ccf81eed5f034cb402e08ee9b7babf4ff1dcb1c6a2c3f7ac4e8871567be2c9bb

Analysis

max time kernel
115s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf99e71f0b6b886cb84e549eb1dcaa40N.exe
Size

448KB
MD5

bf99e71f0b6b886cb84e549eb1dcaa40
SHA1

a9b228caa0e58ab507c361de8ef31ead3332454d
SHA256

ccf81eed5f034cb402e08ee9b7babf4ff1dcb1c6a2c3f7ac4e8871567be2c9bb
SHA512

1a05b944fe7c4502da610fa96b9516f59d4107395107caa5005b9fff2d9b50e15f79526900d841a0f35d68e2959410469c0d3e4ce5114e44f20570684aca7369
SSDEEP

6144:uyyLiZCeLF8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrlo9:uyyLQp87g7/VycgE81lm

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mecbjd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbmpnjai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndjhpcoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phocfd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbbiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mecbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Niqgof32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndmeecmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaqeogll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgjlgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbkchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Opjlkc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkhdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oacbdg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ophoecoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdmhfpkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkokc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akkokc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjhpcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oaqeogll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mchokq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opjlkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkhdml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbbiii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebnigmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ophoecoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbplciof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mchokq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcmabnhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdajpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbmpnjai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbplciof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmhfpkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbbegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niqgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kgjlgm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdbcing.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oophlpag.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkplgoop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfdbcing.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbkchj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nebnigmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkplgoop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amebjgai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoihaa32.exe

Executes dropped EXE 32 IoCs

pid	Process
1952	Kgjlgm32.exe
2948	Kkhdml32.exe
1904	Lfdbcing.exe
3040	Lbkchj32.exe
2752	Lbmpnjai.exe
2284	Lbplciof.exe
2072	Lbbiii32.exe
1796	Mecbjd32.exe
2096	Mchokq32.exe
1192	Mcjlap32.exe
3020	Mdmhfpkg.exe
1924	Nbbegl32.exe
1908	Nebnigmp.exe
2664	Niqgof32.exe
2068	Ndjhpcoe.exe
696	Ndmeecmb.exe
2572	Oaqeogll.exe
2384	Oacbdg32.exe
2152	Ophoecoa.exe
1916	Opjlkc32.exe
2592	Oophlpag.exe
1588	Pcmabnhm.exe
1936	Pdajpf32.exe
876	Phocfd32.exe
2028	Pkplgoop.exe
2228	Qfimhmlo.exe
2388	Amebjgai.exe
2916	Akkokc32.exe
2808	Aoihaa32.exe
2280	Abiqcm32.exe
2164	Ablmilgf.exe
2476	Bmenijcd.exe

Loads dropped DLL 64 IoCs

pid	Process
2776	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
2776	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
1952	Kgjlgm32.exe
1952	Kgjlgm32.exe
2948	Kkhdml32.exe
2948	Kkhdml32.exe
1904	Lfdbcing.exe
1904	Lfdbcing.exe
3040	Lbkchj32.exe
3040	Lbkchj32.exe
2752	Lbmpnjai.exe
2752	Lbmpnjai.exe
2284	Lbplciof.exe
2284	Lbplciof.exe
2072	Lbbiii32.exe
2072	Lbbiii32.exe
1796	Mecbjd32.exe
1796	Mecbjd32.exe
2096	Mchokq32.exe
2096	Mchokq32.exe
1192	Mcjlap32.exe
1192	Mcjlap32.exe
3020	Mdmhfpkg.exe
3020	Mdmhfpkg.exe
1924	Nbbegl32.exe
1924	Nbbegl32.exe
1908	Nebnigmp.exe
1908	Nebnigmp.exe
2664	Niqgof32.exe
2664	Niqgof32.exe
2068	Ndjhpcoe.exe
2068	Ndjhpcoe.exe
696	Ndmeecmb.exe
696	Ndmeecmb.exe
2572	Oaqeogll.exe
2572	Oaqeogll.exe
2384	Oacbdg32.exe
2384	Oacbdg32.exe
2152	Ophoecoa.exe
2152	Ophoecoa.exe
1916	Opjlkc32.exe
1916	Opjlkc32.exe
2592	Oophlpag.exe
2592	Oophlpag.exe
1588	Pcmabnhm.exe
1588	Pcmabnhm.exe
1936	Pdajpf32.exe
1936	Pdajpf32.exe
876	Phocfd32.exe
876	Phocfd32.exe
2028	Pkplgoop.exe
2028	Pkplgoop.exe
2228	Qfimhmlo.exe
2228	Qfimhmlo.exe
2388	Amebjgai.exe
2388	Amebjgai.exe
2916	Akkokc32.exe
2916	Akkokc32.exe
2808	Aoihaa32.exe
2808	Aoihaa32.exe
2280	Abiqcm32.exe
2280	Abiqcm32.exe
2164	Ablmilgf.exe
2164	Ablmilgf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Diflambo.dll	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Mecbjd32.exe	Lbbiii32.exe
File created	C:\Windows\SysWOW64\Maneecda.dll	Phocfd32.exe
File opened for modification	C:\Windows\SysWOW64\Aoihaa32.exe	Akkokc32.exe
File created	C:\Windows\SysWOW64\Madikm32.dll	Nbbegl32.exe
File created	C:\Windows\SysWOW64\Mmkcpmmb.dll	Oophlpag.exe
File created	C:\Windows\SysWOW64\Jbcimj32.dll	Pcmabnhm.exe
File created	C:\Windows\SysWOW64\Agefobee.dll	Pdajpf32.exe
File created	C:\Windows\SysWOW64\Qfimhmlo.exe	Pkplgoop.exe
File opened for modification	C:\Windows\SysWOW64\Mecbjd32.exe	Lbbiii32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmhfpkg.exe	Mcjlap32.exe
File created	C:\Windows\SysWOW64\Gmeckg32.dll	Mdmhfpkg.exe
File created	C:\Windows\SysWOW64\Hgeahj32.dll	Pkplgoop.exe
File created	C:\Windows\SysWOW64\Mdmhfpkg.exe	Mcjlap32.exe
File opened for modification	C:\Windows\SysWOW64\Oaqeogll.exe	Ndmeecmb.exe
File created	C:\Windows\SysWOW64\Abiqcm32.exe	Aoihaa32.exe
File opened for modification	C:\Windows\SysWOW64\Pkplgoop.exe	Phocfd32.exe
File created	C:\Windows\SysWOW64\Kkhdml32.exe	Kgjlgm32.exe
File created	C:\Windows\SysWOW64\Ejegcc32.dll	Oacbdg32.exe
File created	C:\Windows\SysWOW64\Oophlpag.exe	Opjlkc32.exe
File created	C:\Windows\SysWOW64\Nebnigmp.exe	Nbbegl32.exe
File created	C:\Windows\SysWOW64\Ibjenkae.dll	Ndmeecmb.exe
File opened for modification	C:\Windows\SysWOW64\Ophoecoa.exe	Oacbdg32.exe
File opened for modification	C:\Windows\SysWOW64\Opjlkc32.exe	Ophoecoa.exe
File created	C:\Windows\SysWOW64\Akkokc32.exe	Amebjgai.exe
File created	C:\Windows\SysWOW64\Kgjlgm32.exe	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
File created	C:\Windows\SysWOW64\Dfddnb32.dll	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
File created	C:\Windows\SysWOW64\Ifbpdhee.dll	Mecbjd32.exe
File opened for modification	C:\Windows\SysWOW64\Pcmabnhm.exe	Oophlpag.exe
File created	C:\Windows\SysWOW64\Pkplgoop.exe	Phocfd32.exe
File opened for modification	C:\Windows\SysWOW64\Qfimhmlo.exe	Pkplgoop.exe
File created	C:\Windows\SysWOW64\Alggph32.dll	Kgjlgm32.exe
File created	C:\Windows\SysWOW64\Lbplciof.exe	Lbmpnjai.exe
File created	C:\Windows\SysWOW64\Fchpmeni.dll	Ndjhpcoe.exe
File created	C:\Windows\SysWOW64\Pdajpf32.exe	Pcmabnhm.exe
File opened for modification	C:\Windows\SysWOW64\Amebjgai.exe	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Jpobja32.dll	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Aoihaa32.exe	Akkokc32.exe
File created	C:\Windows\SysWOW64\Kffhfj32.dll	Lfdbcing.exe
File created	C:\Windows\SysWOW64\Lbmpnjai.exe	Lbkchj32.exe
File created	C:\Windows\SysWOW64\Mchokq32.exe	Mecbjd32.exe
File created	C:\Windows\SysWOW64\Ophoecoa.exe	Oacbdg32.exe
File opened for modification	C:\Windows\SysWOW64\Akkokc32.exe	Amebjgai.exe
File created	C:\Windows\SysWOW64\Nbbegl32.exe	Mdmhfpkg.exe
File opened for modification	C:\Windows\SysWOW64\Niqgof32.exe	Nebnigmp.exe
File created	C:\Windows\SysWOW64\Oaqeogll.exe	Ndmeecmb.exe
File opened for modification	C:\Windows\SysWOW64\Pdajpf32.exe	Pcmabnhm.exe
File opened for modification	C:\Windows\SysWOW64\Phocfd32.exe	Pdajpf32.exe
File opened for modification	C:\Windows\SysWOW64\Abiqcm32.exe	Aoihaa32.exe
File created	C:\Windows\SysWOW64\Polhjf32.dll	Aoihaa32.exe
File opened for modification	C:\Windows\SysWOW64\Lbkchj32.exe	Lfdbcing.exe
File opened for modification	C:\Windows\SysWOW64\Nebnigmp.exe	Nbbegl32.exe
File opened for modification	C:\Windows\SysWOW64\Oophlpag.exe	Opjlkc32.exe
File created	C:\Windows\SysWOW64\Bemkkdbc.dll	Amebjgai.exe
File created	C:\Windows\SysWOW64\Lfdbcing.exe	Kkhdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lbmpnjai.exe	Lbkchj32.exe
File created	C:\Windows\SysWOW64\Amebjgai.exe	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Mcjlap32.exe	Mchokq32.exe
File created	C:\Windows\SysWOW64\Niqgof32.exe	Nebnigmp.exe
File created	C:\Windows\SysWOW64\Opjlkc32.exe	Ophoecoa.exe
File opened for modification	C:\Windows\SysWOW64\Ablmilgf.exe	Abiqcm32.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Ahdheo32.dll	Kkhdml32.exe
File created	C:\Windows\SysWOW64\Ibnqpj32.dll	Lbkchj32.exe

Program crash 1 IoCs

pid	pid_target	Process
2168	2476	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoihaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mchokq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oacbdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkplgoop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfimhmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebnigmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opjlkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcmabnhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amebjgai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbbiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbbegl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdajpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdmhfpkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndmeecmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjhpcoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phocfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkokc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abiqcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niqgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oophlpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbmpnjai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbplciof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mecbjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaqeogll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkhdml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbkchj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdbcing.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ophoecoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablmilgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgjlgm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkhdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mecbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcimj32.dll"	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akkokc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahdheo32.dll"	Kkhdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaibff32.dll"	Lbmpnjai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdmhfpkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndjhpcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbkchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbodi32.dll"	Nebnigmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bemkkdbc.dll"	Amebjgai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akkokc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjbgbg.dll"	Abiqcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oophlpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nebnigmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lfdbcing.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnqpj32.dll"	Lbkchj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Niqgof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mchokq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbkchj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oaqeogll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Opjlkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpobja32.dll"	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbpdhee.dll"	Mecbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmeckg32.dll"	Mdmhfpkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbplciof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oaqeogll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agefobee.dll"	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amebjgai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmjalg.dll"	Akkokc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kgjlgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndmeecmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcmabnhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndjhpcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfddnb32.dll"	bf99e71f0b6b886cb84e549eb1dcaa40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eodinj32.dll"	Opjlkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcjlap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kgjlgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibjenkae.dll"	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejegcc32.dll"	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pdajpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aoihaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbokqlp.dll"	Lbplciof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mecbjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Opjlkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffhfj32.dll"	Lfdbcing.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbcbcgp.dll"	Niqgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phocfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbmpnjai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbbiii32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1952	2776	bf99e71f0b6b886cb84e549eb1dcaa40N.exe	30
PID 2776 wrote to memory of 1952	2776	bf99e71f0b6b886cb84e549eb1dcaa40N.exe	30
PID 2776 wrote to memory of 1952	2776	bf99e71f0b6b886cb84e549eb1dcaa40N.exe	30
PID 2776 wrote to memory of 1952	2776	bf99e71f0b6b886cb84e549eb1dcaa40N.exe	30
PID 1952 wrote to memory of 2948	1952	Kgjlgm32.exe	31
PID 1952 wrote to memory of 2948	1952	Kgjlgm32.exe	31
PID 1952 wrote to memory of 2948	1952	Kgjlgm32.exe	31
PID 1952 wrote to memory of 2948	1952	Kgjlgm32.exe	31
PID 2948 wrote to memory of 1904	2948	Kkhdml32.exe	32
PID 2948 wrote to memory of 1904	2948	Kkhdml32.exe	32
PID 2948 wrote to memory of 1904	2948	Kkhdml32.exe	32
PID 2948 wrote to memory of 1904	2948	Kkhdml32.exe	32
PID 1904 wrote to memory of 3040	1904	Lfdbcing.exe	33
PID 1904 wrote to memory of 3040	1904	Lfdbcing.exe	33
PID 1904 wrote to memory of 3040	1904	Lfdbcing.exe	33
PID 1904 wrote to memory of 3040	1904	Lfdbcing.exe	33
PID 3040 wrote to memory of 2752	3040	Lbkchj32.exe	34
PID 3040 wrote to memory of 2752	3040	Lbkchj32.exe	34
PID 3040 wrote to memory of 2752	3040	Lbkchj32.exe	34
PID 3040 wrote to memory of 2752	3040	Lbkchj32.exe	34
PID 2752 wrote to memory of 2284	2752	Lbmpnjai.exe	35
PID 2752 wrote to memory of 2284	2752	Lbmpnjai.exe	35
PID 2752 wrote to memory of 2284	2752	Lbmpnjai.exe	35
PID 2752 wrote to memory of 2284	2752	Lbmpnjai.exe	35
PID 2284 wrote to memory of 2072	2284	Lbplciof.exe	36
PID 2284 wrote to memory of 2072	2284	Lbplciof.exe	36
PID 2284 wrote to memory of 2072	2284	Lbplciof.exe	36
PID 2284 wrote to memory of 2072	2284	Lbplciof.exe	36
PID 2072 wrote to memory of 1796	2072	Lbbiii32.exe	37
PID 2072 wrote to memory of 1796	2072	Lbbiii32.exe	37
PID 2072 wrote to memory of 1796	2072	Lbbiii32.exe	37
PID 2072 wrote to memory of 1796	2072	Lbbiii32.exe	37
PID 1796 wrote to memory of 2096	1796	Mecbjd32.exe	38
PID 1796 wrote to memory of 2096	1796	Mecbjd32.exe	38
PID 1796 wrote to memory of 2096	1796	Mecbjd32.exe	38
PID 1796 wrote to memory of 2096	1796	Mecbjd32.exe	38
PID 2096 wrote to memory of 1192	2096	Mchokq32.exe	39
PID 2096 wrote to memory of 1192	2096	Mchokq32.exe	39
PID 2096 wrote to memory of 1192	2096	Mchokq32.exe	39
PID 2096 wrote to memory of 1192	2096	Mchokq32.exe	39
PID 1192 wrote to memory of 3020	1192	Mcjlap32.exe	40
PID 1192 wrote to memory of 3020	1192	Mcjlap32.exe	40
PID 1192 wrote to memory of 3020	1192	Mcjlap32.exe	40
PID 1192 wrote to memory of 3020	1192	Mcjlap32.exe	40
PID 3020 wrote to memory of 1924	3020	Mdmhfpkg.exe	41
PID 3020 wrote to memory of 1924	3020	Mdmhfpkg.exe	41
PID 3020 wrote to memory of 1924	3020	Mdmhfpkg.exe	41
PID 3020 wrote to memory of 1924	3020	Mdmhfpkg.exe	41
PID 1924 wrote to memory of 1908	1924	Nbbegl32.exe	42
PID 1924 wrote to memory of 1908	1924	Nbbegl32.exe	42
PID 1924 wrote to memory of 1908	1924	Nbbegl32.exe	42
PID 1924 wrote to memory of 1908	1924	Nbbegl32.exe	42
PID 1908 wrote to memory of 2664	1908	Nebnigmp.exe	43
PID 1908 wrote to memory of 2664	1908	Nebnigmp.exe	43
PID 1908 wrote to memory of 2664	1908	Nebnigmp.exe	43
PID 1908 wrote to memory of 2664	1908	Nebnigmp.exe	43
PID 2664 wrote to memory of 2068	2664	Niqgof32.exe	44
PID 2664 wrote to memory of 2068	2664	Niqgof32.exe	44
PID 2664 wrote to memory of 2068	2664	Niqgof32.exe	44
PID 2664 wrote to memory of 2068	2664	Niqgof32.exe	44
PID 2068 wrote to memory of 696	2068	Ndjhpcoe.exe	45
PID 2068 wrote to memory of 696	2068	Ndjhpcoe.exe	45
PID 2068 wrote to memory of 696	2068	Ndjhpcoe.exe	45
PID 2068 wrote to memory of 696	2068	Ndjhpcoe.exe	45

C:\Users\Admin\AppData\Local\Temp\bf99e71f0b6b886cb84e549eb1dcaa40N.exe
"C:\Users\Admin\AppData\Local\Temp\bf99e71f0b6b886cb84e549eb1dcaa40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\Kgjlgm32.exe
  C:\Windows\system32\Kgjlgm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\Kkhdml32.exe
    C:\Windows\system32\Kkhdml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\Lfdbcing.exe
      C:\Windows\system32\Lfdbcing.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\Lbkchj32.exe
        
        C:\Windows\system32\Lbkchj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\Lbmpnjai.exe
        
        C:\Windows\system32\Lbmpnjai.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Lbplciof.exe
        
        C:\Windows\system32\Lbplciof.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Lbbiii32.exe
        
        C:\Windows\system32\Lbbiii32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Mecbjd32.exe
        
        C:\Windows\system32\Mecbjd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Mchokq32.exe
        
        C:\Windows\system32\Mchokq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Mcjlap32.exe
        
        C:\Windows\system32\Mcjlap32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Mdmhfpkg.exe
        
        C:\Windows\system32\Mdmhfpkg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Nbbegl32.exe
        
        C:\Windows\system32\Nbbegl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Nebnigmp.exe
        
        C:\Windows\system32\Nebnigmp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Niqgof32.exe
        
        C:\Windows\system32\Niqgof32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\Ndjhpcoe.exe
        
        C:\Windows\system32\Ndjhpcoe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Ndmeecmb.exe
        
        C:\Windows\system32\Ndmeecmb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Oaqeogll.exe
        
        C:\Windows\system32\Oaqeogll.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Oacbdg32.exe
        
        C:\Windows\system32\Oacbdg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Ophoecoa.exe
        
        C:\Windows\system32\Ophoecoa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Opjlkc32.exe
        
        C:\Windows\system32\Opjlkc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Oophlpag.exe
        
        C:\Windows\system32\Oophlpag.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Pcmabnhm.exe
        
        C:\Windows\system32\Pcmabnhm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Pdajpf32.exe
        
        C:\Windows\system32\Pdajpf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Phocfd32.exe
        
        C:\Windows\system32\Phocfd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Pkplgoop.exe
        
        C:\Windows\system32\Pkplgoop.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Qfimhmlo.exe
        
        C:\Windows\system32\Qfimhmlo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2228
        
        C:\Windows\SysWOW64\Amebjgai.exe
        
        C:\Windows\system32\Amebjgai.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Akkokc32.exe
        
        C:\Windows\system32\Akkokc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Aoihaa32.exe
        
        C:\Windows\system32\Aoihaa32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Abiqcm32.exe
        
        C:\Windows\system32\Abiqcm32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Ablmilgf.exe
        
        C:\Windows\system32\Ablmilgf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 140
        34⤵
        Program crash
        
        PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abiqcm32.exe

Filesize
448KB

MD5
fc47b937abb725204a18f82e3674219d

SHA1
a88f1969969b8ad0730901b6366bf84fd27a4935

SHA256
e75d89387579179c2531464a0bdbb7bc39b1e79eb0bf830421a0e726f38a47c0

SHA512
c01f78527dd0ca06a451edf2519d82571cd7dd7baf54002960fe5bbb5a8151c7edcd961e13185c493fdf113fa4f6d7e9175afb9185630d2a02c05142f77c9bf4

Download Submit
C:\Windows\SysWOW64\Ablmilgf.exe

Filesize
448KB

MD5
0b713dc24b48e9a49454ec1271d82006

SHA1
b98fc86111a6ba89da1bb82ad6747f0e1a218567

SHA256
cf295c49a1d316a96f4e402928e8edecc2dd7f67dceeb634b55868b862989732

SHA512
1ac0cebe72c2a53bf70e7149ab26db87ec1497dd4fa570b9d6b7719ae42f944c1b3ee9daed061b17eae945eeee8bff8e89d876b2a95f38400b0b7452293637cb

Download Submit
C:\Windows\SysWOW64\Akkokc32.exe

Filesize
448KB

MD5
891e576dc723c8ca5bf5ccdf1fd5512e

SHA1
46aa8bd7c91d20c00a2148f7e40a34122f90758a

SHA256
45b1682900377bb5de679685ba252e232e10d06e359ecee95b772a1ae6693ef9

SHA512
87675ec12b1f3c08dbdfdeef59139331d2110a68b26c22c249df0c1c5e1eb3605fbc990d35758c260f07b95cbf36c43dcd78ee819b83a1074d2a63e5fbde2d1e

Download Submit
C:\Windows\SysWOW64\Amebjgai.exe

Filesize
448KB

MD5
5b380be32697b61c5618ef3ad83b8f5d

SHA1
1ca7697e29186a67bc87ff10b1ba6cdab689a3df

SHA256
1af42caa4c8362f0af4c47f966bcf7061becbe53668d64a2be02f16fed0c2d2b

SHA512
1a5af74cba51a39a61c3ee62f47d7a59f44736a55c2d8e34cb4fd693fb43e2390cb75dc695c2b45b7278d00b51e22a1b50d2dba87d485786f88319dbd36ce18c

Download Submit
C:\Windows\SysWOW64\Aoihaa32.exe

Filesize
448KB

MD5
283b846899b86eefd62b9d440432c0e0

SHA1
6497c48540ee9e6c177b9b7b68772a24b0260f81

SHA256
4be02e52dcda515498a75c9de14a1ec4bfcccda68869aeff904f7055e93e5d7d

SHA512
41f6045988680be1d4c424f227143ac97f115aea946d6289654bca19da7c20c2e65ce7db9b763c27f482adeacb3aecef89be2208e04a41837d89da99985cd960

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
448KB

MD5
17b3a52f7b42c7b4b150e1cfb35f10ab

SHA1
d64289d06d55a97401022cd4f391bcb6b3695b6e

SHA256
c18f38b90d73133dbf1e08cab2723fde80f9a4dff5d8bed8342056c82a06b690

SHA512
c02463c7ab111cc7e7d5f2e05fe81a684c5c6196e0a1ede1f87d5b43dead5c2e3839c453ef43447f59edaf493159f949d8abd7a76f0eb3e96988501c68e6d6a6

Download Submit
C:\Windows\SysWOW64\Ibnqpj32.dll

Filesize
7KB

MD5
f92209b0ebc7117676261efba57b0134

SHA1
8b801c59290168b41633b36fb7cb4afb781999c0

SHA256
2a386e804ee6b66e28bfde135c5be2697a77778f8647b8028aaa9e3e46e1fa98

SHA512
3cb1f92fb037b4af6a330472ca81ede47b21f3e9d204695f3fc50b7fd99824fbab24d4a62ead4480242d769773682e748292cf0d8db2ea0724d6c0003cfd4974

Download Submit
C:\Windows\SysWOW64\Lbkchj32.exe

Filesize
448KB

MD5
37518c32c54722f6506b3dbb627be2fa

SHA1
c436a762854d904c893143d153d13bf45c2f976f

SHA256
5afca6ca5d3555e4c973f3ffc9f70a82566ee9dcc80079ac5a94998aed735147

SHA512
b475828fd13d00f750a790da77bd3524a48ee101c6ccd83e107b3ce5ab895f9c61f3fe011dc898aafb4c62098133016fe5c3f5e82f3aa49b8d4e0c9b5fad9574

Download Submit
C:\Windows\SysWOW64\Lbplciof.exe

Filesize
448KB

MD5
7a146c38cb8095edb5337c8294dc4a8f

SHA1
d91dd42e4aa679ee5221bbecd1a6268210189230

SHA256
ce6af1d52170ea19a6971eab5be6deaaa21023878af30afd582cd4846b41add3

SHA512
ffd1dfbd40c6ebf96f1995f2a884893f8e301771b4d866ff4aadeb577d098f2f7dfdf8371d0bbaafec80fbfc05ccc58cc7c36361c483035fc62fcb6d500c8d83

Download Submit
C:\Windows\SysWOW64\Lfdbcing.exe

Filesize
448KB

MD5
d8bd2b9567b0966d7ef3c07791951e6d

SHA1
2076797be97e06dc0ae2e1a8e72da09c4ac8add0

SHA256
4cb9e4132b963497a34b56c44910657dc752ebd07f78ddda676e415ecfa99799

SHA512
5c5827a406bda1fa39b462dd17b46ea6b77c624b006f9596621420be5298488349f652cc96db82942a08d5fb919dab25e9fa43845449e736f4c1204923cdcd9f

Download Submit
C:\Windows\SysWOW64\Mchokq32.exe

Filesize
448KB

MD5
915c19906630abd67e48ef231d3d9f94

SHA1
bb8a176ea34e7ebe7477b863464c0cb2e82b5a1e

SHA256
5ed497276b452c201b62431e8edd556f37caa4d252587f7fd51930ce2e4fa780

SHA512
44a8bb4389719675a86e4950a5355279da0be11b09421911190a747a0cfb1c8222df0075b2781931cdefd43643683fd051c90261ddf43c35ccd707029bfb75a2

Download Submit
C:\Windows\SysWOW64\Mcjlap32.exe

Filesize
448KB

MD5
b2ea09abcfb882eb09554bb422b49156

SHA1
f5982d13da5fea0d43545f602a4dd1b673efa836

SHA256
09bc98ba879f846555cd7cf21b20fb39d419942799141f585a3fc64f96127063

SHA512
0f4c72c602d8f6c7c5a4bc6af143f9c2b2dc3cd1979a9be1d3b5f54b9a52cff6e74926c9850b09792d178145f249d8527e93fea1c9346b5c37067100f32d7352

Download Submit
C:\Windows\SysWOW64\Mdmhfpkg.exe

Filesize
448KB

MD5
5569fff88074cb18f2c9c862d102fcab

SHA1
27fb293c8888075773ed46cc3c2f8f357b728e32

SHA256
ab96c3353e313668a3dfa24b5bfa1978bf984ba64e493c0b798aa6c0a940d026

SHA512
fa31d39545441d82bc39de51d4811600a8bd4bcb6b577dc68ed28af6f1cdb946bdf10f3c0fe33138ab7b0fffa68e77ba0096b0b816f0deb073cb133350a817c2

Download Submit
C:\Windows\SysWOW64\Mecbjd32.exe

Filesize
448KB

MD5
96a39c1844f701c2130a867f2437cfb0

SHA1
166511746b86226327f4c9df9f038c8c777f9031

SHA256
799f4a5e96c6dd37025113c94f981edced0ba427a131d6c0924453ecfd9b4264

SHA512
a3b4db3c8e5bb0815d6ab200cc7cc6a2c22ea3a9ad03ea2aae4c3c46e45108c52a8db7f19e452cdade4c49bf547da93dde2176cd2504083c424c150a9f07ce72

Download Submit
C:\Windows\SysWOW64\Nbbegl32.exe

Filesize
448KB

MD5
1915c0b91bc97c040a69730f20f90326

SHA1
909245da573bc72b9cd81031859245532563a16d

SHA256
258b61cc8aa9fa778ed45ccdc7759199f28562c81aae9eba1768335f7aac31d4

SHA512
523c8f2ba6fd9669fee2923fe1ec7bf5fdc2e97237a79edc448ae1cdafa75201130ac45d408b5ab0eea560a457d14d9b976c6a23002925bf01807be485258612

Download Submit
C:\Windows\SysWOW64\Ndjhpcoe.exe

Filesize
448KB

MD5
712b0a5bc2beb252eb3f725f2c15ec84

SHA1
a1a9375eaf60785258260115a78883627210c40d

SHA256
241fab4684566b64a4e5503489dc9460b824b0f7557c8c4ef085e603548a4fd2

SHA512
1bc4a30fd1379e82e98817de35f0fee0476a52f3d0642f2bf99e19dd475ed0da0dd85026f02108c29207b0a51e9c759c359c5063c713ee0ae56b9371c2b43efe

Download Submit
C:\Windows\SysWOW64\Ndmeecmb.exe

Filesize
448KB

MD5
dd74a2cccf21a8c61ac36d41a35ef18f

SHA1
94ea358218d786cd8fc3a5a788dd15bbcc108eab

SHA256
73cb6015c3c3d37d57b769a219fd783b7b5c57aebfa61211fbc75725ace6797e

SHA512
ba2c6e33e0b10cbe9f5cf796f13d9f9e09108152f476560196c28ededfb4f221f6771c040f28800d244a2dbe520c2e94720f53afa372ba2fad8fcdbaca4d437c

Download Submit
C:\Windows\SysWOW64\Nebnigmp.exe

Filesize
448KB

MD5
61e1862f6d90ddcbee6b01ecb38e7c87

SHA1
4c317f89666b6325290aa8be0c44a3ad05ab6cbe

SHA256
925eee7ba10e0f83dfc39dbaae35f0e97bcf3a6579d524c230cd05669c669982

SHA512
ef77543464dcf960fa832235de313ca55c2aa7aebb6d3659257c95eab5d8de3ed5790fc3be83b5c10153796e51dd6ad8afcc369478476408cf2d2641ef32d4aa

Download Submit
C:\Windows\SysWOW64\Niqgof32.exe

Filesize
448KB

MD5
acfdb197cdb9516a6488e8c2442f5c2e

SHA1
d320341c7408a7ef7891062e61ad0c353daae33b

SHA256
9f7daad1a041c01b1d58c6960ead28c16b6b42f32beac09cf875be1489f67b77

SHA512
ad4571f099ceb985005a08a30a4281451eb09561bf4be50c8f1342a2830d102ac9a2e09deca35b71c02cb8ab492ec5bb5214e3e107dd33f91b32242412857145

Download Submit
C:\Windows\SysWOW64\Oacbdg32.exe

Filesize
448KB

MD5
3c63b02c910955a9e332ab186335d746

SHA1
a1c523b1d1acc36ed661efa8d60b03a4e94d4313

SHA256
e45977192c342bb8724c389e44d6ce50a76289085cd1df20fe78e08ff282de19

SHA512
a370ca81842e6f4ad80ba2a9c8d9a010af63fdc5f88ce6b5d94341ca0f68ebd3616d9ce910224aa4e2510e5fe054dec535cba40f4bfa720e6f63e5729bc2d064

Download Submit
C:\Windows\SysWOW64\Oaqeogll.exe

Filesize
448KB

MD5
d4e0e3c9cb8946fa5ab81ec02abe139d

SHA1
f9452e212b26d0caec6ddbd163fd7d55303fca30

SHA256
2c7c5feebb0d8ec1489cb2c770d9dcd2c8a8d294173376dc4ccf304c2a48bb66

SHA512
b24f5710dd669fbea27abd013e6464f863cfe87e6612b6b4a3b5c70f424afe86317055198c8f318b71a2f06c6df3696253b078c350a63cd0bb7a863d257d73ae

Download Submit
C:\Windows\SysWOW64\Oophlpag.exe

Filesize
448KB

MD5
8aa182dfbb55124f40953b8a8e34072a

SHA1
b63e9d59457e9a03e1a5a743fd517a713925cf45

SHA256
c4d85580f71feb1741583a3050cdb0555c80c1df44e9b37757957bb8e692804d

SHA512
1fce824fd78af9c400158d46400f755403ecef20af141c2ccf0b8ea9c9c14be109552a04ec60a7194d0262376f63d41f04d759185e39b5d0f6e3677a438fd619

Download Submit
C:\Windows\SysWOW64\Ophoecoa.exe

Filesize
448KB

MD5
9209f80b559a64f55e213bf376e85539

SHA1
5ad3ec2b83b49d11e258279ad1bae15364bfc239

SHA256
bd0f2088d18f9ebf0f9929e8720470872f718cae9c3f5b87d2b95c6db4415e32

SHA512
2cbf22419c5fa8d8f2a10c26072d5b0b608f6536c22de9171a68fd9999c7cee006e4016cb3eef1770bde9b1bf65a0f7a0044f441fc768f0225d2e2602763090e

Download Submit
C:\Windows\SysWOW64\Opjlkc32.exe

Filesize
448KB

MD5
d3c0cb56af53bd7adfab69663e443fe3

SHA1
1795e672cefc112af60e975550964b265943461c

SHA256
a3fe546a46021bb001475682b4bb004cf942d0dd1bf9eb621b315873639bfa30

SHA512
de3887bb773376b0b279a12a87eb6aafd94c91f2f9f43eefd251e18eedcb40bba033de2801b347cf864fd7b2f058306b6ecb6b502496eebcd94f253019ce600d

Download Submit
C:\Windows\SysWOW64\Pcmabnhm.exe

Filesize
448KB

MD5
595c765fcbc704e49e5488eacd23fefb

SHA1
4ae3ebc37e28830f2de31ac6475ef995035dab46

SHA256
956274daeb84508f2d8db5dbab55f9a860fdb5846d91d62d118e975f9ccc7246

SHA512
8734d962dc0847ffb06a3837ea8e1543e837eba3998c7eb00db2006bc459f31138625396f63e4abc331458c4fef5c266e43d77733aed87a5d78ea2cf011608ec

Download Submit
C:\Windows\SysWOW64\Pdajpf32.exe

Filesize
448KB

MD5
371614174c3c0b1f61887615fede5bf7

SHA1
4fdd2f3e2bf02c8ea2d13e2f258c5e17cb4e6d33

SHA256
fb255958524c0c2dfd9df319caa7e85dfb8fe7231e0aff2088b6ec7952178eb0

SHA512
4f57a4c2f3c59d3a9e731179fe77f97558b89297bd68aadb9a8026ffe13aaae0feb2c8910e93101d08fc0bb4c0a61a777ff2dd0327b71269ad915f42e335ddea

Download Submit
C:\Windows\SysWOW64\Phocfd32.exe

Filesize
448KB

MD5
05d8c93331dc6a6113a3c873b44681b4

SHA1
6541a8184dfcbf2dd8bfed70f99191d05ea9329f

SHA256
cf347cebc2637f11bc9bf0a4d4b619a9be6e400de5b7a4aebf53cef646d70058

SHA512
5f1a7265deb94e667e260f28c5da0bec585db51e6dbe72f37db8c38d766823cca063d5573c75a0b60cbdd74b0c6593ef87db1c43fd43b77a565834ff327bbb0c

Download Submit
C:\Windows\SysWOW64\Pkplgoop.exe

Filesize
448KB

MD5
9c3e2503b65ca88c7ecc4315c4c6d46c

SHA1
c9a6c53cde793f07f952d9e5656ea0ec4b583f38

SHA256
15a53ce6d9deafe89f29b619fc47f0268d47952b485a36ea4d20e1af0b439542

SHA512
4ba53a313b232d7935166daf155711963a34272149ed172e8f18155730d32b586316e740165307a1cfc6da0cadc7e89473462ab69a7c499b3fe4c7247409fa4c

Download Submit
C:\Windows\SysWOW64\Qfimhmlo.exe

Filesize
448KB

MD5
8412ff26b11a3cee6eb156e7448764ff

SHA1
515a480808417ff01f670b2c3a7b634affb1692e

SHA256
0d1857ec6ca5d442c1ba2daae641649a7a4ebe54bcd4e8709a6e8c503d98e750

SHA512
703c83db44d2f2b869f43dca1433c0a2562f41429796c757d5bfab4c2c217957735103d3a3b8972c9bc72a6cdc60fafbab0c2dad0fcc19144725e47bd868567d

Download Submit
\Windows\SysWOW64\Kgjlgm32.exe

Filesize
448KB

MD5
eb43f76fba940b451179858a1b89d490

SHA1
1f706f4702ef88da7a970087a8813909b3a83d7b

SHA256
3f5f05559bc5b5414d61ae050681e344b89419a469cabde1e25b2f61e79ae7b0

SHA512
4cb71bdfcb2b7b02c847b7fb08ab45198a8d253be48113c10e6674ba3388545e7bf856b7f8dd3a6d0b3735fa85b43103f0514504d6b08218ac0f7cbb18be3f06

Download Submit
\Windows\SysWOW64\Kkhdml32.exe

Filesize
448KB

MD5
94994e5fb230d673192bc1b8bbfac7bf

SHA1
e4977d1df7fd192d7a7775f64b88d9a99df7a028

SHA256
fc736d19c9d66ed9f10d39f12934f7957728040b929ca308dd30238b0d9ad199

SHA512
ce3b792a945377ceac042ba44f0ed1f9b32dc55d2c99dea4564172c6b93c9609ebae8711f3cae0b86fb40b4485ddeedbd57d38f5c8884a188b634814a672f06a

Download Submit
\Windows\SysWOW64\Lbbiii32.exe

Filesize
448KB

MD5
75c2db872211e28ac19df069d72b2b84

SHA1
d92025b9b30cf7a6029009da35caf6a0ff43def4

SHA256
36ac5979ef609d3f1022ba382d84c240291d278b76d56ce29710d2bb7363beb3

SHA512
a91244e1e1e142e43e321c301ad77cec41489b4636efb7cd619f7190a530e1bdf5febdd40eef817330b1739cb57af2c4998d90db87a4dbfc70b430f95c117380

Download Submit
\Windows\SysWOW64\Lbmpnjai.exe

Filesize
448KB

MD5
329d48f5e1c98c0fddb3f447c00d0d67

SHA1
13becd2c2ef261d9820a7a70b675112e17565604

SHA256
c8dfbfb4c8bc2a0804bb2ac3cff932bd63417f11a9a1dea589113dfc63c3c6f7

SHA512
360f687fdea2c1d9647189dd5282e3cac907ebb054e1a998a6df9ffd076a61c33dea4653a346868a9861ab56a974f5ffc92ecb8d44511c0bc2a94d9ec5e1cbb7

Download Submit
memory/696-235-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/696-234-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/696-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/696-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-318-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/876-319-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1192-156-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/1192-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-297-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1588-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-125-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1796-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-54-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/1904-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-198-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1916-276-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1916-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1916-417-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-184-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1924-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-310-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1936-311-0x0000000000330000-0x0000000000363000-memory.dmp

Filesize
204KB

Download
memory/1936-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1936-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-18-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-333-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2028-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-332-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2028-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-223-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2068-227-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2068-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-111-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2072-110-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2072-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-139-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2096-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-266-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2152-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2152-265-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2164-394-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2164-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-395-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2228-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2228-340-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2228-341-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2280-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-383-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2280-384-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2284-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-99-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2284-100-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2384-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-354-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2388-355-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2388-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-245-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2572-249-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2592-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-291-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2592-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2592-290-0x0000000000230000-0x0000000000263000-memory.dmp

Filesize
204KB

Download
memory/2664-209-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2664-208-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2664-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-17-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2808-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2808-377-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2916-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-363-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2916-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-362-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2948-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-38-0x0000000001B90000-0x0000000001BC3000-memory.dmp

Filesize
204KB

Download
memory/3020-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-71-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/3040-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads