a98d32804e5910ba10d518b771121caa9ef310f9de70bdfddc4cf6b25b1342ce

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d036476c44f4ce461c0368448466ef40N.exe
Size

96KB
MD5

d036476c44f4ce461c0368448466ef40
SHA1

a9644450abb39b644d681d51e2874cab42ea2049
SHA256

a98d32804e5910ba10d518b771121caa9ef310f9de70bdfddc4cf6b25b1342ce
SHA512

9129f242f6a15165fb5cf9a99a2d6fba82ee534229823dc02d6b8a1fb9bb7769f72678688e64a07c14634573810fc2569e42d6a2753bd68c6b341a5e2a6f8b0c
SSDEEP

1536:9uaUy3xuNaJAcZtAPEiDvFn1rB2LYDaIZTJ+7LhkiB0MPiKeEAgH:9uaRxuNaxZt4zvaAaMU7uihJ5

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d036476c44f4ce461c0368448466ef40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d036476c44f4ce461c0368448466ef40N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmpjoloh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgklmacf.exe

Executes dropped EXE 17 IoCs

pid	Process
1680	Bagmdllg.exe
428	Bbhildae.exe
3600	Cmnnimak.exe
1920	Cpljehpo.exe
3076	Cbkfbcpb.exe
1992	Cmpjoloh.exe
4552	Cdjblf32.exe
732	Cgiohbfi.exe
3212	Cmbgdl32.exe
1768	Cgklmacf.exe
5064	Ciihjmcj.exe
4440	Ccblbb32.exe
2800	Cacmpj32.exe
3588	Ccdihbgg.exe
1168	Dkkaiphj.exe
3752	Dcffnbee.exe
32	Diqnjl32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Cgiohbfi.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Ogajpp32.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	d036476c44f4ce461c0368448466ef40N.exe
File created	C:\Windows\SysWOW64\Adppeapp.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Cpljehpo.exe	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Cmpjoloh.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	d036476c44f4ce461c0368448466ef40N.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Fohhdm32.dll	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Cacmpj32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Acajpc32.dll	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Eiahpo32.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Nepmal32.dll	Cmbgdl32.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	d036476c44f4ce461c0368448466ef40N.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Cgiohbfi.exe
File opened for modification	C:\Windows\SysWOW64\Cgklmacf.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Cgiohbfi.exe
File opened for modification	C:\Windows\SysWOW64\Ccdihbgg.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Dkkaiphj.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dkkaiphj.exe
File created	C:\Windows\SysWOW64\Cgklmacf.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Ciihjmcj.exe	Cgklmacf.exe
File created	C:\Windows\SysWOW64\Ccblbb32.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Bigpblgh.dll	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cpljehpo.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dkkaiphj.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Cgklmacf.exe
File opened for modification	C:\Windows\SysWOW64\Dkkaiphj.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dcffnbee.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2452	32	WerFault.exe	109

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkaiphj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpljehpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnimak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgiohbfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgklmacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d036476c44f4ce461c0368448466ef40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkfbcpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acajpc32.dll"	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d036476c44f4ce461c0368448466ef40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogajpp32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkaiphj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d036476c44f4ce461c0368448466ef40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	d036476c44f4ce461c0368448466ef40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkaiphj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahpo32.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nepmal32.dll"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bigpblgh.dll"	Ccdihbgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d036476c44f4ce461c0368448466ef40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d036476c44f4ce461c0368448466ef40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpljehpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmpjoloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdbbme32.dll"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d036476c44f4ce461c0368448466ef40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagmdllg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohhdm32.dll"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgklmacf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1680	3316	d036476c44f4ce461c0368448466ef40N.exe	91
PID 3316 wrote to memory of 1680	3316	d036476c44f4ce461c0368448466ef40N.exe	91
PID 3316 wrote to memory of 1680	3316	d036476c44f4ce461c0368448466ef40N.exe	91
PID 1680 wrote to memory of 428	1680	Bagmdllg.exe	92
PID 1680 wrote to memory of 428	1680	Bagmdllg.exe	92
PID 1680 wrote to memory of 428	1680	Bagmdllg.exe	92
PID 428 wrote to memory of 3600	428	Bbhildae.exe	93
PID 428 wrote to memory of 3600	428	Bbhildae.exe	93
PID 428 wrote to memory of 3600	428	Bbhildae.exe	93
PID 3600 wrote to memory of 1920	3600	Cmnnimak.exe	94
PID 3600 wrote to memory of 1920	3600	Cmnnimak.exe	94
PID 3600 wrote to memory of 1920	3600	Cmnnimak.exe	94
PID 1920 wrote to memory of 3076	1920	Cpljehpo.exe	95
PID 1920 wrote to memory of 3076	1920	Cpljehpo.exe	95
PID 1920 wrote to memory of 3076	1920	Cpljehpo.exe	95
PID 3076 wrote to memory of 1992	3076	Cbkfbcpb.exe	96
PID 3076 wrote to memory of 1992	3076	Cbkfbcpb.exe	96
PID 3076 wrote to memory of 1992	3076	Cbkfbcpb.exe	96
PID 1992 wrote to memory of 4552	1992	Cmpjoloh.exe	97
PID 1992 wrote to memory of 4552	1992	Cmpjoloh.exe	97
PID 1992 wrote to memory of 4552	1992	Cmpjoloh.exe	97
PID 4552 wrote to memory of 732	4552	Cdjblf32.exe	98
PID 4552 wrote to memory of 732	4552	Cdjblf32.exe	98
PID 4552 wrote to memory of 732	4552	Cdjblf32.exe	98
PID 732 wrote to memory of 3212	732	Cgiohbfi.exe	99
PID 732 wrote to memory of 3212	732	Cgiohbfi.exe	99
PID 732 wrote to memory of 3212	732	Cgiohbfi.exe	99
PID 3212 wrote to memory of 1768	3212	Cmbgdl32.exe	100
PID 3212 wrote to memory of 1768	3212	Cmbgdl32.exe	100
PID 3212 wrote to memory of 1768	3212	Cmbgdl32.exe	100
PID 1768 wrote to memory of 5064	1768	Cgklmacf.exe	102
PID 1768 wrote to memory of 5064	1768	Cgklmacf.exe	102
PID 1768 wrote to memory of 5064	1768	Cgklmacf.exe	102
PID 5064 wrote to memory of 4440	5064	Ciihjmcj.exe	103
PID 5064 wrote to memory of 4440	5064	Ciihjmcj.exe	103
PID 5064 wrote to memory of 4440	5064	Ciihjmcj.exe	103
PID 4440 wrote to memory of 2800	4440	Ccblbb32.exe	104
PID 4440 wrote to memory of 2800	4440	Ccblbb32.exe	104
PID 4440 wrote to memory of 2800	4440	Ccblbb32.exe	104
PID 2800 wrote to memory of 3588	2800	Cacmpj32.exe	105
PID 2800 wrote to memory of 3588	2800	Cacmpj32.exe	105
PID 2800 wrote to memory of 3588	2800	Cacmpj32.exe	105
PID 3588 wrote to memory of 1168	3588	Ccdihbgg.exe	107
PID 3588 wrote to memory of 1168	3588	Ccdihbgg.exe	107
PID 3588 wrote to memory of 1168	3588	Ccdihbgg.exe	107
PID 1168 wrote to memory of 3752	1168	Dkkaiphj.exe	108
PID 1168 wrote to memory of 3752	1168	Dkkaiphj.exe	108
PID 1168 wrote to memory of 3752	1168	Dkkaiphj.exe	108
PID 3752 wrote to memory of 32	3752	Dcffnbee.exe	109
PID 3752 wrote to memory of 32	3752	Dcffnbee.exe	109
PID 3752 wrote to memory of 32	3752	Dcffnbee.exe	109

C:\Users\Admin\AppData\Local\Temp\d036476c44f4ce461c0368448466ef40N.exe
"C:\Users\Admin\AppData\Local\Temp\d036476c44f4ce461c0368448466ef40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\SysWOW64\Bagmdllg.exe
  C:\Windows\system32\Bagmdllg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\Bbhildae.exe
    C:\Windows\system32\Bbhildae.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\SysWOW64\Cmnnimak.exe
      C:\Windows\system32\Cmnnimak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
      - C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Cgklmacf.exe
        
        C:\Windows\system32\Cgklmacf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Dkkaiphj.exe
        
        C:\Windows\system32\Dkkaiphj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:32
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 400
        19⤵
        Program crash
        
        PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 32 -ip 32
1⤵
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4608 /prefetch:8
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
96KB

MD5
039c88bad2e4c2761e30088e6eb70afd

SHA1
da93463497760bd7beb7f448d78957ead7ee70c6

SHA256
608d08296f53b977f01cdb94cb6cd6918a952257f7e5b6be20b297e790452c8e

SHA512
9fcbd50ee9742212881db2718e7ccc522adda11f1bc9303f92b2dbfbba6a5975b94b0b3b977f3f2dc59ae5a3fd674148e75ec084c9938f10533e0990e1c49dbb

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
96KB

MD5
be372095e788af7747071f86d564c5b5

SHA1
a094c7b973494f5bc64730d46567032b88abdb6a

SHA256
29b4f29a2ccdd0a70fc0842ff71c9c2e71efb535c37cf19854fcf8447a2663a0

SHA512
5ab0b27ec865331b594d1554ccb0380e8aefcc4704d2786e083a7bbec65fbffcac3cd587e1937f26a5c376ef6f135eaac05247fcfa2e7aaca3444187827c1c35

Download Submit
C:\Windows\SysWOW64\Cacmpj32.exe

Filesize
96KB

MD5
66016520fb577c18ae13e09b8e85bdb3

SHA1
0ca9b62727092d018c8085ec63b45fb7a149a2f9

SHA256
9203de3e1e6ecc698fecd6cf8a251e0ebcc5bf0b048bac07ccce24953bb0db56

SHA512
6c91acb694ad11d62d4245666562f0829c8c4dd0747b87b5220e20e97e4e19aea00be23303299617d896f1bb25a43431e6e8cd46e9f3a372190ee1d17d6bcd8e

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
96KB

MD5
218e40e8ddcd2592819cff22d8222679

SHA1
d481826fcb9e72a8c4815e93946d4f296a66a671

SHA256
fcb9a1be842009ec6e14e89d3f8c8b6945c85a022d4ba5380f15bd1cc4400780

SHA512
8d4821b1ee2d14c787db3e2d751a82366f4ef11fb02965bd889ca100dcc60ba55264462e424c042bf842af0ad703deb13772275ab045cf63e68775b2249d9cc6

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
96KB

MD5
39207e296851a5899f536911b508bf32

SHA1
55e9888c0862c4d9afe5fb48891015ccadf22b92

SHA256
de02175acf3be8e7ce58c756f9c162b6d3e00f9e915e834e0dfe784917dae28d

SHA512
08d61b357214e370dcceed96c6bae100a90fbffc30ea0fd5d73a8812d9ff049080ff91f9aabbd936f96028af6e2132876f88c5921e37c5e008aa794289ac6250

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
96KB

MD5
f7d22222fa1f615a27a2c90728cb8f4b

SHA1
cc5391f7642411b47786f83efaeace2101d18e6d

SHA256
ffdf7586c841aae7c01fdd9d0c9defb83b29b762a95e51f8f6805787a294b05b

SHA512
8678da0e069c4a45a7c6f3e27d3fd45232db56d76e390004be8bfd7beab7f350c7289f7ef28fd22c8df495949cb87d9edc9f56520bd0c2f16789ece02b759146

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
96KB

MD5
0d6ee8998a29eb2de3e1de1c54e40075

SHA1
6395d95541f0c3b486a7553ea37fbf5c0dfd302c

SHA256
3116b327534109f5d67e4be9f495c47443ded2c845c17cab0789951abdbdce10

SHA512
7976814980ffa0818f689c4a2fd8a17d31e75a67899fe6ca3999b57707b6a2cb8cf3b68dd16021c41a1286b574373a1184b7c4f72e97500faab5d4f99644e478

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
96KB

MD5
4d006d676dc18b0cfa4d1d6b2a1ad493

SHA1
940c1176ebf12d7ee666b315d94fda80b75752b7

SHA256
1007c31eb6da136050832532b70cd963c73a5e697b323dbbad0421807173bd25

SHA512
d053c540ca7bc9ef91325394bafeaaef1c38ac2c2edfefa7e7028eb609a5ecd95bddaebb4a50c9004cc792fdb2539417b5460673a08066b9d2196e84a1482296

Download Submit
C:\Windows\SysWOW64\Cgklmacf.exe

Filesize
96KB

MD5
782f550a2e33a3c4b7c9244446b226c2

SHA1
9162cd9647776c133971efb64683341000db9f20

SHA256
fcaa44db5a5ced5e00c8f285a9b62340c3632573b56d4440cc651878d4cc19ad

SHA512
9734ac47db02fbd0d6ee431eb4893db5a100f0786dd364c4e85d9f0eed6ea3c82ece298abceb97dbe13f67c52a1b7f95c958afc91755796421ec82d07c8498d8

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
96KB

MD5
1db7a194b2d39c99003c348ecced9e77

SHA1
6b5a599395e562ffe15a04c7c58a9d11783b62d9

SHA256
51381c0542b5c6db3f86970f42c99b183376d5392dbaa346e032815c6a6b313f

SHA512
3ca71b951552453e845cb018b89ad9852a90d3c15940a7fb1271c540fa02aa667dd45cbb6914dcf13ddb502db277c20787ec1519d0725ded31d7679b00f30001

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
96KB

MD5
3b0a3afe937a7e49ed64ce1871f55259

SHA1
87fc9c50d9be2a62e1982dcd91464e797dad5be6

SHA256
59763aeb9f8d32715476c783eec3ca139c555073c99b1d00823add7c6b364afa

SHA512
617ae3be9f153043ad6638f8b1eaa3007de87d618069b2433a5a16febfc1699294ce78dbde47716632dd70c852fe03655633b8d2fb11796a522144d3ccf30b3d

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
96KB

MD5
90855a47ca5c1f0111a2d1324aad47d0

SHA1
5c37674f2cfcf0edc0c8f5bedd5c4e498c8ec5dc

SHA256
9b35e81f74dbd3aa410f6581f8bfc65e75d523f950415e706c564fd757f95777

SHA512
1c161065537602854722b15242a494505b63c6b546ac5a05bf97aafe0fd6b3b53127f0c57f02ed44fff24a2093417940ee72ccc18c3dbd89d5842e8cf4302e27

Download Submit
C:\Windows\SysWOW64\Cmpjoloh.exe

Filesize
96KB

MD5
f180d32068cae2131582c6a6bc75fe4b

SHA1
0a5800b3b2056cbeb8266ff51065cb1c804d433f

SHA256
4c3a9702354dee7368af40e83cbdb62b6ea46489ef370b7310528c025b8c4247

SHA512
e514e10246c932bb0237ca20348999a98c67e6d184abd1e3e2b966aff27a2587364d0848aa2b7bcf5a2af7e3df2076eb3434595a1bee84a5083a60be8a08a26d

Download Submit
C:\Windows\SysWOW64\Cpljehpo.exe

Filesize
96KB

MD5
e69314dd77474facff8d0ac7d0ebaadb

SHA1
65ee03c8f1cb317b4ce294a26c514d0f57138e7d

SHA256
7dc121c32dc0378cd3674d92e9b60678d424492b28aa1a261060f8798ac66f69

SHA512
179323c96ca18296d61421c6f834fc58737db57bd98fea64fe797c8257582ababfe711bfb2c2aa5bd4704c99953651791c1283f5c4cf8bd45b20f46e6f864d55

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
96KB

MD5
3bda69d7e71ad1ae7ff83535bfb99597

SHA1
a8f4f68afe8de47da13c8009d1f6ec963391f2f8

SHA256
c7f5a4778e75c464b583175db29607df46f3c8fe41fa29c3dce2d50a12e6b7d2

SHA512
d19fd703144a704c1e5c64a99d11713a029a445f8c02c5d94dc30818889f93798afe5cc3357eeb11cbe8db7de17aa546eceb95835bcdaa7fda84e47d8c1e713b

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
96KB

MD5
b370dc2cb4523fa4d4477d22d9e6fc56

SHA1
facd27a57cb89d1ac1e88ad76fcc293b9ce0c6d7

SHA256
73838d3f1381c13eb81f4f7227fc0bb1f0dca2faf398067a9cc6d8596018533c

SHA512
f00b5d9de00a6678af98d8cf95d2e121acdc7a25d76ad47d24713131d8b75f2cc5f3d399f2050386630c253d2acb42a8ae354ba4dfa3023a71e1a95e989ca481

Download Submit
C:\Windows\SysWOW64\Dkkaiphj.exe

Filesize
96KB

MD5
cf1e4ce9c1eb6729ddd3757af01ce131

SHA1
82ef7cdcaa61ab0252b2d567f791ffa15d1c2736

SHA256
1dd36f6d597c9e4e37f51e6484168bc18f35c7bd138518f6f9ad8ea51ded53a2

SHA512
40ad44f1d73c790f2ce7711929c739d0daf6fa408bbe477f15b825fc180b114f0e062d8e723f87bd221daec1c1005c92d43373d7c4cbd249c58a44d862248d42

Download Submit
memory/32-146-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/32-145-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/428-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/428-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/732-65-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/732-155-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-148-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1168-127-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1680-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-82-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1768-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1920-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1920-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-49-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1992-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2800-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2800-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3076-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3076-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3212-154-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3316-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3316-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-149-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3588-118-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3600-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3752-136-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3752-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-150-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4440-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4552-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4552-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-151-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-90-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads