c16090dfbf291e0372c9e2cd72a725ee6a4a8ce9aa4c9176e79df9bcf294806b

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/09/2024, 17:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

db56a7df25b8af345b56756232979660N.exe
Size

96KB
MD5

db56a7df25b8af345b56756232979660
SHA1

a06a4849744a88f14c626464cff9471e9dcf90b8
SHA256

c16090dfbf291e0372c9e2cd72a725ee6a4a8ce9aa4c9176e79df9bcf294806b
SHA512

84cf4984c403af9dda75207e2daba3f0e9b0c5fe3767f61d627263f041950c70d946950543269f850e2e2abc181fc96dd8d953c84906e3b2e30005c1c353964c
SSDEEP

3072:ynFkznzyvPwglSlnhKlkG5Lp+d69jc0v:MozEVcYp+d6NV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	db56a7df25b8af345b56756232979660N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bipecnkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	db56a7df25b8af345b56756232979660N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cildom32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cigkdmel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdmoafdb.exe

Executes dropped EXE 17 IoCs

pid	Process
5024	Bipecnkd.exe
220	Bdeiqgkj.exe
4844	Cibain32.exe
1848	Cajjjk32.exe
4328	Cgfbbb32.exe
396	Calfpk32.exe
2868	Cdjblf32.exe
2564	Cigkdmel.exe
2016	Cdmoafdb.exe
1004	Ckggnp32.exe
2816	Cdolgfbp.exe
4016	Cildom32.exe
432	Cdaile32.exe
2972	Dinael32.exe
4780	Daeifj32.exe
4852	Dgbanq32.exe
1168	Diqnjl32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Anbgamkp.dll	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Bcidlo32.dll	Cajjjk32.exe
File opened for modification	C:\Windows\SysWOW64\Dinael32.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Dccfme32.dll	Cdaile32.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Cigkdmel.exe
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File opened for modification	C:\Windows\SysWOW64\Cdolgfbp.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Daeifj32.exe
File created	C:\Windows\SysWOW64\Cgfbbb32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Cildom32.exe	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Cgfbbb32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Cildom32.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Lncmdghm.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Cibain32.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Daeifj32.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dgbanq32.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Bipecnkd.exe	db56a7df25b8af345b56756232979660N.exe
File opened for modification	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Cigkdmel.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdmoafdb.exe	Cigkdmel.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Bipecnkd.exe	db56a7df25b8af345b56756232979660N.exe
File created	C:\Windows\SysWOW64\Qdqaqhbj.dll	db56a7df25b8af345b56756232979660N.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bipecnkd.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bipecnkd.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cildom32.exe
File created	C:\Windows\SysWOW64\Mnokmd32.dll	Dinael32.exe
File created	C:\Windows\SysWOW64\Jlojif32.dll	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Cildom32.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cgfbbb32.exe
File created	C:\Windows\SysWOW64\Daeifj32.exe	Dinael32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	1168	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db56a7df25b8af345b56756232979660N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgfbbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cildom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bipecnkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calfpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cigkdmel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdeiqgkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinael32.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgfbbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	db56a7df25b8af345b56756232979660N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bipecnkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	db56a7df25b8af345b56756232979660N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlojif32.dll"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcidlo32.dll"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	db56a7df25b8af345b56756232979660N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll"	Daeifj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	db56a7df25b8af345b56756232979660N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncmdghm.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokmd32.dll"	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bipecnkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cigkdmel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	db56a7df25b8af345b56756232979660N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bipecnkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgfbbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdqaqhbj.dll"	db56a7df25b8af345b56756232979660N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Cildom32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 5024	3236	db56a7df25b8af345b56756232979660N.exe	90
PID 3236 wrote to memory of 5024	3236	db56a7df25b8af345b56756232979660N.exe	90
PID 3236 wrote to memory of 5024	3236	db56a7df25b8af345b56756232979660N.exe	90
PID 5024 wrote to memory of 220	5024	Bipecnkd.exe	91
PID 5024 wrote to memory of 220	5024	Bipecnkd.exe	91
PID 5024 wrote to memory of 220	5024	Bipecnkd.exe	91
PID 220 wrote to memory of 4844	220	Bdeiqgkj.exe	92
PID 220 wrote to memory of 4844	220	Bdeiqgkj.exe	92
PID 220 wrote to memory of 4844	220	Bdeiqgkj.exe	92
PID 4844 wrote to memory of 1848	4844	Cibain32.exe	93
PID 4844 wrote to memory of 1848	4844	Cibain32.exe	93
PID 4844 wrote to memory of 1848	4844	Cibain32.exe	93
PID 1848 wrote to memory of 4328	1848	Cajjjk32.exe	94
PID 1848 wrote to memory of 4328	1848	Cajjjk32.exe	94
PID 1848 wrote to memory of 4328	1848	Cajjjk32.exe	94
PID 4328 wrote to memory of 396	4328	Cgfbbb32.exe	95
PID 4328 wrote to memory of 396	4328	Cgfbbb32.exe	95
PID 4328 wrote to memory of 396	4328	Cgfbbb32.exe	95
PID 396 wrote to memory of 2868	396	Calfpk32.exe	96
PID 396 wrote to memory of 2868	396	Calfpk32.exe	96
PID 396 wrote to memory of 2868	396	Calfpk32.exe	96
PID 2868 wrote to memory of 2564	2868	Cdjblf32.exe	97
PID 2868 wrote to memory of 2564	2868	Cdjblf32.exe	97
PID 2868 wrote to memory of 2564	2868	Cdjblf32.exe	97
PID 2564 wrote to memory of 2016	2564	Cigkdmel.exe	99
PID 2564 wrote to memory of 2016	2564	Cigkdmel.exe	99
PID 2564 wrote to memory of 2016	2564	Cigkdmel.exe	99
PID 2016 wrote to memory of 1004	2016	Cdmoafdb.exe	100
PID 2016 wrote to memory of 1004	2016	Cdmoafdb.exe	100
PID 2016 wrote to memory of 1004	2016	Cdmoafdb.exe	100
PID 1004 wrote to memory of 2816	1004	Ckggnp32.exe	101
PID 1004 wrote to memory of 2816	1004	Ckggnp32.exe	101
PID 1004 wrote to memory of 2816	1004	Ckggnp32.exe	101
PID 2816 wrote to memory of 4016	2816	Cdolgfbp.exe	103
PID 2816 wrote to memory of 4016	2816	Cdolgfbp.exe	103
PID 2816 wrote to memory of 4016	2816	Cdolgfbp.exe	103
PID 4016 wrote to memory of 432	4016	Cildom32.exe	104
PID 4016 wrote to memory of 432	4016	Cildom32.exe	104
PID 4016 wrote to memory of 432	4016	Cildom32.exe	104
PID 432 wrote to memory of 2972	432	Cdaile32.exe	105
PID 432 wrote to memory of 2972	432	Cdaile32.exe	105
PID 432 wrote to memory of 2972	432	Cdaile32.exe	105
PID 2972 wrote to memory of 4780	2972	Dinael32.exe	106
PID 2972 wrote to memory of 4780	2972	Dinael32.exe	106
PID 2972 wrote to memory of 4780	2972	Dinael32.exe	106
PID 4780 wrote to memory of 4852	4780	Daeifj32.exe	107
PID 4780 wrote to memory of 4852	4780	Daeifj32.exe	107
PID 4780 wrote to memory of 4852	4780	Daeifj32.exe	107
PID 4852 wrote to memory of 1168	4852	Dgbanq32.exe	108
PID 4852 wrote to memory of 1168	4852	Dgbanq32.exe	108
PID 4852 wrote to memory of 1168	4852	Dgbanq32.exe	108

C:\Users\Admin\AppData\Local\Temp\db56a7df25b8af345b56756232979660N.exe
"C:\Users\Admin\AppData\Local\Temp\db56a7df25b8af345b56756232979660N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Windows\SysWOW64\Bipecnkd.exe
  C:\Windows\system32\Bipecnkd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\Bdeiqgkj.exe
    C:\Windows\system32\Bdeiqgkj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\SysWOW64\Cibain32.exe
      C:\Windows\system32\Cibain32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\SysWOW64\Cgfbbb32.exe
        
        C:\Windows\system32\Cgfbbb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Cigkdmel.exe
        
        C:\Windows\system32\Cigkdmel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Cildom32.exe
        
        C:\Windows\system32\Cildom32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 412
        19⤵
        Program crash
        
        PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1168 -ip 1168
1⤵
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4400,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=3864 /prefetch:8
1⤵
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcidlo32.dll

Filesize
7KB

MD5
3eb7545e1b59fd72567ab499e594ab9c

SHA1
7b487b7d519dbeed55fd9d1e544a8073a3c69e4b

SHA256
0e114cc704a48ff3b4de3c1ca887a3e04d48ae9d63bbb31de4be9a2c53021fb8

SHA512
537f1797fe8a652ad0bf231f0e65f26ddfefa58a53021e31b2ddde7adc83c365e14690ddd34f979203c763c72c3751edb76d1b462ee593e53ed4391b62d9200b

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
96KB

MD5
9812a65e468b365ac6176920fed057e8

SHA1
c8fd43f0537caa8a6f28eb706167092d9bb75088

SHA256
f0cad419fef2d3bb81eeae3fcfd1b9ab5cfadf146d487ec8c6680fefab6e1ddd

SHA512
18e0690f6f8bed5d2ecbf7cea1f021c3026a4eb152655db3e8be5b29e108b9635d7ee6797a57728c035ed52366fcab43c28aa21e0809e5ce58f955fc1bca7204

Download Submit
C:\Windows\SysWOW64\Bipecnkd.exe

Filesize
96KB

MD5
0fb470fa5cca0e1f509b45ad2078a1ea

SHA1
fcc3095f49190cc8b4b76b2cbc35338f54faf825

SHA256
2bdadc845f9018a6a94c170a5adeb79d2506b85ad8dab8baa30fcc8484bae46f

SHA512
18f24bb60f6f2246fab10e019f30fa9d3f7d9e867893da46650bca8fb43389f2cb5ecf3cb26ef97a6634b85e9f2dd6a20def91c5d6e7dd8d3025ed9faf7c8a3e

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
96KB

MD5
2aa129bbea223d8c41f3ea1ba5146d29

SHA1
844a9c8e18a0ab3150e49dbaa48794b844a2ace5

SHA256
72f3f36ee64600aa25f40906baecf88cf2c3a32bdb621b909a1d3453e337c6e7

SHA512
a77ddf59533c4b5a02ff83d9c69f8a3de625596deac62a4c2fa852e750e992ceb8680cf416a9499ca0d5f3f3628c1cdb8768c9f93a6175beb9b9a86329677ab4

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
96KB

MD5
8b6bdf9504355c843926f803161cc28e

SHA1
4cbe8b62b5116e5f8fd31073a7b84802e4e285ad

SHA256
e63713c8053b7bbcfe57ae65a6e14707166d02ec03de692a1296ff3cf18ef7fc

SHA512
fbcc918932d6bce2fdecb5e0e4aeea593755e18ebdf9976fa8b70589391f7e0053208dff7a057510b1b810b336448922235d457f83081cdb9d693642c3797a8f

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
96KB

MD5
51fec73400f0b1aee09aa17232d1afd8

SHA1
97f071e9023f7db5ba46650196370d065b9c5302

SHA256
b6a886085c3413def17c243739e4e02baac9755e4da5d341356b4284327bc341

SHA512
929480528e7a26f8415a6ef6af295bfb610f2fd4783c20ab0e1d77c5131826abf637bd3b62f415d97993090bab08d93c856bc34d3ac871434ee8dd7247202576

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
96KB

MD5
d32331d8cb0d04b388bb0b0896e6bb92

SHA1
d42503252d3818155a3cbe78a89a4b53a7c12df2

SHA256
9956be7c685fc66aee84e0fd84f7e6459c44a3808036f3b1940da6add757c88f

SHA512
14b07342c0fb142337e2b6572acbf946a353765a4de74b687cb7974d9e343549ba96e9ecf3070e722536ae4fef496050b2634f67171a5187fcf3049014887083

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
96KB

MD5
228c8c0fbe81af201ca8006587813dcb

SHA1
bd22cc425f7b0abaf7883dd27edc7311a4897883

SHA256
549f2803ea2f8d1d4e798bc724a8bcc5f6969772d74a8c19cebd875f0dd35e7e

SHA512
ede0d2fa1b925f555fcde37416eaff806be518e200cc682c06907a7f696ec5c662ec40d3fd739349af29af002540b3591f40da25960d9e7e7c8d39456d1186ac

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
64KB

MD5
ab161ef0df4a30c53653c3e18737623d

SHA1
bb297598d02cc7d9fd97c15f40d5d9f54c4517e1

SHA256
37e92115f2e3eb701ea0587a5c45d023954ecf683b4c6bef41f35859813c1848

SHA512
f8ae81105a45edd3a5924550f89744c1ecd6a6718ae89269c4a8686280560d2df88b25870d1b60613e8126bc6a81f8f74740bd51b1e919af5f2056c4f8e11500

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
96KB

MD5
8b50455ca740b525e373087511cfd170

SHA1
87b8dc64e381cc1a57c1c879a5f0ebe1e35c7a44

SHA256
390b27c9f7b61fcc238c56f94dfb2ed38989eb48d797f29eae2ffbedff5c008c

SHA512
431fef45cbb19459a7d08efdca0148fde7d0cfe0dcc99dd1fb30dad33988cfbee0d1d08abead3b6ea86ecd1dcc35321734bb1732ba209dfc4631fb64232c66a4

Download Submit
C:\Windows\SysWOW64\Cgfbbb32.exe

Filesize
96KB

MD5
37407a2b41c0f5c34f0f738cc88d4dd4

SHA1
7c1b23541e45da5388f89309cfba73d493f570d3

SHA256
4dacc03f6a57637487c8eec6cfe967acb7f744a20fb5b6ab2002652554058105

SHA512
876b61ac7a35315a3c956b403c3a86419e71891d3b272948e34f6f10898d607ff4a2adac5a6cb417789e8f1bcb0980d1046c96cdd6f066eb9f435aa5187f1c27

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
96KB

MD5
9401022682b5ab7098cd0d3da6a81ccb

SHA1
b468f4d4dfb805de10c87053055cd785328b0729

SHA256
3bb2275efe92fa7365781c0da76571569a62e9bc43b9a5004453b23792a476de

SHA512
5011b7bbd812399afe4ff172e0db747c8f79e48ac3e6089040df36e63c170d9f4e519af5f11b01bd44e292b2160377b7f43c0bf450b591c27be6ad34fda020a0

Download Submit
C:\Windows\SysWOW64\Cigkdmel.exe

Filesize
96KB

MD5
7ab6e4e4a637baa85f43c8536fe673bc

SHA1
9d64103b5f8f1375dace61082ab93b4c2410b4df

SHA256
313960d037550c87f98303880fddc8c917806dfe0085cbbda36dfb7023f4170a

SHA512
ca6380a5ace50c35697ec3162f38b36a5d2f0b174f42bc7c471fc33d4f8aec4996e6f316e4d76703198dbe10d27212609fe5e0186207f405a800f385dccd16b8

Download Submit
C:\Windows\SysWOW64\Cildom32.exe

Filesize
96KB

MD5
a09432bbd6d020abe17e5e9d414b28a1

SHA1
c6225e4343ea1f86942bb6cb2046d79e09710d76

SHA256
657de325bc47e4b4cefd621d02236740802579a9978f125e4c06190e6a3e30bc

SHA512
d7ad7fb254e23d2c7ae4edcd506d6c456ea1698ec78c6658a5ac95417d5af703e0c34b51b321428416406e8ca577794dd45d974f08c8a3452d46717d1db16b7a

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
96KB

MD5
38801d42fc9c2e0c25e3b0994ea2bc16

SHA1
187be39fe2b780d97e1b0354a99a22a5495be680

SHA256
744b0827bfc0210bf1ed587e7c2121f19581ab7371fded4c14239f20c97c7a51

SHA512
353a451fdc322210bb7a4df95a9fbbd659d8dd2290ccf9b36fb31b6d478b1e7059fbc277b63d0973f5fa308f87a74f68a359051278f35e3db7673216ee2c8fdd

Download Submit
C:\Windows\SysWOW64\Daeifj32.exe

Filesize
96KB

MD5
4777a59eb313bafc423983745dca4637

SHA1
6585b6613c016728421e4819f548e8287d96c75a

SHA256
f5f6f6f042f8b9acfe4a6db74c5cbc492586447175fc0154d893707f504f5fb1

SHA512
c5289c63854d60233ff6f2ceee4b907b2028af89517b7708594e90164fd2f8dc3c66737f72018820964e8a0e55dc508c341d0b20ad5d0622d15fda21d252cd18

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
96KB

MD5
90a9b57f1675813cfdc241664595256a

SHA1
ec0c761e952ab49e42b92ed0b5259029f7596534

SHA256
acc86bc31fe2f3118c5edc97bf50ecec2e414c30f5128e54cb9e02a8505c5760

SHA512
be3b343c22150340d4096667471bbe29b9719ef7ffe604cb06a31113bdecfc02ca8e8802c10f7f918ea9779672ac76030083e12a66a9047c56c584d63246060e

Download Submit
C:\Windows\SysWOW64\Dinael32.exe

Filesize
96KB

MD5
96b8e54cfd9a1dc9acf8087231eb59b1

SHA1
4174cd2cafcc655e03dcf1563d68d24fa9cf21e1

SHA256
ad519dcff84678060d4ef57973e281d992da897056613c90ea202524b5cbec9a

SHA512
bd6c9e2c6d8ce5a12a8bb43a71a86932e91d40ac38ac57ce42e35d61b65e43be8a72459d61ab0d26f169b09b39ec3168d6fbb0fb2a4d825639ca0455f5b6f9d1

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
96KB

MD5
89192ef7589f401c5d4eec80ca804447

SHA1
ac524cff9d6ff1d70f7d2b56bddcb848be31eeb8

SHA256
19479b53ffdbe6a4fa1f47871c75b10d2d1364db09fe3199f56a234f8c8bd8f6

SHA512
46a3e36b8e09bffd079196c800fc25e706edb7b19cc05994b0c043c1697e7c17d8d7444ecb5cbcc7b7157c8ad00a336cf963aaf88aea3e5441273bd78e55a12b

Download Submit
memory/220-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/220-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/396-150-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/396-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/432-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/432-141-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1004-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1004-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1168-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1168-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1848-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1848-149-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2016-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-147-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2564-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-87-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2816-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2868-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-111-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3236-154-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4016-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4016-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4328-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4780-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4780-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4844-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4852-137-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-153-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5024-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads