212c724a8bf87f653f89d24cd78e2bcb828fd67acdabf66807014585e1c15e72

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Size

94KB
MD5

8653a1ceb98271149c1c475166f3b0ec
SHA1

806e39041b812ea0b6bb95a025310676ecb878ec
SHA256

212c724a8bf87f653f89d24cd78e2bcb828fd67acdabf66807014585e1c15e72
SHA512

f00b3b0599f6f0ef79c78302ce6fe51dcec6f3bb23879e5a5357e472e7bcc2ea800f41256fb1497fa536883386163d610d0ac0c120f711c16e2c52eeafd6a18c
SSDEEP

1536:eq0ToeD9h+5NfXIH3NO8tdQqWvLPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9rQJg:f0UeDONfE3NxWvjH6KU90uGimj1ieybl

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcjcme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkegah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cepipm32.exe

Executes dropped EXE 14 IoCs

pid	Process
316	Bqlfaj32.exe
2644	Bcjcme32.exe
2684	Bfioia32.exe
2140	Bigkel32.exe
2484	Bkegah32.exe
2588	Ccmpce32.exe
2672	Cfkloq32.exe
2780	Ciihklpj.exe
1636	Ckhdggom.exe
1928	Cbblda32.exe
328	Cepipm32.exe
1964	Cgoelh32.exe
1284	Cpfmmf32.exe
2516	Cbdiia32.exe

Loads dropped DLL 28 IoCs

pid	Process
1692	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
1692	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
316	Bqlfaj32.exe
316	Bqlfaj32.exe
2644	Bcjcme32.exe
2644	Bcjcme32.exe
2684	Bfioia32.exe
2684	Bfioia32.exe
2140	Bigkel32.exe
2140	Bigkel32.exe
2484	Bkegah32.exe
2484	Bkegah32.exe
2588	Ccmpce32.exe
2588	Ccmpce32.exe
2672	Cfkloq32.exe
2672	Cfkloq32.exe
2780	Ciihklpj.exe
2780	Ciihklpj.exe
1636	Ckhdggom.exe
1636	Ckhdggom.exe
1928	Cbblda32.exe
1928	Cbblda32.exe
328	Cepipm32.exe
328	Cepipm32.exe
1964	Cgoelh32.exe
1964	Cgoelh32.exe
1284	Cpfmmf32.exe
1284	Cpfmmf32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Jidmcq32.dll	Cepipm32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File created	C:\Windows\SysWOW64\Gjhmge32.dll	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File opened for modification	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
File created	C:\Windows\SysWOW64\Hiablm32.dll	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Bkegah32.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Bnjdhe32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Ccmpce32.exe	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
File created	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bcjcme32.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ciihklpj.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cepipm32.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cepipm32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Gdgqdaoh.dll	Cbblda32.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Oghnkh32.dll	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cbdiia32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bfioia32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bkegah32.exe
File opened for modification	C:\Windows\SysWOW64\Ciihklpj.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Fhgpia32.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bcjcme32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ckhdggom.exe

Program crash 1 IoCs

pid	pid_target	Process
1920	2656	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepipm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbdiia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihklpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjcme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkegah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgoelh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfioia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbblda32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bkegah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cepipm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Ciihklpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ednoihel.dll"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjcme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkegah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhmge32.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cepipm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1692 wrote to memory of 316	1692	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe	30
PID 1692 wrote to memory of 316	1692	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe	30
PID 1692 wrote to memory of 316	1692	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe	30
PID 1692 wrote to memory of 316	1692	Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe	30
PID 316 wrote to memory of 2644	316	Bqlfaj32.exe	31
PID 316 wrote to memory of 2644	316	Bqlfaj32.exe	31
PID 316 wrote to memory of 2644	316	Bqlfaj32.exe	31
PID 316 wrote to memory of 2644	316	Bqlfaj32.exe	31
PID 2644 wrote to memory of 2684	2644	Bcjcme32.exe	32
PID 2644 wrote to memory of 2684	2644	Bcjcme32.exe	32
PID 2644 wrote to memory of 2684	2644	Bcjcme32.exe	32
PID 2644 wrote to memory of 2684	2644	Bcjcme32.exe	32
PID 2684 wrote to memory of 2140	2684	Bfioia32.exe	33
PID 2684 wrote to memory of 2140	2684	Bfioia32.exe	33
PID 2684 wrote to memory of 2140	2684	Bfioia32.exe	33
PID 2684 wrote to memory of 2140	2684	Bfioia32.exe	33
PID 2140 wrote to memory of 2484	2140	Bigkel32.exe	34
PID 2140 wrote to memory of 2484	2140	Bigkel32.exe	34
PID 2140 wrote to memory of 2484	2140	Bigkel32.exe	34
PID 2140 wrote to memory of 2484	2140	Bigkel32.exe	34
PID 2484 wrote to memory of 2588	2484	Bkegah32.exe	35
PID 2484 wrote to memory of 2588	2484	Bkegah32.exe	35
PID 2484 wrote to memory of 2588	2484	Bkegah32.exe	35
PID 2484 wrote to memory of 2588	2484	Bkegah32.exe	35
PID 2588 wrote to memory of 2672	2588	Ccmpce32.exe	36
PID 2588 wrote to memory of 2672	2588	Ccmpce32.exe	36
PID 2588 wrote to memory of 2672	2588	Ccmpce32.exe	36
PID 2588 wrote to memory of 2672	2588	Ccmpce32.exe	36
PID 2672 wrote to memory of 2780	2672	Cfkloq32.exe	37
PID 2672 wrote to memory of 2780	2672	Cfkloq32.exe	37
PID 2672 wrote to memory of 2780	2672	Cfkloq32.exe	37
PID 2672 wrote to memory of 2780	2672	Cfkloq32.exe	37
PID 2780 wrote to memory of 1636	2780	Ciihklpj.exe	38
PID 2780 wrote to memory of 1636	2780	Ciihklpj.exe	38
PID 2780 wrote to memory of 1636	2780	Ciihklpj.exe	38
PID 2780 wrote to memory of 1636	2780	Ciihklpj.exe	38
PID 1636 wrote to memory of 1928	1636	Ckhdggom.exe	39
PID 1636 wrote to memory of 1928	1636	Ckhdggom.exe	39
PID 1636 wrote to memory of 1928	1636	Ckhdggom.exe	39
PID 1636 wrote to memory of 1928	1636	Ckhdggom.exe	39
PID 1928 wrote to memory of 328	1928	Cbblda32.exe	40
PID 1928 wrote to memory of 328	1928	Cbblda32.exe	40
PID 1928 wrote to memory of 328	1928	Cbblda32.exe	40
PID 1928 wrote to memory of 328	1928	Cbblda32.exe	40
PID 328 wrote to memory of 1964	328	Cepipm32.exe	41
PID 328 wrote to memory of 1964	328	Cepipm32.exe	41
PID 328 wrote to memory of 1964	328	Cepipm32.exe	41
PID 328 wrote to memory of 1964	328	Cepipm32.exe	41
PID 1964 wrote to memory of 1284	1964	Cgoelh32.exe	42
PID 1964 wrote to memory of 1284	1964	Cgoelh32.exe	42
PID 1964 wrote to memory of 1284	1964	Cgoelh32.exe	42
PID 1964 wrote to memory of 1284	1964	Cgoelh32.exe	42
PID 1284 wrote to memory of 2516	1284	Cpfmmf32.exe	43
PID 1284 wrote to memory of 2516	1284	Cpfmmf32.exe	43
PID 1284 wrote to memory of 2516	1284	Cpfmmf32.exe	43
PID 1284 wrote to memory of 2516	1284	Cpfmmf32.exe	43

C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe
"C:\Users\Admin\AppData\Local\Temp\Virus.Hijack.ATA_virussign.com_8653a1ceb98271149c1c475166f3b0ec.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Windows\SysWOW64\Bqlfaj32.exe
  C:\Windows\system32\Bqlfaj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\Bcjcme32.exe
    C:\Windows\system32\Bcjcme32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\Bfioia32.exe
      C:\Windows\system32\Bfioia32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
      - C:\Windows\SysWOW64\Bkegah32.exe
        
        C:\Windows\system32\Bkegah32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Ciihklpj.exe
        
        C:\Windows\system32\Ciihklpj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Cepipm32.exe
        
        C:\Windows\system32\Cepipm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Cbdiia32.exe
        
        C:\Windows\system32\Cbdiia32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\Cebeem32.exe
        
        C:\Windows\system32\Cebeem32.exe
        16⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\Cgaaah32.exe
        
        C:\Windows\system32\Cgaaah32.exe
        17⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\Cjonncab.exe
        
        C:\Windows\system32\Cjonncab.exe
        18⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        19⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\Ceebklai.exe
        
        C:\Windows\system32\Ceebklai.exe
        20⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        21⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\Clojhf32.exe
        
        C:\Windows\system32\Clojhf32.exe
        22⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        23⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        24⤵
        
        PID:604
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        25⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        26⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        27⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        28⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        29⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 144
        30⤵
        Program crash
        
        PID:1920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bcjcme32.exe

Filesize
94KB

MD5
632cc60fd3acab27212c75255c26edc8

SHA1
b8fe8c5c07da681837d4041516da61570b49223d

SHA256
7833823f9418add3521b7ddfb932d15bf2f131e4ccd9f0e6b50eb66796454080

SHA512
4b31b20a258815ebbb8144000ed2e01ab5d736e42429c33a4099ec4631f0eb2ef38614f55e7f33dddea46b2a11b70acf900aba4db66a412f702927ea7928a54f

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
94KB

MD5
0b3eedcbf2584b17c67ea14d3e31eb37

SHA1
0f45d9e4548edf6fb27b830af21fa2592e88f20e

SHA256
8afcb083fcba4524a2e3af3f99218b35862cb80b4143bd69c0be338b9dd8d5a6

SHA512
af478ed4ae3045d5143974bf961f22d020712c3d35d280558dfa8274bdf8c500a419cf405c7ab7ccec7150faadc1f9d3b7ec740a38920c7f7de3eb76a921cab5

Download Submit
C:\Windows\SysWOW64\Bigkel32.exe

Filesize
94KB

MD5
259f098788ee39380878330184389ccf

SHA1
2de9ed7fdb8e411c41efa68a03f8f74ad2ff0286

SHA256
523036d468364664552a0ebfb36345fac22341798539a1faed7da599c4d1e1c1

SHA512
85119dd361204da408922a54f3f2966a6e49d7073af3e5916c533aa1f416ba4ace59b359404e72b5b2b5619b95f2dde049d05c3624f39d1747da5f9a7122d403

Download Submit
C:\Windows\SysWOW64\Bkegah32.exe

Filesize
94KB

MD5
2f4777cb8c6f39d0e6e19c9096c01356

SHA1
1107563f8a1d205a482abbc481c371a6996b94fb

SHA256
bef9a8108d4a557ccb856081f31617cf3830ff3b79238405a2f9c761e6da9541

SHA512
0d42719cbafb0b81ec062c804f197b7eff14d98189ef7e1d5efa2cd5f07d8c6532576d183a23f43efc064c457046b05db8698b65a7acf271d89c15a7b2b079bf

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
94KB

MD5
45468d995e5619c1484dcc2afad92e0c

SHA1
66a4067d81b55833156d0c206030d67b3fd686eb

SHA256
e17fb50504b1e466555dafd21d3c5db19ebe9dd8be7f23fe3ad97aa7c91a063e

SHA512
ff83e4a0a0c6b423b6d0611f01c5bf118a5f85e7f27f0dfd3cf2f1a7e73881a05378266763617d61e9040074c28384c07ab69e12bbbde00cf6013a475bea4b09

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
94KB

MD5
88d2e82e353a07c8f286153875463746

SHA1
f5aa15aa51519d4ed388a1b491ac6dc1a700b8a9

SHA256
90ad038ee587443c13f8a326e12daaea4c3ca5d9403df8c01765370ac8cb1ebe

SHA512
2691aa0373afc03d7ebc449b9b00d5ba0b77f67c5a8143087dadf8dd92f9f9cf78386cd0b5bf848fa69e7d397d0deb55c659369631ab652cf3b75017a9188ee6

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
94KB

MD5
62f4c12d0f0a377f7d2d28eda73d4b25

SHA1
c9537180af45171169cfd5f23884f5e58d5e50f0

SHA256
5c7b321d49441c10e9e4c79e86daeaf0377dc13f64d0424723d43c618bbf0693

SHA512
91a99f7d2a6c37dd2d716f0c79b69899fcaa7591fdbaeaed92b0b0eabfb9cef83400ded91f43f21a7ab9b6d8c21ad72a5adab7bf8f5d3ba4e7b2d32161d96ace

Download Submit
C:\Windows\SysWOW64\Cbdiia32.exe

Filesize
94KB

MD5
f9726d09ceefe5c762d5b1ed45cf8945

SHA1
038ae998d3cc5ebb8ace4ff41580d4968cd75427

SHA256
77e1862ce847ffb7de99e20e85f6cd01bd8bc187b2e5a9355e1f8a60d5e92401

SHA512
ec4700066e5ebab6cc00289de400ea3155f23810d018a3ac3ab24ac05165b7ec2dd051a24279aed58ea2dead18b68ea35ca4c10adbdc96d83090e4801b7611cb

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
94KB

MD5
0e3f0bec3c6313363952f0a9cb446290

SHA1
2993c544f3db0ad3389ff2c24cc0b23a13887a33

SHA256
cb603f16b65ba16f14826a48178d392abd68ed5155c896c9143e3ac1b531c704

SHA512
b1e5ef4eba0647a7db4ab845222f6a6341a02146782ecd4f2da624acfa6cd9dde8df4b044d94804477ab9416b2aa859a32de32b8345e49cf0c2977389aefd772

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
94KB

MD5
d9d9a75f85f4043dfd0051e934390d0f

SHA1
72f91ae211ccbaeae7a7be7230e4c54e13c38b16

SHA256
7b0062713096981202aa3b25a61fc8dbde9d956f7699679e4321863f83fcea24

SHA512
368798db3bdfd9c4f005e309dfae6c768ce1ee8d9aef64fa6ab7264fba02d26839aee9e623d7e43fff7b0bf861970a7538a1c0e1b1f87e180c84df3fd170d10e

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
94KB

MD5
9935d77a0d0f7037b7b67ff80627521f

SHA1
13460b5ff00e7aea8ad23ad75f482d4c28b2e6b9

SHA256
0f9edb5b14f5983377a12f3ab2e74c548e7b7e2533249224fb26b6b63c80b78c

SHA512
6ec9a785e4d90eb7e6f591fd19f7f61b6c8e50d5848717e993e9320814973d0e42d26c1a8822b2495c7ea87cf55277e84fcee54c632c39513e44a6409bb62a03

Download Submit
C:\Windows\SysWOW64\Cebeem32.exe

Filesize
94KB

MD5
ab7529d0abfc800ae2e4dcdbd43499e9

SHA1
5fb33945802c2657edaa8384b38f151401f534e8

SHA256
7d2464e61efd36d776b370a25b357cd3049c8b3886203def4fb3ffec866dc55b

SHA512
fde06d97807249b72fb3f84359cfeea835ed7140ff50c5b4036d9ae7c9c131e21da1496be544666bc2f85740bea2b74458cf60281dff3861a31e5eb53454b0f2

Download Submit
C:\Windows\SysWOW64\Ceebklai.exe

Filesize
94KB

MD5
0825f4af1e38199a98e6c0cbcebdff97

SHA1
364973ddb31404b49889941deb57253640a6e333

SHA256
dbf584464c097b89a8392a9857bc983eb086dea2874a20a786958e8ef99c0825

SHA512
c89e1b7226d09bd8f276840fd07a9995c39544c5c06fca9608577a3cfb42b77abc1fbaa7c33fcf164a6789ba0dc7eff8c1eb14098bf7b21cc1ce90209eb8f62f

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
94KB

MD5
6aca25fdcddfb6d86e013b8a9ee031ab

SHA1
166cc6d5b40b844874491bcd1d807d15dc0a6820

SHA256
464fe39a91a095f0cae1ef15fc0908ad7369aa10093fa730baee5b4994bc1fd0

SHA512
92b02e8bbe685cba9016540ce943d6c8f4a4c1a78dedd9cc470b14aa8e683464e0801fb3c30a7090ca8dbfd91807849455e1526034be19a693792d2cde7554a1

Download Submit
C:\Windows\SysWOW64\Cepipm32.exe

Filesize
94KB

MD5
a8a4f287b5b958d6eed3a82509f0c255

SHA1
455aa6ab10d4b06a76d11dbd4525a75cd2c212b6

SHA256
9e77876467cb09a4dc3a9f3e98163db909e35a3087c1b79da1a84ef5aaee94f6

SHA512
f856765150ac55deb26a0b7cb22217180fb26f9046800e14e771d60ba6c02b3085326bcdb82965f62ce76d8ff96f713611c15dabd18f563f24bab83ee112fa0e

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
94KB

MD5
25ef830c6644cc909f6e73c1203cf021

SHA1
5bf97e7f08e1fac170b8f60c9af67e328890d6ba

SHA256
8b02da8b5a6d8802258b0da7808e7f68e875b3a4739d1af8c3c74a26f65c564b

SHA512
24e5f68b042803460b0a97369f62edf37f68009ff4071834d24b2311e93fc0f1e98c2418a6994dbc78516decc7cfecb4981c3fcaefd2984b01b53579b53dd8f4

Download Submit
C:\Windows\SysWOW64\Cgaaah32.exe

Filesize
94KB

MD5
fb255cb28a07c87103d6a55f144e91e8

SHA1
e3ff26d8889e39c1192bd37c2e9a01941825d1a8

SHA256
91df3cc9c60f86a44bed894eb9734b2a509e5cba454dc046c73482f0df19299b

SHA512
08cee6ae1c5da5d01d9a5beb6c648ff95d8bbf092e3bd90b9260f96220e3c52996545cc6159ec248ede6a5217000c934225d9702197f8ecf78d716f62a77b80b

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
94KB

MD5
e661d1c28dae134c48295a5537b4d20b

SHA1
e3b49a52a3c8159b6b6ba18596c1af22eececadd

SHA256
c6d5734726723e87f57288b8174e636dbd34e99f4106067dcd102343b1d521d7

SHA512
e4ed55f9dc110ea353f7b2af7ead57663207f475a0642504c809ebc6356e049d2760055991c386324a1f4aeba93fc835947efb72985e8def7f2550748855d651

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
94KB

MD5
01276cbe7229075abfbdcbc52beb433e

SHA1
061e041050439574d4cc016df37c35b3f6843aec

SHA256
ef80f1cab1561724920018c9a90270be15ead56ea118b22f13b7a14e0c86175b

SHA512
937abab574ce01f00c1223bb329d81edeb7e38bf99417c92039908fde24ef73bce46416f430e57d43552cd4f2770ce42abf57a2d1d0485663c21afc740cecbc9

Download Submit
C:\Windows\SysWOW64\Ciihklpj.exe

Filesize
94KB

MD5
d53288a99b9c4ae3d835a6facc283d03

SHA1
66b935838ab924d15ef7658f75a037df03cc39b6

SHA256
964800e62efb85fb3510dd9744ccae09b080643f6090f2a1d0e8dad5200028b1

SHA512
d0bfeaa50521bbe1822ce584572fb0ed32ff6ae097dcd0380163e3b8cd8c364d28829799c7b1464bfaf0cc23aa18e550b77bcc1616db3bc4c29aee234bc02db8

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
94KB

MD5
f83971e7e243eeb0bde04938050d0fd1

SHA1
47e98532f42db07fb2cd1d89c8d5cf06158d905e

SHA256
0ff9948969ca35aef4d19d91da40575f2b20827e127c677c2c42718c58573b78

SHA512
ec6effd523784214905b32e8c8e8787bc7333d9250a7545fe0d1d2e4a309f1bc478d1c3587bcd0dafd53deb0bed74888e3a21fd8b30b784e4de7655856f9f91e

Download Submit
C:\Windows\SysWOW64\Cjonncab.exe

Filesize
94KB

MD5
5a555e6f40b8c1b1ac03ecf4eb0e0dbf

SHA1
f693745128b8346fecde9c1fdfb228a9bfe7091d

SHA256
54af036d4cb686256bb47bd6ff925d53d099916755d3b09ba68e4c40e88cfc5a

SHA512
9f584dbd7e0a9a64bd2fd01f3e01cc1ccd84a7bbcad6cf866c0545b3704fc35afc88cc073fadbd1e556465c0a4f0192611e70ed6a91ba4351786c98c963bd05c

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
94KB

MD5
ad966f7ecae4b8eaa4234f8e78b6040f

SHA1
60d925fc93de95df9d0294030d33d2c97f95f188

SHA256
e89444a0f453968c6fe9561928c3f3cd31bcd053292b1d1195ebec8d8a330319

SHA512
d4129af1cd7b45ccb4f6a48057b6a25bf496e2d6f45049aea6a4c3f1c79ab04555b73536e71687631dac0a16da5af1938b2a0c950575b1bf5f1d9d1c14b3b19f

Download Submit
C:\Windows\SysWOW64\Clojhf32.exe

Filesize
94KB

MD5
88a0b66240000733aba85b8980489b03

SHA1
1a4c6a61bde1d831835252efa412706d809b3760

SHA256
25b65f0a5c333bd6bdd358a86d9f61333909685f9f2158a5091e338ea6be5f64

SHA512
8f0e4b3368760ebccad8544450fded4147bc93f2595ab1b486be4b1d4de9eab212c28d156e9323bb6dee1f221048bf7c31d49154d37ea1cf95569e669a2f475b

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
94KB

MD5
1c61ab5ef0c758d10f17a3801dab58b8

SHA1
286493156e48b9f549c7a92a7e28025c5aa9cf68

SHA256
63307e11f199ee33ce4e91c14dd809d70eb8175503009dde1b4a73dd4fb7b3fd

SHA512
d004b08954f4f3a59be14edf40b1c556029d6861e3f62adab0c3c324024155bcdb63de916befcdc9723dffbd21894e34c5a98f2e5730044a7229360bd23cfd7d

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
94KB

MD5
388e81daa048f7caa35828704909c3be

SHA1
2ff4ace2872e13f5e1d382456c535786e283aa31

SHA256
dd0b75fa4f7dec7a504e5d931230d3e077d72a1cb5268b68c0ec9c940328df7a

SHA512
2d40dbc16cc2a8ffa2d587e83afb2ca147f2ec58c6e264e2ff501189cb678e871a983e6ff215cdfc00d21053c8297e1af9116953ed491f181de91fe5f1e1922f

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
94KB

MD5
594e0c8bf1852db7077b7bcbddb3f9b2

SHA1
5af54084ff3613b02443a5562ef5057696dab422

SHA256
2d49c07a88a97e25c4ef838b21c12c9b7a23272b4513b8c43b505bbb1fcfd2a8

SHA512
cd826280d84b7a3c6fdf3d0b718e2032dab928f3453d28771b5b72193dbe94f4ea1ee1057d1289c82f33b726fa5dda4be418313d0428bdd71f3e11e9c651ba5b

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
567034c1d325f42c357e3ba7dfabcdf4

SHA1
5d17e473ab030142327110b0574d79206a0fc1e9

SHA256
5265d457e9dbe53f35e0e8f234cfd21b53b458ce6c3c7a716a03b802e210423d

SHA512
455bf5fd4f23628b308c6699b271ae49086d0b63b004bb29b1ecaddfbaf416a80ddede3dac6577d025bd27d3606ab08e1484b8e6f778fbe8be7d4752e159b26c

Download Submit
memory/316-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/316-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/328-155-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/328-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/604-299-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/604-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/604-366-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/604-298-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1092-223-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1092-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1092-227-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1284-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-187-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1284-186-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1344-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-248-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1344-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1344-244-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1380-360-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-236-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1380-237-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1624-319-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1624-318-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1624-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-358-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-216-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1636-134-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1636-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-344-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/1692-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1692-12-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/1692-11-0x0000000001F70000-0x0000000001FB0000-memory.dmp

Filesize
256KB

Download
memory/1692-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-258-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1744-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1744-254-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1928-146-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1928-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1964-173-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1964-168-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1964-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-309-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2036-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-305-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2056-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-329-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2056-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-61-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2140-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-287-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2172-288-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2332-337-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2332-340-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2332-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2332-370-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-80-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2484-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2484-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-357-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2516-202-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2516-197-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2516-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-89-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2588-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2588-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2656-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-107-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2684-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2684-346-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-278-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2756-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2756-274-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2780-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2780-116-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2780-351-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-364-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-264-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3048-268-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads