1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-03-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Size

180KB
MD5

0a947b618f4f0e34908edf3147764dc3
SHA1

c118ec066504d1b6e84a116c971972e7e14a957f
SHA256

1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9
SHA512

98fb411b020423d4823b207e6aa7706c83e1fb90c9726dcb83b25cc8e154acd9eebaea247137538f6bf854a03902c6c4add015a7e926c045c12c18e8e36c7f25
SSDEEP

3072:YvN8c1AD2AxOFcza6miE6Wj4/glEeqZYLtLw32NX/qs/YTJv1tFk+Fkkuj8UA8UA:5cFAxnzLdE6D/gaeFq32NX/qs/YTJ1tY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blkioa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apoooa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe

Executes dropped EXE 16 IoCs

pid	Process
2312	Qflhbhgg.exe
2628	Qqeicede.exe
2108	Abeemhkh.exe
2112	Anlfbi32.exe
2572	Ajbggjfq.exe
2444	Apoooa32.exe
2888	Amcpie32.exe
1192	Afkdakjb.exe
2660	Abbeflpf.exe
2852	Blkioa32.exe
2040	Bhajdblk.exe
1700	Biafnecn.exe
1672	Behgcf32.exe
2496	Boplllob.exe
2240	Cpceidcn.exe
1312	Cacacg32.exe

Loads dropped DLL 36 IoCs

pid	Process
1784	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
1784	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
2312	Qflhbhgg.exe
2312	Qflhbhgg.exe
2628	Qqeicede.exe
2628	Qqeicede.exe
2108	Abeemhkh.exe
2108	Abeemhkh.exe
2112	Anlfbi32.exe
2112	Anlfbi32.exe
2572	Ajbggjfq.exe
2572	Ajbggjfq.exe
2444	Apoooa32.exe
2444	Apoooa32.exe
2888	Amcpie32.exe
2888	Amcpie32.exe
1192	Afkdakjb.exe
1192	Afkdakjb.exe
2660	Abbeflpf.exe
2660	Abbeflpf.exe
2852	Blkioa32.exe
2852	Blkioa32.exe
2040	Bhajdblk.exe
2040	Bhajdblk.exe
1700	Biafnecn.exe
1700	Biafnecn.exe
1672	Behgcf32.exe
1672	Behgcf32.exe
2496	Boplllob.exe
2496	Boplllob.exe
2240	Cpceidcn.exe
2240	Cpceidcn.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe
3028	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Lmmlmd32.dll	Amcpie32.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Blkioa32.exe	Abbeflpf.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Abeemhkh.exe	Qqeicede.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Abeemhkh.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Apoooa32.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Amcpie32.exe	Apoooa32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Apoooa32.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Blkioa32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Ajpjcomh.dll	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Boplllob.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Afkdakjb.exe
File opened for modification	C:\Windows\SysWOW64\Abeemhkh.exe	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Amcpie32.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bhajdblk.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Qflhbhgg.exe	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Icmqhn32.dll	Qqeicede.exe
File created	C:\Windows\SysWOW64\Cdblnn32.dll	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qflhbhgg.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Abeemhkh.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Afkdakjb.exe	Amcpie32.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Qflhbhgg.exe	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
File created	C:\Windows\SysWOW64\Apoooa32.exe	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Blkioa32.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Blkioa32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Plnfdigq.dll	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe

Program crash 1 IoCs

pid	pid_target	Process
3028	1312	WerFault.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abeemhkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icmqhn32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnfdigq.dll"	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qflhbhgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdblnn32.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deokbacp.dll"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajpjcomh.dll"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll"	Abeemhkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apoooa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qflhbhgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blkioa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 2312	1784	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe	28
PID 1784 wrote to memory of 2312	1784	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe	28
PID 1784 wrote to memory of 2312	1784	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe	28
PID 1784 wrote to memory of 2312	1784	1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe	28
PID 2312 wrote to memory of 2628	2312	Qflhbhgg.exe	29
PID 2312 wrote to memory of 2628	2312	Qflhbhgg.exe	29
PID 2312 wrote to memory of 2628	2312	Qflhbhgg.exe	29
PID 2312 wrote to memory of 2628	2312	Qflhbhgg.exe	29
PID 2628 wrote to memory of 2108	2628	Qqeicede.exe	30
PID 2628 wrote to memory of 2108	2628	Qqeicede.exe	30
PID 2628 wrote to memory of 2108	2628	Qqeicede.exe	30
PID 2628 wrote to memory of 2108	2628	Qqeicede.exe	30
PID 2108 wrote to memory of 2112	2108	Abeemhkh.exe	31
PID 2108 wrote to memory of 2112	2108	Abeemhkh.exe	31
PID 2108 wrote to memory of 2112	2108	Abeemhkh.exe	31
PID 2108 wrote to memory of 2112	2108	Abeemhkh.exe	31
PID 2112 wrote to memory of 2572	2112	Anlfbi32.exe	32
PID 2112 wrote to memory of 2572	2112	Anlfbi32.exe	32
PID 2112 wrote to memory of 2572	2112	Anlfbi32.exe	32
PID 2112 wrote to memory of 2572	2112	Anlfbi32.exe	32
PID 2572 wrote to memory of 2444	2572	Ajbggjfq.exe	33
PID 2572 wrote to memory of 2444	2572	Ajbggjfq.exe	33
PID 2572 wrote to memory of 2444	2572	Ajbggjfq.exe	33
PID 2572 wrote to memory of 2444	2572	Ajbggjfq.exe	33
PID 2444 wrote to memory of 2888	2444	Apoooa32.exe	34
PID 2444 wrote to memory of 2888	2444	Apoooa32.exe	34
PID 2444 wrote to memory of 2888	2444	Apoooa32.exe	34
PID 2444 wrote to memory of 2888	2444	Apoooa32.exe	34
PID 2888 wrote to memory of 1192	2888	Amcpie32.exe	35
PID 2888 wrote to memory of 1192	2888	Amcpie32.exe	35
PID 2888 wrote to memory of 1192	2888	Amcpie32.exe	35
PID 2888 wrote to memory of 1192	2888	Amcpie32.exe	35
PID 1192 wrote to memory of 2660	1192	Afkdakjb.exe	36
PID 1192 wrote to memory of 2660	1192	Afkdakjb.exe	36
PID 1192 wrote to memory of 2660	1192	Afkdakjb.exe	36
PID 1192 wrote to memory of 2660	1192	Afkdakjb.exe	36
PID 2660 wrote to memory of 2852	2660	Abbeflpf.exe	37
PID 2660 wrote to memory of 2852	2660	Abbeflpf.exe	37
PID 2660 wrote to memory of 2852	2660	Abbeflpf.exe	37
PID 2660 wrote to memory of 2852	2660	Abbeflpf.exe	37
PID 2852 wrote to memory of 2040	2852	Blkioa32.exe	38
PID 2852 wrote to memory of 2040	2852	Blkioa32.exe	38
PID 2852 wrote to memory of 2040	2852	Blkioa32.exe	38
PID 2852 wrote to memory of 2040	2852	Blkioa32.exe	38
PID 2040 wrote to memory of 1700	2040	Bhajdblk.exe	39
PID 2040 wrote to memory of 1700	2040	Bhajdblk.exe	39
PID 2040 wrote to memory of 1700	2040	Bhajdblk.exe	39
PID 2040 wrote to memory of 1700	2040	Bhajdblk.exe	39
PID 1700 wrote to memory of 1672	1700	Biafnecn.exe	40
PID 1700 wrote to memory of 1672	1700	Biafnecn.exe	40
PID 1700 wrote to memory of 1672	1700	Biafnecn.exe	40
PID 1700 wrote to memory of 1672	1700	Biafnecn.exe	40
PID 1672 wrote to memory of 2496	1672	Behgcf32.exe	41
PID 1672 wrote to memory of 2496	1672	Behgcf32.exe	41
PID 1672 wrote to memory of 2496	1672	Behgcf32.exe	41
PID 1672 wrote to memory of 2496	1672	Behgcf32.exe	41
PID 2496 wrote to memory of 2240	2496	Boplllob.exe	42
PID 2496 wrote to memory of 2240	2496	Boplllob.exe	42
PID 2496 wrote to memory of 2240	2496	Boplllob.exe	42
PID 2496 wrote to memory of 2240	2496	Boplllob.exe	42
PID 2240 wrote to memory of 1312	2240	Cpceidcn.exe	43
PID 2240 wrote to memory of 1312	2240	Cpceidcn.exe	43
PID 2240 wrote to memory of 1312	2240	Cpceidcn.exe	43
PID 2240 wrote to memory of 1312	2240	Cpceidcn.exe	43

C:\Users\Admin\AppData\Local\Temp\1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe
"C:\Users\Admin\AppData\Local\Temp\1dea505cb2e58cd046269124b348b40104ea3fbdda965afc24d4630886f744d9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784
- C:\Windows\SysWOW64\Qflhbhgg.exe
  C:\Windows\system32\Qflhbhgg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2312
- - C:\Windows\SysWOW64\Qqeicede.exe
    C:\Windows\system32\Qqeicede.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Abeemhkh.exe
      C:\Windows\system32\Abeemhkh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Apoooa32.exe
        
        C:\Windows\system32\Apoooa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Blkioa32.exe
        
        C:\Windows\system32\Blkioa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        17⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
51KB

MD5
6034c0943e5b8a6109e6676cd728652f

SHA1
73e8126cc751c36a378a43629b2ae97aac057f42

SHA256
7b5ded01d4c20ada95b91949c65f670e258c7c0ac5a95ae01b90d398d582e159

SHA512
0a119700cd6705394ab9e83c031a1ab132ba97cbc3c3833b8d7bd6a527ef405dff1b1794012390dd74acf6c8ed05ba0ddf373c54b752068f23e472ede3f40f63

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
82KB

MD5
0eed4fa1fe904b77a00a62649a9554cc

SHA1
52338066d176955d94b5de3c41b405a8060fdb0c

SHA256
0b4d481fda512cb161d6ab62d9a68b58d50b52ea4e1481d73db70c37b10ce041

SHA512
05e33cd050e613cddc0fcafeed9bd1a5d0b9d6553a35b9bfab2b49913c0f6adf42734b6ebc42eb7c3c836986ef7f44a2f9fd8a1dd3d174cc73da74fc61a36ddb

Download Submit
C:\Windows\SysWOW64\Abbeflpf.exe

Filesize
45KB

MD5
a13c1711e39d178c80091dcbd2f799c1

SHA1
964dba4cfb683042a0013e5fc50d1990c247a95b

SHA256
c1fbb38c348a44c6cd6e90352ff89a53873d7275668500a65a74aaf040125d11

SHA512
81a5b1a9f103ed1c9d6d29a4eda40f878d200ec154db804261011630f59029ede6ffde1e1e967b237f7e215ae0afbd8f9c08a257ff6b33f92820627fe5e6e9b1

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
137KB

MD5
e80f7ba79951d7182292501c68167dd5

SHA1
c3f24172c3b352926acf42113fa6d4782d1781a4

SHA256
b8688d9ecbeacb99ec06c43468b5da655ebac8eba13baefd9d1b0e005c4ac82c

SHA512
ea4266f3beab12ddb8961ba9734e5a9255a6a9880e03d4e31b5990796b3215437ddb1c8f2b076e298bc3ec831114b4921f0071c1ba75181d9e32835b279c639f

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
51KB

MD5
de23d15f19f310cf62c31aa7a415ea7b

SHA1
60bbd792b3a1c3e6f7a276ccf5c2fbbefc6ca694

SHA256
603e11a01747af25b4f9d168602d17a3b6f2f7bc028cafd12f72a415f5462a60

SHA512
34d0a03d7851560c38796a023c7b0866f66b59e73969980dcf06d66a4b2c0ff384b03e87953a50e966a084f6245eb1b93137c821f1da6944893914125afdfa95

Download Submit
C:\Windows\SysWOW64\Abeemhkh.exe

Filesize
115KB

MD5
aa0967cb663ee0bd6e9b43a9b1c209dd

SHA1
7543696769b1cbfe4b954f892d61eb602aef34a5

SHA256
d03465be6282e2616372dd33fd8cedddd2a0185767014ac85ddbf2067604ed6b

SHA512
4204404225f2c859107014531e53721aa8d47a04c526a762ef8b5b3391ec526123784fc55fd750e2f3e93b3ed413e5f2fc794136dde935476809164098c74ed1

Download Submit
C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
180KB

MD5
0bda401c4228b74b0bcd808774095b33

SHA1
efe125459851522306a483211a30df71aa846ab0

SHA256
bb8f2a90d88cb3c0513d113d161c138da5469c0beacd17868b74e7fe3b35e2a6

SHA512
a5a47fd0f46ae8cb1bc8c29824b09a432d0eaf7c948aa6db731c99b7726b86e68e5b93a164ed332e65caf117a1009942b61e9c53c2d7d1c8eb7306b325962763

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
73KB

MD5
bfcc267b83c84359777e21ff010e944f

SHA1
ad366b6fe77afd304e1ca7e3dc68a3c87e8794d1

SHA256
fee15c07f7f22ccc5c363d7c01128ade679adce1f48bec8f51bb9f1266e19368

SHA512
c7038876dfe65fa2cda8bcd1367e4c8d3247ad0bbbc53dd3e27087062e68b5ff15bf50c0c0448002d1ae660beeb022b9c6e8118c5ec8e2f176de72364cd8393e

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
180KB

MD5
e57efd05b4615be2f943a0e71acad5b2

SHA1
fc1680f35d1694eabeba4be3b7f64f74bef2c5be

SHA256
a7636cb40b7d517ba8fb93f164fbd3217d3e5c809ac8a5fade947c068450f4de

SHA512
fa9d5d9bd59a6ec9ca1aa49c17100d12fa50e44be2523389f1d0e3bce8cb13c04727c4e1500e305b9cd3a0780f1460bb371b17dfbbd74c58ce2d263878b6d325

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
139KB

MD5
2b9c845b4d040931e86a14a62baa37ae

SHA1
e14a150bdb2f688a63d80961d36b9ce0589801fa

SHA256
69be9af1784030d1fc3f2ff4868c551ecfe5c7d3143b95baf9714403b627c1b2

SHA512
9f77bb4a7708a6ce5ce98f16ef7776c45f2d2cf007f2bd7ee0f3844b7377ad8cca023d58c6641f73b8a9cde3cb4513f1db87a6668f48bfa03cc88a55101838bd

Download Submit
C:\Windows\SysWOW64\Anlfbi32.exe

Filesize
180KB

MD5
c42a06338b39d3d5fb68a4f10afd2759

SHA1
cbcd3c847477b7451a651a73017ad69b5793119d

SHA256
93c7d3d7a7130a302b4e8118aaeaadda9c7649067567540699ef43fde9d8cd9f

SHA512
bcbcbaa6a981fca977fdc790563c7098399802c8e6afdb1af07e041a0ee07bf59f0a64885d0aca9d42e300352763b46f86696bca0d696d55780cf32a899ff83f

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
72KB

MD5
80fdfad111f9f57cf804231b08569a0e

SHA1
14205c8a6e2ea71f684340e8edb48efbcae46a41

SHA256
eb688f7230797dbadf75faae168f2f47a37333cca016caff214cc19d1084e82d

SHA512
d0f96789825d10d4a786ef81e269ef6601004b87d368622bc95e62b3d2ad11bf6e4323e669de1de9bd5b16a2a193c651d0a074d067f085ec698a97e50bd6763c

Download Submit
C:\Windows\SysWOW64\Apoooa32.exe

Filesize
180KB

MD5
3234ccca7668c905724531480c0d484a

SHA1
165107c2b9e401ffa05d518aabbae1de43a18af3

SHA256
a7d95eaad0999be3da825bec4c061485569c9f3a9c48b945e6c74abb77813037

SHA512
5b7b2249f55a0b0cfaff6ec14ab2fa897495abc5c50c54003c2b85057d33d2c6ebe1db68acda5d4060035f51eac6f80cc5779e22a3e209f77abadb399ad502e3

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
180KB

MD5
72a3caa04c26964b413c591cf37f89a3

SHA1
379db4c8cc4ef9611a3bca1cfcf29e06929d8a2b

SHA256
2c5ab071046d04253a68e4ece2b01f979d7c8273b3d8a9d3140a746f5bc969de

SHA512
4ea8602d5185faefe82f54807502692b67a1201163f03ea00934d004a2951bd7a6c83696b90f8268fe58d3ab935ed99e432e4659139007ebd1ce6aae3538c2ab

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
180KB

MD5
d7a41321f69de3337371f96bc2b98d3b

SHA1
3beca2c51a6fec7c0f7264e87ca9fe784cf2ca46

SHA256
8e57571794a47c8b2c5a4affb82958b4ccaa64c05495201e3f5e656819ab8b35

SHA512
7d5c5031f8ade162c10f882a99f5dfd285db66f3251eb014f77db27b4fd6dbbaa3cb527019193ad1923a1ba7c46fb8a6ed2ff95da416e3ce11d478ec3d01468c

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
180KB

MD5
842145f76135196975aa1da2933afb0b

SHA1
e345a7412d06afac87335c85c06f61a7c87d3766

SHA256
8335d0ba31f388d9378104f826279fe15b6a9cbf18804282d897de9a12a50178

SHA512
3b6fc4e2bd8f3032c35640f299c7d338bd4c0477ad3dd20acdde816067acf0e2f45700dc41d68d4d56937849b78245e40d36ca830fcc2388dcdb0fce387d63c8

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
180KB

MD5
14288605b8b1f3bb43f4b98904ff8ad0

SHA1
2a5bf8bf21b8a89df9d12de4bb84d05078e78445

SHA256
d2244edd5e7705dc0dc1d5f11083cca90b096aba55e43ee8e5f63a2b873d0317

SHA512
14390da082c9498a179c8299dc19eea8363ec66508a402e13535f6fd2920b0b000506e86aa7595d79535bf5640d376bd71d414f2d18ea1808ed76377a27f2b3b

Download Submit
C:\Windows\SysWOW64\Blkioa32.exe

Filesize
10KB

MD5
f4401e626d9c0344fd8c589d78dd1b70

SHA1
b8475533f7b5980436f4b92e722e0795fd57ccd5

SHA256
60cb25b7893f8e921611ac9b05f785bdc6deb7985c1b1aaeb503a66d7caf9923

SHA512
22d8174ffd129540b7b464d0b534a0abc7afbba2e19027e22d848d9ea8c4772097451882b28874218ccd3556e474a9f4f338578fa9feffdf0cb860617660392d

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
170KB

MD5
f031df1ffb2d83dc9e2d56e49610e85b

SHA1
6a84a071a64980d3b0aef0374d0ad379b6c7e806

SHA256
312b9c6ba9e2ff6532a866e118ce4e5f1af55b5079260b49ad708b30828be894

SHA512
3bd09f371b1ab2064dbfc6a31b5e3027217a722959b1dbc88c4d8e2880cbf32e9dfec8fc6337dc39d60051acccc49221f4eb5494dd75250f9475e5989a7483a8

Download Submit
C:\Windows\SysWOW64\Qflhbhgg.exe

Filesize
180KB

MD5
f19390c411a71d86797a1212b9e54e93

SHA1
6881aedf049715bf635eefa22329c1e30916fff2

SHA256
a477207f27fa84caeca15c74783c783de112028cacd68e1c06ea4f2c08c46697

SHA512
887acc36876ed9916a7e350d4e714e4e6538615f83b3a6572216d3e9744aacb89c658b3e4132194bd1e682ba9e135ca11a2afd3135d7a0879edf6e385212f430

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
105KB

MD5
1a32feaadfb0073d979b05d7f4059dcc

SHA1
a4a05fd83763f36765f53cc5652292bf3f9db0f2

SHA256
02ac0ab1a5b43e4bd2f7342f55ed65ffdbe878f5b2473879717c82c71a140b09

SHA512
f2656c61ea6259c1dfd9dd829e2d724d6c720a6f8769bba2e5e736779820b0a3db9c9ad6e3089ac25848ca40c4af569d183d8ef9ad7877a451d235e00c81652a

Download Submit
C:\Windows\SysWOW64\Qqeicede.exe

Filesize
180KB

MD5
e123d6a1956d809b7543e7c39fde8150

SHA1
b6a5ba4cb81e5da0c4246a1e174aa6b2306c2f0e

SHA256
acde68b24aa0f3f57b6c503b657963a2dc522f4015ebc4f1066aade285f017db

SHA512
d32ca8772ccb584a946944040235fd630dd5501a663573aca84a5ac2995647d10e9f642ae12e09218fd1a3812dddc938fb2c4dff2cc1d5d6ec60056471e9a74c

Download Submit
\Windows\SysWOW64\Abbeflpf.exe

Filesize
180KB

MD5
d0aee0b5ddb2d06bc2e1ccf4397103fc

SHA1
1b99b72e57b9bfb093ffafde04aac20e76fe6b2e

SHA256
1055ca7f1cb98e34fce431158064a730bdea696462b37a9f01bffbca5bd25c2f

SHA512
c6b9ba744ced6bd78d8efd18a49d2ff4bae1935c80261b07e9a98c64fefca8e421d33ad1e7760e4b54ec090bb5e432cf7cdfce799f53f566ad68212156a139f8

Download Submit
\Windows\SysWOW64\Abeemhkh.exe

Filesize
180KB

MD5
bf95683ce686d4dedaf5a4e7f2dde967

SHA1
6616a98a691fa61471604c590afecf7d4a1618e3

SHA256
de31dde8ab35a0556523b09daa31c6586b3a44460489bbe76e9cdb4e9d0244fe

SHA512
c3fc1515a72e61fd70b7c123d9e554d8839599d6a13d9aa2d4615076cbb08dc80902423f78db9d0456fc5d990ce70598378cd71cbe52818ea3b3c980c00fff16

Download Submit
\Windows\SysWOW64\Abeemhkh.exe

Filesize
98KB

MD5
3d605c9dddccd78f6c85ad85ecaaa407

SHA1
6b1aaf4bf66f8f80230e3e64ea7d47c0874c38b3

SHA256
bde2267b59c4bd4a6bfa0da5926caa4688de6508c0bb0a58311e40c93c919079

SHA512
2c7c6e049e60d74e766a1b83c7295143795a52cd9943a83219bc6013a25d33a24c4617eec4345e253c84561498f907e4916e7906a9c24482240dee122a295689

Download Submit
\Windows\SysWOW64\Afkdakjb.exe

Filesize
68KB

MD5
129746dbb5adf34f303f21905404ea28

SHA1
dfb2ea1153c53cc03d68595690810217caefd956

SHA256
f8c89760419c2173dc32b9db997afad97cb8e147e5db951c868bdf3e3573b16e

SHA512
5fa389f99b49a90d904a697dfd73ada5830c1c4afe28e2da7c7d06f78568bb90ebfc19ba0912b8a17ba1bebacba9199131a512702b48b8df352de332f92cb249

Download Submit
\Windows\SysWOW64\Amcpie32.exe

Filesize
180KB

MD5
eac4ea4a07537577bb9a707212f4bb68

SHA1
a3e2eb1229deee38646c5a83b5483aa4e059111b

SHA256
7f3c08bd3bfbaf6f56a61a3138ae00140af699cca8c39a3bf0fc9491046f0292

SHA512
ac0e779dd2640ff7bfdac19d13b129630406365d521b734b6b4df1936717b83631b142eed91e9c9c88d4585f0596140aec2147a834220442764dab455b2679cc

Download Submit
\Windows\SysWOW64\Anlfbi32.exe

Filesize
74KB

MD5
eb372880d9adba5ee90171a7f69efd0e

SHA1
2291630cd83be626fe4a55cb052640d41f617876

SHA256
253b38644a3cf37e73ed926ebe0283c0920212ac174eb904a7147b1dfc7e5b1f

SHA512
2229dfb66464a3ac9db1f3a976de922f852490807e3638e1af2180f88b5c388245c5463204481a12d19b58e51b975066fc5ad192cd927130bbc01577feaa6ff0

Download Submit
\Windows\SysWOW64\Boplllob.exe

Filesize
180KB

MD5
36dc89598abb2e772f1e754ca986e0e0

SHA1
40ce26eb4e1b4ec91137fbd2886bb72ab71f874e

SHA256
84e35a3b12aaf68dc85d7253a216730dab81dc4a5d22612c5e3cf4ecbac7ba95

SHA512
310724b8d2887af41874e209dee36582c7f5e1b88a4337061eaa1c0124a3f330827789d698b3c7ed3ba941c33852ef583de91e9527d8dec1d97bccbe74cf1b04

Download Submit
\Windows\SysWOW64\Cacacg32.exe

Filesize
180KB

MD5
de9a00138377b26e7a07edeca80cb195

SHA1
61875f7ec76da3f75b84d67af82712e42fc3ed91

SHA256
68ff1e6c810ab030defddeb4129a3d819e11493851ec397c5dde796a69d9a9a1

SHA512
b3a4931243090116a2a9a241c9be7075363b832e9284697ad575d21de72b7d45c7cce9742fa4ed2f749288e3f57b6db8fc7f0854748d4b17604c59e40ff1d32f

Download Submit
\Windows\SysWOW64\Cpceidcn.exe

Filesize
180KB

MD5
d48da856ed4e3eff63af8b638458ebb7

SHA1
9fd71bde790090ba0c1e855b5390144cec77154a

SHA256
b8087484c7cffe590176675df5bc64a96af89be110883fac06ff7707c5256908

SHA512
c75f42cb6d43fdf929f3b0b2651c8f998f8c818b1e2abbb8179fda1e00b37e6279cf89c6834cdfd7d56baa62b36f14f7ed1773f1932d1a5b85a1268b90fd64e7

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
162KB

MD5
58b2a9cfb1327a49303685a966cf76af

SHA1
ae4e73d8b96a75b9a066337adae0035240d778d5

SHA256
2473a4777b8287a4aaa8a844ef515890106dd7d98cb18d19d277fc1cb4a38616

SHA512
a43cbab5eef7a3858298b7dcb22a71df4924ab5d158f5c43b1734166c57996985d28de6cc9ce106f406c6cf793f2312927b394ed986d1519fc5b8047a3fd49cd

Download Submit
memory/1192-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-115-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/1192-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-183-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1672-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1784-6-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/1784-13-0x00000000003A0000-0x00000000003D3000-memory.dmp

Filesize
204KB

Download
memory/2040-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-46-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2112-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2112-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-215-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2240-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-20-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2312-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-92-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2444-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-196-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2496-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-33-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2628-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-139-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2660-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-133-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2852-155-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/2852-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-101-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads