6332cd57c6d6f758f6ecb44d8ee52c58fc4c0920638accf8e51717b6e5675807

Analysis

max time kernel
90s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-09-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eac35a8c0209537ccd23825c6cc31f0N.exe
Size

314KB
MD5

2eac35a8c0209537ccd23825c6cc31f0
SHA1

f97bb9b97282025dcbd1c1afcd9f92027946f1df
SHA256

6332cd57c6d6f758f6ecb44d8ee52c58fc4c0920638accf8e51717b6e5675807
SHA512

0b2aa391c720fb70efbc9f8452812d8520c1d678ceb231672fc85cfcc21a752366b62dab48a481585e7c6dca2e5ebf979e95b78ae6b720745f303ba310ca0098
SSDEEP

6144:UAMlSyej6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:PUW6Najb87gP3C

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Admgglep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biqfpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amglgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Admgglep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baealp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2eac35a8c0209537ccd23825c6cc31f0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alofnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Alofnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aegkfpah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmcclolh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qanolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qanolm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aegkfpah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2eac35a8c0209537ccd23825c6cc31f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amglgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aebakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aebakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cniajdkg.exe

Executes dropped EXE 19 IoCs

pid	Process
2964	Qgfkchmp.exe
2820	Qmcclolh.exe
2812	Qanolm32.exe
2780	Amglgn32.exe
2836	Aebakp32.exe
2728	Alofnj32.exe
1080	Aegkfpah.exe
2260	Admgglep.exe
436	Baqhapdj.exe
3056	Bjiljf32.exe
2012	Baealp32.exe
2724	Biqfpb32.exe
1164	Bgdfjfmi.exe
1020	Chhpgn32.exe
2844	Ccnddg32.exe
1888	Ccpqjfnh.exe
1792	Cniajdkg.exe
1640	Chofhm32.exe
2212	Coindgbi.exe

Loads dropped DLL 38 IoCs

pid	Process
2296	2eac35a8c0209537ccd23825c6cc31f0N.exe
2296	2eac35a8c0209537ccd23825c6cc31f0N.exe
2964	Qgfkchmp.exe
2964	Qgfkchmp.exe
2820	Qmcclolh.exe
2820	Qmcclolh.exe
2812	Qanolm32.exe
2812	Qanolm32.exe
2780	Amglgn32.exe
2780	Amglgn32.exe
2836	Aebakp32.exe
2836	Aebakp32.exe
2728	Alofnj32.exe
2728	Alofnj32.exe
1080	Aegkfpah.exe
1080	Aegkfpah.exe
2260	Admgglep.exe
2260	Admgglep.exe
436	Baqhapdj.exe
436	Baqhapdj.exe
3056	Bjiljf32.exe
3056	Bjiljf32.exe
2012	Baealp32.exe
2012	Baealp32.exe
2724	Biqfpb32.exe
2724	Biqfpb32.exe
1164	Bgdfjfmi.exe
1164	Bgdfjfmi.exe
1020	Chhpgn32.exe
1020	Chhpgn32.exe
2844	Ccnddg32.exe
2844	Ccnddg32.exe
1888	Ccpqjfnh.exe
1888	Ccpqjfnh.exe
1792	Cniajdkg.exe
1792	Cniajdkg.exe
1640	Chofhm32.exe
1640	Chofhm32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Admgglep.exe	Aegkfpah.exe
File opened for modification	C:\Windows\SysWOW64\Bjiljf32.exe	Baqhapdj.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Cniajdkg.exe	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Aegkfpah.exe	Alofnj32.exe
File created	C:\Windows\SysWOW64\Baqhapdj.exe	Admgglep.exe
File created	C:\Windows\SysWOW64\Eobohl32.dll	Aegkfpah.exe
File created	C:\Windows\SysWOW64\Alofnj32.exe	Aebakp32.exe
File opened for modification	C:\Windows\SysWOW64\Aegkfpah.exe	Alofnj32.exe
File created	C:\Windows\SysWOW64\Biqfpb32.exe	Baealp32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File opened for modification	C:\Windows\SysWOW64\Aebakp32.exe	Amglgn32.exe
File created	C:\Windows\SysWOW64\Lnfbic32.dll	Qmcclolh.exe
File opened for modification	C:\Windows\SysWOW64\Baealp32.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Eajkip32.dll	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Ccnddg32.exe	Chhpgn32.exe
File opened for modification	C:\Windows\SysWOW64\Qmcclolh.exe	Qgfkchmp.exe
File opened for modification	C:\Windows\SysWOW64\Baqhapdj.exe	Admgglep.exe
File created	C:\Windows\SysWOW64\Ccpqjfnh.exe	Ccnddg32.exe
File opened for modification	C:\Windows\SysWOW64\Chofhm32.exe	Cniajdkg.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Chofhm32.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	2eac35a8c0209537ccd23825c6cc31f0N.exe
File created	C:\Windows\SysWOW64\Pkknia32.dll	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Dbidpo32.dll	Qanolm32.exe
File opened for modification	C:\Windows\SysWOW64\Biqfpb32.exe	Baealp32.exe
File created	C:\Windows\SysWOW64\Ccnddg32.exe	Chhpgn32.exe
File opened for modification	C:\Windows\SysWOW64\Alofnj32.exe	Aebakp32.exe
File created	C:\Windows\SysWOW64\Anfdhfiq.dll	Admgglep.exe
File opened for modification	C:\Windows\SysWOW64\Chhpgn32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Khpbbn32.dll	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Phjflgea.dll	Amglgn32.exe
File created	C:\Windows\SysWOW64\Mjhdbb32.dll	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Dggekf32.dll	Aebakp32.exe
File created	C:\Windows\SysWOW64\Amglgn32.exe	Qanolm32.exe
File opened for modification	C:\Windows\SysWOW64\Amglgn32.exe	Qanolm32.exe
File created	C:\Windows\SysWOW64\Aiffeloi.dll	2eac35a8c0209537ccd23825c6cc31f0N.exe
File created	C:\Windows\SysWOW64\Oellihpf.dll	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Aebakp32.exe	Amglgn32.exe
File created	C:\Windows\SysWOW64\Baealp32.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Qmcclolh.exe	Qgfkchmp.exe
File opened for modification	C:\Windows\SysWOW64\Qanolm32.exe	Qmcclolh.exe
File created	C:\Windows\SysWOW64\Ggqbii32.dll	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Qgfkchmp.exe	2eac35a8c0209537ccd23825c6cc31f0N.exe
File opened for modification	C:\Windows\SysWOW64\Admgglep.exe	Aegkfpah.exe
File created	C:\Windows\SysWOW64\Kipdmjne.dll	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Chhpgn32.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Madcho32.dll	Chhpgn32.exe
File opened for modification	C:\Windows\SysWOW64\Cniajdkg.exe	Ccpqjfnh.exe
File created	C:\Windows\SysWOW64\Chofhm32.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Hfgjcq32.dll	Alofnj32.exe
File opened for modification	C:\Windows\SysWOW64\Ccpqjfnh.exe	Ccnddg32.exe
File created	C:\Windows\SysWOW64\Bjiljf32.exe	Baqhapdj.exe
File created	C:\Windows\SysWOW64\Knoegqbp.dll	Baealp32.exe
File created	C:\Windows\SysWOW64\Bgdfjfmi.exe	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Qanolm32.exe	Qmcclolh.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmcclolh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qanolm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alofnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admgglep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baqhapdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccnddg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2eac35a8c0209537ccd23825c6cc31f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aebakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aegkfpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biqfpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chhpgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amglgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baealp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccpqjfnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cniajdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chofhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqbii32.dll"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccnddg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobohl32.dll"	Aegkfpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Admgglep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qanolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phjflgea.dll"	Amglgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Alofnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	2eac35a8c0209537ccd23825c6cc31f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiffeloi.dll"	2eac35a8c0209537ccd23825c6cc31f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Biqfpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madcho32.dll"	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkknia32.dll"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amglgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccnddg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccpqjfnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cniajdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qanolm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aegkfpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2eac35a8c0209537ccd23825c6cc31f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amglgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfgjcq32.dll"	Alofnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfdhfiq.dll"	Admgglep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eajkip32.dll"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chhpgn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aebakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aegkfpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2eac35a8c0209537ccd23825c6cc31f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biqfpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chhpgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbidpo32.dll"	Qanolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggekf32.dll"	Aebakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Alofnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aebakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll"	Ccpqjfnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2eac35a8c0209537ccd23825c6cc31f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnfbic32.dll"	Qmcclolh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2eac35a8c0209537ccd23825c6cc31f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oellihpf.dll"	Qgfkchmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhdbb32.dll"	Bjiljf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2964	2296	2eac35a8c0209537ccd23825c6cc31f0N.exe	30
PID 2296 wrote to memory of 2964	2296	2eac35a8c0209537ccd23825c6cc31f0N.exe	30
PID 2296 wrote to memory of 2964	2296	2eac35a8c0209537ccd23825c6cc31f0N.exe	30
PID 2296 wrote to memory of 2964	2296	2eac35a8c0209537ccd23825c6cc31f0N.exe	30
PID 2964 wrote to memory of 2820	2964	Qgfkchmp.exe	31
PID 2964 wrote to memory of 2820	2964	Qgfkchmp.exe	31
PID 2964 wrote to memory of 2820	2964	Qgfkchmp.exe	31
PID 2964 wrote to memory of 2820	2964	Qgfkchmp.exe	31
PID 2820 wrote to memory of 2812	2820	Qmcclolh.exe	32
PID 2820 wrote to memory of 2812	2820	Qmcclolh.exe	32
PID 2820 wrote to memory of 2812	2820	Qmcclolh.exe	32
PID 2820 wrote to memory of 2812	2820	Qmcclolh.exe	32
PID 2812 wrote to memory of 2780	2812	Qanolm32.exe	33
PID 2812 wrote to memory of 2780	2812	Qanolm32.exe	33
PID 2812 wrote to memory of 2780	2812	Qanolm32.exe	33
PID 2812 wrote to memory of 2780	2812	Qanolm32.exe	33
PID 2780 wrote to memory of 2836	2780	Amglgn32.exe	34
PID 2780 wrote to memory of 2836	2780	Amglgn32.exe	34
PID 2780 wrote to memory of 2836	2780	Amglgn32.exe	34
PID 2780 wrote to memory of 2836	2780	Amglgn32.exe	34
PID 2836 wrote to memory of 2728	2836	Aebakp32.exe	35
PID 2836 wrote to memory of 2728	2836	Aebakp32.exe	35
PID 2836 wrote to memory of 2728	2836	Aebakp32.exe	35
PID 2836 wrote to memory of 2728	2836	Aebakp32.exe	35
PID 2728 wrote to memory of 1080	2728	Alofnj32.exe	36
PID 2728 wrote to memory of 1080	2728	Alofnj32.exe	36
PID 2728 wrote to memory of 1080	2728	Alofnj32.exe	36
PID 2728 wrote to memory of 1080	2728	Alofnj32.exe	36
PID 1080 wrote to memory of 2260	1080	Aegkfpah.exe	37
PID 1080 wrote to memory of 2260	1080	Aegkfpah.exe	37
PID 1080 wrote to memory of 2260	1080	Aegkfpah.exe	37
PID 1080 wrote to memory of 2260	1080	Aegkfpah.exe	37
PID 2260 wrote to memory of 436	2260	Admgglep.exe	38
PID 2260 wrote to memory of 436	2260	Admgglep.exe	38
PID 2260 wrote to memory of 436	2260	Admgglep.exe	38
PID 2260 wrote to memory of 436	2260	Admgglep.exe	38
PID 436 wrote to memory of 3056	436	Baqhapdj.exe	39
PID 436 wrote to memory of 3056	436	Baqhapdj.exe	39
PID 436 wrote to memory of 3056	436	Baqhapdj.exe	39
PID 436 wrote to memory of 3056	436	Baqhapdj.exe	39
PID 3056 wrote to memory of 2012	3056	Bjiljf32.exe	40
PID 3056 wrote to memory of 2012	3056	Bjiljf32.exe	40
PID 3056 wrote to memory of 2012	3056	Bjiljf32.exe	40
PID 3056 wrote to memory of 2012	3056	Bjiljf32.exe	40
PID 2012 wrote to memory of 2724	2012	Baealp32.exe	41
PID 2012 wrote to memory of 2724	2012	Baealp32.exe	41
PID 2012 wrote to memory of 2724	2012	Baealp32.exe	41
PID 2012 wrote to memory of 2724	2012	Baealp32.exe	41
PID 2724 wrote to memory of 1164	2724	Biqfpb32.exe	42
PID 2724 wrote to memory of 1164	2724	Biqfpb32.exe	42
PID 2724 wrote to memory of 1164	2724	Biqfpb32.exe	42
PID 2724 wrote to memory of 1164	2724	Biqfpb32.exe	42
PID 1164 wrote to memory of 1020	1164	Bgdfjfmi.exe	43
PID 1164 wrote to memory of 1020	1164	Bgdfjfmi.exe	43
PID 1164 wrote to memory of 1020	1164	Bgdfjfmi.exe	43
PID 1164 wrote to memory of 1020	1164	Bgdfjfmi.exe	43
PID 1020 wrote to memory of 2844	1020	Chhpgn32.exe	44
PID 1020 wrote to memory of 2844	1020	Chhpgn32.exe	44
PID 1020 wrote to memory of 2844	1020	Chhpgn32.exe	44
PID 1020 wrote to memory of 2844	1020	Chhpgn32.exe	44
PID 2844 wrote to memory of 1888	2844	Ccnddg32.exe	45
PID 2844 wrote to memory of 1888	2844	Ccnddg32.exe	45
PID 2844 wrote to memory of 1888	2844	Ccnddg32.exe	45
PID 2844 wrote to memory of 1888	2844	Ccnddg32.exe	45

C:\Users\Admin\AppData\Local\Temp\2eac35a8c0209537ccd23825c6cc31f0N.exe
"C:\Users\Admin\AppData\Local\Temp\2eac35a8c0209537ccd23825c6cc31f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\Qgfkchmp.exe
  C:\Windows\system32\Qgfkchmp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\Qmcclolh.exe
    C:\Windows\system32\Qmcclolh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Qanolm32.exe
      C:\Windows\system32\Qanolm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\SysWOW64\Amglgn32.exe
        
        C:\Windows\system32\Amglgn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\SysWOW64\Aebakp32.exe
        
        C:\Windows\system32\Aebakp32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Alofnj32.exe
        
        C:\Windows\system32\Alofnj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Aegkfpah.exe
        
        C:\Windows\system32\Aegkfpah.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Admgglep.exe
        
        C:\Windows\system32\Admgglep.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Baqhapdj.exe
        
        C:\Windows\system32\Baqhapdj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Bjiljf32.exe
        
        C:\Windows\system32\Bjiljf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Baealp32.exe
        
        C:\Windows\system32\Baealp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Biqfpb32.exe
        
        C:\Windows\system32\Biqfpb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Chhpgn32.exe
        
        C:\Windows\system32\Chhpgn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Ccnddg32.exe
        
        C:\Windows\system32\Ccnddg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Ccpqjfnh.exe
        
        C:\Windows\system32\Ccpqjfnh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Cniajdkg.exe
        
        C:\Windows\system32\Cniajdkg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Chofhm32.exe
        
        C:\Windows\system32\Chofhm32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baealp32.exe

Filesize
314KB

MD5
69f810c06f7713f442022a191e6c6bf0

SHA1
e2b74522d7b161cc31b122d0b384c4beea5c80aa

SHA256
3af472ce6a940d10d5ae2e5bfd96fc11b27cba4f39d407b4a2bf3a83ee0750cb

SHA512
7afddde6f00a3b3a512f8bba8b4ca7967393fbe6a567c206f56e055da93c276d5a0b0b3fc012ce2dcec81e0de78f98a25f4a978862cdc51318cf67da110fc91c

Download Submit
C:\Windows\SysWOW64\Ccnddg32.exe

Filesize
314KB

MD5
f38d46ce93dfdf8d8852633045404052

SHA1
0d00696d97fd357a9260e6d1adc664075a57531d

SHA256
3d49d2ab12817638d4898c65f9802d69a60438a3a378ffe232aa75c15e987d99

SHA512
57ad4b2d19b83c8866b814d3d5b5b0959739637c7dea929ae2a3ef405e037479906b5ed70cbcf3fab4111ecfe41d7684bc97527ec0eabf7f484bf2336683e54c

Download Submit
C:\Windows\SysWOW64\Chofhm32.exe

Filesize
314KB

MD5
b70ec329530903fb917e46669a5a6ce5

SHA1
c2abe956c96b14d7aaa052910278f68c304edd2f

SHA256
d71cc3b4f04ab3133c30a77f18510d63d4b6c6642c633c787b5bcb3ef5aa5a22

SHA512
2dd6a22a37936119af41c622f18ae5c33094eebce2d88dba50d552a7fc2b382d945b2ebabd3be1ee541527067b51bada05a3dcae925c38dc25258c492ad1109d

Download Submit
C:\Windows\SysWOW64\Cniajdkg.exe

Filesize
314KB

MD5
281d01866123b57c2003fd0ba06955e2

SHA1
a54e8f9332a2c8cfd65a5118639f9c23e51a05df

SHA256
4da1000ef1fcfcf1afe3b03eb0de04804cf1dfbd149a3844e336cec9a38a5d29

SHA512
a019311be77eaad0918571d0f89e20e0618d5163a663991be8f206326c7fffb96caf94ccc18909755aa11864e91fb06a87c195e36da949aa5a0c7989d5f1b8d4

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
314KB

MD5
2e93ada852a6c18e64319cb63c3b847c

SHA1
b3f016ada281f7c870c904b2405f3d9d88828ace

SHA256
fd28b8a164696c6227b98ba2de7def12c7cab8b10860924d37f443e116d11ebb

SHA512
4e0fb04f911bbfffaa0c752941234e393de1b78ff7573524b1f53ebaddd2adfda10e90b9ae56c8d498768f4b556a638c718c0df901a62261c712263f85614fb3

Download Submit
C:\Windows\SysWOW64\Qanolm32.exe

Filesize
314KB

MD5
0b6cca4335f35b94113b92f6239c0f3b

SHA1
302f7c737c08d54a6b73ac3119d6d8b21c0aea31

SHA256
459fdd13d345674332d64468a3cc861d56ead547cfe6c2a0a6724d6c1c8f5808

SHA512
09bc90d00c3936f8d95b28559ffaefdf4c7bef266890d4dde298f0149e8c7c58d7dcc537d9f070f0477af00a8ae714aba42d96b49be4d4b5dfb18ce1aafc60ef

Download Submit
C:\Windows\SysWOW64\Qmcclolh.exe

Filesize
314KB

MD5
9a6923e50f78c17b0d932fda6a9e7918

SHA1
8451dad63c42e1f392d4b1d6b89bfeb3c7a376af

SHA256
ad3851e032b171976305c0fe000cf357675bf58d5531fe838dfc60e3e00d5aa5

SHA512
99003432269b35ffaa758dda46a7cf867cae15021c01ebcd95eccf990fda7d55216b078886d107947bd833eb49f9da4c228add91554f4436db21adf30b3284ca

Download Submit
\Windows\SysWOW64\Admgglep.exe

Filesize
314KB

MD5
e66207147be5c04732b1090afe298a4f

SHA1
98f1650735322cf270348875500152cdf7516f4b

SHA256
aa894ccdec675e2e187ea1ab08640a996b92f0c9c68cedf1099221f575b3c166

SHA512
f835f428f89ddb3ac98e3339b32f90e68e251b897350a623d9d9869505c7ea3dd4d860f8c5d16daf8c411084ff7ad0fe0d342629157ca40347337c30a9b2b9f8

Download Submit
\Windows\SysWOW64\Aebakp32.exe

Filesize
314KB

MD5
e973a3d011be87fdb6ef9e02115c61ec

SHA1
6dde9c993e335e8818b564d38f78a9615584658e

SHA256
c3812605e4c8749206fecc186ead5e03843750cb2c3959621cef27bdba7d29e7

SHA512
9433f63b4946d50195e689fec350e64380475c60c6e3ff681f878d5ea1989f44d03214ae47b5b025a24f9961fddf6356d17e9f6b1e17baefd918b47ae6f679d4

Download Submit
\Windows\SysWOW64\Aegkfpah.exe

Filesize
314KB

MD5
06060ff4408f67f49875bad4890c122c

SHA1
7593cddb19a30d3750b3540f9e5111169bd969bd

SHA256
5f12c40c0b6749bfeaed4d0cca08637aa8aaeec145e4312d407bb6029f1981fa

SHA512
1610a4756939b9ece8ad023eb6113fc82fbf3d98f045c4c8950711b32f31fb902dd4b281c68e5e73f415024987736c779a57a3835e66a633318430a030556637

Download Submit
\Windows\SysWOW64\Alofnj32.exe

Filesize
314KB

MD5
48d42611b62e9a9b8798cc8335a4048b

SHA1
b7e218f5a9232f0d8dafc2ee267b3807673c3d70

SHA256
8db7a6fdf8b13144c2eb18993239655055928265a331d95c206baca945f7e99c

SHA512
ae81552610d3d41b84cfd973790b4af32e06cc7c3288225984e9ec6861d9865a06f75b72d5d71e326065114f4db7a3b3f00f07fc3c7922b91792b0d7a7922c99

Download Submit
\Windows\SysWOW64\Amglgn32.exe

Filesize
314KB

MD5
413be20a31e3fb148b9e4762e8ec496f

SHA1
e6d3ab495a3873d0fb485c79965b52be99b353ce

SHA256
621de37ee5a396da1087124804da31a0a972b365a7b639e169ddd93eeade5e7c

SHA512
b11c2ef6bf3e07c6f281c0bbac169d2625c2fe59ea7f6621e53cbf0da946eedc4365d237ae3ae0d89ead6f5cf2f2c42b5da22eb189c701a553ffa06f4c0aac8e

Download Submit
\Windows\SysWOW64\Baqhapdj.exe

Filesize
314KB

MD5
972d2766140c873b4cec966e32cff5db

SHA1
30f8e212980033cf873b5ec2916f84dc7bbdf4a0

SHA256
7475b121625d03af0f49a3af19ecae8f2fc984b83d3f51b2f5090edf8c81e6e5

SHA512
1c84e3c29e00272d9432379bb8aa21b39e3477384e1588d9194b3d5999581fe7f42ccdb5ce0153e300502beff77af8647852f5ce52f7abdc301f57f994eb9d98

Download Submit
\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
314KB

MD5
675fa745d16ff7b95a3a0541e9cf6e10

SHA1
8b7a8e48db094e46afe9097bf1b19c0589b6e47f

SHA256
264cf5746005557d4624ec4b4bce6c887164e8672e64ff173b10e30b3f25e4cb

SHA512
a9c25ca39c75635959df410379a26ff2afebceb92bf544f0a99aed51deb40d7fbb8ae5ab365ff0a94cc8f5df5b433d221611fbc5be600cf2c3a1026da9412ad2

Download Submit
\Windows\SysWOW64\Biqfpb32.exe

Filesize
314KB

MD5
40da7e71601245a748f47d3ef64ed844

SHA1
b4820ce624dd51ccc8dfdf4ea27153ed0d862cd0

SHA256
bf2dc611ee4c4ad486865e24bc6470fd4bcfe607826715e935ffa573bbc9236a

SHA512
f3f5aa78d6b66f86516764de837d1f51866bb327eb1911b1685b4111e881f6b91679a954d8ec42497c87dd8a78b48a7ad90b6b375245cbb1d714d324a49f9db2

Download Submit
\Windows\SysWOW64\Bjiljf32.exe

Filesize
314KB

MD5
3afcec8f556114ef9b0e2e1c86830d85

SHA1
b7a80d31e853255cff3f3807b2a6c4c5481f9d09

SHA256
fd4b7916e094cc97d24122537ac7765316062f4e3e624a5f8da8f0176b288aac

SHA512
43418594521a46137435c196082535344a9147eb9b438ec113a2c330d742dadea31dbe8a68427ffd96d86938698bddbe04dd9e6d992afe73c28c38dc8b320bc0

Download Submit
\Windows\SysWOW64\Ccpqjfnh.exe

Filesize
314KB

MD5
127d560835de3c22b49e3e52773d5990

SHA1
91e5168b037bca02d4c062eb3a001eab99e2fe53

SHA256
afcd93fdc5d1dfbb90ab9a6a731088788b03e7d723df147e2e4e6fd1ca47b1e6

SHA512
36377e3782f74363be02710163378f7404c8df5a81f42c044cf745499fad78ce33e9de0957704820691c4157a8b86efca413db55fc8078ca15ada28fb730273b

Download Submit
\Windows\SysWOW64\Chhpgn32.exe

Filesize
314KB

MD5
3449f9ac0cc2694300be51e99913a6b8

SHA1
ae203facd158950f99555595b9f0809b83ace4a6

SHA256
d54fc21a9fd9be20a07dc9ab6409b18d4fd22af69877935c1166ea347fc5c863

SHA512
624df8bc749e8e6ab70277a10f77e661a53fccbd3adec1c258c76cf661012e2caa2a122872314013312be7f0c548d62e599adf0f7aa45feb51f7e8774ebdecbb

Download Submit
\Windows\SysWOW64\Qgfkchmp.exe

Filesize
314KB

MD5
72778a72962ad7b4f8c1b873f528e82b

SHA1
d455cb841bcfe7600dcc9bc6ae8bb28d827a1b72

SHA256
67e31ee4c945a83fbf87b8b2c674c8f9fa75febe3ad5c0cb9d0f59b8fa3b727e

SHA512
f24db8d73fc836849642c50f9235de9636244e22b9dad73c48aef1485a22ca7c8b04e3f0802a38ff350fff56467a61705ff20d48c11e23156a98a6f6eebdb7b7

Download Submit
memory/436-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/436-128-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/1020-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1020-201-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1020-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-101-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1080-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1080-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-186-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/1164-174-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1640-245-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1640-249-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/1640-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1792-238-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1792-228-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1792-237-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1792-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-226-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/1888-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1888-227-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/1888-265-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-155-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2212-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-250-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2260-119-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2296-12-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2296-4-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2724-168-0x0000000001F40000-0x0000000001F83000-memory.dmp

Filesize
268KB

Download
memory/2724-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2728-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-65-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/2780-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2780-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-252-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2812-47-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2820-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-254-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2836-79-0x00000000002A0000-0x00000000002E3000-memory.dmp

Filesize
268KB

Download
memory/2844-209-0x0000000001F80000-0x0000000001FC3000-memory.dmp

Filesize
268KB

Download
memory/2844-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2844-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-251-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-18-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3056-134-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads