14b201e70e169b3a6571220b203f6f1678c17f036451fa41700a3fcf7d66c6e3

Analysis

max time kernel
111s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Size

320KB
MD5

6315093a1f1d7c1687cdcfcc0ac6a2b0
SHA1

665e7bb38269ae1317aac04cf80e7312a90897b2
SHA256

14b201e70e169b3a6571220b203f6f1678c17f036451fa41700a3fcf7d66c6e3
SHA512

c9bf9c88d8a5ec0b07d49cf9c128fdb8a03bdb8d07c5d60133d701b9e5986a5a3c6540e06c3aac4c104a1f9a9c49526fcced0f70e14027c831f100f2256f33f6
SSDEEP

6144:Izd4Pgs9wDMV+tbFOLM77OLnFe3HCqxNRmJ4PavntPRD:udPs9wVtsNePmjvtPRD

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cocphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boljgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boogmgkl.exe

Executes dropped EXE 18 IoCs

pid	Process
1764	Bdqlajbb.exe
2800	Bgoime32.exe
2848	Bniajoic.exe
2708	Bceibfgj.exe
2600	Bmnnkl32.exe
2424	Boljgg32.exe
2260	Bmpkqklh.exe
2904	Boogmgkl.exe
2816	Bmbgfkje.exe
1916	Ccmpce32.exe
2920	Cocphf32.exe
1268	Cepipm32.exe
2096	Cagienkb.exe
1176	Cnkjnb32.exe
1276	Cjakccop.exe
1732	Cnmfdb32.exe
1704	Ccjoli32.exe
1480	Dpapaj32.exe

Loads dropped DLL 39 IoCs

pid	Process
824	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
824	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
1764	Bdqlajbb.exe
1764	Bdqlajbb.exe
2800	Bgoime32.exe
2800	Bgoime32.exe
2848	Bniajoic.exe
2848	Bniajoic.exe
2708	Bceibfgj.exe
2708	Bceibfgj.exe
2600	Bmnnkl32.exe
2600	Bmnnkl32.exe
2424	Boljgg32.exe
2424	Boljgg32.exe
2260	Bmpkqklh.exe
2260	Bmpkqklh.exe
2904	Boogmgkl.exe
2904	Boogmgkl.exe
2816	Bmbgfkje.exe
2816	Bmbgfkje.exe
1916	Ccmpce32.exe
1916	Ccmpce32.exe
2920	Cocphf32.exe
2920	Cocphf32.exe
1268	Cepipm32.exe
1268	Cepipm32.exe
2096	Cagienkb.exe
2096	Cagienkb.exe
1176	Cnkjnb32.exe
1176	Cnkjnb32.exe
1276	Cjakccop.exe
1276	Cjakccop.exe
1732	Cnmfdb32.exe
1732	Cnmfdb32.exe
1704	Ccjoli32.exe
1704	Ccjoli32.exe
632	WerFault.exe
632	WerFault.exe
632	WerFault.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lbhnia32.dll	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Jdpkmjnb.dll	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Aqpmpahd.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Cocphf32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bniajoic.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bdqlajbb.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bmpkqklh.exe	Boljgg32.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Cagienkb.exe	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File created	C:\Windows\SysWOW64\Bmpkqklh.exe	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Liempneg.dll	Cagienkb.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Bmnnkl32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Cagienkb.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File created	C:\Windows\SysWOW64\Lmdlck32.dll	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cocphf32.exe
File created	C:\Windows\SysWOW64\Bmnnkl32.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Pijjilik.dll	Boljgg32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cagienkb.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Bdqlajbb.exe	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
File opened for modification	C:\Windows\SysWOW64\Bdqlajbb.exe	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Boogmgkl.exe	Bmpkqklh.exe
File created	C:\Windows\SysWOW64\Hbcfdk32.dll	Cepipm32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bmbgfkje.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bdqlajbb.exe
File opened for modification	C:\Windows\SysWOW64\Boljgg32.exe	Bmnnkl32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Boogmgkl.exe
File opened for modification	C:\Windows\SysWOW64\Cocphf32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cocphf32.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cagienkb.exe
File created	C:\Windows\SysWOW64\Godonkii.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bmpkqklh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
632	1480	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cocphf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbgfkje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmnnkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagienkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdqlajbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boljgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpkqklh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll"	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmpkqklh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdqlajbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pijjilik.dll"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll"	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cagienkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbcfdk32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqpmpahd.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boljgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpkqklh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagienkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdqlajbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cocphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmnnkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmnnkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boljgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cocphf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 1764	824	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe	31
PID 824 wrote to memory of 1764	824	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe	31
PID 824 wrote to memory of 1764	824	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe	31
PID 824 wrote to memory of 1764	824	6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe	31
PID 1764 wrote to memory of 2800	1764	Bdqlajbb.exe	32
PID 1764 wrote to memory of 2800	1764	Bdqlajbb.exe	32
PID 1764 wrote to memory of 2800	1764	Bdqlajbb.exe	32
PID 1764 wrote to memory of 2800	1764	Bdqlajbb.exe	32
PID 2800 wrote to memory of 2848	2800	Bgoime32.exe	33
PID 2800 wrote to memory of 2848	2800	Bgoime32.exe	33
PID 2800 wrote to memory of 2848	2800	Bgoime32.exe	33
PID 2800 wrote to memory of 2848	2800	Bgoime32.exe	33
PID 2848 wrote to memory of 2708	2848	Bniajoic.exe	34
PID 2848 wrote to memory of 2708	2848	Bniajoic.exe	34
PID 2848 wrote to memory of 2708	2848	Bniajoic.exe	34
PID 2848 wrote to memory of 2708	2848	Bniajoic.exe	34
PID 2708 wrote to memory of 2600	2708	Bceibfgj.exe	35
PID 2708 wrote to memory of 2600	2708	Bceibfgj.exe	35
PID 2708 wrote to memory of 2600	2708	Bceibfgj.exe	35
PID 2708 wrote to memory of 2600	2708	Bceibfgj.exe	35
PID 2600 wrote to memory of 2424	2600	Bmnnkl32.exe	36
PID 2600 wrote to memory of 2424	2600	Bmnnkl32.exe	36
PID 2600 wrote to memory of 2424	2600	Bmnnkl32.exe	36
PID 2600 wrote to memory of 2424	2600	Bmnnkl32.exe	36
PID 2424 wrote to memory of 2260	2424	Boljgg32.exe	37
PID 2424 wrote to memory of 2260	2424	Boljgg32.exe	37
PID 2424 wrote to memory of 2260	2424	Boljgg32.exe	37
PID 2424 wrote to memory of 2260	2424	Boljgg32.exe	37
PID 2260 wrote to memory of 2904	2260	Bmpkqklh.exe	38
PID 2260 wrote to memory of 2904	2260	Bmpkqklh.exe	38
PID 2260 wrote to memory of 2904	2260	Bmpkqklh.exe	38
PID 2260 wrote to memory of 2904	2260	Bmpkqklh.exe	38
PID 2904 wrote to memory of 2816	2904	Boogmgkl.exe	39
PID 2904 wrote to memory of 2816	2904	Boogmgkl.exe	39
PID 2904 wrote to memory of 2816	2904	Boogmgkl.exe	39
PID 2904 wrote to memory of 2816	2904	Boogmgkl.exe	39
PID 2816 wrote to memory of 1916	2816	Bmbgfkje.exe	40
PID 2816 wrote to memory of 1916	2816	Bmbgfkje.exe	40
PID 2816 wrote to memory of 1916	2816	Bmbgfkje.exe	40
PID 2816 wrote to memory of 1916	2816	Bmbgfkje.exe	40
PID 1916 wrote to memory of 2920	1916	Ccmpce32.exe	41
PID 1916 wrote to memory of 2920	1916	Ccmpce32.exe	41
PID 1916 wrote to memory of 2920	1916	Ccmpce32.exe	41
PID 1916 wrote to memory of 2920	1916	Ccmpce32.exe	41
PID 2920 wrote to memory of 1268	2920	Cocphf32.exe	42
PID 2920 wrote to memory of 1268	2920	Cocphf32.exe	42
PID 2920 wrote to memory of 1268	2920	Cocphf32.exe	42
PID 2920 wrote to memory of 1268	2920	Cocphf32.exe	42
PID 1268 wrote to memory of 2096	1268	Cepipm32.exe	43
PID 1268 wrote to memory of 2096	1268	Cepipm32.exe	43
PID 1268 wrote to memory of 2096	1268	Cepipm32.exe	43
PID 1268 wrote to memory of 2096	1268	Cepipm32.exe	43
PID 2096 wrote to memory of 1176	2096	Cagienkb.exe	44
PID 2096 wrote to memory of 1176	2096	Cagienkb.exe	44
PID 2096 wrote to memory of 1176	2096	Cagienkb.exe	44
PID 2096 wrote to memory of 1176	2096	Cagienkb.exe	44
PID 1176 wrote to memory of 1276	1176	Cnkjnb32.exe	45
PID 1176 wrote to memory of 1276	1176	Cnkjnb32.exe	45
PID 1176 wrote to memory of 1276	1176	Cnkjnb32.exe	45
PID 1176 wrote to memory of 1276	1176	Cnkjnb32.exe	45
PID 1276 wrote to memory of 1732	1276	Cjakccop.exe	46
PID 1276 wrote to memory of 1732	1276	Cjakccop.exe	46
PID 1276 wrote to memory of 1732	1276	Cjakccop.exe	46
PID 1276 wrote to memory of 1732	1276	Cjakccop.exe	46

C:\Users\Admin\AppData\Local\Temp\6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe
"C:\Users\Admin\AppData\Local\Temp\6315093a1f1d7c1687cdcfcc0ac6a2b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Bdqlajbb.exe
  C:\Windows\system32\Bdqlajbb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\SysWOW64\Bgoime32.exe
    C:\Windows\system32\Bgoime32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\SysWOW64\Bniajoic.exe
      C:\Windows\system32\Bniajoic.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Bmnnkl32.exe
        
        C:\Windows\system32\Bmnnkl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Boljgg32.exe
        
        C:\Windows\system32\Boljgg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Bmpkqklh.exe
        
        C:\Windows\system32\Bmpkqklh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Cocphf32.exe
        
        C:\Windows\system32\Cocphf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\Cagienkb.exe
        
        C:\Windows\system32\Cagienkb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 144
        20⤵
        Loads dropped DLL
        Program crash
        
        PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bdqlajbb.exe

Filesize
320KB

MD5
32a7beed471cfefcb2e1e3d034310b7e

SHA1
41590728ab3868eac7200ca531e7b18fc5c4b909

SHA256
2d4b6f6894906e3081aec8b0d1b05391f05ff191e2026d73943ca4fb5123539a

SHA512
1df31f19f9aca605621912ea686206f3857eb5d95da439823eb78041eabed3800a097002625fb35dfc78a3f35dec0e83bc73e3572c0866703bd8fddb7fa24294

Download Submit
C:\Windows\SysWOW64\Bgoime32.exe

Filesize
320KB

MD5
c4f84969b60edf0815b23dce8f078be8

SHA1
64f7cc37c471e39454007737a402f189275c7a6e

SHA256
a83ab706a3106234f1b0887bd353cfd9b8c64ea62654c3343016ede6cc70ad87

SHA512
55498024fb9c65c7b0a3854b0f3db9e3a52f6b79c1e3c78b6728183f7e540d724404ec59347b9cc89cbfbad63bf4063e5af93fd1bda72ec9f7e650ee21aaeb8a

Download Submit
C:\Windows\SysWOW64\Bmnnkl32.exe

Filesize
320KB

MD5
fe91a6e47099260707fdb4e51b9e6d86

SHA1
ee23c6e88c706a68cf73ddf6e21623168220785b

SHA256
96a767f2f05dcb4424a76cfc8672ae8554fa51216e47cb0229d4713fd6ebc4ee

SHA512
a6b2113fa5c0b5fa975d5c54e4564f699c3002377cb151c4be3a9bf4178d8bcddfcd4f93abea5f2971ac40711670111a0d4aa150467dccfd7ab53a757a2265e8

Download Submit
C:\Windows\SysWOW64\Boljgg32.exe

Filesize
320KB

MD5
4635bb47bd959fb8d9ebc398c1f87a84

SHA1
2cd0c3b61d2d8a5330fec8b2816cb81f5f986398

SHA256
a1cc3a54b35a27ee3b6321287aae8e901f892b14434a3eb0a172572c9b01fc27

SHA512
9bd63e2d8698b6933d8dfd39279874f6392b4bc3d4d711950f478f7f266b7e8b450c9d96395026f548bb9950ceae7d46da178a392a87dffaab3b25dd49ac05ba

Download Submit
C:\Windows\SysWOW64\Cagienkb.exe

Filesize
320KB

MD5
1c2d96db1e973bf1a41687d7e1daacea

SHA1
40d94236448736aaba9663f55cdde9bcccad92bf

SHA256
065c7ccfffbc19020a9e838b86ad61c150dc7e9766b0014976ba44c6015e9707

SHA512
453cccd27c4bac656b7305fcf91c5732f3a2dba5b47dd6be81517d231056bda7e6a6ddab9379ce3c545ee48573b36455fc7c330a62255f57362ffa6207ca03c5

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
320KB

MD5
959a59ae255ff2ace25f47517ad6bb48

SHA1
4313bd16b929e8d8df663616c0ad345f5b19c688

SHA256
9379bdbecee396e1e02f749e1449ca4adee6505747248640528d2a3919273b74

SHA512
c69cdd7705d4904f5eb964485436430ded981aefbb762992658217a94e10529c0c5047c5e85c60095268da16f50431325fb99cbb315cad3a8d0e068987aa8485

Download Submit
C:\Windows\SysWOW64\Cocphf32.exe

Filesize
320KB

MD5
645f53716c280643d05eb98297643050

SHA1
40fae1c53eae8f5d12e4a732d965aaea20906303

SHA256
cfcab36856cbc786bcc1bde91ee29d35bb8fd52395d222e826952de84872f70e

SHA512
3d36cf541a1f845867b6488dd2408d53b6dd7ca1a263c8113761d4851a7028680d27de9b89cbb535860e81aa41d0aa8bac0dc532cf8a13541af888af5072c207

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
320KB

MD5
e7bbff8f9aeb7f0c2e8262c1bec94504

SHA1
a01993bb84908e4d44ca3624e57bb51891dc697e

SHA256
aba1b311d754890521b8fb02930e6475b546a78d4f2e7829c7dfad01155ce9f3

SHA512
8badba4ac084f9b9247800ee90528fbd33282a32eb5074ea4da5a9638b5c9bd4a427c9601d08741bb9c43dec422e846221b5f6ee3112b520a36cfeaee71d86a5

Download Submit
C:\Windows\SysWOW64\Godonkii.dll

Filesize
7KB

MD5
9548913c7684c80cb140ab0319c9cd31

SHA1
3c91a6bb23526674c9ac94ed1053192bea55cd8b

SHA256
8c6ca3019329e73f3aaa05a1594b65f42f9026517d47663f504d888bf1dda68f

SHA512
840c7879803b751ba42e8af9d23911de740f4e8bc33dc0a5eda78182560d559a0f4e72de66b36fa1a7f873942f2affcfe5ff05d7fa058d9ff262be70aee6fdb3

Download Submit
\Windows\SysWOW64\Bceibfgj.exe

Filesize
320KB

MD5
152f58a58803745d72d5768174c0fc2f

SHA1
2cf73526c27be57856faa82274aac9d6ede63238

SHA256
825b5f649b70a865d4b302145a100923307f6d5dceb336759283272312c13296

SHA512
b39092174f3d0a8bbd0b2c3b1824384d6c4238e5dbc48852271cbc1ac0421d88297f8d574cddbc778df30eab83d8207f8f2c0c78a578f389bc74c1a75d6fa8ba

Download Submit
\Windows\SysWOW64\Bmbgfkje.exe

Filesize
320KB

MD5
69b010433da9b67d8f6c1d10503a3f4f

SHA1
b3a7605f572c4c8fca0a3129b490cf6edab88e0b

SHA256
d9e1f6b1ee743d6946049cdf095cc62d3218ae13ebc493e33e1c4952be0ff044

SHA512
54eb6e31d5f862bbc03e7fee85c4d02ea1c48cf1a3c159b15374465d2ffaa2e0e72cae681af87d95c4f092fa4dfa6c08b5cb1c5b5cd99423f6a7a7286270ed97

Download Submit
\Windows\SysWOW64\Bmpkqklh.exe

Filesize
320KB

MD5
27d746385c36d86ccc1049bd5afc875e

SHA1
2009abd2ef4289a45e52b1a824361ae545dbe3e5

SHA256
e45152ac7887edd82f1540d600a4e160896ef26ccd5f9eafc45a5a720134b66f

SHA512
bd6e3e4468cfea946b896351dd963cb44659ad4c16c5dcb35e04c9ad35faff9a668170ba51edc8691f66382e99ba1a233f7aba7b3505b0870e4725dcfcb09f25

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
320KB

MD5
a6a4a3e259673be72281af6a5889f712

SHA1
e54f668417e31e655604c168500cf4cd854aa94a

SHA256
043519ee26b47481299d965a95e77d9ae641153e5d71b45906afd2a3632e1411

SHA512
c74a388217352c7ea94dc27b68b06607e9b2f760ce3111efc8f5f139f8dbfa6af692a4af9a62078fb37e591b7d2922779207b3ad51c798e49643275c26d6dea2

Download Submit
\Windows\SysWOW64\Boogmgkl.exe

Filesize
320KB

MD5
f7f566e90655f6d5f7b16da53d5181aa

SHA1
fae01f6c79f2a1d5a2e9bb1046cfedb039bba802

SHA256
0837faafd5ec62448a885a179a6da89f1f575a7a99714ae78b5fbd7ee06a8c15

SHA512
f7974dab12a04c5d0fbc4ba466c0547d562ed1a65dd4b4f4dec7b643ec2861ffcd0253be9ddcbe747ec8e3e34be198157c079f2885dd5ad36975788b0860e92e

Download Submit
\Windows\SysWOW64\Ccmpce32.exe

Filesize
320KB

MD5
4df8bf12eff2a39484a3b9ec9edd2ed1

SHA1
b364e19e753494036436940f4398d876f635679b

SHA256
b24d8d349d3cfe654d7ab22466c5d57637978e3bc1cf8ad95d500d4d1ee6befc

SHA512
36d9370a0f3b4457488d55bf098566570de2401699826448fe9fd91df0a6b27033ba96321a77d12752bf5793103c776f38e6106c8c1cee05de2acdbdf11058ac

Download Submit
\Windows\SysWOW64\Cepipm32.exe

Filesize
320KB

MD5
38ca58b97c13d765ce75e8d39c14d70b

SHA1
580583df5c9edb5f9028944cd6c7f71ea3bbe018

SHA256
310d4f44aea1652d21cd5c8ce57ab5e9e5fd8e06c9cc70995e62c18efa8f694b

SHA512
f886d20d029cc128d410fbacd37bb4a6d5c9917def5fbe5624b037f86bf8b2dcf77ecbbe19f3bdaa9bff686f00f3eabe89c6d762179f03612abefe4d077d8b3a

Download Submit
\Windows\SysWOW64\Cjakccop.exe

Filesize
320KB

MD5
6d4181a7943ac48d9fed8bef5809c436

SHA1
f5581f2366ebbbc92259772282dfd02f0bdaa84f

SHA256
e32ff367774fc8b4cf42ef05c4d6670f881fc2a9e730c6215292fb65fae61400

SHA512
547df11562b9e53a7265a8ac76e0eacecba8c781c989a47dec1899c55afeec64f0b5dd2ef7ea61ce73005ffa903cacd7cf08e077806d89f4f6254154b61535ca

Download Submit
\Windows\SysWOW64\Cnkjnb32.exe

Filesize
320KB

MD5
4b6e0b9c919cc0d9e44e09aa9d9b2bb1

SHA1
9686b7a81da545c8735db176f074fb5439b17da2

SHA256
5b6c5bc304c7aca6b42b62455f500e4060393165d62a8a074327f43b16d67bd2

SHA512
0028a3f04a76c0ede85c9763a52c5093ce88a1d5b2d52a50fe8b153b5458a4e6a6bbd492930b78bbafaf0c8385f3ac0c6bd94513e3a5dab9f889feb8ca8a563d

Download Submit
\Windows\SysWOW64\Cnmfdb32.exe

Filesize
320KB

MD5
4c73621631251441829cadfc5b2964b0

SHA1
ad2f3a47a9579dff35d3ae0f066c8dc08096c03d

SHA256
a1043a9e218ee6f6468b4c280446f14a7e10cec992064e87e8bf9d8724430331

SHA512
e25181c8cd6d6e00a8cf4c82eec5df751274c0257bfdda8ce329c31b6ee869c56e7aef8016f4247aadcaf700aaa73d7a621c243afbfc91c308f7e26e92659ac7

Download Submit
memory/824-7-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/824-13-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/824-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-213-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1176-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1176-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-178-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/1276-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-241-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/1704-236-0x0000000000380000-0x00000000003B4000-memory.dmp

Filesize
208KB

Download
memory/1704-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1704-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-231-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1764-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-150-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1916-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1916-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2096-192-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2096-258-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-80-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2600-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2708-70-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2708-249-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2800-40-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2816-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-132-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2816-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-55-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2848-48-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2848-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-110-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-123-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2920-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-160-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads