af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Size

89KB
MD5

c23fc9a2dd5e676942df0c1164c08a90
SHA1

e46f3d23b0b91f7553477d9255b3dd370a88d871
SHA256

af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7
SHA512

87882f8a0006a41ce36c568d1dcd4e3464b659c32dc9f9468e187a9d15f6105de574695b7d3f06572b008140b47898a7c82a39e68f13e1d8a2d09b087421f118
SSDEEP

1536:FuANcNv+JEzM7b70OkPtzqGxWzhXgzy99rSBBnUC1rsnDc1lExkg8Fk:FuQcNKEz2bYOTwYGy90BBnL1Ac1lakgN

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bobhal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boplllob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cphndc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beejng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe

Executes dropped EXE 17 IoCs

pid	Process
2712	Beejng32.exe
2612	Blobjaba.exe
2696	Behgcf32.exe
2660	Bhfcpb32.exe
320	Boplllob.exe
2644	Bejdiffp.exe
1920	Bfkpqn32.exe
2344	Bobhal32.exe
1512	Cpceidcn.exe
1644	Cdoajb32.exe
2936	Cmgechbh.exe
1604	Cdanpb32.exe
2996	Cgpjlnhh.exe
2448	Cmjbhh32.exe
668	Cphndc32.exe
1600	Cbgjqo32.exe
1128	Ceegmj32.exe

Loads dropped DLL 38 IoCs

pid	Process
2852	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
2852	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
2712	Beejng32.exe
2712	Beejng32.exe
2612	Blobjaba.exe
2612	Blobjaba.exe
2696	Behgcf32.exe
2696	Behgcf32.exe
2660	Bhfcpb32.exe
2660	Bhfcpb32.exe
320	Boplllob.exe
320	Boplllob.exe
2644	Bejdiffp.exe
2644	Bejdiffp.exe
1920	Bfkpqn32.exe
1920	Bfkpqn32.exe
2344	Bobhal32.exe
2344	Bobhal32.exe
1512	Cpceidcn.exe
1512	Cpceidcn.exe
1644	Cdoajb32.exe
1644	Cdoajb32.exe
2936	Cmgechbh.exe
2936	Cmgechbh.exe
1604	Cdanpb32.exe
1604	Cdanpb32.exe
2996	Cgpjlnhh.exe
2996	Cgpjlnhh.exe
2448	Cmjbhh32.exe
2448	Cmjbhh32.exe
668	Cphndc32.exe
668	Cphndc32.exe
1600	Cbgjqo32.exe
1600	Cbgjqo32.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe
1480	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dhnook32.dll	Blobjaba.exe
File created	C:\Windows\SysWOW64\Bhfcpb32.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Behgcf32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Behgcf32.exe
File created	C:\Windows\SysWOW64\Imklkg32.dll	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdanpb32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Llaemaih.dll	Cphndc32.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Boplllob.exe
File created	C:\Windows\SysWOW64\Dnabbkhk.dll	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Aincgi32.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Dojofhjd.dll	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Cbgjqo32.exe	Cphndc32.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Blobjaba.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Liggabfp.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Cdoajb32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Gnnffg32.dll	Cdoajb32.exe
File opened for modification	C:\Windows\SysWOW64\Cphndc32.exe	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Lopdpdmj.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cbgjqo32.exe
File created	C:\Windows\SysWOW64\Eoqbnm32.dll	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Blobjaba.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File created	C:\Windows\SysWOW64\Beejng32.exe	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
File opened for modification	C:\Windows\SysWOW64\Beejng32.exe	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
File opened for modification	C:\Windows\SysWOW64\Boplllob.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bobhal32.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Cdoajb32.exe
File created	C:\Windows\SysWOW64\Ihmnkh32.dll	Beejng32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Blobjaba.exe
File created	C:\Windows\SysWOW64\Boplllob.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Bobhal32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cdanpb32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cdanpb32.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cbgjqo32.exe
File opened for modification	C:\Windows\SysWOW64\Blobjaba.exe	Beejng32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Boplllob.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	Bejdiffp.exe
File opened for modification	C:\Windows\SysWOW64\Cgpjlnhh.exe	Cdanpb32.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cgpjlnhh.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cgpjlnhh.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bobhal32.exe
File opened for modification	C:\Windows\SysWOW64\Cdoajb32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Cbgjqo32.exe	Cphndc32.exe

Program crash 1 IoCs

pid	pid_target	Process
1480	1128	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boplllob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdanpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmjbhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beejng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbgjqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgpjlnhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cphndc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkpqn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdoajb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceegmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bobhal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bhfcpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cbgjqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdoajb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lopdpdmj.dll"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdoajb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmnkh32.dll"	Beejng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imklkg32.dll"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llaemaih.dll"	Cphndc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beejng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqbnm32.dll"	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgpjlnhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll"	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cgpjlnhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbgjqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blobjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boplllob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bobhal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boplllob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnabbkhk.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll"	Cdanpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cphndc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blobjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhfcpb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2712	2852	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe	30
PID 2852 wrote to memory of 2712	2852	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe	30
PID 2852 wrote to memory of 2712	2852	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe	30
PID 2852 wrote to memory of 2712	2852	af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe	30
PID 2712 wrote to memory of 2612	2712	Beejng32.exe	31
PID 2712 wrote to memory of 2612	2712	Beejng32.exe	31
PID 2712 wrote to memory of 2612	2712	Beejng32.exe	31
PID 2712 wrote to memory of 2612	2712	Beejng32.exe	31
PID 2612 wrote to memory of 2696	2612	Blobjaba.exe	32
PID 2612 wrote to memory of 2696	2612	Blobjaba.exe	32
PID 2612 wrote to memory of 2696	2612	Blobjaba.exe	32
PID 2612 wrote to memory of 2696	2612	Blobjaba.exe	32
PID 2696 wrote to memory of 2660	2696	Behgcf32.exe	33
PID 2696 wrote to memory of 2660	2696	Behgcf32.exe	33
PID 2696 wrote to memory of 2660	2696	Behgcf32.exe	33
PID 2696 wrote to memory of 2660	2696	Behgcf32.exe	33
PID 2660 wrote to memory of 320	2660	Bhfcpb32.exe	34
PID 2660 wrote to memory of 320	2660	Bhfcpb32.exe	34
PID 2660 wrote to memory of 320	2660	Bhfcpb32.exe	34
PID 2660 wrote to memory of 320	2660	Bhfcpb32.exe	34
PID 320 wrote to memory of 2644	320	Boplllob.exe	35
PID 320 wrote to memory of 2644	320	Boplllob.exe	35
PID 320 wrote to memory of 2644	320	Boplllob.exe	35
PID 320 wrote to memory of 2644	320	Boplllob.exe	35
PID 2644 wrote to memory of 1920	2644	Bejdiffp.exe	36
PID 2644 wrote to memory of 1920	2644	Bejdiffp.exe	36
PID 2644 wrote to memory of 1920	2644	Bejdiffp.exe	36
PID 2644 wrote to memory of 1920	2644	Bejdiffp.exe	36
PID 1920 wrote to memory of 2344	1920	Bfkpqn32.exe	37
PID 1920 wrote to memory of 2344	1920	Bfkpqn32.exe	37
PID 1920 wrote to memory of 2344	1920	Bfkpqn32.exe	37
PID 1920 wrote to memory of 2344	1920	Bfkpqn32.exe	37
PID 2344 wrote to memory of 1512	2344	Bobhal32.exe	38
PID 2344 wrote to memory of 1512	2344	Bobhal32.exe	38
PID 2344 wrote to memory of 1512	2344	Bobhal32.exe	38
PID 2344 wrote to memory of 1512	2344	Bobhal32.exe	38
PID 1512 wrote to memory of 1644	1512	Cpceidcn.exe	39
PID 1512 wrote to memory of 1644	1512	Cpceidcn.exe	39
PID 1512 wrote to memory of 1644	1512	Cpceidcn.exe	39
PID 1512 wrote to memory of 1644	1512	Cpceidcn.exe	39
PID 1644 wrote to memory of 2936	1644	Cdoajb32.exe	40
PID 1644 wrote to memory of 2936	1644	Cdoajb32.exe	40
PID 1644 wrote to memory of 2936	1644	Cdoajb32.exe	40
PID 1644 wrote to memory of 2936	1644	Cdoajb32.exe	40
PID 2936 wrote to memory of 1604	2936	Cmgechbh.exe	41
PID 2936 wrote to memory of 1604	2936	Cmgechbh.exe	41
PID 2936 wrote to memory of 1604	2936	Cmgechbh.exe	41
PID 2936 wrote to memory of 1604	2936	Cmgechbh.exe	41
PID 1604 wrote to memory of 2996	1604	Cdanpb32.exe	42
PID 1604 wrote to memory of 2996	1604	Cdanpb32.exe	42
PID 1604 wrote to memory of 2996	1604	Cdanpb32.exe	42
PID 1604 wrote to memory of 2996	1604	Cdanpb32.exe	42
PID 2996 wrote to memory of 2448	2996	Cgpjlnhh.exe	43
PID 2996 wrote to memory of 2448	2996	Cgpjlnhh.exe	43
PID 2996 wrote to memory of 2448	2996	Cgpjlnhh.exe	43
PID 2996 wrote to memory of 2448	2996	Cgpjlnhh.exe	43
PID 2448 wrote to memory of 668	2448	Cmjbhh32.exe	44
PID 2448 wrote to memory of 668	2448	Cmjbhh32.exe	44
PID 2448 wrote to memory of 668	2448	Cmjbhh32.exe	44
PID 2448 wrote to memory of 668	2448	Cmjbhh32.exe	44
PID 668 wrote to memory of 1600	668	Cphndc32.exe	45
PID 668 wrote to memory of 1600	668	Cphndc32.exe	45
PID 668 wrote to memory of 1600	668	Cphndc32.exe	45
PID 668 wrote to memory of 1600	668	Cphndc32.exe	45

C:\Users\Admin\AppData\Local\Temp\af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe
"C:\Users\Admin\AppData\Local\Temp\af7497e06fa2431b5ed6159be6de28ae0b4c1fb7be35d753cc34a5e9dc5ce0e7N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\SysWOW64\Beejng32.exe
  C:\Windows\system32\Beejng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Windows\SysWOW64\Blobjaba.exe
    C:\Windows\system32\Blobjaba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Behgcf32.exe
      C:\Windows\system32\Behgcf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Windows\SysWOW64\Boplllob.exe
        
        C:\Windows\system32\Boplllob.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\SysWOW64\Bfkpqn32.exe
        
        C:\Windows\system32\Bfkpqn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Bobhal32.exe
        
        C:\Windows\system32\Bobhal32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Cdoajb32.exe
        
        C:\Windows\system32\Cdoajb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\Cdanpb32.exe
        
        C:\Windows\system32\Cdanpb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Cgpjlnhh.exe
        
        C:\Windows\system32\Cgpjlnhh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Cmjbhh32.exe
        
        C:\Windows\system32\Cmjbhh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Cphndc32.exe
        
        C:\Windows\system32\Cphndc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Cbgjqo32.exe
        
        C:\Windows\system32\Cbgjqo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Ceegmj32.exe
        
        C:\Windows\system32\Ceegmj32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1128 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Beejng32.exe

Filesize
89KB

MD5
6c28d35a3ad1c4b2b55d8aa19cc18d95

SHA1
c8750a99155048e39973d5e7739b0bfae45ef3f6

SHA256
21a820f0079261066cbfe73b7774a251fc44a81c44d8540fcacb388843dc0f36

SHA512
c52fac39c09fb05cbd2d4f5257350ae9e357235305b647c8aa9b5fdd3f360438c67f09f5d7698dbf8aba9e886d7b1243e33ce1403bcb576735ef71fa58e21436

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
89KB

MD5
92422bc86d887db063497e3b3ab5ba1a

SHA1
a28cc82980fb74112bf4588a98bce3a0dc9b9810

SHA256
c1cba36d05d3a9445d353a4c2d0c75f4656cb21e8a3293271759b3e8d77f05f6

SHA512
4f753e95b4b1f7890598201bf175149874281ef48a94823714b9435b2bea2d51a50be231e1ecc5e7127bede281552749645582eb3319623bc3f02b1080536f43

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
89KB

MD5
863da859db6b517cc7c545e0f70a8b16

SHA1
8fac6d545097fbc3e292ea915893f25d4b3870f2

SHA256
11a0a9a8bd65fd1fc5890b2ff3e785056bdd1b1106a77f738d49fcd56cad18f1

SHA512
6bd3addb40218fc99c781736ab63c530d1a38d7a6b1cc89f3070cc1ce7b2e856539eaa535f5d0f9a4f853bfc1452523d10d6e12767144d72155463f72f4a7e72

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
89KB

MD5
f9edfe89b774886007beeaa2d284c96b

SHA1
832fbf7788d8152c319dc0edb36ee599d0d46abd

SHA256
683f7dd38c9bc025b99b21b55559fe0df0c4e2710b90bbb06c9554775b3cd912

SHA512
060357e16f5f6c6dac26a6ab117195bd864c7f3588b8d9d864dc258555d5e373166d33b058af64ccaa447280b12bc5aed98149dbab60456c2667462d2a92c343

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
89KB

MD5
2ed1a6535ca29d1e48acba234f7d947e

SHA1
c0aec9e59f604507725463b2257b27ebb8b228e7

SHA256
331ca462f026221352b3dec248a37fd280df276e91820a4b85e93dc3d7903373

SHA512
467b0e540a250e6a828901cd211cc8599542f9b690508a657ee2de59381cce1554541cd2f2ed65d3cb871817d8c0c79622be4379e04deb11f90ea3552e26cc94

Download Submit
C:\Windows\SysWOW64\Blobjaba.exe

Filesize
89KB

MD5
e885f6781c3620f2dd24d1a55885e7cc

SHA1
f6e01d60c203125b1a132af7e7049832380b253e

SHA256
4b581f62427985fbbe15d2b95541e509f38f2a47a3050ceedb9f114e07adbefb

SHA512
fbb46bc56a4e4b914674f764eaef98e8372b63427d859040cbadc5eda77869e392714d95e97136d7067616a596dda17365f2c87c687157a1183a59efd4ccef5c

Download Submit
C:\Windows\SysWOW64\Bobhal32.exe

Filesize
89KB

MD5
6d7b662021db1b47696843ca1c433dae

SHA1
c4fbc5afcfbcfcce57f582e6474db59577c395cc

SHA256
302d312f128e0314df4b85c9e451489a26249e40465e782fc06de5786fb6f922

SHA512
71136191d1aa20fd6b2f66144a23383377a029edd48dad37639d56327d977295325892bc2992b631ee7eede8cd242ab2df8e6c09472f972d61ec6c980df986ac

Download Submit
C:\Windows\SysWOW64\Boplllob.exe

Filesize
89KB

MD5
9f266217297b773b8c5c45b5d66d45bb

SHA1
f853b4034d158ea38036981a0ad6fc0d733c9249

SHA256
36e8ab09bc093313f0b1dbd5e2fe33d82ddd9dd9032d6bfdd9759c46e1ead8a2

SHA512
61c615f6ef550520cf29de19ecf520818b9437c764aa9000cbe5c066d3f19c667a70830527bba25d371107e58ac5ae0eef2d74beeb6ff520bde7e5f2f4b32c1d

Download Submit
C:\Windows\SysWOW64\Cbgjqo32.exe

Filesize
89KB

MD5
499529bc35adc68ba80740bd4de3e0a5

SHA1
736743e64c5e984c39159ab6554f607154cf7c63

SHA256
407d4160382cf5dda2a584f1f3d252c6bbe141224cf3c59340e8cec44e3bf90a

SHA512
b785eb4c0a3f2804392baaf6d702bfa20ff6fb40e702d90ebca75420d75d408592da47df0b1c739ac0f3d92dd51b2925bacc71c4ab9380f526edbf08c1150a99

Download Submit
C:\Windows\SysWOW64\Cdanpb32.exe

Filesize
89KB

MD5
95b5b927254e7cc0bf2cf300082ea6ae

SHA1
a4bad8ff4ac167f15a121daf65d1c494b7046242

SHA256
666a977db8a7e419621db4403e3f9ba06d856f70819efa16b88685b15d6983d1

SHA512
339ff6420b0f93c0b83611c08a9f3aabaa6764b28a982460f43f3d3feb4ccc87081c69a59b1ad557302d694e401ca6191d26665e06900699d6797e0cb530ee2c

Download Submit
C:\Windows\SysWOW64\Cdoajb32.exe

Filesize
89KB

MD5
1200fb00ffc8d254610e79f2d53dd0c7

SHA1
a3e36dadbedd3b97506305472c70bb79c341420b

SHA256
eee5c8e97da86acccc2551ec80949884950a3a0b641a3163d1dc4305ab484380

SHA512
719a6feb841e5581047ca94f01372f591868acd039ece9e7a6add5fb42d568924734307a9b5dad6cdb4fd6833838efe75c31ea5bc3dc8b34d6251b88d82569e5

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
89KB

MD5
aea9c2ed287b619834de4325ff762d2b

SHA1
4b7316c32ab422751f7be46caefee3f973fd4dbf

SHA256
ce298e5bea2d81ca07fe2344fda3ac57e59944fc934c953ce5f17c218344bbfa

SHA512
bf05a10d5c42e6ffaf2a904abd2be8db73bea1f58fd272a69d34e057eae786005d64b4f6799e3c0d602f7145d82e9762e8a4fba902a1dcac7df0ce916fbe9f4d

Download Submit
C:\Windows\SysWOW64\Cgpjlnhh.exe

Filesize
89KB

MD5
98d73b47ff4f42de016260de0a0cc3f9

SHA1
8dc22521ad16e1aee8fec05371524233c6fa35fb

SHA256
1351c50c6f0bb621d9f3fadebbe54f6abeefc59c631f7fd2a555142e78c73aa0

SHA512
fdfd60dcb47feea64e57c8f538368ea6ecd5888538927d6ae598a17800769bd06a09a320efd68051c75f9c22965acf7fcd4ce73d01e7c01895db139f6e1d50bd

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
89KB

MD5
e088c89ead8f6cd4006a01fdb4c56174

SHA1
223ef8c198bce654f80dbcd84005986a7b5da2a1

SHA256
8b763b567f8a573cb2d1defe7fcbf48da51ebf6959b9c4d154bc9ac5c1a153c3

SHA512
7f896b0cb4c0dee5c1c3fa860152678a1244ee622548dbcb12cfecfed9a9d121b0683c4e6f0cc9ad14c20f7e5e98438ef87ee2135368dd83126185d7bc2c38fc

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
89KB

MD5
fff4c9a9dedacc6b7adfac2c87924ee1

SHA1
8812763488cca6204f64901ef888a364444000de

SHA256
d472c04e17988e45e9abfc12bde94c9f18ef0a3a4309023d262f77e1a91bce26

SHA512
d6adcc9bbd09df97f75c899ac8a03f13e60d79dd141ba8edff965f24db0bf803d74afec5a514d6ba9b701151f12be5655ebb6835236c82a044d964bcaa54b825

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
89KB

MD5
e1f8dccc762cbf85632d5caae7b8b675

SHA1
98ecb9f8c310c9ff86e23c43ccc8fcb9f5d21ba5

SHA256
6ef5fd61311f1e421a3211e1d528a446ee68a7bce65672cc940c3cb49e79741e

SHA512
156a4c4d02c603d88771e2b19402d3fa9a6eff15f08d4ced9762352f39ab088914aec1e35d5a9bef230354fdbddda5bcf702743f4702cb60efc7a55b889973b8

Download Submit
C:\Windows\SysWOW64\Cphndc32.exe

Filesize
89KB

MD5
55dbc721666e47ce70563775d53fb33d

SHA1
e08f1f9bb61ad85e9b32adc5187585c2ebc44152

SHA256
9c16fdc327c0d6244c6bc7cf80dbe29b8beaf36bb6610c51564b5aeb6a4ab2b2

SHA512
318fa50a3b7ac183dbcc91d90d3464bd059b4d3292662c030473ec5496d359e5f05dbd2f0bd4a6d4c215a31471e2084bf0c3353d612b611d50bcb33723921242

Download Submit
C:\Windows\SysWOW64\Liggabfp.dll

Filesize
7KB

MD5
bdaa5af69bc6acc38538497e091112df

SHA1
b8a499fd3ae0246ad8e81becd66d82e3134c1f88

SHA256
e9e44763f35a0cab598883984197d5da5da27aaa1f034e4249ffdbc8e5032dda

SHA512
6789661d0c98757854b8c964758d1e31154556cfa94a45fb7d1f45a461c7786c8f76e73f50ed8dd5bea6062b74a56926736b428eb56012b53935e60eb1af9665

Download Submit
memory/320-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/320-76-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/320-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/668-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1128-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-130-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/1512-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1644-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-103-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1920-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2344-109-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2612-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2644-82-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2696-47-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2696-53-0x0000000000310000-0x0000000000350000-memory.dmp

Filesize
256KB

Download
memory/2712-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-17-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2852-18-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2936-157-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2936-149-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2996-183-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads