c93f277cd6d55833fe1bb02866463cab46fa0580bdd79ccf5f0c92c0c4cbbf4e

Analysis

max time kernel
112s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/09/2024, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c692f3e0bed2a33c8d067e335a719290N.exe
Size

407KB
MD5

c692f3e0bed2a33c8d067e335a719290
SHA1

73050486240620c9d4245c6e767f8b7dcb45acf8
SHA256

c93f277cd6d55833fe1bb02866463cab46fa0580bdd79ccf5f0c92c0c4cbbf4e
SHA512

69102a36f4c0f0de7b2618f62aec08952e8c6f45fb7e06e84cfe085264438700a37c215e6f034771a2ef688bb79d4fb06b69def9aaefd8f5adb3f2d30b582fdd
SSDEEP

6144:Y6CzFpSpIYzpui6yYPaIGcjDpui6yYPaIGckSU05836pui6yYPaIGckN:nC5QGKpV6yYP3pV6yYPg058KpV6yYPS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qjdgpcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afbnec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjdgpcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Palbgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkojoghl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c692f3e0bed2a33c8d067e335a719290N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celpqbon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbnec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailqfooi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c692f3e0bed2a33c8d067e335a719290N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Palbgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkojoghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdaabk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aejglo32.exe

Executes dropped EXE 18 IoCs

pid	Process
2216	Pkojoghl.exe
2884	Palbgn32.exe
2880	Qgfkchmp.exe
2696	Qjdgpcmd.exe
2776	Ailqfooi.exe
840	Afbnec32.exe
552	Ahcjmkbo.exe
2488	Aejglo32.exe
2600	Baqhapdj.exe
1416	Bdodmlcm.exe
2940	Bdaabk32.exe
2280	Bmlbaqfh.exe
3060	Biccfalm.exe
2428	Ciepkajj.exe
2340	Celpqbon.exe
2496	Chjmmnnb.exe
1124	Chmibmlo.exe
332	Coindgbi.exe

Loads dropped DLL 36 IoCs

pid	Process
2748	c692f3e0bed2a33c8d067e335a719290N.exe
2748	c692f3e0bed2a33c8d067e335a719290N.exe
2216	Pkojoghl.exe
2216	Pkojoghl.exe
2884	Palbgn32.exe
2884	Palbgn32.exe
2880	Qgfkchmp.exe
2880	Qgfkchmp.exe
2696	Qjdgpcmd.exe
2696	Qjdgpcmd.exe
2776	Ailqfooi.exe
2776	Ailqfooi.exe
840	Afbnec32.exe
840	Afbnec32.exe
552	Ahcjmkbo.exe
552	Ahcjmkbo.exe
2488	Aejglo32.exe
2488	Aejglo32.exe
2600	Baqhapdj.exe
2600	Baqhapdj.exe
1416	Bdodmlcm.exe
1416	Bdodmlcm.exe
2940	Bdaabk32.exe
2940	Bdaabk32.exe
2280	Bmlbaqfh.exe
2280	Bmlbaqfh.exe
3060	Biccfalm.exe
3060	Biccfalm.exe
2428	Ciepkajj.exe
2428	Ciepkajj.exe
2340	Celpqbon.exe
2340	Celpqbon.exe
2496	Chjmmnnb.exe
2496	Chjmmnnb.exe
1124	Chmibmlo.exe
1124	Chmibmlo.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pfapgnji.dll	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Clmkgm32.dll	Celpqbon.exe
File opened for modification	C:\Windows\SysWOW64\Ailqfooi.exe	Qjdgpcmd.exe
File created	C:\Windows\SysWOW64\Gpfecckm.dll	Qjdgpcmd.exe
File opened for modification	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Palbgn32.exe	Pkojoghl.exe
File created	C:\Windows\SysWOW64\Qgfkchmp.exe	Palbgn32.exe
File created	C:\Windows\SysWOW64\Hlggmcob.dll	Bmlbaqfh.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Chjmmnnb.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Afbnec32.exe	Ailqfooi.exe
File opened for modification	C:\Windows\SysWOW64\Afbnec32.exe	Ailqfooi.exe
File created	C:\Windows\SysWOW64\Biccfalm.exe	Bmlbaqfh.exe
File opened for modification	C:\Windows\SysWOW64\Biccfalm.exe	Bmlbaqfh.exe
File opened for modification	C:\Windows\SysWOW64\Chjmmnnb.exe	Celpqbon.exe
File created	C:\Windows\SysWOW64\Ahcjmkbo.exe	Afbnec32.exe
File opened for modification	C:\Windows\SysWOW64\Ahcjmkbo.exe	Afbnec32.exe
File created	C:\Windows\SysWOW64\Baqhapdj.exe	Aejglo32.exe
File created	C:\Windows\SysWOW64\Bdaabk32.exe	Bdodmlcm.exe
File created	C:\Windows\SysWOW64\Lpppjikm.dll	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Mncmib32.dll	Afbnec32.exe
File created	C:\Windows\SysWOW64\Befima32.dll	Ahcjmkbo.exe
File created	C:\Windows\SysWOW64\Celpqbon.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Chmibmlo.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	Palbgn32.exe
File opened for modification	C:\Windows\SysWOW64\Ciepkajj.exe	Biccfalm.exe
File opened for modification	C:\Windows\SysWOW64\Bdodmlcm.exe	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Chjmmnnb.exe	Celpqbon.exe
File created	C:\Windows\SysWOW64\Inngpj32.dll	Ailqfooi.exe
File opened for modification	C:\Windows\SysWOW64\Baqhapdj.exe	Aejglo32.exe
File created	C:\Windows\SysWOW64\Bdodmlcm.exe	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Aejglo32.exe	Ahcjmkbo.exe
File created	C:\Windows\SysWOW64\Anfdhfiq.dll	Aejglo32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Dmpgan32.dll	c692f3e0bed2a33c8d067e335a719290N.exe
File opened for modification	C:\Windows\SysWOW64\Bdaabk32.exe	Bdodmlcm.exe
File created	C:\Windows\SysWOW64\Iibogmjf.dll	Biccfalm.exe
File opened for modification	C:\Windows\SysWOW64\Qjdgpcmd.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Ailqfooi.exe	Qjdgpcmd.exe
File opened for modification	C:\Windows\SysWOW64\Pkojoghl.exe	c692f3e0bed2a33c8d067e335a719290N.exe
File created	C:\Windows\SysWOW64\Palbgn32.exe	Pkojoghl.exe
File created	C:\Windows\SysWOW64\Aiffeloi.dll	Palbgn32.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Npjkgala.dll	Pkojoghl.exe
File created	C:\Windows\SysWOW64\Qjdgpcmd.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Bijpeihq.dll	Bdodmlcm.exe
File created	C:\Windows\SysWOW64\Ciepkajj.exe	Biccfalm.exe
File opened for modification	C:\Windows\SysWOW64\Celpqbon.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Pkojoghl.exe	c692f3e0bed2a33c8d067e335a719290N.exe
File created	C:\Windows\SysWOW64\Llpaflnl.dll	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Bmlbaqfh.exe	Bdaabk32.exe
File opened for modification	C:\Windows\SysWOW64\Aejglo32.exe	Ahcjmkbo.exe
File created	C:\Windows\SysWOW64\Agcmideg.dll	Bdaabk32.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdaabk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c692f3e0bed2a33c8d067e335a719290N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjdgpcmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aejglo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baqhapdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdodmlcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbnec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciepkajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjmmnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkojoghl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailqfooi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biccfalm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palbgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahcjmkbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmlbaqfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celpqbon.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c692f3e0bed2a33c8d067e335a719290N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befima32.dll"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Celpqbon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncmib32.dll"	Afbnec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ahcjmkbo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll"	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdaabk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmlbaqfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmpgan32.dll"	c692f3e0bed2a33c8d067e335a719290N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkojoghl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Palbgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qjdgpcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfapgnji.dll"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c692f3e0bed2a33c8d067e335a719290N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	c692f3e0bed2a33c8d067e335a719290N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afbnec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llpaflnl.dll"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjdgpcmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ahcjmkbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlggmcob.dll"	Bmlbaqfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pkojoghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffeloi.dll"	Palbgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfecckm.dll"	Qjdgpcmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aejglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll"	Celpqbon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npjkgala.dll"	Pkojoghl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Palbgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpppjikm.dll"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inngpj32.dll"	Ailqfooi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afbnec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c692f3e0bed2a33c8d067e335a719290N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ailqfooi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfdhfiq.dll"	Aejglo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijpeihq.dll"	Bdodmlcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll"	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c692f3e0bed2a33c8d067e335a719290N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmibmlo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 2216	2748	c692f3e0bed2a33c8d067e335a719290N.exe	30
PID 2748 wrote to memory of 2216	2748	c692f3e0bed2a33c8d067e335a719290N.exe	30
PID 2748 wrote to memory of 2216	2748	c692f3e0bed2a33c8d067e335a719290N.exe	30
PID 2748 wrote to memory of 2216	2748	c692f3e0bed2a33c8d067e335a719290N.exe	30
PID 2216 wrote to memory of 2884	2216	Pkojoghl.exe	31
PID 2216 wrote to memory of 2884	2216	Pkojoghl.exe	31
PID 2216 wrote to memory of 2884	2216	Pkojoghl.exe	31
PID 2216 wrote to memory of 2884	2216	Pkojoghl.exe	31
PID 2884 wrote to memory of 2880	2884	Palbgn32.exe	32
PID 2884 wrote to memory of 2880	2884	Palbgn32.exe	32
PID 2884 wrote to memory of 2880	2884	Palbgn32.exe	32
PID 2884 wrote to memory of 2880	2884	Palbgn32.exe	32
PID 2880 wrote to memory of 2696	2880	Qgfkchmp.exe	33
PID 2880 wrote to memory of 2696	2880	Qgfkchmp.exe	33
PID 2880 wrote to memory of 2696	2880	Qgfkchmp.exe	33
PID 2880 wrote to memory of 2696	2880	Qgfkchmp.exe	33
PID 2696 wrote to memory of 2776	2696	Qjdgpcmd.exe	34
PID 2696 wrote to memory of 2776	2696	Qjdgpcmd.exe	34
PID 2696 wrote to memory of 2776	2696	Qjdgpcmd.exe	34
PID 2696 wrote to memory of 2776	2696	Qjdgpcmd.exe	34
PID 2776 wrote to memory of 840	2776	Ailqfooi.exe	35
PID 2776 wrote to memory of 840	2776	Ailqfooi.exe	35
PID 2776 wrote to memory of 840	2776	Ailqfooi.exe	35
PID 2776 wrote to memory of 840	2776	Ailqfooi.exe	35
PID 840 wrote to memory of 552	840	Afbnec32.exe	36
PID 840 wrote to memory of 552	840	Afbnec32.exe	36
PID 840 wrote to memory of 552	840	Afbnec32.exe	36
PID 840 wrote to memory of 552	840	Afbnec32.exe	36
PID 552 wrote to memory of 2488	552	Ahcjmkbo.exe	37
PID 552 wrote to memory of 2488	552	Ahcjmkbo.exe	37
PID 552 wrote to memory of 2488	552	Ahcjmkbo.exe	37
PID 552 wrote to memory of 2488	552	Ahcjmkbo.exe	37
PID 2488 wrote to memory of 2600	2488	Aejglo32.exe	38
PID 2488 wrote to memory of 2600	2488	Aejglo32.exe	38
PID 2488 wrote to memory of 2600	2488	Aejglo32.exe	38
PID 2488 wrote to memory of 2600	2488	Aejglo32.exe	38
PID 2600 wrote to memory of 1416	2600	Baqhapdj.exe	39
PID 2600 wrote to memory of 1416	2600	Baqhapdj.exe	39
PID 2600 wrote to memory of 1416	2600	Baqhapdj.exe	39
PID 2600 wrote to memory of 1416	2600	Baqhapdj.exe	39
PID 1416 wrote to memory of 2940	1416	Bdodmlcm.exe	40
PID 1416 wrote to memory of 2940	1416	Bdodmlcm.exe	40
PID 1416 wrote to memory of 2940	1416	Bdodmlcm.exe	40
PID 1416 wrote to memory of 2940	1416	Bdodmlcm.exe	40
PID 2940 wrote to memory of 2280	2940	Bdaabk32.exe	41
PID 2940 wrote to memory of 2280	2940	Bdaabk32.exe	41
PID 2940 wrote to memory of 2280	2940	Bdaabk32.exe	41
PID 2940 wrote to memory of 2280	2940	Bdaabk32.exe	41
PID 2280 wrote to memory of 3060	2280	Bmlbaqfh.exe	42
PID 2280 wrote to memory of 3060	2280	Bmlbaqfh.exe	42
PID 2280 wrote to memory of 3060	2280	Bmlbaqfh.exe	42
PID 2280 wrote to memory of 3060	2280	Bmlbaqfh.exe	42
PID 3060 wrote to memory of 2428	3060	Biccfalm.exe	43
PID 3060 wrote to memory of 2428	3060	Biccfalm.exe	43
PID 3060 wrote to memory of 2428	3060	Biccfalm.exe	43
PID 3060 wrote to memory of 2428	3060	Biccfalm.exe	43
PID 2428 wrote to memory of 2340	2428	Ciepkajj.exe	44
PID 2428 wrote to memory of 2340	2428	Ciepkajj.exe	44
PID 2428 wrote to memory of 2340	2428	Ciepkajj.exe	44
PID 2428 wrote to memory of 2340	2428	Ciepkajj.exe	44
PID 2340 wrote to memory of 2496	2340	Celpqbon.exe	45
PID 2340 wrote to memory of 2496	2340	Celpqbon.exe	45
PID 2340 wrote to memory of 2496	2340	Celpqbon.exe	45
PID 2340 wrote to memory of 2496	2340	Celpqbon.exe	45

C:\Users\Admin\AppData\Local\Temp\c692f3e0bed2a33c8d067e335a719290N.exe
"C:\Users\Admin\AppData\Local\Temp\c692f3e0bed2a33c8d067e335a719290N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Windows\SysWOW64\Pkojoghl.exe
  C:\Windows\system32\Pkojoghl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Windows\SysWOW64\Palbgn32.exe
    C:\Windows\system32\Palbgn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\Qgfkchmp.exe
      C:\Windows\system32\Qgfkchmp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2880
    - - C:\Windows\SysWOW64\Qjdgpcmd.exe
        
        C:\Windows\system32\Qjdgpcmd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\SysWOW64\Ailqfooi.exe
        
        C:\Windows\system32\Ailqfooi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Afbnec32.exe
        
        C:\Windows\system32\Afbnec32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Ahcjmkbo.exe
        
        C:\Windows\system32\Ahcjmkbo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Aejglo32.exe
        
        C:\Windows\system32\Aejglo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Baqhapdj.exe
        
        C:\Windows\system32\Baqhapdj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Bdodmlcm.exe
        
        C:\Windows\system32\Bdodmlcm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Bdaabk32.exe
        
        C:\Windows\system32\Bdaabk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Bmlbaqfh.exe
        
        C:\Windows\system32\Bmlbaqfh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\SysWOW64\Biccfalm.exe
        
        C:\Windows\system32\Biccfalm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\SysWOW64\Ciepkajj.exe
        
        C:\Windows\system32\Ciepkajj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Celpqbon.exe
        
        C:\Windows\system32\Celpqbon.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Chjmmnnb.exe
        
        C:\Windows\system32\Chjmmnnb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ahcjmkbo.exe

Filesize
407KB

MD5
cab13e3e2594261e484a7768e2c18cfa

SHA1
ac4c2fde76f3bd8aa27a6a8657c443ef04315bc4

SHA256
48d121dce1ce90ac242abb7be9ac05a51c5232ce256e56e8f5532c4d4116ca69

SHA512
4a9095d03e6a52134b6f37f1dc26b85e02c9f192c0b27b0b73a49abb9a12b323ed3209755fe2dea6002feca98ff421dc540b7f6405fb65ab99123292688507f5

Download Submit
C:\Windows\SysWOW64\Bmlbaqfh.exe

Filesize
407KB

MD5
fa96e08bcbe023721ae0911a4ef0d85f

SHA1
a9c53e4ff58cf22745177c6f721404918f4d8819

SHA256
6bcb62014f1fb4ef5c30d40814ea055366239af6c8bad7f83b0416018c0bad30

SHA512
21e26e93c053bab527c2ff728257e642e2f34fdb1501397cf7419503924f0bd8a853555db7109b86114f88f4a398a3ce900c8da1b9e23606bdaef4f06fb09df0

Download Submit
C:\Windows\SysWOW64\Celpqbon.exe

Filesize
407KB

MD5
3afddf967a110b704599e326d94df17d

SHA1
4d6362577a2fe3b94d177266c6dfcff2843a721d

SHA256
a36e6d9417dfd0fd5c3a350eee864e6b967f190366362570a56a7c84a1190345

SHA512
11b4741a759c899247e0d5be57a226dc0ddc84f6d4926fc6004d19f909907508380cebb74331415cca7b8ffc4fcb0744447ddcf3d314fbb2a120861193f1fc17

Download Submit
C:\Windows\SysWOW64\Chmibmlo.exe

Filesize
407KB

MD5
fe9802bc8f2bd00da0300e69db5cf1c4

SHA1
a926e64336151679a8aa89e48a968f93e047838d

SHA256
6d0236000ccae0182e770512722e4856912d7b106b804cb5dc7ccb086be50a94

SHA512
c5acc3ca05a6378866e343d3f1acc0e8e298a6386532757bc5780ff816ebdc9edb0f334972ea40d17a06cb17d5b6124328ce73905d83c3f28cf71f8c5926b45c

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
407KB

MD5
475991bd28049a44032f06e130cc2e3e

SHA1
b164003db0af5e2b9acc88b8fd0d5f9e3e16552e

SHA256
355bdc968cdec6c651de5d115d47241de0923202b8a4a11cab879b0ccf5fe8ed

SHA512
8efe6e66fab86364a1a58ad0551c2a8152c1b7609dba25809d12c0e0c93fee110ad7b2038dc9a66e7c7cf7ee1dd54f16dd5def6df5ae98b8d4d8a2c20ffe3267

Download Submit
C:\Windows\SysWOW64\Gpfecckm.dll

Filesize
7KB

MD5
62425e99a4f4c6ea802ce14aaf1ea83b

SHA1
d4e8c6651110f86b5e0cf26a22d5b204f69b3347

SHA256
7f9a10d7639a5b02971a2ed3e1afbdcb02324f27afb15cf234c6d7b892b8c124

SHA512
988961170419a5e524b7dbdf6f86d18c198696d26194930bffe7e17f8d9d2fadd7bb0a8ed4347aec6f0f6f276ffd4a75c79661a6e5dc3cbad2a969635fc2a2b3

Download Submit
C:\Windows\SysWOW64\Palbgn32.exe

Filesize
407KB

MD5
14419f14c026a51bb6b8d93e611ffc13

SHA1
6f9e3c9f29aabe963e91bb39daf0920d4c15f64c

SHA256
0b5896eb45aef5c600ce8f64a8c2e9f69d811133d9dd1bf94dae3b401ace6a3b

SHA512
9a82bef1820a288cdd872e9863f5660999fd59f43114a159e8c43518a45024e7d5bc7654fb49eef5c080ae5beca6ebf6c2fa79b354e171ff98a8fe39c8cab00d

Download Submit
C:\Windows\SysWOW64\Qgfkchmp.exe

Filesize
407KB

MD5
769fc4a08dd120aa0e49aa73327f2794

SHA1
3e16d4a7d3f123b85f3132dc4a702f42ce1efc66

SHA256
739b7086af655f15b8a985e50bae883084890d9d6add71a33a9c638a0743e324

SHA512
bd6ffcf117ec3f8aebb7464ae84227d333c94ce131b0bf1e22509681f02535b0bce688c4d4cc330af6e6a64f09dd6a7d30bb92c33dd8dac9d873ed0e04c6a3e5

Download Submit
\Windows\SysWOW64\Aejglo32.exe

Filesize
407KB

MD5
4e933d6946a823a9d501d88265a63658

SHA1
8b41e01fa7dd01e5625bce39c9c831567ccfb8ea

SHA256
8459a79e0f1e9a6cf888b39fded6a7cc13f035e26156af10b550e305b78eb9f5

SHA512
901ea2bf29311c9e9f2cf3f1d973f7f39bdba9a471ddc3e2e1f22c5cdb60d213a23c27f5788b841bf3ee9ebdcf4f79e0368ab58a56be14eee9f89bcf43f38b8e

Download Submit
\Windows\SysWOW64\Afbnec32.exe

Filesize
407KB

MD5
f5f164bcc15e19bc8b3e427d508aeec8

SHA1
4aded518242a5b3ac137bb6baf810f93b3168d84

SHA256
3d088dd9429c4d9ac06b04a49f4c4a7db6d82b716e77ced308b2ff66873d6a97

SHA512
9fa0975d4447ab644c66f45b2fcd662598d61c941675260bd06f58c1470d511189c6fe88ac0d4f43f1b800970828fac1e60f536f72d04efaaa97c3b146a51165

Download Submit
\Windows\SysWOW64\Ailqfooi.exe

Filesize
407KB

MD5
0dd7b847efcfe4545a6703114ffb97c8

SHA1
7cd681cd309bde07162e61b63fc26de5e285a324

SHA256
884802745563659b7a86474a2b091ea45cc2c5ae9dfb5bc368d96a887247ef0a

SHA512
b14d9409d169eb663bae53c2e8dbdab803f7719fed909dbdf4a04a848e229a314aed340abfddbc84317dd9571f2375f3434b97ef9626b306bf04f121e372a6e4

Download Submit
\Windows\SysWOW64\Baqhapdj.exe

Filesize
407KB

MD5
a8d05a9e99779f73d568cfaa503b3eb1

SHA1
ab39ce41948e02cc06c0c5c8a3014f551e5c7a00

SHA256
c65b9c6acf57733ad090b1531ab453b0e9ab1ea40de6fcde3dbbfd1addb8024c

SHA512
17e197b0e2becbc749bb0c99cbb7966be4dab3490615b9ed7c6f0c37dfedb2d00e90a91bf26e026dc0e55f320d11c9b4d8146c29ec65ffd8d3946e853444874d

Download Submit
\Windows\SysWOW64\Bdaabk32.exe

Filesize
407KB

MD5
15a2caefeab9ad1de9d22ff9e77dd085

SHA1
5a1aa1afa40e20ae5bfda3e2b7cda7e55b675e23

SHA256
2fba1dde40bfa71aa05050e9351f97beef152fb7908b3b3426418d34c990b449

SHA512
f59be1328f434ddb81faf46df405e4658cd0c59a052e65ebc599c687932d5ca6dd610b4b2e917fb2b1220a5fcc47ffea787f1c10fbfe894915acd3fdc51a4192

Download Submit
\Windows\SysWOW64\Bdodmlcm.exe

Filesize
407KB

MD5
463c2d64f28b8f43e796935983a948eb

SHA1
68cecf68d9a7644edc894d064633dc9e073f5f99

SHA256
0a06aa585de6857f46a747e8c7619dd5e6db99185fec2dfd6b9027537b2d28ce

SHA512
103bea311a48283ed5b9b41857a820b2cb09a83c42bd56dee893b9cc6ce46a7791c8ecda7e048cb07f54be110b333a122b91bcf2acaec790d427505d3af0f99a

Download Submit
\Windows\SysWOW64\Biccfalm.exe

Filesize
407KB

MD5
9ae1a1142f95bf2fc8212956cc653617

SHA1
ea39b31faba471c96738b78b68e66e434ddf1d41

SHA256
8b6bad0c7cf73d488df91d0cefebee536aa81bb624ef2aec9c3cf5ec5269b5dc

SHA512
db48987b271224e270cb9e5da5341a814084fdb228d5e731b1ee1a79b7ac4e054f8ec6e34a0d598a93d0e83d5ad426b004d0854cc2c3ed62ca31890fde182804

Download Submit
\Windows\SysWOW64\Chjmmnnb.exe

Filesize
407KB

MD5
8f9c0250b6144c1dfaf7d965d7dc86f5

SHA1
4ff92a536b4450dd31973037ba64341581255ac3

SHA256
8b94f25fd36bd6d089c8e4f313185247fc00896f4e410ee559b4458d00c723bc

SHA512
c483858d7494c7690980d78747bfe36b4c4da9d8eb1624d1c146b39e8b0b18350d0c9b63fea2f9c9f511fc089b0cf61b1009b96df3326eaa7fe8098b4806bb06

Download Submit
\Windows\SysWOW64\Ciepkajj.exe

Filesize
407KB

MD5
597085edb4528c7ecb59e9f657b1e455

SHA1
96778f66b643a447afaeb0f5f7b8942f83e7d4d7

SHA256
42830220a09b6c2de1de7b4e03af84b3600c08a717fde5eca08f08fe0db931dc

SHA512
e0692647b92ed01213f5d4de10b2ac12d6ec555490c24fa579feaa69b2d8892b4cdce35b1c941421735b2a8c3956f23c8d9d1396e537685a905186eb2fdbb635

Download Submit
\Windows\SysWOW64\Pkojoghl.exe

Filesize
407KB

MD5
79383230a6880de9cdfed2670848233c

SHA1
f35b6a8b09888ae9b057e21086079fe896a16242

SHA256
11f5d03590d5ac58be9da4d4ee91f0a58d0ab83bf8758e2906a8b9101d0ee125

SHA512
20217626feca703eb93d84e3ccca4eb13ec831f34963d7a08cb5c063a36ae2b826defa40e7cbf6e9e83a47748f4526140c6d177635dfee2442147a47416db4b6

Download Submit
\Windows\SysWOW64\Qjdgpcmd.exe

Filesize
407KB

MD5
25407226ed6c5f0a35e21efdfa9165bc

SHA1
6541913bd0b0bcd68f650028b3e713d4b5de1404

SHA256
98bfa96a78f496a5854c9c9cd8d8d32ec0bc57d56d80a160a4f580bb23e2c953

SHA512
216ce7ae01e32abdf7b269659563feb753e6121d308b5a32aba2b8948a0faf0c73defada8e694d1d386e83005b06aa292819ad09e263917b4faa746047890b64

Download Submit
memory/332-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-107-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/552-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-255-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/840-99-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1124-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1124-247-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1124-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-155-0x0000000000370000-0x00000000003A3000-memory.dmp

Filesize
204KB

Download
memory/1416-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-183-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2280-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-225-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2340-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-212-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2428-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-127-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2488-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-234-0x0000000001FB0000-0x0000000001FE3000-memory.dmp

Filesize
204KB

Download
memory/2496-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-141-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2600-140-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2600-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-69-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2696-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-64-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2696-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-11-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2748-12-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2776-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-83-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2776-84-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2776-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2880-54-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2880-55-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2880-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-45-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2884-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-170-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3060-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-192-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/3060-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads