81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb

Analysis

max time kernel
143s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 23:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Size

64KB
MD5

cfd8d88bee0490eddb3784a5b0b0b752
SHA1

32c922b1e0fe470b6676d0524ebeb30afc64167c
SHA256

81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb
SHA512

428b748adba34f0306e15d2e57331a09c10c299b3c16827f2e8b0ae52ba59f50455d3ea6b98e3b66e52aecd035cd48fc3013a72e1bb45546b7a1d396ceb0f4e5
SSDEEP

1536:GF2B05rZ9xjGt/woA6kykYp4EXkZuYDPf:GF2SLnjQk0JkZuY7f

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aajbne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe

Executes dropped EXE 17 IoCs

pid	Process
2496	Aniimjbo.exe
2612	Aajbne32.exe
2540	Aaloddnn.exe
2720	Aigchgkh.exe
2520	Abphal32.exe
2828	Alhmjbhj.exe
1424	Afnagk32.exe
784	Bmhideol.exe
2864	Bbdallnd.exe
2264	Blmfea32.exe
2168	Blobjaba.exe
1820	Behgcf32.exe
656	Blaopqpo.exe
1100	Bejdiffp.exe
2276	Bmeimhdj.exe
1720	Cfnmfn32.exe
2588	Cacacg32.exe

Loads dropped DLL 38 IoCs

pid	Process
3012	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
3012	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
2496	Aniimjbo.exe
2496	Aniimjbo.exe
2612	Aajbne32.exe
2612	Aajbne32.exe
2540	Aaloddnn.exe
2540	Aaloddnn.exe
2720	Aigchgkh.exe
2720	Aigchgkh.exe
2520	Abphal32.exe
2520	Abphal32.exe
2828	Alhmjbhj.exe
2828	Alhmjbhj.exe
1424	Afnagk32.exe
1424	Afnagk32.exe
784	Bmhideol.exe
784	Bmhideol.exe
2864	Bbdallnd.exe
2864	Bbdallnd.exe
2264	Blmfea32.exe
2264	Blmfea32.exe
2168	Blobjaba.exe
2168	Blobjaba.exe
1820	Behgcf32.exe
1820	Behgcf32.exe
656	Blaopqpo.exe
656	Blaopqpo.exe
1100	Bejdiffp.exe
1100	Bejdiffp.exe
2276	Bmeimhdj.exe
2276	Bmeimhdj.exe
1720	Cfnmfn32.exe
1720	Cfnmfn32.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe
1920	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lfobiqka.dll	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
File created	C:\Windows\SysWOW64\Mgjcep32.dll	Alhmjbhj.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Aigchgkh.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Afnagk32.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Afnagk32.exe	Alhmjbhj.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Koldhi32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Aajbne32.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Aajbne32.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Aajbne32.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Blmfea32.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Blmfea32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Aigchgkh.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Ghmnek32.dll	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Alhmjbhj.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Afnagk32.exe
File opened for modification	C:\Windows\SysWOW64\Blmfea32.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Ekdnehnn.dll	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Blmfea32.exe
File created	C:\Windows\SysWOW64\Oimbjlde.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Aajbne32.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Afnagk32.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
File created	C:\Windows\SysWOW64\Blmfea32.exe	Bbdallnd.exe

Program crash 1 IoCs

pid	pid_target	Process
1920	2588	WerFault.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koldhi32.dll"	Abphal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alhmjbhj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Aajbne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdnehnn.dll"	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blmfea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aajbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfgheegc.dll"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghmnek32.dll"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blmfea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgjcep32.dll"	Alhmjbhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Afnagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afnagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll"	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpggbq32.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2496	3012	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe	28
PID 3012 wrote to memory of 2496	3012	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe	28
PID 3012 wrote to memory of 2496	3012	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe	28
PID 3012 wrote to memory of 2496	3012	81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe	28
PID 2496 wrote to memory of 2612	2496	Aniimjbo.exe	29
PID 2496 wrote to memory of 2612	2496	Aniimjbo.exe	29
PID 2496 wrote to memory of 2612	2496	Aniimjbo.exe	29
PID 2496 wrote to memory of 2612	2496	Aniimjbo.exe	29
PID 2612 wrote to memory of 2540	2612	Aajbne32.exe	30
PID 2612 wrote to memory of 2540	2612	Aajbne32.exe	30
PID 2612 wrote to memory of 2540	2612	Aajbne32.exe	30
PID 2612 wrote to memory of 2540	2612	Aajbne32.exe	30
PID 2540 wrote to memory of 2720	2540	Aaloddnn.exe	31
PID 2540 wrote to memory of 2720	2540	Aaloddnn.exe	31
PID 2540 wrote to memory of 2720	2540	Aaloddnn.exe	31
PID 2540 wrote to memory of 2720	2540	Aaloddnn.exe	31
PID 2720 wrote to memory of 2520	2720	Aigchgkh.exe	32
PID 2720 wrote to memory of 2520	2720	Aigchgkh.exe	32
PID 2720 wrote to memory of 2520	2720	Aigchgkh.exe	32
PID 2720 wrote to memory of 2520	2720	Aigchgkh.exe	32
PID 2520 wrote to memory of 2828	2520	Abphal32.exe	33
PID 2520 wrote to memory of 2828	2520	Abphal32.exe	33
PID 2520 wrote to memory of 2828	2520	Abphal32.exe	33
PID 2520 wrote to memory of 2828	2520	Abphal32.exe	33
PID 2828 wrote to memory of 1424	2828	Alhmjbhj.exe	34
PID 2828 wrote to memory of 1424	2828	Alhmjbhj.exe	34
PID 2828 wrote to memory of 1424	2828	Alhmjbhj.exe	34
PID 2828 wrote to memory of 1424	2828	Alhmjbhj.exe	34
PID 1424 wrote to memory of 784	1424	Afnagk32.exe	35
PID 1424 wrote to memory of 784	1424	Afnagk32.exe	35
PID 1424 wrote to memory of 784	1424	Afnagk32.exe	35
PID 1424 wrote to memory of 784	1424	Afnagk32.exe	35
PID 784 wrote to memory of 2864	784	Bmhideol.exe	36
PID 784 wrote to memory of 2864	784	Bmhideol.exe	36
PID 784 wrote to memory of 2864	784	Bmhideol.exe	36
PID 784 wrote to memory of 2864	784	Bmhideol.exe	36
PID 2864 wrote to memory of 2264	2864	Bbdallnd.exe	37
PID 2864 wrote to memory of 2264	2864	Bbdallnd.exe	37
PID 2864 wrote to memory of 2264	2864	Bbdallnd.exe	37
PID 2864 wrote to memory of 2264	2864	Bbdallnd.exe	37
PID 2264 wrote to memory of 2168	2264	Blmfea32.exe	38
PID 2264 wrote to memory of 2168	2264	Blmfea32.exe	38
PID 2264 wrote to memory of 2168	2264	Blmfea32.exe	38
PID 2264 wrote to memory of 2168	2264	Blmfea32.exe	38
PID 2168 wrote to memory of 1820	2168	Blobjaba.exe	39
PID 2168 wrote to memory of 1820	2168	Blobjaba.exe	39
PID 2168 wrote to memory of 1820	2168	Blobjaba.exe	39
PID 2168 wrote to memory of 1820	2168	Blobjaba.exe	39
PID 1820 wrote to memory of 656	1820	Behgcf32.exe	40
PID 1820 wrote to memory of 656	1820	Behgcf32.exe	40
PID 1820 wrote to memory of 656	1820	Behgcf32.exe	40
PID 1820 wrote to memory of 656	1820	Behgcf32.exe	40
PID 656 wrote to memory of 1100	656	Blaopqpo.exe	41
PID 656 wrote to memory of 1100	656	Blaopqpo.exe	41
PID 656 wrote to memory of 1100	656	Blaopqpo.exe	41
PID 656 wrote to memory of 1100	656	Blaopqpo.exe	41
PID 1100 wrote to memory of 2276	1100	Bejdiffp.exe	42
PID 1100 wrote to memory of 2276	1100	Bejdiffp.exe	42
PID 1100 wrote to memory of 2276	1100	Bejdiffp.exe	42
PID 1100 wrote to memory of 2276	1100	Bejdiffp.exe	42
PID 2276 wrote to memory of 1720	2276	Bmeimhdj.exe	43
PID 2276 wrote to memory of 1720	2276	Bmeimhdj.exe	43
PID 2276 wrote to memory of 1720	2276	Bmeimhdj.exe	43
PID 2276 wrote to memory of 1720	2276	Bmeimhdj.exe	43

C:\Users\Admin\AppData\Local\Temp\81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe
"C:\Users\Admin\AppData\Local\Temp\81b2f420ee9297c9c44c95304f7a5cf129f13c246ea534d27046faaa963e7ebb.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Aniimjbo.exe
  C:\Windows\system32\Aniimjbo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\Aajbne32.exe
    C:\Windows\system32\Aajbne32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Aaloddnn.exe
      C:\Windows\system32\Aaloddnn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Alhmjbhj.exe
        
        C:\Windows\system32\Alhmjbhj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Afnagk32.exe
        
        C:\Windows\system32\Afnagk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Blmfea32.exe
        
        C:\Windows\system32\Blmfea32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Blobjaba.exe
        
        C:\Windows\system32\Blobjaba.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        18⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
59KB

MD5
c8cb68928925c1009020ce5875dd8af1

SHA1
f850b2c0e335a8681a1f6ffcd2c0142952df01c1

SHA256
223261bdd9e44cd078dec61bf5d247bfd66a6e0bac921059714fed817cb78a2a

SHA512
902818806a446dba57f51b3731af27c8c059a49d0eff321a3d84d0e7ee75f55cfe6580290fd4feec2c1de8a88a66368741a412a30d0daad713d4f0eba5ab8ff4

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
40KB

MD5
bfde9fd13ccb8c5551754eb5e12c67f0

SHA1
3be35d4c63023a7b25e72b48b6c24d742b2e9302

SHA256
21d3d160964d0586191949c20d61ecbbfbf089286e56cac9cfa48d3285a9727f

SHA512
d7c52feb5390b928f180ff60f53b298c883a9dcc6dd07cbf7e86f691cee794a0d84e4ac1c5c2d8cba8db5583d837593f1077b7e6ee64cb5099583ea1629e42ed

Download Submit
C:\Windows\SysWOW64\Abphal32.exe

Filesize
64KB

MD5
b191945379e5e8bb9a2553a73f20b12b

SHA1
3ea9e05c5a8f41fc61a747f2083795def45e422f

SHA256
f25cbb3fd4f78484a64664f36d2738bbba87deda4ff2ffe629d4adf803b1b10a

SHA512
dccbde4ccf077527721633fcbb6c738310bb50ff31db79c3065e0acfb10ac6893336b820dd1dc9e7ab46108a06f7b40fecbf77d3485fbc30eb00940fa934da92

Download Submit
C:\Windows\SysWOW64\Afnagk32.exe

Filesize
64KB

MD5
ddde33db414a89c0fd7ab660124705d5

SHA1
91b629fab495b71478b2b69bda50e76ba45e82cc

SHA256
c949f202438bdbb85e08947c708b8ec816d0f4ae6c90579fe8390c10793a3c60

SHA512
9187f2ad8fe7fa840409c30761d636720af3e0d4a4de56ff918bdc08f9d3eed1f0f923e9f4fd2354461f4408b4e0609755dfdc90d5621de01c50adacae769d6f

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
28KB

MD5
63cc4d3bac671346f637ff2434f887b0

SHA1
48db7d66a0ba99384c9e36b92c3b77c06846cf77

SHA256
44a770cd0b95cba7feb99240c1e55e4810d40b56342f6679e08254593b9f3b8c

SHA512
6216439a4a8f20ee5db15e818789c8387eeef784022e1137fd41d802e178a52e14f9d1fa3590d8ba584adba4838ca306e17de58f0acbfcf7a8335547627415b5

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
49KB

MD5
626e43995f2d5e3b071440c655b067e9

SHA1
f9ef835fc296fbc6a93fa5e79525638e1f21a099

SHA256
1ccc4d966590b4a950225384d7a2342f478b27b4667c52d3f50429938e06d737

SHA512
121f8961a050d343d0cc4c6cd3f38517f38c43b472ec42e872acdc193c000ae3837cc260d1c98189fa4be64c9909dc3b1bc2786ee5ca3cd69d89e523b25579a7

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
33KB

MD5
c6353221422b4ab94dbd9703f651cfec

SHA1
0a23cb7d9a96a46862ab7c14fae8190e84ee1795

SHA256
d94c01313a9d9f1930d577ac2de0ebb3b9cd5686871bd04360a64f04cdd88ece

SHA512
e95ee363fac3297c90a23c4058b62eb000df5321d5870a8f761e923599ba622b44db3c6b136bef7c1ec58f2c337ff6fd4ad12314e5fcac763176658e0f2056e1

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
64KB

MD5
4d07d5fd41f0150e2835a935b45ddd60

SHA1
06ee104cb3538669a979b50ec9bdd14f3a9f4304

SHA256
d5610e72b1e54abf0c937ef1e7fed5938898b93913a631ef4e7ba2245a3781fa

SHA512
c61b4a122bdd5b33ae1c46f19d657e2a27befcebd698cf27c4085406582d2a588ffc1405934a17c912ea6fa1b7d19c993f3fa8da24ac1aee1070f25dd27852c4

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
64KB

MD5
6dd5a7022fec20e99a56c348e07b4eda

SHA1
43e5bf8bc148bd88d8a1bb973af51ba1aa10848a

SHA256
9f2a2b14cbc52a348561b1a0fabfa5950752fc854c861b026c990b4c9360255c

SHA512
9fb579b247cad46dcb05b363c03722400c82fba95fee81b8b6d1018a3c2f48cd298ad873411f39802576b3383d833f3899a02af84de88a79c9dbfa7ea307c6ad

Download Submit
C:\Windows\SysWOW64\Blmfea32.exe

Filesize
64KB

MD5
1535f8c989b2da2b7b202c496871daf1

SHA1
0dad8bb18a55fd4cfabf127d8ffc93e7df6f6553

SHA256
bfcfc6ebf71b8e11719d8b6b09102e96d01cb7548baeecc24d68a55f2a7822fb

SHA512
86d7d35ce063d0892c275fe66a962dfe895336348f1f6cff3a448fecae0d85b1bd9f7d135b096fe834a554b9b67ecab072777155c217c0d09bd4c218beda3c91

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
64KB

MD5
3f920e9b2979c8ad5b84e42adfebce41

SHA1
2f2afca7362ad9ad20315a22d5408459118fa910

SHA256
64a390b80a66b210405c2d009994fcd08b094a343d60b3e09493ce73c3c0d27b

SHA512
e52933b8ce1c46aa730007b4629418834efa3b905bd2db3e090cbcf98e82c0919dd27ae176b7603f966126e027fc1d4ab5b43b4dba7a5a3dbe7d317598052c78

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
64KB

MD5
e4ae9a4bd4ceb50ebca5409025100a54

SHA1
ffc7738d7202d4322e25f22db438cc38073b8cc5

SHA256
ac6757cdec7f917883306dfaad1e1887714ac298c33d0f39f65c1edbbae8f08a

SHA512
340f1816b28f725cfa4cd8b25c7bec19dcbde9ed588f9070e715621d4dbf30e61d6e4372ea7543b9a072d4aeee73a20ce473dea4bcf134605a8e70014038df30

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
64KB

MD5
d2abd2c551d9e2a9c9fc222708df47cc

SHA1
0e08ae46f1ffcc56e12d7eb9c1fa2c757378952d

SHA256
a04ca56736b3043cbd827b94d246456b35299cb5f8dd1a8e2122cf39f3921116

SHA512
3992445a6674420ce4d7ca2e83bd81e049974ea88eb9fa02fa5af1e4d02637dd2e428375af8215709a35fa09ffa28a8631bae5ffa80de40b25d991818d43d9b5

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
64KB

MD5
a1a9dea9de72b67775859e1f2e141449

SHA1
23cea59b5789dcca296554699f446a66e5bd1f48

SHA256
1f1c21142b974d6cd8c0c546c1b401e0bf9b782dd0e8757e32b09e018f8f5daa

SHA512
38b2a5de4f5f9547a1be004d05095276c53244ed530e821e0146f7f4d1e7bbbb1d961396d1a718605896be1ac95654c99f86b5f97658ad271d3bcd58d10ae1e2

Download Submit
\Windows\SysWOW64\Aajbne32.exe

Filesize
64KB

MD5
84b4daaed67297da7f093348aa49979e

SHA1
838cc838220f5de28121965aba90913ccbb6338c

SHA256
c97874b4daf07caf99b0f6ac3e17db1d1b2bfffc4411e6b87492c4edefae814d

SHA512
96781173380fafd6f4b4e44569fa6c439bc15234de04a11b73b374839b5b05b78c9bb4140eb3bce038eab171fb973bed99eaa7ee7fcb611eae46b35971eefeeb

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
64KB

MD5
d43718d17799441694c58cfb0c509c2c

SHA1
c174313fb282c9fcc1b5e8ebdf80aa54dc401f86

SHA256
9cc58e85e3c5b3ff05a7324bfe11518e0907bac19f754cf9fb257a51b2f713f7

SHA512
4fbfaf06a6b7a20f18515a0c4b8cf507699a9a8eb6b91b210bfd1fb7457789635040775f5d08aec35049f67baf804921d75fa1828a955bf69b910fcf07ccb660

Download Submit
\Windows\SysWOW64\Abphal32.exe

Filesize
30KB

MD5
91f12ec40e2f347a910f44635337597a

SHA1
4e66057b68c97d1bb9218f6843641d3c6b4bfa6e

SHA256
12516c20f626777589de81df183e0d41f8fbf1db3b9a9729ebab05a818712f02

SHA512
01ac32ff6fa2fd3300073c664ca35886ad96d8870ecab7e7852dfacb764601f255e798534bf3abd162a161bf324ec189b1f995f8c2f4b4ce390c6d48053293f6

Download Submit
\Windows\SysWOW64\Aigchgkh.exe

Filesize
59KB

MD5
77d0703efa6d9f097b281211de5ebad4

SHA1
2648fe82ffee201ccd472b90bf7b2e1ef1190525

SHA256
9f9ce56526389cc9496c77a5e887b499c4c6f1df97baf085e1476ad3609d2bc7

SHA512
5a3c38ad8799c9f2cdcec9cfcf10672d5587f045aca935135df07eff0c2b5ddc1699c867b78955b388f6d8e66950970fd45480f52eb3887e76880124451849f1

Download Submit
\Windows\SysWOW64\Aigchgkh.exe

Filesize
64KB

MD5
81edf6cf6ce0b2da226e315041397ad1

SHA1
7ed16b8c41ca305a4d05bd0ed05be1d1294f028f

SHA256
bcb394f5e5022dd2cb260322fa8eab117524bdffaf0ecd18b4f64ec74a885df2

SHA512
79150e247a8b2dbc43d2bd839f39b2892b7b0e20e05e2b89c731d639b298e8943ef2bb6fabdc4f78f9406a231a860217c6b59bd73701a9fbcc8da33f7267c15b

Download Submit
\Windows\SysWOW64\Alhmjbhj.exe

Filesize
64KB

MD5
19b5806b2966bbc9f04b981ad6ddf13b

SHA1
1f345f1556900dddbc86663dae35b739d0f04c8a

SHA256
914f4f62042c6e4b4f20c8211f7b4d655a6483d9775d347e822103eb2a278a5c

SHA512
f602ffd6cdb38c09516302e74617d11f58bfc01f7d3d4740136fc902a6551294820c6a6c1036d5e7f9519c718c24923b710d18e715e43673f377b5fd885b885b

Download Submit
\Windows\SysWOW64\Aniimjbo.exe

Filesize
64KB

MD5
cff1c680f63499c6744deb5db87a736a

SHA1
47b06219069c1e2331e85839229a81534fcf99ef

SHA256
f2d6c93a7bd594fa220316a093143659fad28521ef6b70b051b1ab8f483c9f5e

SHA512
e3f5310008a79ca80b0ecb54f1f059d8830fc78ba13e624e443ecdd8fb3cd484126e616769083672a154f4dc33973ebe6b927d69492fdfc100971bac0ee9a77e

Download Submit
\Windows\SysWOW64\Bbdallnd.exe

Filesize
64KB

MD5
8302b124738f897e3d30fd7b681d3348

SHA1
9971112cfdd91de154ff233bdf63631671c11757

SHA256
598ff429265d4edfad80cb8629362b29dd3c445cd3b4afde9373b3a98fce0dcf

SHA512
510c1c0633574256bbc0839b22d915001fec39d8fa5aee0b62a760bf43be1bd916a074817c1a4bab5b625b342f58afad97382fc2565ab8921575f3f1435601ef

Download Submit
\Windows\SysWOW64\Bejdiffp.exe

Filesize
64KB

MD5
305a0819ea8421e823c33ad4642d9e16

SHA1
a9359407ee8eb771e7c723e60bba2893fadee046

SHA256
1d46e503838a2f9ccbd92a16c3ac48af6721f37ed1ad7a86584a8cf7e6350092

SHA512
21a4ded8a07094f3cfe63d68a374ecfa2602683df3f883e34a5232126676702bacc3692d224e0e3be91de54bbe0313e9227501460b571df59c10bf4fc409ada7

Download Submit
\Windows\SysWOW64\Blobjaba.exe

Filesize
64KB

MD5
54d81750942aa6881e800b5745037ae8

SHA1
e97979036f9e0195c44e8b203066bf67fcc0f247

SHA256
b7745e72679d5470c9bbe05dea07b9d27590a82e9b5ea75db9d8390161a28c36

SHA512
70ac4ff9e4e84e0a97900b5c89063f8233e283ff6786189a4c51e3533f21c7f172052cac4069eaf26e68355454d942cf71b54cf7e82c957df137b476ae4ddd24

Download Submit
memory/656-181-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/656-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-119-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/784-117-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/784-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-198-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1100-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-145-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2276-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-19-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2496-25-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2496-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2520-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-47-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2588-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-34-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2612-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-91-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2864-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads