ab7a516591579be49fe4bf16649aefbe5624cb80bbc4a9f416657a96e3ba4fbd

Analysis

max time kernel
34s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/09/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc005074c54e2edbf376ca394f954540N.exe
Size

404KB
MD5

bc005074c54e2edbf376ca394f954540
SHA1

28d1b277790ed45ec8b387f1308c3a25ce97d325
SHA256

ab7a516591579be49fe4bf16649aefbe5624cb80bbc4a9f416657a96e3ba4fbd
SHA512

96257620f6c92f13ccc9860503f0b855927939d452a9b39896211a5a08161c6b2128190feee86703fd5893af7b965be84b8dd2eae7ce7c5304c96391a3834350
SSDEEP

6144:Sojw+OSMENm+3Mpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836S5:2qwcMpV6yYP4rbpV6yYPg058KS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Celbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpabqoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddhekfeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phmfpddb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlhdjh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngbcldl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bc005074c54e2edbf376ca394f954540N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfppgohb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cligkdlm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfief32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcmabnhm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfppgohb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciebdj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkqpg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aijfihip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbpnlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmajdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cealdjcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bc005074c54e2edbf376ca394f954540N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbnfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmajdl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Phmfpddb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfimhmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Biceoj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chohqebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkpabqoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgnhhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pngbcldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbnfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Celbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfief32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcpoab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aijfihip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caccnllf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panehkaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dlkqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Panehkaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkplgoop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chohqebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pkplgoop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caccnllf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddhekfeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcpoab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgnhhq32.exe

Executes dropped EXE 35 IoCs

pid	Process
1724	Ocihgo32.exe
2348	Panehkaj.exe
2912	Pcmabnhm.exe
2988	Pngbcldl.exe
3004	Phmfpddb.exe
2672	Pkplgoop.exe
2232	Qfimhmlo.exe
2108	Qnpeijla.exe
2056	Aijfihip.exe
1072	Aioodg32.exe
1464	Afbpnlcd.exe
1968	Aokdga32.exe
2188	Aicipgqe.exe
2004	Akbelbpi.exe
2552	Bfppgohb.exe
304	Biceoj32.exe
3044	Ciebdj32.exe
1708	Cbnfmo32.exe
2448	Celbik32.exe
1532	Caccnllf.exe
1592	Cligkdlm.exe
1484	Cealdjcm.exe
1608	Chohqebq.exe
2124	Cdfief32.exe
2948	Dkpabqoa.exe
2936	Ddhekfeb.exe
3032	Dkbnhq32.exe
2700	Dmajdl32.exe
2716	Dbnblb32.exe
2848	Dcpoab32.exe
1088	Dijgnm32.exe
2428	Dlhdjh32.exe
436	Dgnhhq32.exe
2876	Dlkqpg32.exe
2128	Eceimadb.exe

Loads dropped DLL 64 IoCs

pid	Process
2300	bc005074c54e2edbf376ca394f954540N.exe
2300	bc005074c54e2edbf376ca394f954540N.exe
1724	Ocihgo32.exe
1724	Ocihgo32.exe
2348	Panehkaj.exe
2348	Panehkaj.exe
2912	Pcmabnhm.exe
2912	Pcmabnhm.exe
2988	Pngbcldl.exe
2988	Pngbcldl.exe
3004	Phmfpddb.exe
3004	Phmfpddb.exe
2672	Pkplgoop.exe
2672	Pkplgoop.exe
2232	Qfimhmlo.exe
2232	Qfimhmlo.exe
2108	Qnpeijla.exe
2108	Qnpeijla.exe
2056	Aijfihip.exe
2056	Aijfihip.exe
1072	Aioodg32.exe
1072	Aioodg32.exe
1464	Afbpnlcd.exe
1464	Afbpnlcd.exe
1968	Aokdga32.exe
1968	Aokdga32.exe
2188	Aicipgqe.exe
2188	Aicipgqe.exe
2004	Akbelbpi.exe
2004	Akbelbpi.exe
2552	Bfppgohb.exe
2552	Bfppgohb.exe
304	Biceoj32.exe
304	Biceoj32.exe
3044	Ciebdj32.exe
3044	Ciebdj32.exe
1708	Cbnfmo32.exe
1708	Cbnfmo32.exe
2448	Celbik32.exe
2448	Celbik32.exe
1532	Caccnllf.exe
1532	Caccnllf.exe
1592	Cligkdlm.exe
1592	Cligkdlm.exe
1484	Cealdjcm.exe
1484	Cealdjcm.exe
1608	Chohqebq.exe
1608	Chohqebq.exe
2124	Cdfief32.exe
2124	Cdfief32.exe
2948	Dkpabqoa.exe
2948	Dkpabqoa.exe
2936	Ddhekfeb.exe
2936	Ddhekfeb.exe
3032	Dkbnhq32.exe
3032	Dkbnhq32.exe
2700	Dmajdl32.exe
2700	Dmajdl32.exe
2716	Dbnblb32.exe
2716	Dbnblb32.exe
2848	Dcpoab32.exe
2848	Dcpoab32.exe
1088	Dijgnm32.exe
1088	Dijgnm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Phmfpddb.exe	Pngbcldl.exe
File created	C:\Windows\SysWOW64\Eddmalde.dll	Dcpoab32.exe
File created	C:\Windows\SysWOW64\Dgnhhq32.exe	Dlhdjh32.exe
File created	C:\Windows\SysWOW64\Qnpeijla.exe	Qfimhmlo.exe
File opened for modification	C:\Windows\SysWOW64\Celbik32.exe	Cbnfmo32.exe
File created	C:\Windows\SysWOW64\Chohqebq.exe	Cealdjcm.exe
File created	C:\Windows\SysWOW64\Iifedg32.dll	bc005074c54e2edbf376ca394f954540N.exe
File created	C:\Windows\SysWOW64\Adaflhhb.dll	Dlhdjh32.exe
File opened for modification	C:\Windows\SysWOW64\Dlkqpg32.exe	Dgnhhq32.exe
File created	C:\Windows\SysWOW64\Glkimi32.dll	Afbpnlcd.exe
File created	C:\Windows\SysWOW64\Bfppgohb.exe	Akbelbpi.exe
File opened for modification	C:\Windows\SysWOW64\Dijgnm32.exe	Dcpoab32.exe
File created	C:\Windows\SysWOW64\Biepbeqa.dll	Qfimhmlo.exe
File opened for modification	C:\Windows\SysWOW64\Aioodg32.exe	Aijfihip.exe
File opened for modification	C:\Windows\SysWOW64\Dlhdjh32.exe	Dijgnm32.exe
File opened for modification	C:\Windows\SysWOW64\Ddhekfeb.exe	Dkpabqoa.exe
File created	C:\Windows\SysWOW64\Cdmbfk32.dll	Ddhekfeb.exe
File opened for modification	C:\Windows\SysWOW64\Aokdga32.exe	Afbpnlcd.exe
File created	C:\Windows\SysWOW64\Inceepmo.dll	Aokdga32.exe
File opened for modification	C:\Windows\SysWOW64\Akbelbpi.exe	Aicipgqe.exe
File created	C:\Windows\SysWOW64\Ddhekfeb.exe	Dkpabqoa.exe
File created	C:\Windows\SysWOW64\Dlhlca32.dll	Dbnblb32.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Dlkqpg32.exe
File created	C:\Windows\SysWOW64\Anhaglgp.dll	Aioodg32.exe
File created	C:\Windows\SysWOW64\Ppldje32.dll	Cealdjcm.exe
File created	C:\Windows\SysWOW64\Cdfief32.exe	Chohqebq.exe
File opened for modification	C:\Windows\SysWOW64\Caccnllf.exe	Celbik32.exe
File created	C:\Windows\SysWOW64\Cligkdlm.exe	Caccnllf.exe
File created	C:\Windows\SysWOW64\Ngcjbg32.dll	Caccnllf.exe
File created	C:\Windows\SysWOW64\Aijfihip.exe	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Akbelbpi.exe	Aicipgqe.exe
File created	C:\Windows\SysWOW64\Hhedee32.dll	Akbelbpi.exe
File created	C:\Windows\SysWOW64\Hhdkchcn.dll	Chohqebq.exe
File created	C:\Windows\SysWOW64\Dcpoab32.exe	Dbnblb32.exe
File opened for modification	C:\Windows\SysWOW64\Aijfihip.exe	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Celbik32.exe	Cbnfmo32.exe
File created	C:\Windows\SysWOW64\Caccnllf.exe	Celbik32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfief32.exe	Chohqebq.exe
File opened for modification	C:\Windows\SysWOW64\Dbnblb32.exe	Dmajdl32.exe
File created	C:\Windows\SysWOW64\Fhgmpohp.dll	Pcmabnhm.exe
File created	C:\Windows\SysWOW64\Pkplgoop.exe	Phmfpddb.exe
File created	C:\Windows\SysWOW64\Maneecda.dll	Phmfpddb.exe
File created	C:\Windows\SysWOW64\Qfimhmlo.exe	Pkplgoop.exe
File created	C:\Windows\SysWOW64\Lgnabh32.dll	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Cfjjhnge.dll	Qnpeijla.exe
File opened for modification	C:\Windows\SysWOW64\Aicipgqe.exe	Aokdga32.exe
File created	C:\Windows\SysWOW64\Dkpabqoa.exe	Cdfief32.exe
File created	C:\Windows\SysWOW64\Dmajdl32.exe	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Cbnfmo32.exe	Ciebdj32.exe
File opened for modification	C:\Windows\SysWOW64\Cbnfmo32.exe	Ciebdj32.exe
File created	C:\Windows\SysWOW64\Ocihgo32.exe	bc005074c54e2edbf376ca394f954540N.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Aijfihip.exe
File created	C:\Windows\SysWOW64\Apfamf32.dll	Aijfihip.exe
File opened for modification	C:\Windows\SysWOW64\Pcmabnhm.exe	Panehkaj.exe
File created	C:\Windows\SysWOW64\Dkbnhq32.exe	Ddhekfeb.exe
File created	C:\Windows\SysWOW64\Ecagpdpe.dll	Dmajdl32.exe
File opened for modification	C:\Windows\SysWOW64\Panehkaj.exe	Ocihgo32.exe
File opened for modification	C:\Windows\SysWOW64\Qnpeijla.exe	Qfimhmlo.exe
File opened for modification	C:\Windows\SysWOW64\Dmajdl32.exe	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Ciebdj32.exe	Biceoj32.exe
File created	C:\Windows\SysWOW64\Gkldecjp.dll	Celbik32.exe
File created	C:\Windows\SysWOW64\Cifoem32.dll	Dgnhhq32.exe
File opened for modification	C:\Windows\SysWOW64\Qfimhmlo.exe	Pkplgoop.exe
File opened for modification	C:\Windows\SysWOW64\Dgnhhq32.exe	Dlhdjh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2140	2128	WerFault.exe	64

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhekfeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbnhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcpoab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Celbik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caccnllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijfihip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlhdjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phmfpddb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbpnlcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cealdjcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfief32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfimhmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chohqebq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Panehkaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dijgnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akbelbpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biceoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciebdj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbnfmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cligkdlm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnpeijla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aokdga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicipgqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpabqoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbnblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngbcldl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkplgoop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmajdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgnhhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlkqpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc005074c54e2edbf376ca394f954540N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcmabnhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfppgohb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmajdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dbnblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chohqebq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Panehkaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgmpohp.dll"	Pcmabnhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdkchcn.dll"	Chohqebq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqgpc32.dll"	Cdfief32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlhdjh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Panehkaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cealdjcm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bc005074c54e2edbf376ca394f954540N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbbbhigf.dll"	Ciebdj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbnfmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caccnllf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppldje32.dll"	Cealdjcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll"	Aijfihip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddhekfeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkcpmmb.dll"	Panehkaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhedee32.dll"	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eobjmken.dll"	Bfppgohb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakhmhh.dll"	Biceoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlkqpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeahj32.dll"	Pkplgoop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbpkc32.dll"	Dijgnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Phmfpddb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bc005074c54e2edbf376ca394f954540N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifoem32.dll"	Dgnhhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	bc005074c54e2edbf376ca394f954540N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Biceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhlca32.dll"	Dbnblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifedg32.dll"	bc005074c54e2edbf376ca394f954540N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adaflhhb.dll"	Dlhdjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepbeqa.dll"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Dlkqpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Biceoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einkkn32.dll"	Pngbcldl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkldecjp.dll"	Celbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnabh32.dll"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddmalde.dll"	Dcpoab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dcpoab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dijgnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnpeijla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cligkdlm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcpoab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagof32.dll"	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Celbik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmajdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aokdga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pkplgoop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciebdj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1724	2300	bc005074c54e2edbf376ca394f954540N.exe	30
PID 2300 wrote to memory of 1724	2300	bc005074c54e2edbf376ca394f954540N.exe	30
PID 2300 wrote to memory of 1724	2300	bc005074c54e2edbf376ca394f954540N.exe	30
PID 2300 wrote to memory of 1724	2300	bc005074c54e2edbf376ca394f954540N.exe	30
PID 1724 wrote to memory of 2348	1724	Ocihgo32.exe	31
PID 1724 wrote to memory of 2348	1724	Ocihgo32.exe	31
PID 1724 wrote to memory of 2348	1724	Ocihgo32.exe	31
PID 1724 wrote to memory of 2348	1724	Ocihgo32.exe	31
PID 2348 wrote to memory of 2912	2348	Panehkaj.exe	32
PID 2348 wrote to memory of 2912	2348	Panehkaj.exe	32
PID 2348 wrote to memory of 2912	2348	Panehkaj.exe	32
PID 2348 wrote to memory of 2912	2348	Panehkaj.exe	32
PID 2912 wrote to memory of 2988	2912	Pcmabnhm.exe	33
PID 2912 wrote to memory of 2988	2912	Pcmabnhm.exe	33
PID 2912 wrote to memory of 2988	2912	Pcmabnhm.exe	33
PID 2912 wrote to memory of 2988	2912	Pcmabnhm.exe	33
PID 2988 wrote to memory of 3004	2988	Pngbcldl.exe	34
PID 2988 wrote to memory of 3004	2988	Pngbcldl.exe	34
PID 2988 wrote to memory of 3004	2988	Pngbcldl.exe	34
PID 2988 wrote to memory of 3004	2988	Pngbcldl.exe	34
PID 3004 wrote to memory of 2672	3004	Phmfpddb.exe	35
PID 3004 wrote to memory of 2672	3004	Phmfpddb.exe	35
PID 3004 wrote to memory of 2672	3004	Phmfpddb.exe	35
PID 3004 wrote to memory of 2672	3004	Phmfpddb.exe	35
PID 2672 wrote to memory of 2232	2672	Pkplgoop.exe	36
PID 2672 wrote to memory of 2232	2672	Pkplgoop.exe	36
PID 2672 wrote to memory of 2232	2672	Pkplgoop.exe	36
PID 2672 wrote to memory of 2232	2672	Pkplgoop.exe	36
PID 2232 wrote to memory of 2108	2232	Qfimhmlo.exe	37
PID 2232 wrote to memory of 2108	2232	Qfimhmlo.exe	37
PID 2232 wrote to memory of 2108	2232	Qfimhmlo.exe	37
PID 2232 wrote to memory of 2108	2232	Qfimhmlo.exe	37
PID 2108 wrote to memory of 2056	2108	Qnpeijla.exe	38
PID 2108 wrote to memory of 2056	2108	Qnpeijla.exe	38
PID 2108 wrote to memory of 2056	2108	Qnpeijla.exe	38
PID 2108 wrote to memory of 2056	2108	Qnpeijla.exe	38
PID 2056 wrote to memory of 1072	2056	Aijfihip.exe	39
PID 2056 wrote to memory of 1072	2056	Aijfihip.exe	39
PID 2056 wrote to memory of 1072	2056	Aijfihip.exe	39
PID 2056 wrote to memory of 1072	2056	Aijfihip.exe	39
PID 1072 wrote to memory of 1464	1072	Aioodg32.exe	40
PID 1072 wrote to memory of 1464	1072	Aioodg32.exe	40
PID 1072 wrote to memory of 1464	1072	Aioodg32.exe	40
PID 1072 wrote to memory of 1464	1072	Aioodg32.exe	40
PID 1464 wrote to memory of 1968	1464	Afbpnlcd.exe	41
PID 1464 wrote to memory of 1968	1464	Afbpnlcd.exe	41
PID 1464 wrote to memory of 1968	1464	Afbpnlcd.exe	41
PID 1464 wrote to memory of 1968	1464	Afbpnlcd.exe	41
PID 1968 wrote to memory of 2188	1968	Aokdga32.exe	42
PID 1968 wrote to memory of 2188	1968	Aokdga32.exe	42
PID 1968 wrote to memory of 2188	1968	Aokdga32.exe	42
PID 1968 wrote to memory of 2188	1968	Aokdga32.exe	42
PID 2188 wrote to memory of 2004	2188	Aicipgqe.exe	43
PID 2188 wrote to memory of 2004	2188	Aicipgqe.exe	43
PID 2188 wrote to memory of 2004	2188	Aicipgqe.exe	43
PID 2188 wrote to memory of 2004	2188	Aicipgqe.exe	43
PID 2004 wrote to memory of 2552	2004	Akbelbpi.exe	44
PID 2004 wrote to memory of 2552	2004	Akbelbpi.exe	44
PID 2004 wrote to memory of 2552	2004	Akbelbpi.exe	44
PID 2004 wrote to memory of 2552	2004	Akbelbpi.exe	44
PID 2552 wrote to memory of 304	2552	Bfppgohb.exe	45
PID 2552 wrote to memory of 304	2552	Bfppgohb.exe	45
PID 2552 wrote to memory of 304	2552	Bfppgohb.exe	45
PID 2552 wrote to memory of 304	2552	Bfppgohb.exe	45

C:\Users\Admin\AppData\Local\Temp\bc005074c54e2edbf376ca394f954540N.exe
"C:\Users\Admin\AppData\Local\Temp\bc005074c54e2edbf376ca394f954540N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\Ocihgo32.exe
  C:\Windows\system32\Ocihgo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\Panehkaj.exe
    C:\Windows\system32\Panehkaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\SysWOW64\Pcmabnhm.exe
      C:\Windows\system32\Pcmabnhm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\Pngbcldl.exe
        
        C:\Windows\system32\Pngbcldl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\Phmfpddb.exe
        
        C:\Windows\system32\Phmfpddb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Pkplgoop.exe
        
        C:\Windows\system32\Pkplgoop.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Qfimhmlo.exe
        
        C:\Windows\system32\Qfimhmlo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Qnpeijla.exe
        
        C:\Windows\system32\Qnpeijla.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Aijfihip.exe
        
        C:\Windows\system32\Aijfihip.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Aioodg32.exe
        
        C:\Windows\system32\Aioodg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Afbpnlcd.exe
        
        C:\Windows\system32\Afbpnlcd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1464
        
        C:\Windows\SysWOW64\Aokdga32.exe
        
        C:\Windows\system32\Aokdga32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Aicipgqe.exe
        
        C:\Windows\system32\Aicipgqe.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Akbelbpi.exe
        
        C:\Windows\system32\Akbelbpi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Bfppgohb.exe
        
        C:\Windows\system32\Bfppgohb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Biceoj32.exe
        
        C:\Windows\system32\Biceoj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:304
        
        C:\Windows\SysWOW64\Ciebdj32.exe
        
        C:\Windows\system32\Ciebdj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Cbnfmo32.exe
        
        C:\Windows\system32\Cbnfmo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Celbik32.exe
        
        C:\Windows\system32\Celbik32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Caccnllf.exe
        
        C:\Windows\system32\Caccnllf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cligkdlm.exe
        
        C:\Windows\system32\Cligkdlm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Cealdjcm.exe
        
        C:\Windows\system32\Cealdjcm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Chohqebq.exe
        
        C:\Windows\system32\Chohqebq.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Cdfief32.exe
        
        C:\Windows\system32\Cdfief32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Dkpabqoa.exe
        
        C:\Windows\system32\Dkpabqoa.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Ddhekfeb.exe
        
        C:\Windows\system32\Ddhekfeb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Dkbnhq32.exe
        
        C:\Windows\system32\Dkbnhq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Dmajdl32.exe
        
        C:\Windows\system32\Dmajdl32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Dbnblb32.exe
        
        C:\Windows\system32\Dbnblb32.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Dcpoab32.exe
        
        C:\Windows\system32\Dcpoab32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Dijgnm32.exe
        
        C:\Windows\system32\Dijgnm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Dlhdjh32.exe
        
        C:\Windows\system32\Dlhdjh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Dgnhhq32.exe
        
        C:\Windows\system32\Dgnhhq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Dlkqpg32.exe
        
        C:\Windows\system32\Dlkqpg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 140
        37⤵
        Program crash
        
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afbpnlcd.exe

Filesize
404KB

MD5
28042d4daed003f2e602d3a3e201953c

SHA1
52557999b9c28f0a8dc9e9ad57c1ade190c346b5

SHA256
2e92a9a8b6cd98febbf0a7f682b4a8ed6313bf518df9137c034c53b8c009607a

SHA512
f85de9e96c8ec1ea06a6a94c588ceec9fff88013d00bb47350ff47529181bf0c77273345d61b857c54613a1cf11077f779a0292d6e79125164c33437af6c2b6b

Download Submit
C:\Windows\SysWOW64\Aicipgqe.exe

Filesize
404KB

MD5
db38a3cb292b6f13d09d22eb6c1d4114

SHA1
2fb6f8d43c3246e1f7558c31527a66e441e7320c

SHA256
5a990e8e540a9544d57bd1f643d664050995d7b7f25ef242745013ad7d0dff99

SHA512
028e95a7d8681f0f6c86fe56dff1f0bdb9c52e10edada94bae3cfbf6b956c352bf458c39ded41c85f74e35513898b9312589642e21c565a6f785b3290aff13f4

Download Submit
C:\Windows\SysWOW64\Aokdga32.exe

Filesize
404KB

MD5
fce534f81369420c2af89044841c5db8

SHA1
bb35fbd43d047e4007dd44a2e25bd87e851da37c

SHA256
330426ec36e3f5a3ac42687a035f6381a7dd10d9c85f489b2bdb7addc7f5f134

SHA512
6ea48accc800ff8753a2b58280a5dd84a9b9e39a7c5f655c829ee5f72a03a1bb18b661a2292d312bf98671a90af288b6b51ec86d25da60efcdfa0e2ccc683428

Download Submit
C:\Windows\SysWOW64\Caccnllf.exe

Filesize
404KB

MD5
cfc1d2fc628128e4c926addcd0d174e1

SHA1
f5fc2b8c32d6ee9fe241c3e68938063e9e494419

SHA256
62c979cb0dabea3896ac0e4f99608e74c1b0a806b24f6140f30839a1d6a36581

SHA512
6175470c0174a61fe3b8f163ceacdcdf4f475e0d75d6f3d7e766314e4bab31644bb4d5dae6f970566d6b9b07d6c234b90a8053e2faa877c8d6c8c92533548378

Download Submit
C:\Windows\SysWOW64\Cbnfmo32.exe

Filesize
404KB

MD5
86ae5fdc8f3c7c06a9e1bd710219fc07

SHA1
77b6c4ff9cb894f83ce635310e63f67da649a5a2

SHA256
732bde9d04427c6fc036c215bf79b0d8ac4911462d5efea1385362a3e7a67a2d

SHA512
c23c198bebc71a9320a50f004fee615b8766f865545680ec3832674f912668091edcb313fd828fbba53d6fe5c0689942bb08bbdd153f42ffb68e45a1baacba00

Download Submit
C:\Windows\SysWOW64\Cdfief32.exe

Filesize
404KB

MD5
2dc9217864e6190283ad1714088c70c0

SHA1
be0ddb00aa1c0ca4807eb4cd0850cb64e9305805

SHA256
ab08ed02953929db1fb5c31c6c2dd233a0566e695f6e39192b476de454060eca

SHA512
fa335c526e47bbaf44af164af531198040d6ccfa612fb4f1d18f2f9d8c335e5ee37b939b1628498c4ed4ad2429635b2b7385ff6e8e13ab0033ad5dd9719dd3dd

Download Submit
C:\Windows\SysWOW64\Cealdjcm.exe

Filesize
404KB

MD5
f51af64bbbecf2147ab534c30df14bde

SHA1
77e66d1ad22a1a11399490689498ee599d377a39

SHA256
bf06e73a04445197a44f16474100f81f11d1530f62325bd6c969f96784d3648e

SHA512
cb49c559f19e8d80c401b0a907a055253a866026dcf2dc20bed9311b0c3f1e60ab7408e685efdba1decbabcbe5fec7ac18181f6b1b31e6de38d46b760c7ebf43

Download Submit
C:\Windows\SysWOW64\Celbik32.exe

Filesize
404KB

MD5
713fb7244a37b137de16716841f85b6a

SHA1
ba261abc3efd50bd08f02c7b0814e4f98a310b5a

SHA256
a320729e6dabf99f83a0d518b9b2443455f1fff902b38025e76694fc7ce098e1

SHA512
c7f62bb7da55bd046be4b7ec95048313ad1ef546df199dae91886aa3f0f552da31bf76bb7b2ae8d1cad7dfa1ff108e00bf64660846999dfd46afb247286633b8

Download Submit
C:\Windows\SysWOW64\Chohqebq.exe

Filesize
404KB

MD5
eb8b67b3abf24cfe384cfa69511be9fd

SHA1
5b0a67ca9938ebaa06e286300b8d2f19866f8d85

SHA256
44f574f0116618d1507fb54f7db1274eefc82f9862c86de57261270fd859c6c6

SHA512
f405000704b73333078ed87221c4c06933fe626f6076bc796d3295364af8bf770cea0a5dedc2f7262fc8182caab003064513673db2ed7a817023cbcb8b9aa5a2

Download Submit
C:\Windows\SysWOW64\Ciebdj32.exe

Filesize
404KB

MD5
fb1a87a7372cff7b3d1cf36d5f42d51f

SHA1
60891f130c5da4fe177237d0d1a1cd14a4183dd6

SHA256
0377b6f40828408f63898d3fdbe4afbb36658bc483ae5b63292276eb8aa922fe

SHA512
d2a3629d4173f3dc05522813df0e8cd427d4c018e456ab73569d6b451547f6b8e94ddf04ed5f8902e3875a929a63abf0a0ba4bfba5f78c17fe998828b00cf63c

Download Submit
C:\Windows\SysWOW64\Cligkdlm.exe

Filesize
404KB

MD5
9cbc3e0846c56622968593c70e307634

SHA1
444c0293f63db92b6f5089b29bf75f5d72180b28

SHA256
f15fa82d47d9ffbf8113f5bd9699bb2988bffbc70d9bf7977c9e835bd0dfd61f

SHA512
254f8d5106433a63b7464df1c7d8f3cafb1d70be60b43194933997e52419925828b818e90193831c37f6c2bb61343dd56efff4f6d2e0434a663925213cc43354

Download Submit
C:\Windows\SysWOW64\Dbnblb32.exe

Filesize
404KB

MD5
6d034b22848cbe1a0d8586d053f27910

SHA1
6034f6dace852f06a32eacfdf311cf0e048b44d8

SHA256
27a0811cebb65916689dd9d1702a819f8c51f3227877655909651f0e94a667d0

SHA512
229bf0d835654a609eac9bc58010b6e4d8768d8247eb59f0e2f00b035e4683366655b14bbc5f01cd89e6b66eabdd74594002defbef6c414f9960d0d0bfd99d0b

Download Submit
C:\Windows\SysWOW64\Dcpoab32.exe

Filesize
404KB

MD5
7daef5e82929f123d4a3245bcbf958c1

SHA1
9efd9863f1cafa904fdc8eab2dc7d169f615a348

SHA256
6aa43408d1ea5d00dd16105e6fffb4a4a46622e7cf3a9a0bb7ec5bbd0ca44b52

SHA512
d654bbb49fd0ba6fe0141b41e6b64e0cbcbf90d47517c4c3cb5bbaa7e7ec83b3dc7c5332fec414adeadf296c407d66cb66532213d147cd410f5814cf4a336fde

Download Submit
C:\Windows\SysWOW64\Ddhekfeb.exe

Filesize
404KB

MD5
d70e48ee6d6251b9527179cc840e4df2

SHA1
69936415aaf796253ee6b10d6b300be878cdb343

SHA256
7009acf0864360b551a4072549d592d54c95796f238cc925e8f63ed6abbebff0

SHA512
fcbb02d11d2165723f2473b2c70dcc787514a77c86971e9b630ae14a2b263ff9047d377f164e2471547dd8d4a3caad122505e12b240893d42093ec6aaa16fcc1

Download Submit
C:\Windows\SysWOW64\Dgnhhq32.exe

Filesize
404KB

MD5
b141d714ebe6af1feb0d73a9973cc7d1

SHA1
88155aef28d58da44cb6ef3203226476b4c53316

SHA256
cd8c021426291410781d5194d8885589997eac87ced6b19ab61e840b2ccbdce9

SHA512
d89610fc6b34f25a2a3a974035a591986bfc81814b6629ebdb5be1605674be0b09029b1fda52b94566f388245df9adebca5a9522ae69dae61d2a484a564fbb38

Download Submit
C:\Windows\SysWOW64\Dijgnm32.exe

Filesize
404KB

MD5
e7716ff0844f89d1d1c81647269492ff

SHA1
f15bc37dac71876481fe4d37ca8167291722d4bd

SHA256
8f4f9c8886c5ee832ca75dee63563a94427866cd6df236837858300049df829e

SHA512
8c579071adc805cd0bc705fc8286d2de0e864b8b673220ef32d499ee4c24568c6016500ad0f26ee22fe7752db63a344c73e51dadd15ec01bf5e5209acaf1c3ac

Download Submit
C:\Windows\SysWOW64\Dkbnhq32.exe

Filesize
404KB

MD5
1e75477088b8229623e66a82b8ff6f42

SHA1
aa26acd54d0657a7c7776eebbed908b367afdba6

SHA256
4151a994c361d114a1af5f41dbfa124a34e2067637784def57413f99eb2e16ff

SHA512
e44107886625b185b659bf5fd2213df88d189ddc9834a38e6205a0bf9c98dc7647a81746a0214a73639b920d119bbb738727de6f245cbefc0e908a04b3300d6c

Download Submit
C:\Windows\SysWOW64\Dkpabqoa.exe

Filesize
404KB

MD5
d58347493377e8f932112d54c243c1af

SHA1
7b8bebb703ff0e5dddf5e2eab3adcbbc68985ce0

SHA256
933c7dfa3b2b197b8cc86c6ff6873c7599745a2ce70e76abe4df3de07dbc57f8

SHA512
b6fe3aeeabb512f7094c9cd7e88ff5448854d5727f91b47f352b10b0c02c529364d6990e91c069bc9deaa2c0cfcbcd79800767c6bdffaf6e74d0449e0168eb77

Download Submit
C:\Windows\SysWOW64\Dlhdjh32.exe

Filesize
404KB

MD5
49d4e4b6dacb3c6986b91bf80653b3ff

SHA1
8ec3a73b32ab24339be48445ddfa49e619f38c8b

SHA256
cf97d8e3bceb622dad3e98e7be97949893dbcba443c43ddfac6f923a80dacc8e

SHA512
e9e8af709ef35c3e6c264eb02ed7f149a1c5574e69960677417349b0d7120c850a2136338b4e64f94804262c5c4874022810712d99c283ab02eeace980c8e139

Download Submit
C:\Windows\SysWOW64\Dlkqpg32.exe

Filesize
404KB

MD5
aca9d343417daa83d11b237226962101

SHA1
3e30010023f4512267e2c574cbf2821c506fd5a7

SHA256
417254664fc2876a7d02a664ccfcd246bff346daac4aa2478f7cfc71b35158a6

SHA512
751e0f9c89a76e67bbae7f5953b6e58e90abff38c0d583537c74adba94875a0d7268632cfef525d4cbf5aff488858e536fff1dba04cf8f516be811487fbb08b0

Download Submit
C:\Windows\SysWOW64\Dmajdl32.exe

Filesize
404KB

MD5
b0ddb99febc6a2f47bf57f4f6ed0470f

SHA1
496c6cd95f0bcd2caee48aebe45dfa89e2fef912

SHA256
e2a67b09fd989dfa85eec2aff9bfe2717e7a20745300d7b0b27a8b36245d61fe

SHA512
9671d0e3d9146a80b0dc7b59cb1fa9501abda0246ebf0b2b5dc9f086efe35a36623a9b8f2d4fcd01fe66871d90147b326394d5735f41d5810356a73f8ad08ff0

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
404KB

MD5
3c5abdf26084bd63ac4cb1f2c4fcdf2b

SHA1
de8f0cc708f41ff607926847a9be0b5d6537db15

SHA256
7fc7604ddf45de1a4f8c236aee1f0662c76185209f6f69105bcce5a2081503e5

SHA512
126cfe877f7017be7f8aa095cc5804d677d99dfd914fb1bd6802d947ed8ca7bcbc433ad1b0e814b9aa3cb2ebb6563847a88fe310ceb13e6fa039005a5b5fba8a

Download Submit
C:\Windows\SysWOW64\Einkkn32.dll

Filesize
7KB

MD5
25d066dacc357f393a53878cddf1c6fc

SHA1
476da4118ef202f562ffcb55648750738d7ded4b

SHA256
85b8df2c28d201af5fda053220022232a1b21ca18a4614c2a4525c3e00efabf0

SHA512
f9ffa8064e592232cc294ce3b74941a3644244b2787e318a78405d3281a5a44145babf564d472b19023d57cdec2a66815dbe0c9c5d0cd46d95e4300a6e953a68

Download Submit
C:\Windows\SysWOW64\Panehkaj.exe

Filesize
404KB

MD5
43f773e2c5cea1ac221da85fb8220577

SHA1
561bdec713061753a41efffe3d285c2dcdb552d8

SHA256
bcd45ecd7ac43ab113f0f44b31476353e564ea05f368308007db1f0238887161

SHA512
2e0e68e6c06aa19889138109226f4af029b7153ccdbe8475730a44bda8625e605728f7ddc2b25baafd0de0c75cfff38f85a617f06162c97df0032fb1a872e5d2

Download Submit
C:\Windows\SysWOW64\Pcmabnhm.exe

Filesize
404KB

MD5
2a9da2ac6eda951fdabdbd79d60f1d3c

SHA1
f18681c5af79cef42b6ed4236450ac60abbf64c8

SHA256
79550ac227f78a40f46031b0a4287bb4253142d110e328f41a8d3b8a7c12f7f3

SHA512
0872a439160fe806fb49d883a437fc8968c7c1c735e6e3da720cb578fe56cf1f68ccb26ad9d6ce90b12d8ea7965c0313c6448982bf575f22ee68706dc83bcea9

Download Submit
C:\Windows\SysWOW64\Qfimhmlo.exe

Filesize
404KB

MD5
aa2fdfd14a3c395dde134ba3cffc925a

SHA1
16c1703db43f9b428645f2cbe955a50b51d5bf8c

SHA256
bd013eed10e11987740979e0a5f533445519369af7ca3af725b66bdb21b428da

SHA512
18a09beed837d3e84c2696e646a1db427526b357039f565c766a88fb0413509f461cb0eaaac670648310ac9f32be2957e8e5e6a70d9ad15202f5898a964c0b1d

Download Submit
\Windows\SysWOW64\Aijfihip.exe

Filesize
404KB

MD5
e8f959eb69a54bdd55b90054fab1cc6e

SHA1
745bb1ec5da4e518df8c0d613397fd7c876bcd1a

SHA256
ebdd383da0579f5f2acd44788af38ad2065063026abe7d2c26784f89466e016c

SHA512
ec79ade7d9655344a24841ad55801cc2e8b54024103358d50dd560721ff277717ff2f88e3b0aebcf2dabdf4022108775d21001c1848e4c729cee1971716c83e1

Download Submit
\Windows\SysWOW64\Aioodg32.exe

Filesize
404KB

MD5
687fe7f177c42ba2fe99c96659566a5e

SHA1
aeb115022e6c201d8b211210e23fe4145f5bece4

SHA256
e1944c4baf9d8a958154b360444a277d383ec6028134f0990a305450894acde7

SHA512
8e313f793bcf7a2e7f654492e7885b4072f2c3e8c2e914ee1a8e73b8582a5ddf5927b44b844cfcb73047b037f2a97d09cd9681db813daba71a4c22a8f27887dd

Download Submit
\Windows\SysWOW64\Akbelbpi.exe

Filesize
404KB

MD5
9fa4eefd3d758dc48a57189090fa38fb

SHA1
f368ebb007e284270e67a230084ce7922e138b6a

SHA256
3a40414d18adba0c252b2f6f2a85f918a03d5f5498cc1d8cc25f501c69c0baa0

SHA512
7cd695839071ab8c6c95538c51359f75c4e208a2c0335a66e3bab52c0056ad345f2150ddbc6a5f5ce7af4458c3612741e4ec269d4f001b614e0a30f3cb0cea79

Download Submit
\Windows\SysWOW64\Bfppgohb.exe

Filesize
404KB

MD5
75bc70a08a16a069cf587d932ea35afe

SHA1
1dc73013dbd2921c8f9c45f311ba54d54caa0fc3

SHA256
8584af0804ddb165a0105acee462abcffe8b1abf7e685a5db23f19cd5b2f35b6

SHA512
8fcf4f3f0c2ef1074722eec20cfcf184972e761618c71484f1857941d764d2f67cdee8a708522bfcae431cb44fa561981dddec0cc1674cfb93315d2825458d46

Download Submit
\Windows\SysWOW64\Biceoj32.exe

Filesize
404KB

MD5
1a146c8e09d4d37ce1b2f2c162ecfc48

SHA1
c8cad41b048c60dc94b9c42fb3c7dd5e677f2d90

SHA256
c7bed481775cf8e8cfd1f57e0777612d4fd9f686320f3023f4532922c12b9782

SHA512
22bf6efca52e43b4b1ca853412055644086ce8d2f5bc3a3dfaa3ecd8372c3107ab8d4c7bc290782d3c95b4c07a28c5a8f45d6671984a33119ce9861a36da909e

Download Submit
\Windows\SysWOW64\Ocihgo32.exe

Filesize
404KB

MD5
7b32702c6c684ed531296c89be7ee57e

SHA1
97d5479cab24f98cd2f87aa9477a4443a9c042bd

SHA256
61eda4995f635497689b1452d9ea3ae53f502251553b5005951663541333bbad

SHA512
38de1a5ecf351e7e4bf2ad68869c80cd8c8c3f70e0866ef7796a093360d7587cebf62513c39fe7b1ea6f0266e3a3d9075efebd1c2dd410b4b4f3beb2c14238eb

Download Submit
\Windows\SysWOW64\Phmfpddb.exe

Filesize
404KB

MD5
d55906603d3314bdaf25ff03865624e7

SHA1
a790319acc0765964109e7a1480bead847e07b5c

SHA256
7a28a4651bd2fdaf3e93ee2d4e013d30c151c98a6a6cdea2fd94efdec760445a

SHA512
a9317c14b7120a35c676cf29c670cb7a8d300bd7bf9e3e9371490677fecc12cee6f1d0dd5e03104f2a9de6f431da3e8d68eb83fba4ee0d0a08661818e2370485

Download Submit
\Windows\SysWOW64\Pkplgoop.exe

Filesize
404KB

MD5
0736ec002f23a072c41c07232a87201f

SHA1
4e14e5fc9f5a96f276db4f678d9f5fd343fa7343

SHA256
b4377fe0de9671d5252851f0c3c4151accb7b51d00d896aa9bd4d6bff4d27b26

SHA512
c15f76774c48ffd9cbf7a5576c64504c22a76f3a70f139e73958b300effe5dd7c938974e87e7ba7c9d2cf4a824767653dcccb4b0fd54c5e1c50971a78d4756c9

Download Submit
\Windows\SysWOW64\Pngbcldl.exe

Filesize
404KB

MD5
9eac6e6ed6a4bd1af9dedf83c381db26

SHA1
c9d4e95b2a79bb226ee449cd71f054de27b26865

SHA256
cf00fc0bb59ae6ff0869e5898774360024380a12612538ee9c142f6bfec7ba9f

SHA512
9237d5cd9eaf5ea390ea46e60098263b34cd8009db0044cc3d5a670641fc79223603455471ab67139c08c4294768a4d1dd2a67af0967b839d101c938b7afc649

Download Submit
\Windows\SysWOW64\Qnpeijla.exe

Filesize
404KB

MD5
1ec3d584e10d6a2f58001137e7fbd35e

SHA1
defa5d7e48a3e3d8f251c012d41311dc351a11ef

SHA256
7073a3e54dcdbc887c6f4fa35d6de14f0ddd0646c4a1a792d108d9dd42fbac8f

SHA512
c6a282d521401eda2f47f8810d9ff54783437d993d20d3a2d6e095b25176d9633b0b80175b8483e02c61f1c70d63f64aca27acaf5c7f39467a3478206cf218d0

Download Submit
memory/304-293-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/304-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/304-259-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1072-165-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1072-228-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1072-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-158-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/1072-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1464-186-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1464-239-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/1484-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-350-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1592-344-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1592-309-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1608-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1608-331-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1608-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-322-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1724-26-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1724-23-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1724-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1968-248-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1968-201-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2004-223-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2004-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2004-276-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2004-274-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2004-229-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2056-203-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-141-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/2108-122-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-131-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2108-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2108-200-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2108-125-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2124-379-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-218-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2188-207-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2188-260-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2188-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2232-114-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2232-113-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2232-168-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2232-164-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2232-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2300-13-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2300-12-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2300-63-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2348-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2348-40-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2448-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2448-288-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2552-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-241-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2552-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2672-98-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2672-149-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2672-99-0x00000000005D0000-0x0000000000610000-memory.dmp

Filesize
256KB

Download
memory/2672-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2700-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2716-393-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2848-407-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2912-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-397-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2936-366-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2948-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-386-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2948-352-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/2988-116-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2988-59-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2988-69-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3004-78-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/3004-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-140-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/3032-367-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-406-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3044-265-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3044-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads