cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60

Analysis

max time kernel
145s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe
Size

768KB
MD5

88193d53372d02ae042580d276ce6f7c
SHA1

41f61bdcfe0aff4b68c30cd46e9cad2deed313e1
SHA256

cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60
SHA512

0cb3dbe1400177ef4a8a1c033034cdc15f88587c47c4755f5c81474e106570a0f968b25a1d1e8dc987a119f8707d0811344cfda27008c34323b55b6072190c0c
SSDEEP

12288:VjhvvT6IveDVqvQ6IvYvc6IveDVqvQ6IvBaSHaMaZRBEYyqmaf2qwiHPKgRC4gvO:Vpq5h3q5htaSHFaZRBEYyqmaf2qwiHPX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pegnglnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmbje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbblkaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cniajdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noojdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkjqcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnkiebib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgocid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkmldbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Podpoffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdamao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liibgkoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkohjbah.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amglgn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkmldbcj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkfkidmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkjqcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalofa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdgmbhgh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnkiebib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjbjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amglgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdnkanfg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aphehidc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caenkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Admgglep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfpdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmbje32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkohjbah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okkddd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofldf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajipkb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdoccg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdqp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Binikb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmiolk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmjekahk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nedifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ockbdebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Podpoffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amjiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalofa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdfjnkne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldjmidcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odqlhjbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkddd32.exe

Executes dropped EXE 55 IoCs

pid	Process
2960	Kjkbpp32.exe
2668	Kmiolk32.exe
2684	Kgocid32.exe
2468	Ldjmidcj.exe
2444	Liibgkoo.exe
2496	Lkmldbcj.exe
1720	Mkohjbah.exe
2272	Mdgmbhgh.exe
1756	Mlgkbi32.exe
2836	Mdoccg32.exe
1000	Nedifo32.exe
2380	Noojdc32.exe
2376	Nkfkidmk.exe
1624	Odqlhjbi.exe
1672	Okkddd32.exe
1196	Ockbdebl.exe
872	Pdnkanfg.exe
1648	Podpoffm.exe
1740	Pbblkaea.exe
780	Pkjqcg32.exe
756	Pofldf32.exe
2332	Pkmmigjo.exe
1160	Pnkiebib.exe
1552	Pjbjjc32.exe
2528	Pegnglnm.exe
2308	Qgfkchmp.exe
1588	Qnpcpa32.exe
2572	Qfkgdd32.exe
2652	Qijdqp32.exe
2860	Ajipkb32.exe
2740	Amglgn32.exe
2476	Amjiln32.exe
1228	Aphehidc.exe
2064	Anmbje32.exe
2840	Aalofa32.exe
1952	Admgglep.exe
2292	Bjfpdf32.exe
1964	Bhjpnj32.exe
1956	Bjiljf32.exe
2372	Binikb32.exe
2240	Bmjekahk.exe
2096	Bknfeege.exe
1940	Biqfpb32.exe
1464	Bdfjnkne.exe
1820	Biccfalm.exe
380	Bopknhjd.exe
2896	Ceickb32.exe
2164	Ciepkajj.exe
2636	Capdpcge.exe
2132	Ckiiiine.exe
1920	Cabaec32.exe
2200	Cniajdkg.exe
2876	Caenkc32.exe
2560	Chofhm32.exe
2492	Coindgbi.exe

Loads dropped DLL 64 IoCs

pid	Process
2752	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe
2752	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe
2960	Kjkbpp32.exe
2960	Kjkbpp32.exe
2668	Kmiolk32.exe
2668	Kmiolk32.exe
2684	Kgocid32.exe
2684	Kgocid32.exe
2468	Ldjmidcj.exe
2468	Ldjmidcj.exe
2444	Liibgkoo.exe
2444	Liibgkoo.exe
2496	Lkmldbcj.exe
2496	Lkmldbcj.exe
1720	Mkohjbah.exe
1720	Mkohjbah.exe
2272	Mdgmbhgh.exe
2272	Mdgmbhgh.exe
1756	Mlgkbi32.exe
1756	Mlgkbi32.exe
2836	Mdoccg32.exe
2836	Mdoccg32.exe
1000	Nedifo32.exe
1000	Nedifo32.exe
2380	Noojdc32.exe
2380	Noojdc32.exe
2376	Nkfkidmk.exe
2376	Nkfkidmk.exe
1624	Odqlhjbi.exe
1624	Odqlhjbi.exe
1672	Okkddd32.exe
1672	Okkddd32.exe
1196	Ockbdebl.exe
1196	Ockbdebl.exe
872	Pdnkanfg.exe
872	Pdnkanfg.exe
1648	Podpoffm.exe
1648	Podpoffm.exe
1740	Pbblkaea.exe
1740	Pbblkaea.exe
780	Pkjqcg32.exe
780	Pkjqcg32.exe
756	Pofldf32.exe
756	Pofldf32.exe
2332	Pkmmigjo.exe
2332	Pkmmigjo.exe
1160	Pnkiebib.exe
1160	Pnkiebib.exe
1552	Pjbjjc32.exe
1552	Pjbjjc32.exe
2528	Pegnglnm.exe
2528	Pegnglnm.exe
2308	Qgfkchmp.exe
2308	Qgfkchmp.exe
1588	Qnpcpa32.exe
1588	Qnpcpa32.exe
2572	Qfkgdd32.exe
2572	Qfkgdd32.exe
2652	Qijdqp32.exe
2652	Qijdqp32.exe
2860	Ajipkb32.exe
2860	Ajipkb32.exe
2740	Amglgn32.exe
2740	Amglgn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mdgmbhgh.exe	Mkohjbah.exe
File opened for modification	C:\Windows\SysWOW64\Admgglep.exe	Aalofa32.exe
File opened for modification	C:\Windows\SysWOW64\Cniajdkg.exe	Cdamao32.exe
File created	C:\Windows\SysWOW64\Hdjgff32.dll	Bjfpdf32.exe
File opened for modification	C:\Windows\SysWOW64\Binikb32.exe	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Kpfdhgca.dll	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Ldjmidcj.exe	Kgocid32.exe
File created	C:\Windows\SysWOW64\Podpoffm.exe	Pdnkanfg.exe
File created	C:\Windows\SysWOW64\Bhjpnj32.exe	Bjfpdf32.exe
File created	C:\Windows\SysWOW64\Ciepkajj.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Mdgmbhgh.exe	Mkohjbah.exe
File created	C:\Windows\SysWOW64\Defhonof.dll	Pkmmigjo.exe
File created	C:\Windows\SysWOW64\Pjbjjc32.exe	Pnkiebib.exe
File opened for modification	C:\Windows\SysWOW64\Pkjqcg32.exe	Pbblkaea.exe
File created	C:\Windows\SysWOW64\Cblaaajo.dll	Kjkbpp32.exe
File created	C:\Windows\SysWOW64\Nkfkidmk.exe	Noojdc32.exe
File created	C:\Windows\SysWOW64\Ockbdebl.exe	Okkddd32.exe
File created	C:\Windows\SysWOW64\Dmknff32.dll	Aphehidc.exe
File opened for modification	C:\Windows\SysWOW64\Caenkc32.exe	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Hakhbifq.dll	Cniajdkg.exe
File created	C:\Windows\SysWOW64\Lkmldbcj.exe	Liibgkoo.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjjc32.exe	Pnkiebib.exe
File created	C:\Windows\SysWOW64\Qnpcpa32.exe	Qgfkchmp.exe
File created	C:\Windows\SysWOW64\Jggdmb32.dll	Biqfpb32.exe
File created	C:\Windows\SysWOW64\Hlggmcob.dll	Bdfjnkne.exe
File opened for modification	C:\Windows\SysWOW64\Cabaec32.exe	Ckiiiine.exe
File opened for modification	C:\Windows\SysWOW64\Pegnglnm.exe	Pjbjjc32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdqp32.exe	Qfkgdd32.exe
File created	C:\Windows\SysWOW64\Bknfeege.exe	Bmjekahk.exe
File created	C:\Windows\SysWOW64\Cbiphidl.dll	Biccfalm.exe
File opened for modification	C:\Windows\SysWOW64\Noojdc32.exe	Nedifo32.exe
File created	C:\Windows\SysWOW64\Pofldf32.exe	Pkjqcg32.exe
File created	C:\Windows\SysWOW64\Binikb32.exe	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfpdf32.exe	Admgglep.exe
File created	C:\Windows\SysWOW64\Ndjhjkfi.dll	Admgglep.exe
File created	C:\Windows\SysWOW64\Bmjekahk.exe	Binikb32.exe
File opened for modification	C:\Windows\SysWOW64\Capdpcge.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Pkjqcg32.exe	Pbblkaea.exe
File created	C:\Windows\SysWOW64\Pnkiebib.exe	Pkmmigjo.exe
File created	C:\Windows\SysWOW64\Ipippm32.dll	Anmbje32.exe
File opened for modification	C:\Windows\SysWOW64\Ockbdebl.exe	Okkddd32.exe
File created	C:\Windows\SysWOW64\Liibgkoo.exe	Ldjmidcj.exe
File created	C:\Windows\SysWOW64\Dknnijed.dll	Lkmldbcj.exe
File created	C:\Windows\SysWOW64\Qchjfo32.dll	Noojdc32.exe
File created	C:\Windows\SysWOW64\Bjiljf32.exe	Bhjpnj32.exe
File created	C:\Windows\SysWOW64\Kipdmjne.dll	Bhjpnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bopknhjd.exe	Biccfalm.exe
File opened for modification	C:\Windows\SysWOW64\Ciepkajj.exe	Ceickb32.exe
File opened for modification	C:\Windows\SysWOW64\Nkfkidmk.exe	Noojdc32.exe
File opened for modification	C:\Windows\SysWOW64\Amglgn32.exe	Ajipkb32.exe
File opened for modification	C:\Windows\SysWOW64\Amjiln32.exe	Amglgn32.exe
File created	C:\Windows\SysWOW64\Ipgfpp32.dll	Amjiln32.exe
File opened for modification	C:\Windows\SysWOW64\Aalofa32.exe	Anmbje32.exe
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Bopknhjd.exe
File opened for modification	C:\Windows\SysWOW64\Lkmldbcj.exe	Liibgkoo.exe
File created	C:\Windows\SysWOW64\Onchdkoc.dll	Mdgmbhgh.exe
File created	C:\Windows\SysWOW64\Mfhdke32.dll	Pjbjjc32.exe
File created	C:\Windows\SysWOW64\Qmpebb32.dll	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe
File opened for modification	C:\Windows\SysWOW64\Qgfkchmp.exe	Pegnglnm.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Capdpcge.exe
File created	C:\Windows\SysWOW64\Mpmmdhad.dll	Liibgkoo.exe
File created	C:\Windows\SysWOW64\Mkohjbah.exe	Lkmldbcj.exe
File opened for modification	C:\Windows\SysWOW64\Anmbje32.exe	Aphehidc.exe
File created	C:\Windows\SysWOW64\Aiffeloi.dll	Pegnglnm.exe

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkmldbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkjqcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amglgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalofa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldjmidcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkohjbah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfkchmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biqfpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbblkaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfkgdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphehidc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknfeege.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfjnkne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgocid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Noojdc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pegnglnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bopknhjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nedifo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockbdebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajipkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cniajdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgkbi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biccfalm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Capdpcge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caenkc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Admgglep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciepkajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chofhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofldf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjiln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmiolk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liibgkoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdnkanfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdgmbhgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdoccg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnpcpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmbje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmjekahk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhjpnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdamao32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjkbpp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odqlhjbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podpoffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmmigjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkfkidmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkddd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnkiebib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Binikb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amglgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"	Bhjpnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdnkanfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Podpoffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihjfjc32.dll"	Qgfkchmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnpcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnpcpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfkgdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liibgkoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlgkbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalofa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biqfpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onchdkoc.dll"	Mdgmbhgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipippm32.dll"	Anmbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Binikb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkohjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noojdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbglqg32.dll"	Pofldf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aphehidc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll"	Biqfpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbiphidl.dll"	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkohjbah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbblkaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbblkaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Admgglep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhjpnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcoljb32.dll"	Mlgkbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchjfo32.dll"	Noojdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odqlhjbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnkiebib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmknff32.dll"	Aphehidc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caenkc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjhjkfi.dll"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpfdhgca.dll"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dknnijed.dll"	Lkmldbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nedifo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofldf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pnkiebib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhdke32.dll"	Pjbjjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amjiln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dplclg32.dll"	Kmiolk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjhhm32.dll"	Okkddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ockbdebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Capdpcge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Admgglep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bopknhjd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhihab32.dll"	Ldjmidcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdgmbhgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmjekahk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlggmcob.dll"	Bdfjnkne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bongfjgo.dll"	Bopknhjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odqlhjbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkjqcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjbjjc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 2960	2752	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe	29
PID 2752 wrote to memory of 2960	2752	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe	29
PID 2752 wrote to memory of 2960	2752	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe	29
PID 2752 wrote to memory of 2960	2752	cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe	29
PID 2960 wrote to memory of 2668	2960	Kjkbpp32.exe	30
PID 2960 wrote to memory of 2668	2960	Kjkbpp32.exe	30
PID 2960 wrote to memory of 2668	2960	Kjkbpp32.exe	30
PID 2960 wrote to memory of 2668	2960	Kjkbpp32.exe	30
PID 2668 wrote to memory of 2684	2668	Kmiolk32.exe	31
PID 2668 wrote to memory of 2684	2668	Kmiolk32.exe	31
PID 2668 wrote to memory of 2684	2668	Kmiolk32.exe	31
PID 2668 wrote to memory of 2684	2668	Kmiolk32.exe	31
PID 2684 wrote to memory of 2468	2684	Kgocid32.exe	32
PID 2684 wrote to memory of 2468	2684	Kgocid32.exe	32
PID 2684 wrote to memory of 2468	2684	Kgocid32.exe	32
PID 2684 wrote to memory of 2468	2684	Kgocid32.exe	32
PID 2468 wrote to memory of 2444	2468	Ldjmidcj.exe	33
PID 2468 wrote to memory of 2444	2468	Ldjmidcj.exe	33
PID 2468 wrote to memory of 2444	2468	Ldjmidcj.exe	33
PID 2468 wrote to memory of 2444	2468	Ldjmidcj.exe	33
PID 2444 wrote to memory of 2496	2444	Liibgkoo.exe	34
PID 2444 wrote to memory of 2496	2444	Liibgkoo.exe	34
PID 2444 wrote to memory of 2496	2444	Liibgkoo.exe	34
PID 2444 wrote to memory of 2496	2444	Liibgkoo.exe	34
PID 2496 wrote to memory of 1720	2496	Lkmldbcj.exe	35
PID 2496 wrote to memory of 1720	2496	Lkmldbcj.exe	35
PID 2496 wrote to memory of 1720	2496	Lkmldbcj.exe	35
PID 2496 wrote to memory of 1720	2496	Lkmldbcj.exe	35
PID 1720 wrote to memory of 2272	1720	Mkohjbah.exe	36
PID 1720 wrote to memory of 2272	1720	Mkohjbah.exe	36
PID 1720 wrote to memory of 2272	1720	Mkohjbah.exe	36
PID 1720 wrote to memory of 2272	1720	Mkohjbah.exe	36
PID 2272 wrote to memory of 1756	2272	Mdgmbhgh.exe	37
PID 2272 wrote to memory of 1756	2272	Mdgmbhgh.exe	37
PID 2272 wrote to memory of 1756	2272	Mdgmbhgh.exe	37
PID 2272 wrote to memory of 1756	2272	Mdgmbhgh.exe	37
PID 1756 wrote to memory of 2836	1756	Mlgkbi32.exe	38
PID 1756 wrote to memory of 2836	1756	Mlgkbi32.exe	38
PID 1756 wrote to memory of 2836	1756	Mlgkbi32.exe	38
PID 1756 wrote to memory of 2836	1756	Mlgkbi32.exe	38
PID 2836 wrote to memory of 1000	2836	Mdoccg32.exe	39
PID 2836 wrote to memory of 1000	2836	Mdoccg32.exe	39
PID 2836 wrote to memory of 1000	2836	Mdoccg32.exe	39
PID 2836 wrote to memory of 1000	2836	Mdoccg32.exe	39
PID 1000 wrote to memory of 2380	1000	Nedifo32.exe	40
PID 1000 wrote to memory of 2380	1000	Nedifo32.exe	40
PID 1000 wrote to memory of 2380	1000	Nedifo32.exe	40
PID 1000 wrote to memory of 2380	1000	Nedifo32.exe	40
PID 2380 wrote to memory of 2376	2380	Noojdc32.exe	41
PID 2380 wrote to memory of 2376	2380	Noojdc32.exe	41
PID 2380 wrote to memory of 2376	2380	Noojdc32.exe	41
PID 2380 wrote to memory of 2376	2380	Noojdc32.exe	41
PID 2376 wrote to memory of 1624	2376	Nkfkidmk.exe	42
PID 2376 wrote to memory of 1624	2376	Nkfkidmk.exe	42
PID 2376 wrote to memory of 1624	2376	Nkfkidmk.exe	42
PID 2376 wrote to memory of 1624	2376	Nkfkidmk.exe	42
PID 1624 wrote to memory of 1672	1624	Odqlhjbi.exe	43
PID 1624 wrote to memory of 1672	1624	Odqlhjbi.exe	43
PID 1624 wrote to memory of 1672	1624	Odqlhjbi.exe	43
PID 1624 wrote to memory of 1672	1624	Odqlhjbi.exe	43
PID 1672 wrote to memory of 1196	1672	Okkddd32.exe	44
PID 1672 wrote to memory of 1196	1672	Okkddd32.exe	44
PID 1672 wrote to memory of 1196	1672	Okkddd32.exe	44
PID 1672 wrote to memory of 1196	1672	Okkddd32.exe	44

C:\Users\Admin\AppData\Local\Temp\cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe
"C:\Users\Admin\AppData\Local\Temp\cda6f90ecdec00c5d4fe68278a521e5a3770b683484ceb4b72f53d1698b7cc60.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\Kjkbpp32.exe
  C:\Windows\system32\Kjkbpp32.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\Kmiolk32.exe
    C:\Windows\system32\Kmiolk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\Kgocid32.exe
      C:\Windows\system32\Kgocid32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\SysWOW64\Ldjmidcj.exe
        
        C:\Windows\system32\Ldjmidcj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
      - C:\Windows\SysWOW64\Liibgkoo.exe
        
        C:\Windows\system32\Liibgkoo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Lkmldbcj.exe
        
        C:\Windows\system32\Lkmldbcj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Mkohjbah.exe
        
        C:\Windows\system32\Mkohjbah.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Mdgmbhgh.exe
        
        C:\Windows\system32\Mdgmbhgh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Mlgkbi32.exe
        
        C:\Windows\system32\Mlgkbi32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Mdoccg32.exe
        
        C:\Windows\system32\Mdoccg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Nedifo32.exe
        
        C:\Windows\system32\Nedifo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\Noojdc32.exe
        
        C:\Windows\system32\Noojdc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Nkfkidmk.exe
        
        C:\Windows\system32\Nkfkidmk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Odqlhjbi.exe
        
        C:\Windows\system32\Odqlhjbi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Okkddd32.exe
        
        C:\Windows\system32\Okkddd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ockbdebl.exe
        
        C:\Windows\system32\Ockbdebl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Pdnkanfg.exe
        
        C:\Windows\system32\Pdnkanfg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Podpoffm.exe
        
        C:\Windows\system32\Podpoffm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Pbblkaea.exe
        
        C:\Windows\system32\Pbblkaea.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Pkjqcg32.exe
        
        C:\Windows\system32\Pkjqcg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:780
        
        C:\Windows\SysWOW64\Pofldf32.exe
        
        C:\Windows\system32\Pofldf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Pkmmigjo.exe
        
        C:\Windows\system32\Pkmmigjo.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\Pnkiebib.exe
        
        C:\Windows\system32\Pnkiebib.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Pjbjjc32.exe
        
        C:\Windows\system32\Pjbjjc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Pegnglnm.exe
        
        C:\Windows\system32\Pegnglnm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\Qgfkchmp.exe
        
        C:\Windows\system32\Qgfkchmp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Qnpcpa32.exe
        
        C:\Windows\system32\Qnpcpa32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Qfkgdd32.exe
        
        C:\Windows\system32\Qfkgdd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Qijdqp32.exe
        
        C:\Windows\system32\Qijdqp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Ajipkb32.exe
        
        C:\Windows\system32\Ajipkb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Amglgn32.exe
        
        C:\Windows\system32\Amglgn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Amjiln32.exe
        
        C:\Windows\system32\Amjiln32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Aphehidc.exe
        
        C:\Windows\system32\Aphehidc.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\Anmbje32.exe
        
        C:\Windows\system32\Anmbje32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Aalofa32.exe
        
        C:\Windows\system32\Aalofa32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Admgglep.exe
        
        C:\Windows\system32\Admgglep.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Bjfpdf32.exe
        
        C:\Windows\system32\Bjfpdf32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\Bhjpnj32.exe
        
        C:\Windows\system32\Bhjpnj32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Bjiljf32.exe
        
        C:\Windows\system32\Bjiljf32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Binikb32.exe
        
        C:\Windows\system32\Binikb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Bmjekahk.exe
        
        C:\Windows\system32\Bmjekahk.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Bknfeege.exe
        
        C:\Windows\system32\Bknfeege.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
        
        C:\Windows\SysWOW64\Biqfpb32.exe
        
        C:\Windows\system32\Biqfpb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Bdfjnkne.exe
        
        C:\Windows\system32\Bdfjnkne.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\Biccfalm.exe
        
        C:\Windows\system32\Biccfalm.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Bopknhjd.exe
        
        C:\Windows\system32\Bopknhjd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\Ciepkajj.exe
        
        C:\Windows\system32\Ciepkajj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Capdpcge.exe
        
        C:\Windows\system32\Capdpcge.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Cabaec32.exe
        
        C:\Windows\system32\Cabaec32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Cdamao32.exe
        
        C:\Windows\system32\Cdamao32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\Cniajdkg.exe
        
        C:\Windows\system32\Cniajdkg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Caenkc32.exe
        
        C:\Windows\system32\Caenkc32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Chofhm32.exe
        
        C:\Windows\system32\Chofhm32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalofa32.exe

Filesize
768KB

MD5
3dcb16a92d3120280d35da6984183cfa

SHA1
5250400df033d60610869f7a6fe884b193b78542

SHA256
e59d9c27b100aecd452e61dfe30b8f37cec159e54ae4d49db9d8155a164664a1

SHA512
1e70612c869554b2db1c123d4f89e8b479adb5a7b72a05c029d0fe72551497cd931287ebd93ee031d0e8914ad66a6f3e2f8e9a21000e7cd009fc08575b6e95b8

Download Submit
C:\Windows\SysWOW64\Admgglep.exe

Filesize
768KB

MD5
5a2a3ab744c606480549813fe9583b6e

SHA1
e031ad2c3ecd2503140eaa085bf5cb93f87b8549

SHA256
a8c7d2cb2dfd00b4a42b92956e989985039cb638713f23b1dd42074661c286f7

SHA512
059b01fce68ecb416d4b800b0113cde0185e2db0b1312bd6dbcfe43e7e3e5514979182452e9bd031f0943110e4afdc2416bdbe40ae4a55cc203338c1415ce9cd

Download Submit
C:\Windows\SysWOW64\Ajipkb32.exe

Filesize
768KB

MD5
48a1352b00d747510e4b6aac53858242

SHA1
5155b5667cbec24621a392f891f6f504075a185a

SHA256
efbd76c86645c70875d4394e85e1b595645e2533c3389b11558e9f0b659f3c18

SHA512
c4f01582e1fafb0a7ab8078328db727a06dab52d27c7f74caa6a2cde67fa3730d1f6fa04dad81e457721b42c014b7e175babd988b741f1e3cdfd69aeb82cc769

Download Submit
C:\Windows\SysWOW64\Amglgn32.exe

Filesize
768KB

MD5
77583870bd604f88158b28970e4d86cb

SHA1
a14a832b6b641464b7cc06f5ad6bb1744ddcab41

SHA256
44b39f914753b133fbcb7739a3bdd4f4ca81b4e63dcadc3d40e1edd639c831bf

SHA512
50edbb68b1b0739661d9822c1d5546368c9ffd07925e4a418aba718e542e519aa562464d8bb7ca34482be428f9930a9e733f7892331210734687e65820776c8b

Download Submit
C:\Windows\SysWOW64\Amjiln32.exe

Filesize
768KB

MD5
a12d2ce365741203feae24711377bbd2

SHA1
9f1972bc6db8df2e8e757d9c19a7124f0800a38c

SHA256
730caab7d1c2a6353eac034a7df0bba89f5bb40bbef9dcec22f229eef4ee4c86

SHA512
764c0ee415aa024814b1727dc238041f8d8d6a6d79ba8f7c1a67de7ec42ac30f5e067a1b771be3af9b5e8e0b13a53b2534a7575f5b5e9bdaed790ab6587fb4f9

Download Submit
C:\Windows\SysWOW64\Anmbje32.exe

Filesize
768KB

MD5
2c104f7b95621ab213db68b97d15b71c

SHA1
02eddb73685f5b346b9524e7e8c64d52010e2617

SHA256
3e50c459003e295b751dd4c461543075968d1a9dd79465d3986c96d2d2d00ecf

SHA512
e6482e929384e8e697e60fe0df7f59d4108ae66f891c8fe08adebe35ddcc3655798d5669cf5328a6274ea5cfbd9d91b73f97ca49e405a64bdc12220ceba80028

Download Submit
C:\Windows\SysWOW64\Aphehidc.exe

Filesize
768KB

MD5
1180b6d3547b5a05964bb34c812e9eb7

SHA1
b8169ed94d82fe380f4191d7dcfde958ef37910e

SHA256
3f922375ae827b196731cc8e4646ce1be6213e9dc3c77429eff8eeacd65c9c3e

SHA512
33e4cb0a4ab8f517f0c7a3b5840ac88d428fe6d7ca2e74e02e898bfa171fbfa22557cc8b5627f22cd943dda1f17b005e1e56bb926389ab2c42e84dd322e33e14

Download Submit
C:\Windows\SysWOW64\Bdfjnkne.exe

Filesize
768KB

MD5
fcd08697b2eafda14cf470f8785bc149

SHA1
eb34e85cf87a00dcb38e634d7b9e75f6f7f14014

SHA256
70d6058dc4ab22b6335fa248faaa3cc2094955a423605ccf9c2736dbc22afe79

SHA512
d010ff5589c6d1ccd4ec1c2de8e85e2a3133734e62ade53e3318b20b9d91550d3e13b780585b6fcf8c78d280ae0a9ac2266be46d0c279e49d4c8fcc24ea8f3ff

Download Submit
C:\Windows\SysWOW64\Bhjpnj32.exe

Filesize
768KB

MD5
9dcf7fe1857ebc8cfd248e5fe4df4c82

SHA1
e88b5225668973c786a1a103642756cc4d64b644

SHA256
46ba302af5035bc83e4bf793082d582558444dc2c95e78e94ec4d181f5095361

SHA512
64bbb81b4c308e3add736e453070cf6b40d169bcccb133a7669356664d2512b5b39992832dd9b04b4d4fb4ed9288983b31bcfd302c6594126594a9d9a1c3d4d3

Download Submit
C:\Windows\SysWOW64\Biccfalm.exe

Filesize
768KB

MD5
f8efa241c05cef51b74952d595bc5bc2

SHA1
088536ee292d55216007737c5728385aa500003e

SHA256
8dee76e65c4ac29f520993b88cf23d88b1c5d50916e8dbaf7b9c70c292867837

SHA512
9421e7abd0630db50433766e84bb1eda14c6aa0d12055ffe8f58a409ac99e5d809ba6f5bd1303e084fd9018994ef3f9b2cc67265d45f18d00602960804310db3

Download Submit
C:\Windows\SysWOW64\Binikb32.exe

Filesize
768KB

MD5
97f4469329d8692f61483153df3d4ec7

SHA1
030c2716c0bd106f1b53bd95a0a2f845797e6f86

SHA256
656ac4228f4b8b154dbe00082538e167298c0d52291fa82e3a0cf484a84a1348

SHA512
051f13ee91407af638bcd2feb8f5a31f8bec395741add07c351726499aab70d6f6969c564c65fa3e2ab0363e2e4fea5a3f1dc2b4078b62cbff4b42626110a070

Download Submit
C:\Windows\SysWOW64\Biqfpb32.exe

Filesize
768KB

MD5
a7608a2ca536ae699611d832709abcee

SHA1
5e7159d706503bd77213f62e7d768e6b4e93b2d0

SHA256
ea6ec3bfc2dfcccb8381a0430fbd9e051046acdc248990d603a3fdcb83f53560

SHA512
57818824f29c4fe7bba199ace04f23bd828ebddbf1e168d1b3dcff1b6ae48410fa0cf16b62aa72005c3bba014bec32332e6026355812e1ded8bd9c82710bed45

Download Submit
C:\Windows\SysWOW64\Bjfpdf32.exe

Filesize
768KB

MD5
6e605b994c16ffa8c3e195d37258c01c

SHA1
58da16ca501dfa1a4864e48d46cebfcd9b450343

SHA256
9c8998d716f9823f240f3ee672806b0ba871b535a4c9f7f22bfdfffad883bb40

SHA512
d5eb2c0a65b480571a1ae531a0ebf2a7dd60a488f353c1c92c3fa6e05d58629d5a685510e5f1af4815f2dce29497176026fab2fd06edd32c16ac90b00f7826b9

Download Submit
C:\Windows\SysWOW64\Bjiljf32.exe

Filesize
768KB

MD5
8267bfc58ffdf682a82a985d5a4186a9

SHA1
ef0ab1a0ad53e2cefbbbdcfc1902a3241afc065d

SHA256
18c9a522f51b5d39822f8b0bef181d48a9ac84b4c759d2363d8e811be82beb38

SHA512
e471887cc32eaaf8e2bb65169f74a5bb85defddbddcf731b0b84ab6b3e0d45ff0dcbd89cbb295cd7b255778813f0d02a26caa3d4f136b87407434ff54856929c

Download Submit
C:\Windows\SysWOW64\Bknfeege.exe

Filesize
768KB

MD5
ed7135256ec39b7bb7e552b52da56969

SHA1
f6081b1c08bb4947e745d960d09bcbfc4cf13a9d

SHA256
2a3abfcc7895b6cbad7b8ce1470c7c691a98faf61dc2dfe3a8044a042359781a

SHA512
048a3eafe14e59f6894d29fb79a00d243f382db48becd3864d82585cde79c358404230014aad443aff04ad76a41326b4d4ca0a06932b563f5d369e776fc7ce03

Download Submit
C:\Windows\SysWOW64\Bmjekahk.exe

Filesize
768KB

MD5
4a3c4b02be51c6c8c3475cd4a318bd34

SHA1
ee547bb91f755cf35823c65d0f7e6a79d6e60cbf

SHA256
dae468e3e75face18b53f011f81ddd40626db3711189ddf380e02c8599b91db4

SHA512
174147580d5def335ffa6e2ca2bc1e2a1beaafdf2ebe5bc8269066403c91b57b261a8d47048b4771281b08301fcf32c3417d68b5f7031e0050ff9870ad0b8794

Download Submit
C:\Windows\SysWOW64\Bopknhjd.exe

Filesize
768KB

MD5
bc58e7051305c8c92ed4bad232d41cce

SHA1
dc71890ace882c581ea86ee1c2598be83dc1ad2b

SHA256
0baca311943830cf383111d4961b2d339e64c142605960bba8ef6e4fcb3d980e

SHA512
a021fbf530342e2d70a95558993fb0b6a595b47622c0ad38c2a4d5db78d83628cdbb2d40d9ac73d9860b7eb88912b97c3803a6db22c9858d7f7956c43c963c07

Download Submit
C:\Windows\SysWOW64\Cabaec32.exe

Filesize
768KB

MD5
ec4361d47642759de50545f8dbefdd49

SHA1
fba7184b2aee33c88f34c8ff1e914755e04e1753

SHA256
57e0ce5f7b8ed0b5f19b08a77147c5d65e9b3680993ebacf42311aa9b21ab7e0

SHA512
a63488827d3260d858dad2c259520b28af3f09453011d582d447ac35d6f88b14b2e45b797ddbd7fcd02026c3c16cd1a454e2275c7eb9ece23fa33f4640687f21

Download Submit
C:\Windows\SysWOW64\Caenkc32.exe

Filesize
768KB

MD5
6a934fb9560584a535770d02839f68d1

SHA1
63701f180ca3a82ca8b19c897b00a0360d6142e9

SHA256
10ade4f2b9586fbfd9942c2da5b91c52dcc5d3fc19ee0f49e65b346956ccb279

SHA512
3d28f9640d27d8c0c7d5dea0545e4a0f1dad4ec4870061c8fac6bb9c059c59d3f85961d558e87895c1b95f0368d4627062dbb8bcbf3adc96b7d24edd98143ec7

Download Submit
C:\Windows\SysWOW64\Capdpcge.exe

Filesize
768KB

MD5
a4641bda5ef13910252986b0c3f45979

SHA1
deb610a3a634d9885ee579258dd591aceb50a1ea

SHA256
2dc7f8cae5e93981d071ccb267f8101f165691d67cf0af966a16f8ede595f693

SHA512
b16d4993dc88da0d63d1f81254cc1d3bd5bf6596c225c6660bb6884fc395a8524f87db3d7a21fa04f8a9fa6df68feec6782a5474397bcc2b04654dfbe3a8ea41

Download Submit
C:\Windows\SysWOW64\Ceickb32.exe

Filesize
768KB

MD5
21fab6f83ecbe92ea4f36b69070bf9cc

SHA1
a602922a5ab6421bc72a6126b738edd4230e5e75

SHA256
7949b5aa449bcf6591ce8b34d6f528e49a90a0e255ed52dd7244c6d91cefcf68

SHA512
2b9f178a207496896833045deba4a23a0000e2a437c7581958770536471633228990aff118ed736f5a2b1c06a138a25e33571a9a5cba656a01a15e18a04150f8

Download Submit
C:\Windows\SysWOW64\Chofhm32.exe

Filesize
768KB

MD5
a2d772a56489a26016db548db3657372

SHA1
6192e59ec7a0eac1676ccec5125427cf181685fe

SHA256
04101bf77423e12f25853a768b364e31190d50c89ab529249ceb637ddbb15492

SHA512
a37d43267d9a67c857697d046ee97345d07d220ea69f9b85868eed454a60f5819cfd26284e01ff5ce65e3d6b4599697843d006d1a4da07937e4308a9243fff47

Download Submit
C:\Windows\SysWOW64\Ciepkajj.exe

Filesize
768KB

MD5
b020c263a557aeba7b19a0117bb009d4

SHA1
06e3d13495721309df562fe6bb20619845713e91

SHA256
1a50b7a221d49eb8d3cad761ca805a531aaf8c982e0a31e5264a1c66f0cb7c29

SHA512
606470c16f7ddadad7141609dd0d331e71dcc31e47c9fd5cbb73d479f141cc576f47ea1f801a85c1ea8a735bf7455836eb010355ce09c92c03eac11cb0f4ed50

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
768KB

MD5
361024d6166c2d109f44699924e78a2c

SHA1
041848d7eadb364e3c89f8d83c2ebe9be9a89299

SHA256
de920101c4334c1a4c14856facbd498d353511b269a43d2a585af0a3e9ddd150

SHA512
5e222968cc21c7dad7066ab5d2370a7491f62e681cbd8b0f95c462fbd4d41206a643b766cb4afd2c5ac64bec6a2c0e209efd63d7fd462b933462f43165ceee73

Download Submit
C:\Windows\SysWOW64\Cniajdkg.exe

Filesize
768KB

MD5
91a914535e08f41f70cd619ffcd4beb9

SHA1
fd07bd51292a28f0d55d667f6304e169ee9f874e

SHA256
f8511ad442cba7173f0cd7ed7daae460df937a9900bd8dd2daa839fffd380e33

SHA512
28d6d5a7cfac0d05d39cf2cc5ee82ef39a3bdf371d887bc9e265360fdec4401723b360ea451a4e0291f19ac341f3ac540d4adf7091e5bc3b590dcfc4d060a9bf

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
768KB

MD5
6dbd0f423228af646271971b7456c297

SHA1
c67ad6063436c71b4389cb3c63068cf38bed5721

SHA256
2d2c51ba948f02cab3b5ed184ff7eddaa8ff763634fe49c51e90764472cf492d

SHA512
4eda207da973982ca56e60fd5bc0bebc5326f58bd3c4d74f607406a9adb7bd85f4b379dfbfcc39b53e32df267a96d866713706ebbf13b9d9be4ddd25487e645e

Download Submit
C:\Windows\SysWOW64\Kgocid32.exe

Filesize
768KB

MD5
a33f0dde6891ec723bba5732df8b9663

SHA1
3e65df92efd6b76f40840d5488f8420c2ab14af3

SHA256
a96562de6e1951a5fdd5684d9d0f362945f45399cf8a39a0f5ae2e9e2ba7df1a

SHA512
d154e0e14481122021018ca593b79fa89ed5b967a6b3290b64dc3e4334ff5156ec541ed223725a76c7b5946402d0d1ded4fca618174f2cbc1f4bb53c34a98778

Download Submit
C:\Windows\SysWOW64\Mkohjbah.exe

Filesize
768KB

MD5
efa6d1c3ad88b95bf5d591b87f79df47

SHA1
1e61b8de9480a346166ffdfe287263113da10a53

SHA256
90236955aaba6fe5a98837d3412455f717ace5e43529490a7195db17f404e1e4

SHA512
1a06df23c891740b6e158bc4b34c418eb60a780a241606677b77919776287e311f62aed561b506630f5c23826230b63e2e8ea09ceb2e32aa5569471010cab5a1

Download Submit
C:\Windows\SysWOW64\Nedifo32.exe

Filesize
768KB

MD5
78a9889ace65f8077b0023491baf3db3

SHA1
b1a357198fb477854939ea764d82e26c0b87558f

SHA256
7b41ddda63110c306af7ca9b40afffa4865d377843ece0ad57852c803bcb8a9e

SHA512
b5fb021a2d8ad5d55066968a1dc98a52952b712bee63e631a5a6afe7631a990a325d7cb079aa1702baffd0a7934cc459cb1f718dfb1592ed605029393f235776

Download Submit
C:\Windows\SysWOW64\Nkfkidmk.exe

Filesize
768KB

MD5
de933dc4a661388a862ee0bd196e853b

SHA1
b0e8ce27eda54768cb289157e126828ef7c8e630

SHA256
49d51a800b3cc2d104ec447372c35ba9b7d53aef8679a68b9d86a1a58dcf6e74

SHA512
c008d665aa7427843b782b17c60a69814c9b6b89374a448adfed76440bb229ec508f9c4fa823363662af3c64114fb24ad945c10999613c2bc461a97f920693fa

Download Submit
C:\Windows\SysWOW64\Ockbdebl.exe

Filesize
768KB

MD5
8c015c315ffb50de5c1e8ae068938db3

SHA1
c606ea0acb9ddf8149fae82c603df7c7dad15b42

SHA256
8cf557cb96ae359bcfa57c19997dfdfb47aab40e7bbecd01a7166eb726cceab9

SHA512
576de6534cfed0a31b5e916b77c28039503c9596fa6754b731210cc748f2d90ea4a42e3f6c3846a3a40843e028f79d130a4659c5612c68fafb9aef382b6b3668

Download Submit
C:\Windows\SysWOW64\Okkddd32.exe

Filesize
768KB

MD5
a1d12446c694d771dda0e793485634a4

SHA1
e73fda07d302841677b4960e767fd7e62aa5b01a

SHA256
b7eac563036f7025e765d623828648d958c2ab4186fa6e0cb00a008c5ef9590e

SHA512
88d64b99ab6dd5a027d7ae7f65ea998d93c4702b7ca82f978416863a2d3e3be1046eaed3e2bd2c0f5cf6ca8551f1354dd8deedf21655ce7a885fd263e8aa0f66

Download Submit
C:\Windows\SysWOW64\Pbblkaea.exe

Filesize
768KB

MD5
a526164e2eb35d1b4cf48237e97cc52a

SHA1
a5a8778af6b9b9b6425acb27bb142b11093aa74d

SHA256
83933fcf477a7bec2c542a2182a2ec155b5fc87674e763c48f6f24a55b569952

SHA512
c27ef7529cf3dd0ac7253fae989633ff2c69f32c20379c864cecd9e16803894f43758c3b84c190ae6d07f87a9649006c2d7c6b0016550cb5d604768583c92076

Download Submit
C:\Windows\SysWOW64\Pdnkanfg.exe

Filesize
768KB

MD5
23855424297dbd3ee8c921a9fd9e21d3

SHA1
9c75b8d1b5faf5744d2c8132c39cc8f1dad8c413

SHA256
384ff1bb2eaaaef5f4ec3988a747965f78f00d6e03d57b383d8924a7370948d0

SHA512
bb86613300f3bc7c0ed99748c58335c30c4e46af7ecffa4eeb5772f064f539a3122cb473c28ecbab15102f0c4b3fd1b0a72534d111707a274e9515acf616dd4d

Download Submit
C:\Windows\SysWOW64\Pegnglnm.exe

Filesize
768KB

MD5
9acb30869b6e9e884e263785481e337f

SHA1
838f12f25b279a297a39df68da6417d9eff0cd43

SHA256
87f92df25e93734f325dcbd5523b27ac34190ebead255c2902170dcb36cef036

SHA512
0b416e96067095557a94cced90e36c5e73db36d6f18eaf479dcfa4a63dfa046c19c8affbe374bf0c61a1ef5a41f578429f8aa7c4a71b5d70d04f05bd3961bece

Download Submit
C:\Windows\SysWOW64\Pjbjjc32.exe

Filesize
768KB

MD5
f1622121d852dac44eccd45e41eb3782

SHA1
a2a9471c36f64a57da52080fe3516944387e820d

SHA256
8155a1827f900714348f8a601db1560dd42f9bf322d8e2d8840dc5582b000d66

SHA512
2f2413761c35a98bcd20e8eee32ba6a835ccfe743cc8fea82df6ac417779f18f8c6d655b0bc745bfb1b923158adab06466e5af0394b0b956508091c7bc7892b5

Download Submit
C:\Windows\SysWOW64\Pkjqcg32.exe

Filesize
768KB

MD5
5f54d0604ec5ebff830f98fa9361dab8

SHA1
3b9c0727eab6c80c11c28b2686724fa478e9e473

SHA256
d2f3bd0d9ef99e079c414fb552a72cb39226217eb8555ef76442bd8000069f27

SHA512
deabf33674689ec89ba450b4bf56adb8606cfd97b9b5626881dd53c690eef519da9a0278d304c9e5195af6f7e6ca69952f51a2ab5dbffe9a62f8b73d7a2721ba

Download Submit
C:\Windows\SysWOW64\Pkmmigjo.exe

Filesize
768KB

MD5
0745f1ccf6c9c8030744c7e8a366a3d0

SHA1
9261d8fd879ef814fbd7e7260e6a637a138e34d4

SHA256
377eddeaf139368626165b9c8ffee2b26aa13a200570c9a81543eff74fc4d0d3

SHA512
71366aa74ba5e58d7ac6ef2a2a4809efaf9e376aa46fafe1f9fb23f78b4b5dcf32e3ff1b57cac5769d0a7e9abeedd1f84fb7c17b2e87f9a29eb2b4f1784ad56e

Download Submit
C:\Windows\SysWOW64\Pnkiebib.exe

Filesize
768KB

MD5
0690121c08fdfeb0f916279979e6c28d

SHA1
fd9e8987c247251e624511907629cf7164dae89a

SHA256
131994cece08ea31f66555e27c126eef191c6b3240adce7f0b020d7646813f0e

SHA512
aa3a38a07950ee97384ba90d69c34b5260a12d546239acb1b245b2483ff0294293ed1b98dec48d7fad3efa8355d3c367b092170f453cdb70f38c7df65b842c41

Download Submit
C:\Windows\SysWOW64\Podpoffm.exe

Filesize
768KB

MD5
a6aa80c9ef564ece71df17bfcf361d6b

SHA1
593d7aca377893549dde80c80554b9716bfa4795

SHA256
efc1b01bdb1967b2cdd07bc68b24fbe8315706fbec881952d46fbbb19d468a25

SHA512
c754295fc0ef3c1edff98eafc9c4d2aa50076005179af05e2b46de37dae8d24d2795432692ca42b0c9c054a3a32b7ff62e00e606a8f8df692ea50abc86fbd550

Download Submit
C:\Windows\SysWOW64\Pofldf32.exe

Filesize
768KB

MD5
3bfd06d38f301e804ebe6a9c3efba602

SHA1
baa88436f51e8e53b21f2ebe1da9bb94be66aaad

SHA256
59a6489dbf0cddf79b3f8b0748dd3f6a15c1663116534139b0503c7cedff4216

SHA512
bb48ce46b3e50c6b004715825b78c2383b95284200ee929ea334e60902ed7772e1814c91d5e14abc46a8bea3e8cb6b65042a73fe2b23dc892428053c6096a856

Download Submit
C:\Windows\SysWOW64\Qfkgdd32.exe

Filesize
768KB

MD5
9a1c05048aefb19b41c35121f3e0e746

SHA1
96fe4caf45313b20d9db73feccd23f92565f3225

SHA256
282b2053fae4094447745e7fc7034a45698a996a42db9e48cce7c1a29b10d626

SHA512
fc8ddf3677010e25cb60a72fd6d6774757f0eba6a4e89d4763bdfc1fa815dfc42a4ca7b26df3c083b3a06d8e8f1849106dffa60cbe91d06fc7131e52a8aa4e61

Download Submit
C:\Windows\SysWOW64\Qgfkchmp.exe

Filesize
768KB

MD5
7107438b06aa26279f2b39b08d028072

SHA1
a09480266ea4e647bf2f053595ab67a56745c98c

SHA256
17368778e2dd1416b6b0769a59fa9ac9a09aa697d2aba7f45cf8fe13cc0d054d

SHA512
807926e8e85355dbc5f8555ff48347f4ae4b349e38864dd45233819f9294b396a58fc139fbbf4151544228cfc2d3d01e17c98e4879cccbde9c847ce0ec26dc5d

Download Submit
C:\Windows\SysWOW64\Qijdqp32.exe

Filesize
768KB

MD5
702f300b6c86fef85cca0e529b28eaa3

SHA1
bce0fdaaa1a6e5f8836895c6939a2d8c5273ed57

SHA256
c6f241914848a76c14b78511b45f358f560796dd5b5743fb558185d4365e613d

SHA512
e94827da92cc9f68d30d6dce2131cb0d6b6139a67f18a30892007275ae353e9d9df121c63c0bb5cc93a927d133a313eb7bdca840c509cac3432d7682b89cfafe

Download Submit
C:\Windows\SysWOW64\Qnpcpa32.exe

Filesize
768KB

MD5
4db4ff30f50a5cb624f26977c3d3c4b8

SHA1
639f999ab48b3783f1162679b4db0cdb68c3c5a3

SHA256
06f527e5fabc66cfa35b79db7ff5a63416e0654b30e36ccd9a9a7f6c4f781538

SHA512
6d43ac5c77c1dbbba0dccfca3f95e1206f2bc12a0f6aaa30b3ac7626f530443ec826cbd8ed7e25e8b63d7c8b7814736b3b679dca79282fa67bf2f7def52a3fc1

Download Submit
\Windows\SysWOW64\Kjkbpp32.exe

Filesize
768KB

MD5
c98138f009741a9f0203a9416785fbc0

SHA1
3ce3d2ec311e68e1b6133f76adb5c3005a9fd443

SHA256
db75d1ae5edfbc5e654309751956eb16e7c82f97204bf0c13290a27b5348efbf

SHA512
7a0843ae70116403ca78528a04025ac20f9887ef67c37534a56047d1475e0281a43ad926a262e48b9eda82db66fca7b7c108f35127626e3491b52860fafbbe5f

Download Submit
\Windows\SysWOW64\Kmiolk32.exe

Filesize
768KB

MD5
5c42020c7d3ed09fad2b3525b41fda18

SHA1
8eafa0d1650c77a3b327f9781aa9f75711f3f483

SHA256
8c77e78477128d7cae0b145b22df1e41b7a527e63d15f315143848fad5f56373

SHA512
47dea51414598e210c1f69d84147f3566cf48c64d82525e2234814e9c4d66854293c749a902fdbce1a2147e2e91cccaa5284c22a96c25c1888dd2a8fa04ee123

Download Submit
\Windows\SysWOW64\Ldjmidcj.exe

Filesize
768KB

MD5
8a8d9e2e627bc785b58669e77e79955b

SHA1
111e458e811e8c2ddafd2a6c7fab5ccc2af03bbb

SHA256
9b8ce14a1d9ca54e43db534204985225ea2add9808cf34984629fdc5ca4c7364

SHA512
1fc967ded530f6900d0ef588e107fd2c9fad7c1598f7d83640c7bbaa6245cbc50596ca8e2faac5fb5554d4877471edfda5965aa2e519ce5dad84d6c087e81ba6

Download Submit
\Windows\SysWOW64\Liibgkoo.exe

Filesize
768KB

MD5
af1578131874817e725a169547c78c21

SHA1
e0f69e753f3de625db02c0fe26f0eb8081519c4b

SHA256
d24e25d880a3259985820682f00b5356d5af21ab0e489b4f8bfcc71a62deb2fe

SHA512
08c853298692be72b9d7f21a132c4ed2a08d4bfac193e80308bd97069a3670b2e097b2ea71f29e613753564adf0230693fc244afb37a17af4e3885bcf14c540b

Download Submit
\Windows\SysWOW64\Lkmldbcj.exe

Filesize
768KB

MD5
eca9e628691d86710ee8eb78928a1af9

SHA1
8952dc844ca64a9c63c9b1520845b70750aa6a8c

SHA256
8bf7dd54d40157176febd30852585e516ff3aef211249191db5bd513a0422949

SHA512
535d8c11f4f6b168ccf59476def1a14f735e220145b79aba7ebf343aa0dd7b721c8af3e739c30a83e41e9daa259403d1141bda7de707579a2b968d4b17437476

Download Submit
\Windows\SysWOW64\Mdgmbhgh.exe

Filesize
768KB

MD5
7fbbd619057ecdd31b03970270918fbd

SHA1
0ccf1efc465b91ef61e29fd93a79851ce8d74ca4

SHA256
ad423615c0f77cecfef98f6e4861566042f49bbf7ecf31c2419475d2d74a353b

SHA512
f03f1ee23385d612bab641525750a6a885cdd42081ba294477e70c6928261861142c0211daed027cda4f38cb9749b98ff977b10d35f8cd4bc5b8efc56905bd52

Download Submit
\Windows\SysWOW64\Mdoccg32.exe

Filesize
768KB

MD5
d73c1910db87e23c3f6aaf33e58b5c81

SHA1
5380519c73811e3a903616aaaf341aa76ea851fb

SHA256
30d4ab284e09635201cbe11d62da8885785aeb2ab3075fde8954ef0ee40b6a17

SHA512
7e40707038dfa521f00836f4e08e6db71db6d7a0acfbf1c49ac1c0a2ca38ed13d37ace344931a3d0e5b610a61e74a8e268e89b612a04baa1b972d27f62b85947

Download Submit
\Windows\SysWOW64\Mlgkbi32.exe

Filesize
768KB

MD5
a83cde57ee65b3a74049e72c22ab9afe

SHA1
019709596377e7ee03e9b1ad18bf030b254c0ae2

SHA256
b7d223490470176c40eba57395179723818cd22109bacff06f337bc631f907ec

SHA512
cce3c525b0ca2cee07e8e8aee2a272073362305801c4d0e875fe00507652c7f50638a6c9b34ddbeafa175ada0bbf4e40d644039edaa613b72a75b9ce1dced3e0

Download Submit
\Windows\SysWOW64\Noojdc32.exe

Filesize
768KB

MD5
ae9d1dd000c613d6e3515e3e56ada460

SHA1
7df5b06a80971bdd07ee819622ea8f137e817611

SHA256
b5e1f443a9a9d9bf0fb386a965c6f27e9c45cce6be8e6f6d584339f2d291d0bf

SHA512
b0f8f3bafc825cebe13005a92de5e2bf0dcc116ae6a60afce1c9294b3cccb680c3081882d4b9f603ed1075531f477c8f7496a7c7227896a08454ad7734945994

Download Submit
\Windows\SysWOW64\Odqlhjbi.exe

Filesize
768KB

MD5
da0965e8da7b70c9075ed278246e7009

SHA1
2d09803e77636f24619a3cd642e64f07d2b5fbc3

SHA256
79a38b75cab7b8f351153e218760c3798f737f35610730705e39c9abf55a5fe3

SHA512
20796d9f70cd0f1ded965b8fecdc4cf472cf03cc263de0744e0c4b2d55c3ffcc88aa4058b3b645b9771f05f78bd0f8f4c91301a89c1447ab33511f3c476621d8

Download Submit
memory/756-677-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-268-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/780-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-673-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1000-162-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1160-679-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1160-300-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1160-301-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1160-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-672-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-408-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1228-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-407-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1552-314-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1552-680-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-343-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1588-342-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1588-683-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-668-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1648-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-669-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-223-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1720-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-675-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-265-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1756-139-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1756-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-440-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1952-441-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1952-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-477-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1956-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-462-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1964-463-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2064-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2064-419-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2064-415-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2240-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-495-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2240-494-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2272-125-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2272-126-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2272-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-451-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2292-452-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2292-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-332-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2308-331-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2308-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-289-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2332-290-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2332-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-484-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2372-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-483-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2376-667-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-200-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2380-181-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2380-182-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2380-666-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-78-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2444-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-64-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2468-70-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2476-397-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2476-396-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2476-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-97-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2496-98-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2528-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-325-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2528-324-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-352-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-684-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-353-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2652-364-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2652-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-685-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-363-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2668-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2668-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-41-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2684-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-51-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2684-56-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2740-386-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2740-385-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2740-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-687-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-13-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/2752-12-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/2752-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-154-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2840-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-430-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2840-429-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2860-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-686-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-375-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2860-374-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2960-25-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads