590a1e49e300a87d1b73

SHA512
62d14fe5d04056c259844d35785871c0c9033306f35dee911aa7511643b73c63fbafb114b3cb6bac9bfdab4905c55e3afe532d1eece9e2e1e579c152bd3d9400

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
128KB

MD5
8173788661ee6fc7960847d7c51e5670

SHA1
8afd0c79e382761b4f134552ca7a65e8cc83d208

SHA256
72b18edde9924f643d068435f77acc206a541cbdc672721e157f4866cf801a0c

SHA512
d86ea8bf432fcd6bf280382e9ac1e47c5fa965d1a1f989bb64bb72464c74c7ebce579848468817b81d0763026c25a0912c77073c3081b67741dcf3ca3e51b8ba

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
128KB

MD5
d46fe4416d01dcea3c834e2c65ec24e7

SHA1
ac0e6506dc73ecc2cc200eb3863c8b3d60d29beb

SHA256
8e1ff552db6f19fed558454491d194ae326feb54a9a34cef621351f2f49e3478

SHA512
2c77f73af71e342586c62ed0df96a92599c03826f5a0c567f28313d214a2efe5c6e19efb1df35b2f72097d01a51deabeb88fdc8649d70e7c183d4448eb13874b

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
128KB

MD5
5b04a74aacbbb86c865a774640865e7e

SHA1
fda935877a4385237f9bc25beb0cfd08f3cc97cf

SHA256
79bab958c98d0fe267bfe454346faa6b88cb60c7c216d71ec7f8a7c7124678fd

SHA512
fd487defab4074df6d9fdb0ed14d86c794ecd4f72390dae3fde1b60a2aa0fae633b9272edfaea28b90c6665bc67208ede873d3b0958e2ce1f8b0bfcfea617e02

Download Submit
C:\Windows\SysWOW64\Ccmcgcmp.exe

Filesize
128KB

MD5
27df222c95280e2e31dac2ee74c4159f

SHA1
3be72c54a6825631049bda624223822cbf44ffbe

SHA256
2e6bda7ed080d643a3c7dbbdce55c8117136040f08b6722b095e398be2b9531c

SHA512
5945fc5054b63c38d59967a70abb929b82cc0a37d02693a34dd7f9d2de7bab29ce7081e33ff5aa981013443bb0a6809fd43a38f0e563b13bd37bbee3317360bc

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
128KB

MD5
dad8ea3f46d8a25455f5c0fdae35c2fd

SHA1
05d30b338611fed563d1a052232f16e83a34adb7

SHA256
655ddf8a4f6a87bc1606653cf312b6d069d2acf12aed3e51c2711aa5976ed904

SHA512
971e28a162a6b9fa638f3808f894feca45a50ebbdd27660dc37d3dca6cf46824cd014888fe8459624cb940d5d84fe777b637c7836b8942b2898966dbfd4d6602

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
128KB

MD5
03091620fee7277e2a14f5053b833c14

SHA1
8ea097df8fb8dc4322e737810f807939a78efa67

SHA256
56d1ba9f43535d29e7e6f04b68c6cd7a48d0936ef0e4c4aa0288f72a33a428ed

SHA512
056b43e553a15866f2bd946d35c6d1c31105891be8cc6c2f2223f22ed0a0c00e6c734d77dc1e01a8b01167fb3ba28b2256728e1e4330b27bf931eba4561b8fe5

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
128KB

MD5
ff0d1ebc7e4b07a6f1d17bf25098014a

SHA1
8122879e17d26869c317f26ed0749caa9370def9

SHA256
a7f4df86bc9205fbef0ef3fa509dc76072d6c761b79db27a296be36dfd4c46bc

SHA512
0e1e1d3e8cfd5ffd700d39da87fdf101e37a2da217a69113ea9c36e4446842b47fab96a1c7db593f0b0929092e3e8a66b47a990aa9c28e34f8ff0c3fe50d0bd7

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
128KB

MD5
195415129ed6b9b1764042a0ec10a85f

SHA1
90f2ad543054630fddc0299837ac04f0d8afccf3

SHA256
6112456c9129ef7a7a9e9fb7750914dd51fa70c919d11e918052d94ecd96d66c

SHA512
5aa26b370686614d04422f759e0bbaa5c03d5ca4fa0fa4463d4de56d1c14b3786565e1317471cae504478dc5eb3bc02a7791153d6cee2d3784d4f3a2eb91c619

Download Submit
C:\Windows\SysWOW64\Ckbncapd.exe

Filesize
128KB

MD5
ac5431a27b7feb729d8a80f977c32ef8

SHA1
af39d9024d0464259392c9beff1937258766a318

SHA256
a5ded77fa8ba7a1ff351a6ed626b0daf0be799fccd7d38429ea54c8c5785e7f9

SHA512
9322ec89d7db47ef4cac9cf737fcc773718197e329c1a62c7fd8718769efc86633bcde8f49161ac62cd7cc536035c6d906d44864f0a152cd62286df2a7e6b9ca

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
128KB

MD5
8b0a0e906a4fd4d9fa8511ac9b622281

SHA1
33fbe534bcd35590489e0654e95dd95925452877

SHA256
15b46e4579ce05053e69c6c13b4b24a61eebe1a0791b33478b218109f6443885

SHA512
4099b6fd193733a78ff0bb6328a1f01c21aed6bee4ab8308f1ad71458c7854332dec66c047bb561dddb66a2f74d177d70f40098f9106a69d2a709dc01cfc1655

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
128KB

MD5
3ae23af04b718a4338185e49162661e3

SHA1
550d938b6b8185bfa8a4e8ad6f854a728d301bd5

SHA256
99c9d724b0f6bfc33f23cf231ff0a2ce44fefac108ffc482c12f5619d3731646

SHA512
98ea5fde016a0fab0a25df47f7783a5f4deec10e27c80eb473609d58b8f8b245b1fd3c45a08ac6475c55ed842c766909508354e4886d46c6483d84c47af0cf82

Download Submit
C:\Windows\SysWOW64\Cpacqg32.exe

Filesize
128KB

MD5
eee75b892718fa0456cc113983d6152d

SHA1
5089d2b390988d162b8cc7fe1394b16fed21165d

SHA256
e9054fdbb6ab691ab1eced3414adb647bb5986630d9a9b6ab6f8e377d870c16f

SHA512
a731ce19ea130e282c87b789c0889c10ac33bbe5bf0620d4fe3d2adb2ee6ad31fd9e8304b94978e18cc3f93a1effb2e37efbbbe622d66d587dcbece7c8992039

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
128KB

MD5
025fd3ab294e08fd19618be5bf036e5c

SHA1
e830e912d048767dceb9fc23756792a507ffbcdf

SHA256
6cb0d2052b344e220073b744fa4bf97abbbcaa4e64adb1fa016bbdb914160c59

SHA512
fc219725ec47392e1fe473e50142883ff3580942a2c244ca8c2937f61e11bf3817343a163a9655237675338f3c7e0ef621d0452ca3b5e9f46684795d82f897bc

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
128KB

MD5
8ef27d55e625e8b952bb6af30c6ab2af

SHA1
6cce406621c2c479d885f1158366d3bef0924458

SHA256
4972ac56036d126a2e4937e7b6ca4b0c96f82323b92f0d7913ef92762cc1b62d

SHA512
6706cd5cddcf67247ecfccd42aedef8cd258c375d23891ba5479c6a6a15a2c0613751185bfee5d2d46ff9101ae830f8e3a29a6fd646d15f66b58f5b42e127062

Download Submit
C:\Windows\SysWOW64\Dinael32.exe

Filesize
128KB

MD5
ff015dbf70c9538f476448ad96da6fc3

SHA1
144e24f6f561c6d29d026717cbb88f35511b0dc8

SHA256
1835c06418dacb621d833f7d2f950a824397c7913480b027173d631aacd6ea88

SHA512
3941c9d0c2c874c479e549cb46bcc5e3abe65fb2d959e175086f13c2efe31648c6f72723d84e3a2496ccce5e0747aada142437fd0402efa1c75fb6c6a5475781

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
128KB

MD5
0368b6ee80a3343e3bfa776121baf08f

SHA1
905b4e599e0a288f955adb963aa0b867f2467855

SHA256
d7001e7e846ed986345c4356831197dacac01434d048bedaefa6608c5f7c6316

SHA512
ba679e0d5a29d5e29c4923e6dd77b9f0a8f3f428ca78a4dd8880f3efb7e4ae23617994f24231c7b448dd31e43295ca07ef70960c16d61f82abaf3ee050080536

Download Submit
C:\Windows\SysWOW64\Fbcolk32.dll

Filesize
7KB

MD5
e52fd7ffd05c68e334ae8a0a45f730c0

SHA1
2f7efe1d66f69412a612873663c8e19e24821ca9

SHA256
55d643f8a7f3bbfec1b3da9f3761055a9a8ab3087b7ba7f81aa9db93fe71b198

SHA512
d3b6d1872aa2848e2487526b4bad8ba3d7cf97900f84ee5160410389a4b28d076529386870ffb96d20ee380372939384559498fefbb0a77c13bfd799800632af

Download Submit
memory/812-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/812-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/976-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/976-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1036-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1152-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1196-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1196-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1500-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1552-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1584-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1584-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1968-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2504-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2504-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2716-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3588-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3588-114-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4056-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4148-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5036-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5036-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads