1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae

Analysis

max time kernel
78s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
Size

128KB
MD5

9847c6324a39d0cd7ff14f9299a04360
SHA1

f471ec1015b97ced0aa34581beb1a799b7b84882
SHA256

1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae
SHA512

600033d92f5b43de4355742cb8ad6d121772554b11bfa67602aa60138f766382a48c9f92a3f944bf23fd8ab4c19e457a4c69672078e8c8cada9ce00cf3e8e1b8
SSDEEP

3072:WUkewKuC5kuDFYK654grqEznYfzB9BSwW:DWKt5kSYygrqYOzLc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgcdlj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkaolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbncof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nanhihno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oacbdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odoakckp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elbmkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfpmifoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcamln32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmemoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjilde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfpmifoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbncof32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbpibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Elbmkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehlkfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehlkfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlecmkel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hadhjaaa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbdbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oingii32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjgfomh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Neghdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhckloge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Magfjebk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enmqjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpbja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikoehj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpeafo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nanhihno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ebdoocdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikoehj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmngof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmngof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmemoe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebdoocdk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iboghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbijcgbc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmcdkbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fqkieogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhckloge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oobiclmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkhnmfle.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclbgj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilhlan32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neghdg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijcgbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Manljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkaolm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgmekpmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Naionh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpeafo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbpibm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oobiclmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odckfb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ehinpnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kheofahm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbkchj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Manljd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ehinpnpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlecmkel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlqfqo32.exe

Executes dropped EXE 58 IoCs

pid	Process
868	Dkhnmfle.exe
2332	Enkdda32.exe
2904	Enmqjq32.exe
2748	Elbmkm32.exe
2740	Ehinpnpm.exe
2760	Ehlkfn32.exe
2696	Ebdoocdk.exe
2180	Fgcdlj32.exe
1236	Fqkieogp.exe
2800	Fclbgj32.exe
1648	Hlecmkel.exe
3000	Hadhjaaa.exe
800	Hjmmcgha.exe
1660	Hlqfqo32.exe
2060	Hmpbja32.exe
2168	Iboghh32.exe
560	Ilhlan32.exe
2572	Ioheci32.exe
1828	Ikoehj32.exe
2624	Jdjgfomh.exe
3060	Jlekja32.exe
2024	Jjilde32.exe
2240	Jfpmifoa.exe
1448	Jpeafo32.exe
1736	Jbijcgbc.exe
1672	Kkaolm32.exe
2708	Kheofahm.exe
2336	Kbncof32.exe
2920	Kcamln32.exe
2900	Kngaig32.exe
2792	Lbkchj32.exe
2688	Lmcdkbao.exe
2640	Lfkhch32.exe
2608	Lgmekpmn.exe
820	Magfjebk.exe
2972	Mmngof32.exe
2524	Mhckloge.exe
2988	Manljd32.exe
1848	Mbpibm32.exe
3052	Mmemoe32.exe
2128	Nilndfgl.exe
2312	Nbdbml32.exe
2032	Naionh32.exe
1540	Neghdg32.exe
600	Nkdpmn32.exe
680	Nanhihno.exe
1552	Nhhqfb32.exe
2244	Oobiclmh.exe
1892	Odoakckp.exe
1148	Okijhmcm.exe
288	Oacbdg32.exe
2300	Ocdnloph.exe
2944	Oingii32.exe
2776	Odckfb32.exe
2968	Onlooh32.exe
2092	Ocihgo32.exe
2604	Olalpdbc.exe
1908	Ockdmn32.exe

Loads dropped DLL 64 IoCs

pid	Process
2276	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
2276	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
868	Dkhnmfle.exe
868	Dkhnmfle.exe
2332	Enkdda32.exe
2332	Enkdda32.exe
2904	Enmqjq32.exe
2904	Enmqjq32.exe
2748	Elbmkm32.exe
2748	Elbmkm32.exe
2740	Ehinpnpm.exe
2740	Ehinpnpm.exe
2760	Ehlkfn32.exe
2760	Ehlkfn32.exe
2696	Ebdoocdk.exe
2696	Ebdoocdk.exe
2180	Fgcdlj32.exe
2180	Fgcdlj32.exe
1236	Fqkieogp.exe
1236	Fqkieogp.exe
2800	Fclbgj32.exe
2800	Fclbgj32.exe
1648	Hlecmkel.exe
1648	Hlecmkel.exe
3000	Hadhjaaa.exe
3000	Hadhjaaa.exe
800	Hjmmcgha.exe
800	Hjmmcgha.exe
1660	Hlqfqo32.exe
1660	Hlqfqo32.exe
2060	Hmpbja32.exe
2060	Hmpbja32.exe
2168	Iboghh32.exe
2168	Iboghh32.exe
560	Ilhlan32.exe
560	Ilhlan32.exe
2572	Ioheci32.exe
2572	Ioheci32.exe
1828	Ikoehj32.exe
1828	Ikoehj32.exe
2624	Jdjgfomh.exe
2624	Jdjgfomh.exe
3060	Jlekja32.exe
3060	Jlekja32.exe
2024	Jjilde32.exe
2024	Jjilde32.exe
2240	Jfpmifoa.exe
2240	Jfpmifoa.exe
1448	Jpeafo32.exe
1448	Jpeafo32.exe
1736	Jbijcgbc.exe
1736	Jbijcgbc.exe
1672	Kkaolm32.exe
1672	Kkaolm32.exe
2708	Kheofahm.exe
2708	Kheofahm.exe
2336	Kbncof32.exe
2336	Kbncof32.exe
2920	Kcamln32.exe
2920	Kcamln32.exe
2900	Kngaig32.exe
2900	Kngaig32.exe
2792	Lbkchj32.exe
2792	Lbkchj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fgcdlj32.exe	Ebdoocdk.exe
File created	C:\Windows\SysWOW64\Ilhlan32.exe	Iboghh32.exe
File opened for modification	C:\Windows\SysWOW64\Kheofahm.exe	Kkaolm32.exe
File created	C:\Windows\SysWOW64\Oeoedmpg.dll	Mmemoe32.exe
File opened for modification	C:\Windows\SysWOW64\Oobiclmh.exe	Nhhqfb32.exe
File created	C:\Windows\SysWOW64\Djakgb32.dll	Ehinpnpm.exe
File created	C:\Windows\SysWOW64\Nhmiqo32.dll	Nkdpmn32.exe
File created	C:\Windows\SysWOW64\Hlecmkel.exe	Fclbgj32.exe
File created	C:\Windows\SysWOW64\Mdmlljbm.dll	Jlekja32.exe
File created	C:\Windows\SysWOW64\Kheofahm.exe	Kkaolm32.exe
File created	C:\Windows\SysWOW64\Magfjebk.exe	Lgmekpmn.exe
File opened for modification	C:\Windows\SysWOW64\Mhckloge.exe	Mmngof32.exe
File created	C:\Windows\SysWOW64\Hnfgbfba.dll	Nilndfgl.exe
File created	C:\Windows\SysWOW64\Jngakhdp.dll	Okijhmcm.exe
File created	C:\Windows\SysWOW64\Fqkieogp.exe	Fgcdlj32.exe
File opened for modification	C:\Windows\SysWOW64\Iboghh32.exe	Hmpbja32.exe
File opened for modification	C:\Windows\SysWOW64\Ioheci32.exe	Ilhlan32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjgfomh.exe	Ikoehj32.exe
File opened for modification	C:\Windows\SysWOW64\Jpeafo32.exe	Jfpmifoa.exe
File opened for modification	C:\Windows\SysWOW64\Fclbgj32.exe	Fqkieogp.exe
File created	C:\Windows\SysWOW64\Fgcdlj32.exe	Ebdoocdk.exe
File created	C:\Windows\SysWOW64\Miafbgjl.dll	Fgcdlj32.exe
File created	C:\Windows\SysWOW64\Jcqoqi32.dll	Hlqfqo32.exe
File created	C:\Windows\SysWOW64\Ecgckc32.dll	Iboghh32.exe
File created	C:\Windows\SysWOW64\Mhckloge.exe	Mmngof32.exe
File opened for modification	C:\Windows\SysWOW64\Odckfb32.exe	Oingii32.exe
File opened for modification	C:\Windows\SysWOW64\Enmqjq32.exe	Enkdda32.exe
File opened for modification	C:\Windows\SysWOW64\Onlooh32.exe	Odckfb32.exe
File created	C:\Windows\SysWOW64\Ocihgo32.exe	Onlooh32.exe
File created	C:\Windows\SysWOW64\Ehlkfn32.exe	Ehinpnpm.exe
File created	C:\Windows\SysWOW64\Libiii32.dll	Enmqjq32.exe
File created	C:\Windows\SysWOW64\Jpeafo32.exe	Jfpmifoa.exe
File created	C:\Windows\SysWOW64\Nilndfgl.exe	Mmemoe32.exe
File created	C:\Windows\SysWOW64\Naionh32.exe	Nbdbml32.exe
File created	C:\Windows\SysWOW64\Enmqjq32.exe	Enkdda32.exe
File opened for modification	C:\Windows\SysWOW64\Hmpbja32.exe	Hlqfqo32.exe
File opened for modification	C:\Windows\SysWOW64\Nbdbml32.exe	Nilndfgl.exe
File created	C:\Windows\SysWOW64\Hlqfqo32.exe	Hjmmcgha.exe
File opened for modification	C:\Windows\SysWOW64\Ebdoocdk.exe	Ehlkfn32.exe
File created	C:\Windows\SysWOW64\Hmpbja32.exe	Hlqfqo32.exe
File created	C:\Windows\SysWOW64\Cokdhpcc.dll	Kbncof32.exe
File opened for modification	C:\Windows\SysWOW64\Mbpibm32.exe	Manljd32.exe
File created	C:\Windows\SysWOW64\Okhbco32.dll	Neghdg32.exe
File created	C:\Windows\SysWOW64\Ijjhkqme.dll	Enkdda32.exe
File created	C:\Windows\SysWOW64\Hjmmcgha.exe	Hadhjaaa.exe
File created	C:\Windows\SysWOW64\Ajmnmj32.dll	Hjmmcgha.exe
File created	C:\Windows\SysWOW64\Jdjgfomh.exe	Ikoehj32.exe
File opened for modification	C:\Windows\SysWOW64\Lbkchj32.exe	Kngaig32.exe
File opened for modification	C:\Windows\SysWOW64\Mmemoe32.exe	Mbpibm32.exe
File created	C:\Windows\SysWOW64\Oacbdg32.exe	Okijhmcm.exe
File created	C:\Windows\SysWOW64\Ehinpnpm.exe	Elbmkm32.exe
File opened for modification	C:\Windows\SysWOW64\Ikoehj32.exe	Ioheci32.exe
File created	C:\Windows\SysWOW64\Hjidml32.dll	Lbkchj32.exe
File opened for modification	C:\Windows\SysWOW64\Lgmekpmn.exe	Lfkhch32.exe
File created	C:\Windows\SysWOW64\Jjmoge32.dll	Ilhlan32.exe
File opened for modification	C:\Windows\SysWOW64\Ilhlan32.exe	Iboghh32.exe
File created	C:\Windows\SysWOW64\Ioheci32.exe	Ilhlan32.exe
File opened for modification	C:\Windows\SysWOW64\Jbijcgbc.exe	Jpeafo32.exe
File created	C:\Windows\SysWOW64\Agpmcpfm.dll	Naionh32.exe
File opened for modification	C:\Windows\SysWOW64\Nkdpmn32.exe	Neghdg32.exe
File created	C:\Windows\SysWOW64\Oobiclmh.exe	Nhhqfb32.exe
File opened for modification	C:\Windows\SysWOW64\Hlecmkel.exe	Fclbgj32.exe
File created	C:\Windows\SysWOW64\Fclbgj32.exe	Fqkieogp.exe
File opened for modification	C:\Windows\SysWOW64\Hlqfqo32.exe	Hjmmcgha.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2864	1908	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjgfomh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kheofahm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okijhmcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclbgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neghdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdnloph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enkdda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmngof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhhqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkhnmfle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfkhch32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nanhihno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odckfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehlkfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikoehj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijcgbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjilde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbncof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ehinpnpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkaolm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmcdkbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgmekpmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhckloge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Manljd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmemoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oacbdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onlooh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enmqjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgcdlj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlqfqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iboghh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naionh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkdpmn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elbmkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilhlan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oingii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olalpdbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebdoocdk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlecmkel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjmmcgha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odoakckp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqkieogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpbja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlekja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nilndfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpeafo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcamln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kngaig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioheci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magfjebk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hadhjaaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfpmifoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbkchj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdbml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oobiclmh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmnmj32.dll"	Hjmmcgha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odnmig32.dll"	Jfpmifoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lfkhch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oobiclmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbglkj32.dll"	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlecmkel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobecg32.dll"	Hlecmkel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lfkhch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmngof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmjolll.dll"	Nhhqfb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlecmkel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfpmifoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpeafo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbdbml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpmcpfm.dll"	Naionh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlqfqo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoge32.dll"	Ilhlan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kngaig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbpibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhhqfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kheofahm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgmekpmn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmemoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Olalpdbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ehlkfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmpbja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjlbg32.dll"	Jbijcgbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kheofahm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nilndfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfgbfba.dll"	Nilndfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onlooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjhkqme.dll"	Enkdda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miafbgjl.dll"	Fgcdlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilhlan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgigok32.dll"	Ioheci32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hadhjaaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjmmcgha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgmekpmn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmiqo32.dll"	Nkdpmn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jikljfbm.dll"	Fqkieogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmpbja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokdhpcc.dll"	Kbncof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpeafo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbncof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nanhihno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcihik32.dll"	Ocdnloph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onlooh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libiii32.dll"	Enmqjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fclbgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhjcncb.dll"	Fclbgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbijcgbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbkchj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhhqfb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdnloph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldchnbji.dll"	Dkhnmfle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djakgb32.dll"	Ehinpnpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fgcdlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fclbgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iboghh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffhfj32.dll"	Kngaig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oacbdg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 868	2276	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe	30
PID 2276 wrote to memory of 868	2276	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe	30
PID 2276 wrote to memory of 868	2276	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe	30
PID 2276 wrote to memory of 868	2276	1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe	30
PID 868 wrote to memory of 2332	868	Dkhnmfle.exe	31
PID 868 wrote to memory of 2332	868	Dkhnmfle.exe	31
PID 868 wrote to memory of 2332	868	Dkhnmfle.exe	31
PID 868 wrote to memory of 2332	868	Dkhnmfle.exe	31
PID 2332 wrote to memory of 2904	2332	Enkdda32.exe	32
PID 2332 wrote to memory of 2904	2332	Enkdda32.exe	32
PID 2332 wrote to memory of 2904	2332	Enkdda32.exe	32
PID 2332 wrote to memory of 2904	2332	Enkdda32.exe	32
PID 2904 wrote to memory of 2748	2904	Enmqjq32.exe	33
PID 2904 wrote to memory of 2748	2904	Enmqjq32.exe	33
PID 2904 wrote to memory of 2748	2904	Enmqjq32.exe	33
PID 2904 wrote to memory of 2748	2904	Enmqjq32.exe	33
PID 2748 wrote to memory of 2740	2748	Elbmkm32.exe	34
PID 2748 wrote to memory of 2740	2748	Elbmkm32.exe	34
PID 2748 wrote to memory of 2740	2748	Elbmkm32.exe	34
PID 2748 wrote to memory of 2740	2748	Elbmkm32.exe	34
PID 2740 wrote to memory of 2760	2740	Ehinpnpm.exe	35
PID 2740 wrote to memory of 2760	2740	Ehinpnpm.exe	35
PID 2740 wrote to memory of 2760	2740	Ehinpnpm.exe	35
PID 2740 wrote to memory of 2760	2740	Ehinpnpm.exe	35
PID 2760 wrote to memory of 2696	2760	Ehlkfn32.exe	36
PID 2760 wrote to memory of 2696	2760	Ehlkfn32.exe	36
PID 2760 wrote to memory of 2696	2760	Ehlkfn32.exe	36
PID 2760 wrote to memory of 2696	2760	Ehlkfn32.exe	36
PID 2696 wrote to memory of 2180	2696	Ebdoocdk.exe	37
PID 2696 wrote to memory of 2180	2696	Ebdoocdk.exe	37
PID 2696 wrote to memory of 2180	2696	Ebdoocdk.exe	37
PID 2696 wrote to memory of 2180	2696	Ebdoocdk.exe	37
PID 2180 wrote to memory of 1236	2180	Fgcdlj32.exe	38
PID 2180 wrote to memory of 1236	2180	Fgcdlj32.exe	38
PID 2180 wrote to memory of 1236	2180	Fgcdlj32.exe	38
PID 2180 wrote to memory of 1236	2180	Fgcdlj32.exe	38
PID 1236 wrote to memory of 2800	1236	Fqkieogp.exe	39
PID 1236 wrote to memory of 2800	1236	Fqkieogp.exe	39
PID 1236 wrote to memory of 2800	1236	Fqkieogp.exe	39
PID 1236 wrote to memory of 2800	1236	Fqkieogp.exe	39
PID 2800 wrote to memory of 1648	2800	Fclbgj32.exe	40
PID 2800 wrote to memory of 1648	2800	Fclbgj32.exe	40
PID 2800 wrote to memory of 1648	2800	Fclbgj32.exe	40
PID 2800 wrote to memory of 1648	2800	Fclbgj32.exe	40
PID 1648 wrote to memory of 3000	1648	Hlecmkel.exe	41
PID 1648 wrote to memory of 3000	1648	Hlecmkel.exe	41
PID 1648 wrote to memory of 3000	1648	Hlecmkel.exe	41
PID 1648 wrote to memory of 3000	1648	Hlecmkel.exe	41
PID 3000 wrote to memory of 800	3000	Hadhjaaa.exe	42
PID 3000 wrote to memory of 800	3000	Hadhjaaa.exe	42
PID 3000 wrote to memory of 800	3000	Hadhjaaa.exe	42
PID 3000 wrote to memory of 800	3000	Hadhjaaa.exe	42
PID 800 wrote to memory of 1660	800	Hjmmcgha.exe	43
PID 800 wrote to memory of 1660	800	Hjmmcgha.exe	43
PID 800 wrote to memory of 1660	800	Hjmmcgha.exe	43
PID 800 wrote to memory of 1660	800	Hjmmcgha.exe	43
PID 1660 wrote to memory of 2060	1660	Hlqfqo32.exe	44
PID 1660 wrote to memory of 2060	1660	Hlqfqo32.exe	44
PID 1660 wrote to memory of 2060	1660	Hlqfqo32.exe	44
PID 1660 wrote to memory of 2060	1660	Hlqfqo32.exe	44
PID 2060 wrote to memory of 2168	2060	Hmpbja32.exe	45
PID 2060 wrote to memory of 2168	2060	Hmpbja32.exe	45
PID 2060 wrote to memory of 2168	2060	Hmpbja32.exe	45
PID 2060 wrote to memory of 2168	2060	Hmpbja32.exe	45

C:\Users\Admin\AppData\Local\Temp\1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe
"C:\Users\Admin\AppData\Local\Temp\1466a9bb4ce9adb8e023f3753f777b23fd7d0d8eeea170bdd4e1da4eab886bae.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\Dkhnmfle.exe
  C:\Windows\system32\Dkhnmfle.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\Enkdda32.exe
    C:\Windows\system32\Enkdda32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\Enmqjq32.exe
      C:\Windows\system32\Enmqjq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Elbmkm32.exe
        
        C:\Windows\system32\Elbmkm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\Ehinpnpm.exe
        
        C:\Windows\system32\Ehinpnpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Ehlkfn32.exe
        
        C:\Windows\system32\Ehlkfn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Ebdoocdk.exe
        
        C:\Windows\system32\Ebdoocdk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Fgcdlj32.exe
        
        C:\Windows\system32\Fgcdlj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Fqkieogp.exe
        
        C:\Windows\system32\Fqkieogp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\SysWOW64\Fclbgj32.exe
        
        C:\Windows\system32\Fclbgj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Hlecmkel.exe
        
        C:\Windows\system32\Hlecmkel.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Hadhjaaa.exe
        
        C:\Windows\system32\Hadhjaaa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Hjmmcgha.exe
        
        C:\Windows\system32\Hjmmcgha.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\SysWOW64\Hlqfqo32.exe
        
        C:\Windows\system32\Hlqfqo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Hmpbja32.exe
        
        C:\Windows\system32\Hmpbja32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Iboghh32.exe
        
        C:\Windows\system32\Iboghh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Ilhlan32.exe
        
        C:\Windows\system32\Ilhlan32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Ioheci32.exe
        
        C:\Windows\system32\Ioheci32.exe
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\Ikoehj32.exe
        
        C:\Windows\system32\Ikoehj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Jdjgfomh.exe
        
        C:\Windows\system32\Jdjgfomh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Jlekja32.exe
        
        C:\Windows\system32\Jlekja32.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Jjilde32.exe
        
        C:\Windows\system32\Jjilde32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Jfpmifoa.exe
        
        C:\Windows\system32\Jfpmifoa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Jpeafo32.exe
        
        C:\Windows\system32\Jpeafo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Jbijcgbc.exe
        
        C:\Windows\system32\Jbijcgbc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Kkaolm32.exe
        
        C:\Windows\system32\Kkaolm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Kheofahm.exe
        
        C:\Windows\system32\Kheofahm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2708
        
        C:\Windows\SysWOW64\Kbncof32.exe
        
        C:\Windows\system32\Kbncof32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Kcamln32.exe
        
        C:\Windows\system32\Kcamln32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\Kngaig32.exe
        
        C:\Windows\system32\Kngaig32.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Lbkchj32.exe
        
        C:\Windows\system32\Lbkchj32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Lmcdkbao.exe
        
        C:\Windows\system32\Lmcdkbao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\Lfkhch32.exe
        
        C:\Windows\system32\Lfkhch32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Lgmekpmn.exe
        
        C:\Windows\system32\Lgmekpmn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Magfjebk.exe
        
        C:\Windows\system32\Magfjebk.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\Mmngof32.exe
        
        C:\Windows\system32\Mmngof32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Mhckloge.exe
        
        C:\Windows\system32\Mhckloge.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Manljd32.exe
        
        C:\Windows\system32\Manljd32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\Mbpibm32.exe
        
        C:\Windows\system32\Mbpibm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Mmemoe32.exe
        
        C:\Windows\system32\Mmemoe32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Nilndfgl.exe
        
        C:\Windows\system32\Nilndfgl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Nbdbml32.exe
        
        C:\Windows\system32\Nbdbml32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Naionh32.exe
        
        C:\Windows\system32\Naionh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Neghdg32.exe
        
        C:\Windows\system32\Neghdg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\Nkdpmn32.exe
        
        C:\Windows\system32\Nkdpmn32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:600
        
        C:\Windows\SysWOW64\Nanhihno.exe
        
        C:\Windows\system32\Nanhihno.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Nhhqfb32.exe
        
        C:\Windows\system32\Nhhqfb32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Oobiclmh.exe
        
        C:\Windows\system32\Oobiclmh.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Odoakckp.exe
        
        C:\Windows\system32\Odoakckp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1892
        
        C:\Windows\SysWOW64\Okijhmcm.exe
        
        C:\Windows\system32\Okijhmcm.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Oacbdg32.exe
        
        C:\Windows\system32\Oacbdg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Ocdnloph.exe
        
        C:\Windows\system32\Ocdnloph.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Oingii32.exe
        
        C:\Windows\system32\Oingii32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Odckfb32.exe
        
        C:\Windows\system32\Odckfb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Onlooh32.exe
        
        C:\Windows\system32\Onlooh32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Ocihgo32.exe
        
        C:\Windows\system32\Ocihgo32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Olalpdbc.exe
        
        C:\Windows\system32\Olalpdbc.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Ockdmn32.exe
        
        C:\Windows\system32\Ockdmn32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1908 -s 140
        60⤵
        Program crash
        
        PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ehinpnpm.exe

Filesize
128KB

MD5
652c8794aee35443500a863d16a6a0e4

SHA1
6cd3f9345afb5d4f0ae4817c6bd89abdb69614e4

SHA256
49e7fe4039cee21a6bc8bc48f2ca0fbc6f0f51a96f3d9167f86a1170ff044961

SHA512
c1146e65cb5901494fd6993c0c102ddbdcd0f3c64f550f4f50ffd6fea1ca8da3a3ed872b2ad5e3676a45608ecc9231512607ae6e594465696a479182c6bd9ae9

Download Submit
C:\Windows\SysWOW64\Hlecmkel.exe

Filesize
128KB

MD5
a629feaab5560462ae6685aafca8eeec

SHA1
19f7b82c65dce70c6001bd38fac45b66999ed2f4

SHA256
596bfed9a3d277489ba5b26f80fe7e947ec157083c9973942e6558c8debde9a7

SHA512
7e2e8a017d7a1732df213e4690bbca43ff1772df4152e81794a19b39dfc36e08593cfbc87abdf158c4c5c3f50c761080aee5f2b9d9f21366358ebb64e5995d73

Download Submit
C:\Windows\SysWOW64\Ikoehj32.exe

Filesize
128KB

MD5
3857873cca7a952ff0114678a4172fba

SHA1
0bdd80413b7fbc2f1b0f1c416652e97a7050bfb2

SHA256
d4f6f59ab6642e304ccf3be1b238f511ee7109f25d104ebee6f7b5672f15f7ad

SHA512
f860df9eeda5bacc717e23b16a8fa3e13adec4b12c4cdd3588371b61267afc9944a252ba5cce0eaa2f0ab227db5acac219074a0bb2cb218de27a487523122bec

Download Submit
C:\Windows\SysWOW64\Ilhlan32.exe

Filesize
128KB

MD5
91bbb3d8fd4574b317e485086d017a9f

SHA1
8086e56935d7e76cfadaae3a2259186fa58cd5bf

SHA256
2872a78a493589d92b8c7adcae26b34145054ff8c3fd7bf69abf42986e75a833

SHA512
1bd080441a65d96ede9689b06884fe4481a5a27adf921b934c4f73890d9de23c7d1633df54ab39103bf3cf6e2a42938fdc36dd9a7458af6cf59332d6e5078d36

Download Submit
C:\Windows\SysWOW64\Ioheci32.exe

Filesize
128KB

MD5
85994a110364cd4da7e39d01aeca09b5

SHA1
35bdbdaf732155c367dad60054505d88d798691a

SHA256
f394417455eba9a84e0aaff1cf418d08f35e3a8a4e9674e9096aa9e20e0fbc2e

SHA512
a551767b805c61715fe82e47f6d686276ec6d61960ece185142ca601dbbd4f1867588e5cb91d4891d3afb973dc27c29a4f8796c61e83fe24649b046a2f68a907

Download Submit
C:\Windows\SysWOW64\Jbijcgbc.exe

Filesize
128KB

MD5
290b6f16cc52a2a622a7daa4fa34e7f7

SHA1
798b7087f96af691405a777f7eed68bea115ef52

SHA256
ced8807dcb7b66d318189e1e25cee255bedd2268fa07f08a569fcf2c2ec24430

SHA512
f7e89b1d13e179568ac6c635b115cbd495b59f7f6c1996ad1ebb68f8871899cd1adfe8080b5f9f596f671395c478c3064855492737ac9bfb28209f27dc25c07b

Download Submit
C:\Windows\SysWOW64\Jdjgfomh.exe

Filesize
128KB

MD5
72ae1529228ca0c5f0a211609443cd87

SHA1
97e00526068f2771377428bdb0fce5889b2fa29b

SHA256
d1ed28392be649e1e149e6d2dc11ed7a695739e4f7262a6e6a6f29a3af9ffa77

SHA512
89ccc5892a7e89aa80824681adbe6148b3c2290404abe977d7a260278c5000ed1d1852a0d1cd0147aedc73f16efd2258b2df9b0b6c3ba7577f55a696d1b896a9

Download Submit
C:\Windows\SysWOW64\Jfpmifoa.exe

Filesize
128KB

MD5
71021cdc2ea8f9f7f6a93bb4b2f42f2d

SHA1
c133b3f53d417494cac0c362721e0cfc9f35de9c

SHA256
6ffebe62ae501e4abc015f23da1834fcdcf9e5ab6ca21f60e63dedbebe0215c2

SHA512
34826c3b73e6076808e6b3d07e44be9f0a7329d379e8df61f1715ad3a44684780ce6175e9f3335ceb90f3b865f9d59f354b7bfe12d632b8faed7120f38d9a36b

Download Submit
C:\Windows\SysWOW64\Jjilde32.exe

Filesize
128KB

MD5
0fda9d4f0bf002ad38a13dece3809e5b

SHA1
eaa175f62c3e078fba2c800858dbd6c2c0f87391

SHA256
60fd412b9c15a7b08fc0bd789356d2c921e6ada99abb5601ae02d51076f939e2

SHA512
b844208a70147ceea59ecf94f77df402d3fc8c208804aaf20f6216baa72a1ea5dc67b8baa68cff97897118956ba663965532cd4779ddc8186f8cb6e9958beed8

Download Submit
C:\Windows\SysWOW64\Jlekja32.exe

Filesize
128KB

MD5
f03060c26f5e5ab1950e6f97de13d995

SHA1
7e978b68bd39edc336c86b23dca73a9fe668257f

SHA256
54726f349437a5f5fcc89bb45c355a0713a9b51ce915cfe774e5f40843efa0c7

SHA512
fe3f46799f80e3bdb92da0f15027adc1c0c3541c73b5a7a4c59b7dc7726225fe2d7df423823b9fffdf81452aaae6fb16bb359edfa750f873bd8642663273a0b7

Download Submit
C:\Windows\SysWOW64\Jpeafo32.exe

Filesize
128KB

MD5
b5c92b343181ddb2139ceaf11267ca7d

SHA1
22d7b9fb70bb1aabd8b7f42ac70849fba5b0bab1

SHA256
55b5006a461692e19d08590086819ce6b994d25ee51069e38c0f24c5cb6f10f6

SHA512
139eb9b6021b1e43bcce39acdba61a8ff4ebca5b4387da53d05d0e11fdf1bad3c477cf386455f3d3c079bf22be2172c9aad8e63b2bd6a94d8fb9c13709ed2227

Download Submit
C:\Windows\SysWOW64\Kbncof32.exe

Filesize
128KB

MD5
7dcc17418e37acaffa84194f0c76174f

SHA1
b470bd8d95575c2cca0a7a7f0a117f66ecbff73c

SHA256
6d01533e70331de36ad48874543dc60000dd1ddd9238a194347d8d287f21d8a4

SHA512
21ef5f077d300e06503be5892fd98ceaa9557ca2654c9da3d72ca9f5d7110511ac01f27f18f622918c876021c429356118e4c148767daca77884ab8364a24914

Download Submit
C:\Windows\SysWOW64\Kcamln32.exe

Filesize
128KB

MD5
2e92ce65dc9f82e8bc70ca3d5de08932

SHA1
5b550c1b0b62c8f44b14c49cec0d613f1c8001ef

SHA256
d50363b22fa2a1fbbd0a4eb4871a5d0568a4f1e6b2825fcb4ebf9eeecddb910c

SHA512
78e4f426f06697b2bce5fb0212ec4fc8ed2dc02d7d4fb2454475fb81d162b99463e5e41ce605b302d8a876dd04df804c2d06fdaa18cc3527e8425400a7da0dfd

Download Submit
C:\Windows\SysWOW64\Kheofahm.exe

Filesize
128KB

MD5
a3072ca7910df5c8d08085f517dd80f6

SHA1
f3aea50a3a3eb9834f8a081387f07b88b633f858

SHA256
5c601f624f0680a6d10a370599e01d47ae0301879cb5b19baae6d0214707e6d7

SHA512
676ce167c8326f0dd8187993f416dcb75a9a09595a6219785038b8b4764d6c0ed4355a6869326cae5bcb7a33e2657018a9dd47891c2b8b7e7c1d8062d7c7e52c

Download Submit
C:\Windows\SysWOW64\Kkaolm32.exe

Filesize
128KB

MD5
393b1282d26ce6de1128055b3da909ab

SHA1
aa2d717d646757743ccf5d2521ff22f9f357648c

SHA256
ce6a6360a5b7bc73ef80b7af98ceacbadaa5c94fc6792ac108ab4a4ad10c0fc1

SHA512
2ca328022fb4def7a68b6b1047c8d4d926f93017064b9021b096a6f18e3ce63ac1e55648d65deac4c918be4f94c1ec05f5eab82823dfa25654099057a6a44972

Download Submit
C:\Windows\SysWOW64\Kngaig32.exe

Filesize
128KB

MD5
933a3da1265d2655b7d3bcece0ce6271

SHA1
d37ac2e1b20c22283576e24942407a151c36e0d2

SHA256
d950217fd16272a7617b215d53bf154e4561a40568d44944aebbdfecd14eef86

SHA512
2c3fb4b1cf2c113ce50b7303947b490d6ad00842bb3592617f415ddef5d742bcc8bb437e9f13b2aca021c956f5789e896e1416c9c06bed8d4167d380a992f99c

Download Submit
C:\Windows\SysWOW64\Lbkchj32.exe

Filesize
128KB

MD5
9a12021ff875676da6ba8184017bfc06

SHA1
058fecaa55fbec95b6161fe491ff9e2e9e58aef2

SHA256
a3df667bd923aca6a76b5b8e9795e58022242036d154a1d6d9849114488c332e

SHA512
e174fde5f9216f2b8adb0ff3bf1e332ebebb03c7c5033a2ba8c2b1654f9c1c682f7b1bdc7ade28dfd71c1b008deb035d51a76a9d29acd08641d33b7105fac8ea

Download Submit
C:\Windows\SysWOW64\Lfkhch32.exe

Filesize
128KB

MD5
3b39ca6cc102f313441ea803a7f00a8d

SHA1
fb778a80e6162aa944f6d58cac038b2eb10d0bfc

SHA256
3af52f86b1b4b617ac69b0f645c345a3366d44281f6e5a1923c5a89326c1c893

SHA512
c1e160fad1c27297f7e94b637977139d65810d43651d606910c5889e1ca2f0044968368d19c98ed4e2ec1dc14d39b0c0311b40c2ae745e0aa227b7f4423ad711

Download Submit
C:\Windows\SysWOW64\Lgmekpmn.exe

Filesize
128KB

MD5
d4c67bd21a4421a5d4e3c6e0026fe63f

SHA1
4092b0954323cd0d8ce65831e7a3bd8e8c08683a

SHA256
466997bd73a496249f1bf63aafd0efe2879ecf97de9eb51195615f792fc06cab

SHA512
d7adaecb203519497ce255057a7cae39b08aa45cdb57a444f69bbee965c03ecd1c4b15b2ac959ac112c439589e71046a470f8113d28faca7f8581a7b04f7405e

Download Submit
C:\Windows\SysWOW64\Lmcdkbao.exe

Filesize
128KB

MD5
8b689393c645f0a642f2be4dec2a63a7

SHA1
95124b63abf7423d4ea62ce8fda89e170aa7ccd3

SHA256
80bcbbf986d9be6cd619d45238b28a8b983367a10390d498f466c5968ad8cd9b

SHA512
e7e0939b61b66ffb95b349bf24174bd05cc9c4106bded14545160b8b3bf986e72c8afae6a1a102097a739edfdcbabb7f6cc8fc99a3671467f35c09e2bcb30d65

Download Submit
C:\Windows\SysWOW64\Magfjebk.exe

Filesize
128KB

MD5
a5f9583200bf1715aaa84854774b697c

SHA1
0c254769b06e80cd452ef942f1f7154022152064

SHA256
92a275de6a5842709da1c351c1015cfb541d6e5e77e7f3a70b7d17655e611146

SHA512
61fdde40f5440dfc24acf1c9908063114fb744c429e5bace8f226c3caa600975306b5f0ad123d88b429561f0c0449b766b6076d772349590c2406e3b1f0b2e3b

Download Submit
C:\Windows\SysWOW64\Manljd32.exe

Filesize
128KB

MD5
1d62285e0f2e167df446edc3b4c18a74

SHA1
27c1d35f4aa786a9282aec0e2f2043e9942fee45

SHA256
f2822405a851799f9a49d54b628cc3f1bd1ecd8bca9e6e4bc4bcfc5618a11e9d

SHA512
d3b3434f057b8466616713b66b1f74b28245d9af1437d31b10f63f36a285bb94e4dc9e1b9434ca24a1112eb7230dadff2a32f74fd461963d19fc8d896e599a33

Download Submit
C:\Windows\SysWOW64\Mbpibm32.exe

Filesize
128KB

MD5
81beec88daa1f287cfdb2a6f9a6d4c43

SHA1
2215a182d338686449bb03759ea68b0f422bb5d3

SHA256
f076d9b77a610a69e32aaa2b5ae1bd42bcea35e88115f28228a37c870a08e8eb

SHA512
2857b3c1563b28e952b326a2d89a1650d76a9cce23477d343fa646f2fac67b31db9dd82592bb90082a2430460af3eb17d983371592c20f3cb6d391f77ba68673

Download Submit
C:\Windows\SysWOW64\Mhckloge.exe

Filesize
128KB

MD5
59233b52dfe4b326290dcb50dc323294

SHA1
8cd2b6ea5dea2d79466e4a5a461aa313e1cd5e86

SHA256
b522770e0239d904fbd3823b5af14d23f4bb7cdd60f068e759ca4fc1ad9b7e6b

SHA512
865eaff2a29fec1330bf205a8db74b8849a74755c35052d1a3dc4e21e219c774c33bcb461f60d98381c61b9ecf9f87301f507e4f85e0caf59129a38903d9540e

Download Submit
C:\Windows\SysWOW64\Mmemoe32.exe

Filesize
128KB

MD5
a9004d23b4f3090edbcca38fca25fb23

SHA1
0eb852ff474375a9849d95b2c469bbdf81d38193

SHA256
80265e540580805f8787a7ca80e321999d0b1365789e26eba7ab909649c0d5cd

SHA512
8aa683f5ba1afb30de97d69101edda1a8afd9266e0cf3076d2d7961a778b46be604c7aa485b2367661ffdebb6cee98df08801c07e039b01c3a5ce246a79d2ee4

Download Submit
C:\Windows\SysWOW64\Mmngof32.exe

Filesize
128KB

MD5
ee8ad2ae3793d3f256f8ce535214ff90

SHA1
51065a2302e3bc2ecc03baf27dda3ced7b492270

SHA256
214c68de7537fc9f053052515603bdf3a0c6847c69825a5d4e51bddc11045345

SHA512
07465c4c9a44ef1b194d77ed46d46f784c6641070bec621f4e4964ef94cb9d9335dd7735c43b639f7a18d67aad69065f91ea6e92a5f8818ae388a30754f3cea4

Download Submit
C:\Windows\SysWOW64\Naionh32.exe

Filesize
128KB

MD5
2f54e4a6c8459aa829bafa9f71680e0b

SHA1
76a6b6c1118b971598480ec0f7ca533fa5d77224

SHA256
18db32f10909a0670775adfa94aca4e775af4904787cc7adb10efee7b5ce96e4

SHA512
d08ac83612b65010194b5279bdc0aeb9602ef4ceef15861457f0675a37afb5301162243bda4cc68c3640a3d724369466d3e83930175e48e6591edb86eff149f9

Download Submit
C:\Windows\SysWOW64\Nanhihno.exe

Filesize
128KB

MD5
b5989e7383cf08b5ca2fcefa68eb0a8a

SHA1
7c769155b9417da9cb77d3827c78756cf7ff1932

SHA256
a61df3e7c8a979301ee3eda9987a896bff56eb38b8571219b47445bc5b8d5f22

SHA512
0bbb6f06b9886758a6d7e28bb4ae14369d23463762ff51e952102c535b15e1dbaa17c2e894862d5ccf9efa629398b166cc4a6878be6fa53abf707e4a84c5ae65

Download Submit
C:\Windows\SysWOW64\Nbdbml32.exe

Filesize
128KB

MD5
5441867807fa4dd8593aab15547e00e8

SHA1
15933cc847fceebafb8c18d731a7793a35d06663

SHA256
919828e215b28b9f1c96b64e98753358c7bec6ca037788b1767767be4b055f83

SHA512
cb43ae81e54c76d84f1a32cf14c05b56472f4ff0bba429891a6068bbb7eddc6799f0410333d4d49ef217853c8926fe0b7346d82d6da791a5b0a701dda1dc0ea8

Download Submit
C:\Windows\SysWOW64\Ncndladm.dll

Filesize
7KB

MD5
a48f20ab869c691f415ed724c37ff1f2

SHA1
5125be32759b5f67ac707d931d6a2758c79bd8bc

SHA256
ed4befd20f2ab69b56ca1cf34235001f8e3a567ba55bb0dd0e5ac4c3519891a4

SHA512
a431ff47fff25cdabdc167d7e8095d7365f8c21dce983e24c4345db46bf005d0e388695ddb45deb0c728ac5085fcf34812d54f1a364202b1ed99beb744fcfedb

Download Submit
C:\Windows\SysWOW64\Neghdg32.exe

Filesize
128KB

MD5
1fc0c74d8d5e934fee24e72b5b31b846

SHA1
40823c16ee9a068efd219becc255e267d875c826

SHA256
6da4485a49a89a5cc5c05eb2ae67c841bed0876cb1f59f4c9d5af5415ba70165

SHA512
e651a0844d9e17540a1c73830773f10415be5940df798ae9c272b3390ce70713b2d3fec7016b9899b1ba6ab6614232d3842c62cc05cdb64f09059c399eee0fb5

Download Submit
C:\Windows\SysWOW64\Nhhqfb32.exe

Filesize
128KB

MD5
25c1267f8d4a0002cb83fd1a77b00c7f

SHA1
7e34182357b701b9753d3191ba169557159e04c1

SHA256
854f29c57d4d9a988d34a0493e4002ec05ce71f93bb80fe29464b22490e1c9d1

SHA512
da82356361018acd57c951a2a3a5807349285c976d86c7a3006ed80d73fe21085c4e13ac95659295b1b09d434e77624caf2b64c1219ee02f466da8d1d7cb4a4b

Download Submit
C:\Windows\SysWOW64\Nilndfgl.exe

Filesize
128KB

MD5
3af59cbc875dd0ed9c4b2d1ef16ca17d

SHA1
7ca0d48110987f162da7c544f613b068030f5015

SHA256
c42a2c608dcfcf4657b5856579810471ec0be0a980d3827b7b2cfd7d595f7768

SHA512
987b4062a82905531ba50e06ec8d05fa5718e6f707c943ed074882347cd65f1083bf46120d1300ad3908e256bd920951d4ccd080ca193786f7d58bc7b3a3d244

Download Submit
C:\Windows\SysWOW64\Nkdpmn32.exe

Filesize
128KB

MD5
2d937a65f2c67b560fed6b5284e43073

SHA1
2517e702640e37c4f28f39b71c9a9398808f92a3

SHA256
37ec832be0520f3b69fa6f7cf5fbcc0076938692f1d4df0e8d33648a2321a2e5

SHA512
dee148cc1b06ac4cd4ea242112321baad7d98d03b9beb4bccb8b3cece9e7ba3739599dd4b112e42883de40fe7a6577a11369447af791d1b7288ed4ba52d807c4

Download Submit
C:\Windows\SysWOW64\Oacbdg32.exe

Filesize
128KB

MD5
b592281e2a1860c4bd61e0c3eecadd55

SHA1
871bca039d7456a7fba3137cab7a2dcd3a3a9bdd

SHA256
f7949e9063f915dd0322cb847b3de4b2678056b48ce6bb03bf495fa947cebd9f

SHA512
fa76a626e57cf781c77f2a7b4cb25817ff6620c387ed3947e77ce2b1dc9136b0765885828ca8611df838ec758cd7e379a89b22d2da65107138c0fae71181b021

Download Submit
C:\Windows\SysWOW64\Ocdnloph.exe

Filesize
128KB

MD5
af6dfe90c6795ea269f20b70e01c423e

SHA1
32f1086a22f2c8cb872336d6846d96e11fff21ca

SHA256
299fae772e3089127a7ad30199ce1001ba6bd99e79a120f7cdafeee7ee96c6ad

SHA512
c52b2d3dcc5278ab7b9eacc3f6ab5b45d1dceb1e5ce12791b3ac1b374b952fad9f1b8655010beed79336719d9695313929345b0ba6a4e8931583cf0f3dc60082

Download Submit
C:\Windows\SysWOW64\Ocihgo32.exe

Filesize
128KB

MD5
ccc166ceaa309c0f26e33605ed5f7333

SHA1
2c0ef9e12570b801ae350a7e42deae2e0c138c1b

SHA256
6c0450703b2b80deaed6d3b0644a883120b451da9724be6829067a1c75a09ea6

SHA512
196db3e95f291f9dd979b0b183990996b8bc0379e72b506e38de528a6d10bd00a71ef5d7905b402a91ffc7ebe18aafa0ea1a581156dde9a22d7816dc38e5fa18

Download Submit
C:\Windows\SysWOW64\Ockdmn32.exe

Filesize
128KB

MD5
3e74a168ba3d239b80793b61c53f2b27

SHA1
9c498eb14a7c386c910cf1ef788b5f532ec8dc14

SHA256
baabbd57eef44caaef18c4b51031a5e9dd1ad5496b442c42b20f28e78a8593ac

SHA512
30ceb9ac00ac9d634c5726499c3e67675f663e21c160822af00c9010c78991af67653eaeb7121ecc8092b1d50e239563453a5751373789a72668ae2ee5877493

Download Submit
C:\Windows\SysWOW64\Odckfb32.exe

Filesize
128KB

MD5
7247da747a6487b5d561f94109c6acf2

SHA1
052123bf15cb57c81a44e8142876e1a639e51321

SHA256
b7b6efa91c0abe56b14bcf5575fd6754a6dee7a0b14069b878220247b8f45d3c

SHA512
b5f5bfc258015b5f96bf93906ba73ba1bacb70150ce423547ed5672a57c29f2cc21e2491aca630d950f1981f120bbdb7927ba4a3c43f42b3be78d0b83b6a3cbb

Download Submit
C:\Windows\SysWOW64\Odoakckp.exe

Filesize
128KB

MD5
8c848ce5c598fd4db79d1eeea8f4e9f9

SHA1
ed81b74b69ad9a2731c40e4adf3e3cd04b0e7a8c

SHA256
ba3e9d17bd3110b71e4b323c967751ec87f1185a1c2ebafe8279b9fcdf571f5b

SHA512
5d22d6acf794d1cd7153846f510b18cf154d8d00096ebfc6b582db65bfc40cafd7f9e06a0175eb04e8a9eae6bd59a40148146c44056ad876a8ea83acda0829a5

Download Submit
C:\Windows\SysWOW64\Oingii32.exe

Filesize
128KB

MD5
d2d31cc1f12720e6a41615b3acd832c7

SHA1
65f29547be0ca9424999699856277f503285c190

SHA256
0a8319b4dfd41557bc75879e8f42e5210ad13871ffe4a52b15b011e7203d8ad3

SHA512
0191eb31f453b39c287525d36a7d89d35b7990194d4861fcdf99a974a7de74278c4f71a61bce191c645db45beeb8531bd0d7dd68a18d30ce84c86395b33b8249

Download Submit
C:\Windows\SysWOW64\Okijhmcm.exe

Filesize
128KB

MD5
c5d521da0ab1c5fbb946deef78d34084

SHA1
15210e8f31d5b1a1bdb1e28f9517412968381bf6

SHA256
61734c2638d83d7187323074868a9c41f74fc601b4e4588f665231e98df117ba

SHA512
e3809d2ecb6701be0bb2534b2c17b7351c997af70d0bae3f3b71ed172be5b26fc620bfa5d9eeeaf77654857082dcbd9bbb8a10efcf718d19c66017cb73f2cb9c

Download Submit
C:\Windows\SysWOW64\Olalpdbc.exe

Filesize
128KB

MD5
fc977e7f89cd13223ac3e3fa344706d0

SHA1
f6bf8edfcb895d7a9a9e175d65d5e16cf6223b3e

SHA256
3291b53a873eb3cc8693acf08922b6090c87862ed71aff83a32712b8132d9bc3

SHA512
46e6fb8c3e378aece3a2ecb6808f7db5ff266a2dea7c6e122b85d6f6a5c894720eec9263e153e6967778dd40ba723308c1fb2624e7af34f092a1037cddb65cb1

Download Submit
C:\Windows\SysWOW64\Onlooh32.exe

Filesize
128KB

MD5
e0e3ddf8f412fccfd251b8d5f7a1ed63

SHA1
c3cfd1d5bff51fa4cdfd6b07ebcd504f6615769a

SHA256
01cead38d660467798437826f035922c1cb0c208e459ad5b4aadd969301bf902

SHA512
d5c11bd5e56e7cdf83f66f87f5c4b789e396e6163da0e548d471aef2171ed894342f7f676f36d656796a792975f695435621bb4422732caa880ecd9b33773a7c

Download Submit
C:\Windows\SysWOW64\Oobiclmh.exe

Filesize
128KB

MD5
96b4ecf1adcdfac141b60cd8a1355578

SHA1
4788044e552eb37acdcc2c111f433796b1331406

SHA256
69ee577c6339c7f445e89ce4a38f08162f14e3e4021e5beae155781188db5839

SHA512
77416ab9d0b04a8e72a55de4f4c56358baeae4088939b9e19336a915dffa54784846ea6839cb89960a1b3c049880e00910bb83e110927c2683cc3f0b1a48bc6e

Download Submit
\Windows\SysWOW64\Dkhnmfle.exe

Filesize
128KB

MD5
7545a99e83951a54b4ba794f3717ad60

SHA1
d5d8015f510afb2f68dc9451d2f06ffac112f924

SHA256
46bc111fed6762547cae9dda71be1280c90ec054f0e65a909447129b6df44882

SHA512
fb0f6c567c96e84e6b6d9fb56ff35f14e32db51a652e0af0e00e5ad22fef060db90fced3d763eec9f1514f39f26be2e466a05408becac95d488445c30b1658b1

Download Submit
\Windows\SysWOW64\Ebdoocdk.exe

Filesize
128KB

MD5
ae9b9df5617d3b5952afac2969b1a6cd

SHA1
58fbfbe0ee81eac9eb11dcc80bf3ff7fa334f408

SHA256
b045b9eaa50cbcfade98ee37565a5ff9671e08452c73524adf61b6e506df9be4

SHA512
2cda35a38a572e1714b5e9386dd6b27efc1a1cc61db5b9050ab6ba907901df8b7a5ebed52da7c8da79e234df272aa7758ed9256e132aac730d4620b7a88fdbcd

Download Submit
\Windows\SysWOW64\Ehlkfn32.exe

Filesize
128KB

MD5
106cd6ad71079f426625c30de477b4db

SHA1
4e6812f31349d42442ed2f408426d705fb986b7d

SHA256
1fb5899b09ae3df0316ccf1b65af3294965476a94243b6a72561a2284e1766ef

SHA512
5c75d91b9ac211c26e1f102f8bf9d768488fff7d0403722483ac565cc856359b310c7d283817d4a3b0f46566d88912b65da81f652d8a112e7c714aacd2db5091

Download Submit
\Windows\SysWOW64\Elbmkm32.exe

Filesize
128KB

MD5
4bd5464d41b3736f16642669179d8a76

SHA1
9d48af08ef7296aeb08057c75bd8ddc66d7ee52b

SHA256
fe1334cb18e98b10a9482ddce01bc331cc4bdf4c6dad6cf3ed3f9da9342b1b05

SHA512
e814558600afbb815dbb6e094287d53bba1eb29b913787f910984b9f34b40d07d38a43744ea12e1b3b3375b89aee6783df61d37d82bed5e88c379263aafcfadd

Download Submit
\Windows\SysWOW64\Enkdda32.exe

Filesize
128KB

MD5
cf1a325cdbe1ee1856ff4b2780a70294

SHA1
842bafd281dbde76c7467ba3ed13372354ba998f

SHA256
b6d78e5f13486dc122f8acee65ab307dfbed4d360eab919073bedfc6ab217197

SHA512
77724e094c2b7f3d3dbb5290bcef2a32b074262f22dd11bc669f4a6a44976a0e278bebacfc4d991dba90a1e76036272513fad2a95f0af5820b92932eb0c87b37

Download Submit
\Windows\SysWOW64\Enmqjq32.exe

Filesize
128KB

MD5
6251a2d3818729442d26ec10478378cc

SHA1
6bd9819ed4a6005c5a23f09067a4a3f4ac1a3d21

SHA256
38edeb45843c40af683cd5aa23e30acc8cadf2def49d3aa5918178f5a7d4fc55

SHA512
286563793e759523ef57a5f321c913928ca77eda191fe622581edb4211264fa20e4d6f965aa29ba83f73a489a22015853e2df173a0c7532907ac8e5522970632

Download Submit
\Windows\SysWOW64\Fclbgj32.exe

Filesize
128KB

MD5
551fa7887bea703c7f7337b9e9d67f9d

SHA1
ba81c6c879209918bc80117cd02174e8d5dc910c

SHA256
4930c7e7b64b00d4f2dc788052ab44bf49f03b00cf86b8f72220dd9909bb7e38

SHA512
2bcd70df0eeca23376bc8536f40b62755f7b7bb3a0477ccdb7ee866a96748f1593ddbf77cf22b0a4a28beef1cf88901901c6b87e738353cf3fc762c9a9fcfbc7

Download Submit
\Windows\SysWOW64\Fgcdlj32.exe

Filesize
128KB

MD5
95dbbdd12d991c9b743e94b69641e8d4

SHA1
780d1c1908840484f46195815c2b01f2f5efc0bf

SHA256
cc12c663b041097180151ddd8e831e9cd6f4b4b7beb4816665d2ff042eb8f7ed

SHA512
79fab8ab904cbed96e5f3be8716c22c8234b80001c1a79b98510a882699f2eb057278b58a90a8dafebae04acf338939ed7dfe33b8f6ac12a68d7301e24d8af60

Download Submit
\Windows\SysWOW64\Fqkieogp.exe

Filesize
128KB

MD5
9031e6166fd56bc5eedcd04b29c4e6c2

SHA1
6bba3ab5b6a94aaa2e6b37324a8f9a49fb6563de

SHA256
5292597d3285c3954d0494302a25542af396907df7fd3c088153fe95328d09a9

SHA512
982e4406b943ca471dbbcddcafdf44395e41a379e95b97acbc22785a29bf19a8d357da9f0a4e9d99bcb8cd560f77c8bea28f2c23c22e759e7f4c84344ed4b8fb

Download Submit
\Windows\SysWOW64\Hadhjaaa.exe

Filesize
128KB

MD5
e12891a18849a9909a653dac59b27987

SHA1
a33a78cd33e1b9fa86e82b87bc1bf0e22d056c2c

SHA256
b0931d79f939b0efcb809b25e58eab32a42f59e5bd6c13b6df9b93ea8f1a1898

SHA512
a39db16a2925bd89b863ae56ae23af8223c972289c9fc2c83e3b41f7d5fafcc3a19f25a747b626b52beb09fe0f94089c0204d9403fcca15da82709d018f24352

Download Submit
\Windows\SysWOW64\Hjmmcgha.exe

Filesize
128KB

MD5
98e9921ad76b01cf172ef4f875d730ae

SHA1
beb6403717af179ee229de4ffa9d4ab8b716638c

SHA256
bc9c7f31f54a089e7fef82412e04de0114fdbdb70a502cb7d188ad78b295eb59

SHA512
73929638666d89e35e98028c3ee84cbac1954fddc3a9780d758b1955e8205c51bdd83db80141372c8f391e85a5ae96b2c7b01a0e87eda223c463558793b68337

Download Submit
\Windows\SysWOW64\Hlqfqo32.exe

Filesize
128KB

MD5
9a5f74a46c3501bb25ea29f45c8513fe

SHA1
e390ce3ce09ead8069c41d5fcc2d1a3bfa33f06f

SHA256
78b2eaad6ac88a1ad16922f119e2c343fb346c79dd4225c50305835cffba30e0

SHA512
bde661f0f7ccf4dae9c74c8f4a9712bdf9ff28ef6cf4d74e574837fc7fb3f9eb3d3b90770e31841006c2674f4d880dfa45938a650f9c78e0da3bb7134fbf2d3c

Download Submit
\Windows\SysWOW64\Hmpbja32.exe

Filesize
128KB

MD5
950ee30f6d56ff47dfd2c29388dfad69

SHA1
f16823fb4f6565300f4900c79c84b0b832e039e0

SHA256
be152c7dcb825961ad687ba03cb5c2298333c242adf9741c780e9223f7118cde

SHA512
c21d088b8d4893b8ab36225f0a51e6a10bbbdedbc6b842cd893b4975d8c7121f2ec89ae8cc344e55d91d7653ffad51a2d7d90877803d806fe2749ba530144f5b

Download Submit
\Windows\SysWOW64\Iboghh32.exe

Filesize
128KB

MD5
e16f78f924f896be7c1bfd9612ee7c7f

SHA1
3e5c83c45fd3cdf39b74abe37330e96f9e746c70

SHA256
7def798bb715833bc7a8c8cea0f56537ebaf8c9de168d44f5559432e7a6aefc7

SHA512
d5ebbdbb8af701498d2372120ea649e1c61a14bf2501797a98e508af74cc4c7fca4cd77098c7ea9a426735d4388f60a45f2060c02d79ac75e573929381045dc1

Download Submit
memory/560-231-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/560-233-0x0000000000450000-0x0000000000494000-memory.dmp

Filesize
272KB

Download
memory/800-182-0x0000000000270000-0x00000000002B4000-memory.dmp

Filesize
272KB

Download
memory/800-174-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/820-425-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-14-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-378-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/868-21-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/868-397-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1236-133-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/1236-120-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1236-132-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/1236-498-0x00000000002F0000-0x0000000000334000-memory.dmp

Filesize
272KB

Download
memory/1236-491-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1448-304-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1448-309-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1448-310-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1648-148-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1648-499-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1660-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-332-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1672-329-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1672-330-0x00000000002B0000-0x00000000002F4000-memory.dmp

Filesize
272KB

Download
memory/1736-319-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1736-320-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/1828-255-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1828-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1828-256-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/1848-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2024-286-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2024-287-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2024-292-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/2060-201-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2128-481-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2128-493-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2128-492-0x00000000002E0000-0x0000000000324000-memory.dmp

Filesize
272KB

Download
memory/2168-221-0x0000000000230000-0x0000000000274000-memory.dmp

Filesize
272KB

Download
memory/2168-215-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2180-468-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2180-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2240-293-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2240-295-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2240-299-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2276-366-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2276-11-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2276-365-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2276-13-0x00000000003A0000-0x00000000003E4000-memory.dmp

Filesize
272KB

Download
memory/2276-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2332-404-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2332-35-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/2336-353-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2336-344-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-352-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2524-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2524-451-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2572-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2572-244-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2572-245-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2608-416-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-265-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2624-266-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/2624-267-0x00000000004A0000-0x00000000004E4000-memory.dmp

Filesize
272KB

Download
memory/2640-409-0x0000000000300000-0x0000000000344000-memory.dmp

Filesize
272KB

Download
memory/2640-403-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-393-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2688-402-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2696-93-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2696-101-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2708-331-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-342-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2708-341-0x0000000000360000-0x00000000003A4000-memory.dmp

Filesize
272KB

Download
memory/2740-74-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2740-66-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2740-427-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-420-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2760-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2792-382-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2800-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2900-376-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2900-377-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2900-370-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2904-410-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2904-48-0x00000000001B0000-0x00000000001F4000-memory.dmp

Filesize
272KB

Download
memory/2920-364-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2920-363-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2920-354-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2972-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2972-441-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/2988-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3000-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-480-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3052-486-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/3060-277-0x0000000000220000-0x0000000000264000-memory.dmp

Filesize
272KB

Download
memory/3060-268-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads