bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Size

223KB
MD5

deeae91b8607144c779ba028b2792d9e
SHA1

228daef469408604eea9540b4f139c05e5597ed9
SHA256

bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e
SHA512

4e414f80d7b58f2bf7682bac74b5521d38a708213816b91c909c43026ef21829b512f591634e9590ee8330d05e7ffe7c74639fb7fae5252587e1557831494ab9
SSDEEP

3072:JarOW+XDUjkVAURfE+HcdpgZiT0PMCU080SrXSx8A6WoG:Ad+zUjkRs+HcdeZpMCU080SOx8RTG

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpnojioo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anccmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhkdeggl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceaadk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blbfjg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aekodi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhkdeggl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blbfjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjfccn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emkaol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anccmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhela32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aekodi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceaadk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpnojioo.exe

Executes dropped EXE 20 IoCs

pid	Process
1720	Aekodi32.exe
1920	Anccmo32.exe
2652	Bbhela32.exe
2612	Blpjegfm.exe
2912	Blbfjg32.exe
2368	Bbokmqie.exe
2928	Bhkdeggl.exe
1012	Ceaadk32.exe
2740	Cdgneh32.exe
612	Cpnojioo.exe
2088	Cjfccn32.exe
1584	Dhnmij32.exe
572	Dolnad32.exe
1416	Dggcffhg.exe
2812	Ebodiofk.exe
2200	Ekhhadmk.exe
1340	Emkaol32.exe
884	Eibbcm32.exe
2188	Effcma32.exe
2244	Fkckeh32.exe

Loads dropped DLL 44 IoCs

pid	Process
2008	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
2008	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
1720	Aekodi32.exe
1720	Aekodi32.exe
1920	Anccmo32.exe
1920	Anccmo32.exe
2652	Bbhela32.exe
2652	Bbhela32.exe
2612	Blpjegfm.exe
2612	Blpjegfm.exe
2912	Blbfjg32.exe
2912	Blbfjg32.exe
2368	Bbokmqie.exe
2368	Bbokmqie.exe
2928	Bhkdeggl.exe
2928	Bhkdeggl.exe
1012	Ceaadk32.exe
1012	Ceaadk32.exe
2740	Cdgneh32.exe
2740	Cdgneh32.exe
612	Cpnojioo.exe
612	Cpnojioo.exe
2088	Cjfccn32.exe
2088	Cjfccn32.exe
1584	Dhnmij32.exe
1584	Dhnmij32.exe
572	Dolnad32.exe
572	Dolnad32.exe
1416	Dggcffhg.exe
1416	Dggcffhg.exe
2812	Ebodiofk.exe
2812	Ebodiofk.exe
2200	Ekhhadmk.exe
2200	Ekhhadmk.exe
1340	Emkaol32.exe
1340	Emkaol32.exe
884	Eibbcm32.exe
884	Eibbcm32.exe
2188	Effcma32.exe
2188	Effcma32.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe
968	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Njmggi32.dll	Dggcffhg.exe
File opened for modification	C:\Windows\SysWOW64\Bhkdeggl.exe	Bbokmqie.exe
File opened for modification	C:\Windows\SysWOW64\Dhnmij32.exe	Cjfccn32.exe
File created	C:\Windows\SysWOW64\Dggcffhg.exe	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Eibbcm32.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Ffdiejho.dll	Bbokmqie.exe
File created	C:\Windows\SysWOW64\Gellaqbd.dll	Bhkdeggl.exe
File created	C:\Windows\SysWOW64\Fahgfoih.dll	Cpnojioo.exe
File created	C:\Windows\SysWOW64\Emkaol32.exe	Ekhhadmk.exe
File opened for modification	C:\Windows\SysWOW64\Anccmo32.exe	Aekodi32.exe
File created	C:\Windows\SysWOW64\Bbokmqie.exe	Blbfjg32.exe
File created	C:\Windows\SysWOW64\Dolnad32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Mhofcjea.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Emkaol32.exe	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Ekjajfei.dll	Blbfjg32.exe
File created	C:\Windows\SysWOW64\Elgkkpon.dll	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Dhnmij32.exe	Cjfccn32.exe
File created	C:\Windows\SysWOW64\Aekodi32.exe	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
File opened for modification	C:\Windows\SysWOW64\Ebodiofk.exe	Dggcffhg.exe
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	Dhnmij32.exe
File created	C:\Windows\SysWOW64\Jhgnia32.dll	Emkaol32.exe
File created	C:\Windows\SysWOW64\Apmmjh32.dll	Bbhela32.exe
File created	C:\Windows\SysWOW64\Bhkdeggl.exe	Bbokmqie.exe
File opened for modification	C:\Windows\SysWOW64\Cpnojioo.exe	Cdgneh32.exe
File created	C:\Windows\SysWOW64\Fileil32.dll	Cjfccn32.exe
File opened for modification	C:\Windows\SysWOW64\Ekhhadmk.exe	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Amfidj32.dll	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Fjhlioai.dll	Blpjegfm.exe
File created	C:\Windows\SysWOW64\Nmnlfg32.dll	Ceaadk32.exe
File created	C:\Windows\SysWOW64\Cpnojioo.exe	Cdgneh32.exe
File opened for modification	C:\Windows\SysWOW64\Cdgneh32.exe	Ceaadk32.exe
File created	C:\Windows\SysWOW64\Cjfccn32.exe	Cpnojioo.exe
File created	C:\Windows\SysWOW64\Cdgneh32.exe	Ceaadk32.exe
File opened for modification	C:\Windows\SysWOW64\Aekodi32.exe	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
File created	C:\Windows\SysWOW64\Bbhela32.exe	Anccmo32.exe
File created	C:\Windows\SysWOW64\Igmdobgi.dll	Anccmo32.exe
File created	C:\Windows\SysWOW64\Cgllco32.dll	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File opened for modification	C:\Windows\SysWOW64\Blbfjg32.exe	Blpjegfm.exe
File opened for modification	C:\Windows\SysWOW64\Ceaadk32.exe	Bhkdeggl.exe
File created	C:\Windows\SysWOW64\Ebodiofk.exe	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Anccmo32.exe	Aekodi32.exe
File created	C:\Windows\SysWOW64\Blpjegfm.exe	Bbhela32.exe
File created	C:\Windows\SysWOW64\Eibbcm32.exe	Emkaol32.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Eibbcm32.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Hdihmjpf.dll	Aekodi32.exe
File opened for modification	C:\Windows\SysWOW64\Bbhela32.exe	Anccmo32.exe
File opened for modification	C:\Windows\SysWOW64\Blpjegfm.exe	Bbhela32.exe
File created	C:\Windows\SysWOW64\Galmmc32.dll	Dhnmij32.exe
File opened for modification	C:\Windows\SysWOW64\Dggcffhg.exe	Dolnad32.exe
File created	C:\Windows\SysWOW64\Ekhhadmk.exe	Ebodiofk.exe
File opened for modification	C:\Windows\SysWOW64\Bbokmqie.exe	Blbfjg32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Effcma32.exe
File opened for modification	C:\Windows\SysWOW64\Cjfccn32.exe	Cpnojioo.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Fikjha32.dll	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
File created	C:\Windows\SysWOW64\Blbfjg32.exe	Blpjegfm.exe
File created	C:\Windows\SysWOW64\Ceaadk32.exe	Bhkdeggl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
968	2244	WerFault.exe	47

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aekodi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blbfjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gellaqbd.dll"	Bhkdeggl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceaadk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhnmij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmmjh32.dll"	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikjha32.dll"	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emkaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkdeggl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahgfoih.dll"	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdihmjpf.dll"	Aekodi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhlioai.dll"	Blpjegfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceaadk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdgneh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll"	Dhnmij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgllco32.dll"	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekjajfei.dll"	Blbfjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll"	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aekodi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anccmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll"	Emkaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhela32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blbfjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elgkkpon.dll"	Cdgneh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjfccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fileil32.dll"	Cjfccn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdiejho.dll"	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpnojioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anccmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blpjegfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmdobgi.dll"	Anccmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhkdeggl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnlfg32.dll"	Ceaadk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll"	Dggcffhg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1720	2008	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe	28
PID 2008 wrote to memory of 1720	2008	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe	28
PID 2008 wrote to memory of 1720	2008	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe	28
PID 2008 wrote to memory of 1720	2008	bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe	28
PID 1720 wrote to memory of 1920	1720	Aekodi32.exe	29
PID 1720 wrote to memory of 1920	1720	Aekodi32.exe	29
PID 1720 wrote to memory of 1920	1720	Aekodi32.exe	29
PID 1720 wrote to memory of 1920	1720	Aekodi32.exe	29
PID 1920 wrote to memory of 2652	1920	Anccmo32.exe	30
PID 1920 wrote to memory of 2652	1920	Anccmo32.exe	30
PID 1920 wrote to memory of 2652	1920	Anccmo32.exe	30
PID 1920 wrote to memory of 2652	1920	Anccmo32.exe	30
PID 2652 wrote to memory of 2612	2652	Bbhela32.exe	31
PID 2652 wrote to memory of 2612	2652	Bbhela32.exe	31
PID 2652 wrote to memory of 2612	2652	Bbhela32.exe	31
PID 2652 wrote to memory of 2612	2652	Bbhela32.exe	31
PID 2612 wrote to memory of 2912	2612	Blpjegfm.exe	32
PID 2612 wrote to memory of 2912	2612	Blpjegfm.exe	32
PID 2612 wrote to memory of 2912	2612	Blpjegfm.exe	32
PID 2612 wrote to memory of 2912	2612	Blpjegfm.exe	32
PID 2912 wrote to memory of 2368	2912	Blbfjg32.exe	33
PID 2912 wrote to memory of 2368	2912	Blbfjg32.exe	33
PID 2912 wrote to memory of 2368	2912	Blbfjg32.exe	33
PID 2912 wrote to memory of 2368	2912	Blbfjg32.exe	33
PID 2368 wrote to memory of 2928	2368	Bbokmqie.exe	34
PID 2368 wrote to memory of 2928	2368	Bbokmqie.exe	34
PID 2368 wrote to memory of 2928	2368	Bbokmqie.exe	34
PID 2368 wrote to memory of 2928	2368	Bbokmqie.exe	34
PID 2928 wrote to memory of 1012	2928	Bhkdeggl.exe	35
PID 2928 wrote to memory of 1012	2928	Bhkdeggl.exe	35
PID 2928 wrote to memory of 1012	2928	Bhkdeggl.exe	35
PID 2928 wrote to memory of 1012	2928	Bhkdeggl.exe	35
PID 1012 wrote to memory of 2740	1012	Ceaadk32.exe	36
PID 1012 wrote to memory of 2740	1012	Ceaadk32.exe	36
PID 1012 wrote to memory of 2740	1012	Ceaadk32.exe	36
PID 1012 wrote to memory of 2740	1012	Ceaadk32.exe	36
PID 2740 wrote to memory of 612	2740	Cdgneh32.exe	37
PID 2740 wrote to memory of 612	2740	Cdgneh32.exe	37
PID 2740 wrote to memory of 612	2740	Cdgneh32.exe	37
PID 2740 wrote to memory of 612	2740	Cdgneh32.exe	37
PID 612 wrote to memory of 2088	612	Cpnojioo.exe	38
PID 612 wrote to memory of 2088	612	Cpnojioo.exe	38
PID 612 wrote to memory of 2088	612	Cpnojioo.exe	38
PID 612 wrote to memory of 2088	612	Cpnojioo.exe	38
PID 2088 wrote to memory of 1584	2088	Cjfccn32.exe	39
PID 2088 wrote to memory of 1584	2088	Cjfccn32.exe	39
PID 2088 wrote to memory of 1584	2088	Cjfccn32.exe	39
PID 2088 wrote to memory of 1584	2088	Cjfccn32.exe	39
PID 1584 wrote to memory of 572	1584	Dhnmij32.exe	40
PID 1584 wrote to memory of 572	1584	Dhnmij32.exe	40
PID 1584 wrote to memory of 572	1584	Dhnmij32.exe	40
PID 1584 wrote to memory of 572	1584	Dhnmij32.exe	40
PID 572 wrote to memory of 1416	572	Dolnad32.exe	41
PID 572 wrote to memory of 1416	572	Dolnad32.exe	41
PID 572 wrote to memory of 1416	572	Dolnad32.exe	41
PID 572 wrote to memory of 1416	572	Dolnad32.exe	41
PID 1416 wrote to memory of 2812	1416	Dggcffhg.exe	42
PID 1416 wrote to memory of 2812	1416	Dggcffhg.exe	42
PID 1416 wrote to memory of 2812	1416	Dggcffhg.exe	42
PID 1416 wrote to memory of 2812	1416	Dggcffhg.exe	42
PID 2812 wrote to memory of 2200	2812	Ebodiofk.exe	43
PID 2812 wrote to memory of 2200	2812	Ebodiofk.exe	43
PID 2812 wrote to memory of 2200	2812	Ebodiofk.exe	43
PID 2812 wrote to memory of 2200	2812	Ebodiofk.exe	43

C:\Users\Admin\AppData\Local\Temp\bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe
"C:\Users\Admin\AppData\Local\Temp\bb524bddcdc6ce83c855379205b570832ed48adc399deff1e9a6787356a8ef3e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\SysWOW64\Aekodi32.exe
  C:\Windows\system32\Aekodi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\Anccmo32.exe
    C:\Windows\system32\Anccmo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\Bbhela32.exe
      C:\Windows\system32\Bbhela32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\Blpjegfm.exe
        
        C:\Windows\system32\Blpjegfm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
      - C:\Windows\SysWOW64\Blbfjg32.exe
        
        C:\Windows\system32\Blbfjg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Bbokmqie.exe
        
        C:\Windows\system32\Bbokmqie.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Bhkdeggl.exe
        
        C:\Windows\system32\Bhkdeggl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Ceaadk32.exe
        
        C:\Windows\system32\Ceaadk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Cdgneh32.exe
        
        C:\Windows\system32\Cdgneh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Cpnojioo.exe
        
        C:\Windows\system32\Cpnojioo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Cjfccn32.exe
        
        C:\Windows\system32\Cjfccn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Dhnmij32.exe
        
        C:\Windows\system32\Dhnmij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Dggcffhg.exe
        
        C:\Windows\system32\Dggcffhg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Ekhhadmk.exe
        
        C:\Windows\system32\Ekhhadmk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Emkaol32.exe
        
        C:\Windows\system32\Emkaol32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Eibbcm32.exe
        
        C:\Windows\system32\Eibbcm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        21⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ebodiofk.exe

Filesize
223KB

MD5
58ac4425c25293bb437e0b90be5fc4cf

SHA1
534eff1909e0ed25dcd12eecf5096cdfb67d7819

SHA256
ec15ae0e7f2170fb6b0e5760f9311b83d31120113c9c013464937212f0e32d1d

SHA512
15108314e03ae34f3c681c26d988add3742f36046d311c27b18949e17ec267239c139d35bfaed6b1312a270d24b323bed881866493f42583d3fe58f941eff563

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
223KB

MD5
d03bf49e763dd3b11bbbf83fa9e4a1fe

SHA1
7f91f4dc724cbb4458c1ee431f4ab2beb325c63c

SHA256
58aac802a1e02495582c672da31ac601b9aafb401040323d0003765455a371aa

SHA512
55adeb54770bfca58fd556e62fd7409bce8c68ee386772d2bfd098de99da2c4c12c07009771e2ba3330cf06194028778eb14eb9f78eeffa43e624495629d8795

Download Submit
C:\Windows\SysWOW64\Eibbcm32.exe

Filesize
223KB

MD5
197ea1da55be506613e70039073ffa4a

SHA1
ca78c5e18212dc5bbc48aa6b15a2ff92a69ea73c

SHA256
5c3808bc742057f656b7d466abe5875467df143ad615f551f479abe11ff95d18

SHA512
f6a633616a512ebbfabc00211b5c3834c67d9fbfcf58fb886c1662fc1b48646f3f7a51caaba7b8bd620de2ca240a546a59bf8f66d5ec45c4876bd937bc4766cc

Download Submit
C:\Windows\SysWOW64\Emkaol32.exe

Filesize
223KB

MD5
f62f2fc6a9a09cf6aa3e1ae15d7f1792

SHA1
9f83de77f494d06a2bd4fc9adf13b524725d0902

SHA256
4e0a0b3aa18880dd8afca6ed44a07f501be57fc5f1cd71e0ce3e7cabc7056a1f

SHA512
636997a0b5603161f86b112c7037228c72fdb966f6c48bdd02d08d9ab77ceb37d63c2167043b312b376d79312f1c7b379d88f83acc035fcd1169d00cc0734abd

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
223KB

MD5
eaf55a877c11f4f8fe5ad1b1985a5f10

SHA1
6c804e1d1bd4fff1964e2e746a8eeb8c8e1ba6f2

SHA256
ff82cd92e82a966eb22e8892d42c69dd08a5d78c50088c5774ab7a55944a1bcc

SHA512
714c7275b481e6beecd63013d6bf6d110859ef4534de3219d7611626e438f8186f056856ab93724a63b9e4105a0e0533d1ea53ec19cc75064c7976deb92967ef

Download Submit
\Windows\SysWOW64\Aekodi32.exe

Filesize
223KB

MD5
b537163f5dc6b51b953ae4c88b10971d

SHA1
912dffd21997beafae6cdb00f91c91433d05776b

SHA256
a2198e32b07b6cdc47fc37bf398e81a1b114160912e8ef5b32bbf59e9d2942e0

SHA512
c291e35030ea579ba26cd718dcbe063b4e88f413665eb615b3d076769b28e12ed127d93a370a53eed659b3ccfeea1b1665e502c43ac78bb9b112e1ec9ad81a86

Download Submit
\Windows\SysWOW64\Anccmo32.exe

Filesize
223KB

MD5
e62a5c8979ace1866f0f82a11e587139

SHA1
5e4974bcdd38a0f03e7cfcbe1c090b978b580746

SHA256
83dce36e759ca7564b297fd59022b40332b60bf5fd3fddaacf33585527b0ac89

SHA512
f500706ae419aeb9be0f12009c59b423b8aa5b30d33e4f1335a02b18f8e4b2bf31df920645b3f52a64fc0b73a0185550fd4230de30fbc6bc016fe61a3828813d

Download Submit
\Windows\SysWOW64\Bbhela32.exe

Filesize
223KB

MD5
c74d4ae8a2fd55d59265e8c8cc0712db

SHA1
f56a9dbf2dc308540fbdd93e03a1870f37c66ff5

SHA256
b7d2dc09d61246042b2ba61c8bd4c88040c358272fbec086821e45512f1da057

SHA512
4ba010bef6e2bdc91bfff1e7a0e6ac1c3d8e41f156e95128b5f77e64eed51fc1950a6bd7dc8bf8d89396e0dd291a7931b0d4e7621d296ac682fbdba53c0305fa

Download Submit
\Windows\SysWOW64\Bbokmqie.exe

Filesize
223KB

MD5
dcf377132c5e105a6894233e7155748b

SHA1
47ae1c9f241bdcdb657a293205e3244a1709b791

SHA256
11860d4d2118133bffd5016a38c752e39ecaa6cfb1b8b67a0499cf86ce7276d3

SHA512
10e9c29dd3479c0587d9a246564924374b3d20d43dfea5d82e0f526555e074dd4f411f73a62fee6755f64814a3d435402da9c93fd05656f409faea8ac190fd66

Download Submit
\Windows\SysWOW64\Bhkdeggl.exe

Filesize
223KB

MD5
5b2f94b9d31e7f71523be3c6aba289ac

SHA1
84682f93b48df1c6b9947a9b9c6122b48d799be4

SHA256
3b0f1457b844c32d9144bda3349ad8f9e1408457a5c9648986194dbafc162f32

SHA512
d4e181743b5399762a6701483900870c9ccf7c46e71d0ec7fbb6bd59f924be6a435cc44568adb77146722048fe76d92e2debbf506a04409335f58e5108a8d8e9

Download Submit
\Windows\SysWOW64\Blbfjg32.exe

Filesize
223KB

MD5
028adc9867340652fc4a79ed72bc652d

SHA1
8e67e039e50745c37e73deb283666e556cababea

SHA256
f46ffa0437d3375e9e307f053766166ddf1691635e2eec134ecdc4324d6b9608

SHA512
a1b6e80f3e9fdf6c4ff6662ef0ddde9ec8acdd5a4c6fe731536f59e336cf2bf49e9dd11c7f4bd7530f2a1f081e7d18853ae8314b9ee056cec2ffe3698f431690

Download Submit
\Windows\SysWOW64\Blpjegfm.exe

Filesize
223KB

MD5
14e4ba6cb462b151f3e67464bf5d6547

SHA1
16f0fcaa2fb0beb2bb0e50fb8ba7eac98bf11949

SHA256
47e617b1ebd5bdbd8ad2b587854e30d2f70a8fa212d63c1e33bed00d3a093a2c

SHA512
175941aa7f5c2c41057cce92a60720813be22a1ce6295895c09af873e3c23579d1f2bdfc210500a09587ca5714fe04d410e307e52a4d1736e2115d928d1345b4

Download Submit
\Windows\SysWOW64\Cdgneh32.exe

Filesize
223KB

MD5
4d7a4797148ef3dad9472721feec7c64

SHA1
be0fb61a2593fe51ad8fc7d13b28b7b0f86ab4c4

SHA256
4d29e23f195101eb7a962236bde126657668b2f4f94eec0628643d1edf1b4416

SHA512
397c78ff24704d2234584697bd16ed9534dac72b33e5b739691576eaf5d9bc0800e28f808ce12f2881daf1625050f1dd9e4db36da9bc0c2296058763c30bb474

Download Submit
\Windows\SysWOW64\Ceaadk32.exe

Filesize
223KB

MD5
449fd97bfc8d075b9bd18ddf5b2bbd26

SHA1
f4c7fe0579651fc146725a8d38e157876a5fe769

SHA256
b4807f27977e6e09ba3e9cc864b942dddc9b86e79fa35a4305cbde518540878a

SHA512
d2ac0b9a3cb6732ec3bfa82248a3ddd85def8aa31fb23af30a200c0ea01b193224a88c7653c2f8c112590585cbb5a69653d4c87747fd2901a3ef83f03cb55e97

Download Submit
\Windows\SysWOW64\Cjfccn32.exe

Filesize
223KB

MD5
205b2084d9b40ee413dd32b54aa1ffe8

SHA1
da8f4837926fe57a765288ba05e9fe83d9a8b2f0

SHA256
05576376d346c60d5c61f8b04b7b75809c23d2142ee2ce7e7838e7f580ee47a7

SHA512
0c71a7f043056377e135e2eca49628aba3a373f1a991021580f9695a67af9ae955e9370c6f8555b1282a009ee5142562c4c4a886e87313cfae1e3cf743903ee1

Download Submit
\Windows\SysWOW64\Cpnojioo.exe

Filesize
223KB

MD5
11a36c68276f9f0f8c23b2b0e693d1a6

SHA1
2aafb41609d0b4542aefa0b007e1f918e31d8f2f

SHA256
d17be3e4bda18a4ab9e9dbcdb2f1aa51a41901427a0eeff2718621dfda2ab16b

SHA512
c4bcc85aa9972e9cfbcbe40c88ebca8f2be0a8cd336bb70dc8182592faa99954df4cc414a8cfffc90ab59d4defbfaefe2b36aec247a532bbdfc0f10a72ddbe9e

Download Submit
\Windows\SysWOW64\Dggcffhg.exe

Filesize
223KB

MD5
1c4faf3294c4d68eef0e4527a00e52d7

SHA1
fd0ffdfb5296e83f2f0a71187014ec606a7b7711

SHA256
00343b1b2c45cbe34c1f075637e464712d1d795c7cfde5c4dd5b3c94d8d66bf0

SHA512
9cdf9d02e087615e19b4fb88854b7522e0e490f1cd1a75be64ab684a6d0511760a7562a563e75b958282440b8b7ff190ad47ce7d9838807dcb4358aee27304c4

Download Submit
\Windows\SysWOW64\Dhnmij32.exe

Filesize
223KB

MD5
1f67612a8dd2f4c1c0674d73aa27cf6b

SHA1
2790e04a00ecd1b1a2bccb0420004a2dd44468f9

SHA256
61a9540fb1d026a53e696cc3b8ee87856e9c61e29889b1e9c5fb64a36725f3e8

SHA512
0d79840750e1919b240811c2b6910e63616f799fd7109531905ecb98694768b4d7558c1e1101c6eb3ebda66a0a7e2cc6bb14b6bbf76765d601a1c6beb11f84f7

Download Submit
\Windows\SysWOW64\Dolnad32.exe

Filesize
223KB

MD5
972e3cf60a434d87acf99c98af963394

SHA1
3840b8419ae09332e4b70218dead2a7c44f29502

SHA256
3b6eb2474ed59a459339804495291d96be520f6e9f88de28afcdb7cb743515bb

SHA512
f4ec85ef0fd9e0dc8c3c7f2e6c4ad442ce9c9d11da605f779e992d7796f2133406de44946823ae7616aff7aabb59de340286a3ca4d6724c10725f990908c65bc

Download Submit
\Windows\SysWOW64\Ekhhadmk.exe

Filesize
223KB

MD5
dadf7979c8925093f12780f01926e821

SHA1
ed881d65f2b346e84f95bfac5ea9890c089d9476

SHA256
590bce9d05211f79192485680b227c0cf1faf290740cc809c5c3aa997571ea83

SHA512
0b351a52c2b0975082dd15f4a026128d2d7719d01577795a5208b514b2bfd6090173d66b21b2d0e5a424937f7e3d889d0d2e38e4ee29fe671480513b2828bdaa

Download Submit
memory/572-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/612-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/612-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/612-139-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/884-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-247-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1012-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-236-0x00000000002B0000-0x00000000002E3000-memory.dmp

Filesize
204KB

Download
memory/1340-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-199-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1416-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-172-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1720-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-24-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1920-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2008-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-156-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2188-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-220-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2200-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-88-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2368-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2612-65-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2652-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-101-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads