67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
Size

93KB
MD5

2678eaceea3c460f2dba2d53f2fe99f5
SHA1

b5aff7b04149a68053f61803a7cf5fcc7568268d
SHA256

67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632
SHA512

ccdf4598e965b9114035938254eeee6339fac66e8ec6fb6aa8cb24e5e8998117ee6c13cbe1a9f89cfe18668b1c744b80d02c0dc8ba1f232ace6c2788ecbe5fe8
SSDEEP

1536:xziKbs0y6ci5ezoaoGuNy8SKguJyw/o82o8tQ5t3saMiwihtIbbpkp:tbs0y6ci8zojQqQY8tQ5pdMiwaIbbpkp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odacbpee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oiokholk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caokmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pehebbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bknmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egcfdn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjpgdik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bimphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bimphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caokmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdhna32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njalacon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aocbokia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfjildbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pehebbbh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbglpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qhkkim32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkihofl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cceapl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njnokdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pimkbbpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djafaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbglpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ppdfimji.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dboglhna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njalacon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odacbpee.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiokholk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efhcej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njnokdaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Onamle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apkihofl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efhcej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aocbokia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chggdoee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Egcfdn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhaeldn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onamle32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dboglhna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicmadmm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dbdagg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfjildbp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qhkkim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amjpgdik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boeoek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkqiek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cceapl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojceef32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppdfimji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aicmadmm.exe

Executes dropped EXE 34 IoCs

pid	Process
908	Njnokdaq.exe
2756	Njalacon.exe
2104	Nfjildbp.exe
3032	Odacbpee.exe
2500	Oiokholk.exe
2108	Ojceef32.exe
1656	Onamle32.exe
2352	Ppdfimji.exe
2088	Pimkbbpi.exe
2364	Pbglpg32.exe
2148	Pehebbbh.exe
2072	Qhkkim32.exe
2080	Amjpgdik.exe
3056	Apkihofl.exe
2388	Aicmadmm.exe
1368	Aocbokia.exe
1248	Boeoek32.exe
2444	Bimphc32.exe
1352	Bknmok32.exe
920	Bkqiek32.exe
1528	Bakaaepk.exe
1916	Chggdoee.exe
2392	Caokmd32.exe
864	Cpdhna32.exe
2560	Cceapl32.exe
2612	Djafaf32.exe
2616	Ddkgbc32.exe
2776	Dboglhna.exe
2820	Dqddmd32.exe
2468	Dbdagg32.exe
3048	Egcfdn32.exe
880	Efhcej32.exe
1028	Enhaeldn.exe
2944	Flnndp32.exe

Loads dropped DLL 64 IoCs

pid	Process
2992	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
2992	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
908	Njnokdaq.exe
908	Njnokdaq.exe
2756	Njalacon.exe
2756	Njalacon.exe
2104	Nfjildbp.exe
2104	Nfjildbp.exe
3032	Odacbpee.exe
3032	Odacbpee.exe
2500	Oiokholk.exe
2500	Oiokholk.exe
2108	Ojceef32.exe
2108	Ojceef32.exe
1656	Onamle32.exe
1656	Onamle32.exe
2352	Ppdfimji.exe
2352	Ppdfimji.exe
2088	Pimkbbpi.exe
2088	Pimkbbpi.exe
2364	Pbglpg32.exe
2364	Pbglpg32.exe
2148	Pehebbbh.exe
2148	Pehebbbh.exe
2072	Qhkkim32.exe
2072	Qhkkim32.exe
2080	Amjpgdik.exe
2080	Amjpgdik.exe
3056	Apkihofl.exe
3056	Apkihofl.exe
2388	Aicmadmm.exe
2388	Aicmadmm.exe
1368	Aocbokia.exe
1368	Aocbokia.exe
1248	Boeoek32.exe
1248	Boeoek32.exe
2444	Bimphc32.exe
2444	Bimphc32.exe
1352	Bknmok32.exe
1352	Bknmok32.exe
920	Bkqiek32.exe
920	Bkqiek32.exe
1528	Bakaaepk.exe
1528	Bakaaepk.exe
1916	Chggdoee.exe
1916	Chggdoee.exe
2392	Caokmd32.exe
2392	Caokmd32.exe
864	Cpdhna32.exe
864	Cpdhna32.exe
2560	Cceapl32.exe
2560	Cceapl32.exe
2612	Djafaf32.exe
2612	Djafaf32.exe
2616	Ddkgbc32.exe
2616	Ddkgbc32.exe
2776	Dboglhna.exe
2776	Dboglhna.exe
2820	Dqddmd32.exe
2820	Dqddmd32.exe
2468	Dbdagg32.exe
2468	Dbdagg32.exe
3048	Egcfdn32.exe
3048	Egcfdn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Egfdjljo.dll	Amjpgdik.exe
File created	C:\Windows\SysWOW64\Idcoaaei.dll	Boeoek32.exe
File opened for modification	C:\Windows\SysWOW64\Bknmok32.exe	Bimphc32.exe
File opened for modification	C:\Windows\SysWOW64\Bakaaepk.exe	Bkqiek32.exe
File created	C:\Windows\SysWOW64\Jhibakgh.dll	Caokmd32.exe
File created	C:\Windows\SysWOW64\Lbpihjem.dll	Nfjildbp.exe
File created	C:\Windows\SysWOW64\Qhkkim32.exe	Pehebbbh.exe
File created	C:\Windows\SysWOW64\Pgmicg32.dll	Aicmadmm.exe
File created	C:\Windows\SysWOW64\Flnndp32.exe	Enhaeldn.exe
File created	C:\Windows\SysWOW64\Onamle32.exe	Ojceef32.exe
File created	C:\Windows\SysWOW64\Bimphc32.exe	Boeoek32.exe
File created	C:\Windows\SysWOW64\Jbaajccm.dll	Dboglhna.exe
File created	C:\Windows\SysWOW64\Bedoacoi.dll	Bkqiek32.exe
File created	C:\Windows\SysWOW64\Ipoidefp.dll	Bakaaepk.exe
File opened for modification	C:\Windows\SysWOW64\Oiokholk.exe	Odacbpee.exe
File created	C:\Windows\SysWOW64\Ppdfimji.exe	Onamle32.exe
File created	C:\Windows\SysWOW64\Aicmadmm.exe	Apkihofl.exe
File created	C:\Windows\SysWOW64\Boeoek32.exe	Aocbokia.exe
File opened for modification	C:\Windows\SysWOW64\Enhaeldn.exe	Efhcej32.exe
File opened for modification	C:\Windows\SysWOW64\Pbglpg32.exe	Pimkbbpi.exe
File created	C:\Windows\SysWOW64\Qklhgdgp.dll	Pbglpg32.exe
File opened for modification	C:\Windows\SysWOW64\Cpdhna32.exe	Caokmd32.exe
File created	C:\Windows\SysWOW64\Djafaf32.exe	Cceapl32.exe
File created	C:\Windows\SysWOW64\Oamcoejo.dll	Dqddmd32.exe
File created	C:\Windows\SysWOW64\Efhcej32.exe	Egcfdn32.exe
File opened for modification	C:\Windows\SysWOW64\Caokmd32.exe	Chggdoee.exe
File opened for modification	C:\Windows\SysWOW64\Efhcej32.exe	Egcfdn32.exe
File created	C:\Windows\SysWOW64\Mofapq32.dll	Efhcej32.exe
File created	C:\Windows\SysWOW64\Njnokdaq.exe	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
File created	C:\Windows\SysWOW64\Qdkcda32.dll	Pimkbbpi.exe
File created	C:\Windows\SysWOW64\Bakaaepk.exe	Bkqiek32.exe
File opened for modification	C:\Windows\SysWOW64\Aicmadmm.exe	Apkihofl.exe
File opened for modification	C:\Windows\SysWOW64\Bimphc32.exe	Boeoek32.exe
File created	C:\Windows\SysWOW64\Ddkgbc32.exe	Djafaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddkgbc32.exe	Djafaf32.exe
File created	C:\Windows\SysWOW64\Dqddmd32.exe	Dboglhna.exe
File created	C:\Windows\SysWOW64\Bflpbe32.dll	Ppdfimji.exe
File created	C:\Windows\SysWOW64\Imcplf32.dll	Aocbokia.exe
File created	C:\Windows\SysWOW64\Dboglhna.exe	Ddkgbc32.exe
File opened for modification	C:\Windows\SysWOW64\Dqddmd32.exe	Dboglhna.exe
File created	C:\Windows\SysWOW64\Mdkiio32.dll	Njnokdaq.exe
File opened for modification	C:\Windows\SysWOW64\Nfjildbp.exe	Njalacon.exe
File created	C:\Windows\SysWOW64\Dilmaf32.dll	Bknmok32.exe
File opened for modification	C:\Windows\SysWOW64\Qhkkim32.exe	Pehebbbh.exe
File created	C:\Windows\SysWOW64\Aocbokia.exe	Aicmadmm.exe
File created	C:\Windows\SysWOW64\Onndkg32.dll	Enhaeldn.exe
File opened for modification	C:\Windows\SysWOW64\Njalacon.exe	Njnokdaq.exe
File created	C:\Windows\SysWOW64\Odacbpee.exe	Nfjildbp.exe
File created	C:\Windows\SysWOW64\Ogaceogh.dll	Qhkkim32.exe
File opened for modification	C:\Windows\SysWOW64\Boeoek32.exe	Aocbokia.exe
File created	C:\Windows\SysWOW64\Bkqiek32.exe	Bknmok32.exe
File created	C:\Windows\SysWOW64\Panfjh32.dll	Egcfdn32.exe
File created	C:\Windows\SysWOW64\Moiihmhq.dll	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
File opened for modification	C:\Windows\SysWOW64\Odacbpee.exe	Nfjildbp.exe
File created	C:\Windows\SysWOW64\Hkagib32.dll	Ojceef32.exe
File created	C:\Windows\SysWOW64\Eoeadjbl.dll	Njalacon.exe
File opened for modification	C:\Windows\SysWOW64\Pimkbbpi.exe	Ppdfimji.exe
File created	C:\Windows\SysWOW64\Pehebbbh.exe	Pbglpg32.exe
File created	C:\Windows\SysWOW64\Bknmok32.exe	Bimphc32.exe
File created	C:\Windows\SysWOW64\Fiqechmg.dll	Apkihofl.exe
File opened for modification	C:\Windows\SysWOW64\Flnndp32.exe	Enhaeldn.exe
File created	C:\Windows\SysWOW64\Lbogaf32.dll	Cceapl32.exe
File created	C:\Windows\SysWOW64\Nfjildbp.exe	Njalacon.exe
File opened for modification	C:\Windows\SysWOW64\Pehebbbh.exe	Pbglpg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3020	2944	WerFault.exe	63

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbglpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjpgdik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dboglhna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknmok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnndp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njnokdaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cceapl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djafaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbdagg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojceef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppdfimji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egcfdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Efhcej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apkihofl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bakaaepk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chggdoee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njalacon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pimkbbpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pehebbbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qhkkim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boeoek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bimphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdhna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddkgbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqddmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odacbpee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aocbokia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkqiek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caokmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enhaeldn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfjildbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiokholk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onamle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicmadmm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panfjh32.dll"	Egcfdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll"	Enhaeldn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdajpkkj.dll"	Bimphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mofapq32.dll"	Efhcej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nliqma32.dll"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkagib32.dll"	Ojceef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amjpgdik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdkcda32.dll"	Pimkbbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pehebbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfdjljo.dll"	Amjpgdik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apkihofl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dbdagg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qklhgdgp.dll"	Pbglpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbglpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enhaeldn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoeadjbl.dll"	Njalacon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qhkkim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnkeqd.dll"	Oiokholk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkebqmfj.dll"	Onamle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmicg32.dll"	Aicmadmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedoacoi.dll"	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojceef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njalacon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Onamle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddkgbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcplf32.dll"	Aocbokia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcoaaei.dll"	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oamcoejo.dll"	Dqddmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Egcfdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moiihmhq.dll"	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipklb32.dll"	Odacbpee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Boeoek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chggdoee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efhcej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Onamle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflpbe32.dll"	Ppdfimji.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aocbokia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbglpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqechmg.dll"	Apkihofl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aicmadmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bknmok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpdhna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cceapl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dqddmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojceef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apkihofl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll"	Ddkgbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Odacbpee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pimkbbpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bimphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bimphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbogaf32.dll"	Cceapl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Boeoek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipoidefp.dll"	Bakaaepk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ppdfimji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bknmok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkqiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baboljno.dll"	Djafaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchhdfem.dll"	Pehebbbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkqiek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Caokmd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 908	2992	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe	30
PID 2992 wrote to memory of 908	2992	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe	30
PID 2992 wrote to memory of 908	2992	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe	30
PID 2992 wrote to memory of 908	2992	67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe	30
PID 908 wrote to memory of 2756	908	Njnokdaq.exe	31
PID 908 wrote to memory of 2756	908	Njnokdaq.exe	31
PID 908 wrote to memory of 2756	908	Njnokdaq.exe	31
PID 908 wrote to memory of 2756	908	Njnokdaq.exe	31
PID 2756 wrote to memory of 2104	2756	Njalacon.exe	32
PID 2756 wrote to memory of 2104	2756	Njalacon.exe	32
PID 2756 wrote to memory of 2104	2756	Njalacon.exe	32
PID 2756 wrote to memory of 2104	2756	Njalacon.exe	32
PID 2104 wrote to memory of 3032	2104	Nfjildbp.exe	33
PID 2104 wrote to memory of 3032	2104	Nfjildbp.exe	33
PID 2104 wrote to memory of 3032	2104	Nfjildbp.exe	33
PID 2104 wrote to memory of 3032	2104	Nfjildbp.exe	33
PID 3032 wrote to memory of 2500	3032	Odacbpee.exe	34
PID 3032 wrote to memory of 2500	3032	Odacbpee.exe	34
PID 3032 wrote to memory of 2500	3032	Odacbpee.exe	34
PID 3032 wrote to memory of 2500	3032	Odacbpee.exe	34
PID 2500 wrote to memory of 2108	2500	Oiokholk.exe	35
PID 2500 wrote to memory of 2108	2500	Oiokholk.exe	35
PID 2500 wrote to memory of 2108	2500	Oiokholk.exe	35
PID 2500 wrote to memory of 2108	2500	Oiokholk.exe	35
PID 2108 wrote to memory of 1656	2108	Ojceef32.exe	36
PID 2108 wrote to memory of 1656	2108	Ojceef32.exe	36
PID 2108 wrote to memory of 1656	2108	Ojceef32.exe	36
PID 2108 wrote to memory of 1656	2108	Ojceef32.exe	36
PID 1656 wrote to memory of 2352	1656	Onamle32.exe	37
PID 1656 wrote to memory of 2352	1656	Onamle32.exe	37
PID 1656 wrote to memory of 2352	1656	Onamle32.exe	37
PID 1656 wrote to memory of 2352	1656	Onamle32.exe	37
PID 2352 wrote to memory of 2088	2352	Ppdfimji.exe	38
PID 2352 wrote to memory of 2088	2352	Ppdfimji.exe	38
PID 2352 wrote to memory of 2088	2352	Ppdfimji.exe	38
PID 2352 wrote to memory of 2088	2352	Ppdfimji.exe	38
PID 2088 wrote to memory of 2364	2088	Pimkbbpi.exe	39
PID 2088 wrote to memory of 2364	2088	Pimkbbpi.exe	39
PID 2088 wrote to memory of 2364	2088	Pimkbbpi.exe	39
PID 2088 wrote to memory of 2364	2088	Pimkbbpi.exe	39
PID 2364 wrote to memory of 2148	2364	Pbglpg32.exe	40
PID 2364 wrote to memory of 2148	2364	Pbglpg32.exe	40
PID 2364 wrote to memory of 2148	2364	Pbglpg32.exe	40
PID 2364 wrote to memory of 2148	2364	Pbglpg32.exe	40
PID 2148 wrote to memory of 2072	2148	Pehebbbh.exe	41
PID 2148 wrote to memory of 2072	2148	Pehebbbh.exe	41
PID 2148 wrote to memory of 2072	2148	Pehebbbh.exe	41
PID 2148 wrote to memory of 2072	2148	Pehebbbh.exe	41
PID 2072 wrote to memory of 2080	2072	Qhkkim32.exe	42
PID 2072 wrote to memory of 2080	2072	Qhkkim32.exe	42
PID 2072 wrote to memory of 2080	2072	Qhkkim32.exe	42
PID 2072 wrote to memory of 2080	2072	Qhkkim32.exe	42
PID 2080 wrote to memory of 3056	2080	Amjpgdik.exe	43
PID 2080 wrote to memory of 3056	2080	Amjpgdik.exe	43
PID 2080 wrote to memory of 3056	2080	Amjpgdik.exe	43
PID 2080 wrote to memory of 3056	2080	Amjpgdik.exe	43
PID 3056 wrote to memory of 2388	3056	Apkihofl.exe	44
PID 3056 wrote to memory of 2388	3056	Apkihofl.exe	44
PID 3056 wrote to memory of 2388	3056	Apkihofl.exe	44
PID 3056 wrote to memory of 2388	3056	Apkihofl.exe	44
PID 2388 wrote to memory of 1368	2388	Aicmadmm.exe	45
PID 2388 wrote to memory of 1368	2388	Aicmadmm.exe	45
PID 2388 wrote to memory of 1368	2388	Aicmadmm.exe	45
PID 2388 wrote to memory of 1368	2388	Aicmadmm.exe	45

C:\Users\Admin\AppData\Local\Temp\67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe
"C:\Users\Admin\AppData\Local\Temp\67707d41d0968fedbdfab605ee826e0aa8d8abffb966a467f141e1165853d632.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Njnokdaq.exe
  C:\Windows\system32\Njnokdaq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\SysWOW64\Njalacon.exe
    C:\Windows\system32\Njalacon.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\Nfjildbp.exe
      C:\Windows\system32\Nfjildbp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2104
    - - C:\Windows\SysWOW64\Odacbpee.exe
        
        C:\Windows\system32\Odacbpee.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\SysWOW64\Oiokholk.exe
        
        C:\Windows\system32\Oiokholk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Ojceef32.exe
        
        C:\Windows\system32\Ojceef32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Onamle32.exe
        
        C:\Windows\system32\Onamle32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Ppdfimji.exe
        
        C:\Windows\system32\Ppdfimji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Pimkbbpi.exe
        
        C:\Windows\system32\Pimkbbpi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Pbglpg32.exe
        
        C:\Windows\system32\Pbglpg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Pehebbbh.exe
        
        C:\Windows\system32\Pehebbbh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Qhkkim32.exe
        
        C:\Windows\system32\Qhkkim32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Amjpgdik.exe
        
        C:\Windows\system32\Amjpgdik.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Apkihofl.exe
        
        C:\Windows\system32\Apkihofl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Aicmadmm.exe
        
        C:\Windows\system32\Aicmadmm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Aocbokia.exe
        
        C:\Windows\system32\Aocbokia.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Boeoek32.exe
        
        C:\Windows\system32\Boeoek32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Bimphc32.exe
        
        C:\Windows\system32\Bimphc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Bknmok32.exe
        
        C:\Windows\system32\Bknmok32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Bkqiek32.exe
        
        C:\Windows\system32\Bkqiek32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bakaaepk.exe
        
        C:\Windows\system32\Bakaaepk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Chggdoee.exe
        
        C:\Windows\system32\Chggdoee.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Caokmd32.exe
        
        C:\Windows\system32\Caokmd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Cpdhna32.exe
        
        C:\Windows\system32\Cpdhna32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Cceapl32.exe
        
        C:\Windows\system32\Cceapl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2560
        
        C:\Windows\SysWOW64\Djafaf32.exe
        
        C:\Windows\system32\Djafaf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ddkgbc32.exe
        
        C:\Windows\system32\Ddkgbc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Dboglhna.exe
        
        C:\Windows\system32\Dboglhna.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Dqddmd32.exe
        
        C:\Windows\system32\Dqddmd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dbdagg32.exe
        
        C:\Windows\system32\Dbdagg32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Egcfdn32.exe
        
        C:\Windows\system32\Egcfdn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3048
        
        C:\Windows\SysWOW64\Efhcej32.exe
        
        C:\Windows\system32\Efhcej32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:880
        
        C:\Windows\SysWOW64\Enhaeldn.exe
        
        C:\Windows\system32\Enhaeldn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Flnndp32.exe
        
        C:\Windows\system32\Flnndp32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 140
        36⤵
        Program crash
        
        PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bakaaepk.exe

Filesize
93KB

MD5
424b93f6226dccac20ec1cddfcc0481c

SHA1
4e4ffdc39859d6ca7526ba40d1c3070b802a38f2

SHA256
157d4f5562cb270c59008b17ddb72c96c855a83cb83a7a7ec618bdd55c70d37e

SHA512
6de91477c5509b552c708dc5837ab91306fe53a7737f225d9113167352cc2d0fca6c62fcb3d703cacd39b08bff0edeb48dbe5b6c90cf1c164f4898cae8db7a04

Download Submit
C:\Windows\SysWOW64\Bimphc32.exe

Filesize
93KB

MD5
d4caaac8e393643e24c74b529256fef6

SHA1
144a981323484a46109afd597fae3f12aed0af5c

SHA256
fa7bdbe05e8868ece8280e47dc726640ab57b478d392a77f48d3363ceb31f361

SHA512
a01727dd2f0c053aaa8f21ab0b4312c85957c932fdecd9a39dce2925d1937b33bb66b40355ee91640f8fd14b260d0a9d87b396d75aabcda3e78c392b39c4f97c

Download Submit
C:\Windows\SysWOW64\Bknmok32.exe

Filesize
93KB

MD5
e32e220fc11603f0083df677c5ac78aa

SHA1
563005a56ea0d0b884b057f0fd00516d9c78db3f

SHA256
e2840af599ed2efec16315ce3874c79a5f726d0a5e60b24b0107209791e5283e

SHA512
ff03f3f7dc9e53f56a1cff8faa27c7e4f40c066896a5c7761381d24b6bf0426221216cd4f82c1657e8ef6d89d62465f552b372f8df5ba8373d4c6544ae9f1d42

Download Submit
C:\Windows\SysWOW64\Bkqiek32.exe

Filesize
93KB

MD5
aca9a00418667dbd8121b95ae3b273ca

SHA1
e7ce598c8711ca7a375a33926e552b4cd8e12603

SHA256
1fcc596be56d41e09ac7415fd57e66120095a5740b5a774c4367056455a9ea10

SHA512
fa0439097e07bb56714eb809f438df5af46cc3cec1e26d4accf891a6c246f02c89fdc4fed7bb734047b5b455cdc558c50e6bab870e4dffb2c91767a7d69fd653

Download Submit
C:\Windows\SysWOW64\Boeoek32.exe

Filesize
93KB

MD5
fe5147cdde3241ad7b751d27c9bf2af9

SHA1
00356fefcf1eb8712b52d5b181b60925691b0c78

SHA256
146bb95ed21c99252df2b3fe181177e603c4b2d8a00ea4bb876f0f24b06aeb42

SHA512
920385660fae9c4396d979bf7e0ce0331aae8857e6025d905d7cd7d1eba00256ad345e2b904f03ebdd28460280abd410c87183bcdbbf6c8e4b51d993c7d875db

Download Submit
C:\Windows\SysWOW64\Caokmd32.exe

Filesize
93KB

MD5
34774afc01fd7adf056b75d7daa79186

SHA1
91061048a56ba51b22975478bd2f6d58cb963922

SHA256
e0052bdb89d22ec800b9759c43cb46a680e1870f1f39718850d3de7c7bc8ba01

SHA512
5d1333612faedde70e86efcec736fb5461bf4ed86e386da6382688767b1a4624a878b49d89df08a749d3d2685ec4938c3f999aebc62c5743d3da28d1de423d2f

Download Submit
C:\Windows\SysWOW64\Cceapl32.exe

Filesize
93KB

MD5
6762bbf82c395d22f97c338940851ffb

SHA1
2ac99449a9bcb8daffb059583ec427665c90367c

SHA256
4772c85007d8e0530e06434506faa1b9153898db58c15f7f079520e70b542bf4

SHA512
426cc4d5254b5c13c05afe6e655be564127f92bbdf62384f0f7d4c7eb69b250ee467e5d00031b275a0f6465dc089cb8d3b6b4a0b941ce86949883c87f3b64ab2

Download Submit
C:\Windows\SysWOW64\Chggdoee.exe

Filesize
93KB

MD5
634b4aee50ab97f6b135a53233d5d94f

SHA1
e865cd71577133be0886af51efb9b664b8973bb9

SHA256
ecf1438702e6bb7ce7de67787a8611967092016856f83380db2f2e809203bcdd

SHA512
a5fd628f148dcc6368c53a073706950f4e606d105a759fb6528a8b9ce3030567bde040c56c8762393852e515b4c875be6abb2804e78650ce6f0aa6a07eb236e3

Download Submit
C:\Windows\SysWOW64\Cpdhna32.exe

Filesize
93KB

MD5
9bee9792688ff0faa5dff7a6ff94f93e

SHA1
1373b95856f072b5d005bfd7c1793a63ad168c1e

SHA256
94421b96cd37ae61980244a8b4ae96477911d7696cfb96e0e264471732fcbabc

SHA512
16fef8a2fe5bd238fe40d66ecab792b059e5b0ac2a88c0025f936a10cd5c4d3e9ed04d274ea45a0a5c7f242a4b40b87d870241956f0529bf303b707872f67480

Download Submit
C:\Windows\SysWOW64\Dbdagg32.exe

Filesize
93KB

MD5
5f920881b0140d23829795af4876c816

SHA1
69414f3bbe77d2f5a9d72ac8ba957e4c104d0815

SHA256
9c363b9e145d7995c53e58c9d48be2fdc5cfa04d9b4f648f56a281f0fce57be7

SHA512
6712d0ad901ccda2cf56ba274cf73dc9347b66105268cae3a26df14822045c757fdb898601fbb84cba0a5c87735ca9aec6ba44c66dda9aea1db566a58030330f

Download Submit
C:\Windows\SysWOW64\Dboglhna.exe

Filesize
93KB

MD5
1428b4eaa620adbc0e3e08741b94d6b1

SHA1
ad55059b4dfb3e39af23151c9997b085da762d62

SHA256
9f134b08088d180c3b498bd6a67d31e5107b5f455614e9e46a32255064aa5a59

SHA512
0873b23a763d4c559fbff55b21dcea080593dc0cf68c8e49943da5f169383d62e781f2f8336c3da9bfaf9a8c05a1932c7e95c79128928bc221be3ecd67b0f313

Download Submit
C:\Windows\SysWOW64\Ddkgbc32.exe

Filesize
93KB

MD5
a580961ab675e5692b21ea70dc7e1042

SHA1
ccd6a12524c5bf33fd923eb83f0497820dc0709c

SHA256
784d4b18a4039aa4296c550acc3be9f1ee9fd5dd9b42467420c7cd5aff39eafa

SHA512
0c765f5b861b70726565215a698e10babdbca031160c94017f871f7f0d5c808dc5058f4b311fcca883c0027f56cf184ec0dc0fe7967260a19d5f5d7c60f09dd2

Download Submit
C:\Windows\SysWOW64\Djafaf32.exe

Filesize
93KB

MD5
31fac916d9581d46a54358cdae652e1c

SHA1
b15a8607c00c63a489d171b5179365506fd1bab2

SHA256
323faa5eeaa7894f4aae04dcc202ff7284d64355a1b294a1c5090dc09571ec00

SHA512
aca2cc5d1fda73aea496774ad2851c5e063ab59fc70ee5632c22d245e569f432a5bf2235b9995b616d12c635b40118a3f2518ce00e1c0971644a213587fe079b

Download Submit
C:\Windows\SysWOW64\Dqddmd32.exe

Filesize
93KB

MD5
ad916b78fa61c6faa0a892aea5d1d444

SHA1
62a8479bb5494d954e501cb16b0690b7ad28772a

SHA256
49d1b94c358ca91d413920b773f4c547d6bc6d351e7351de93e390e1e3e0f1ec

SHA512
7eb8e0e3bf2b84b1362c12ab2980419e1292bb8bf7b636bacdb360028956bd2c1e587494e2bfbce5d8571a22f4eeefe82555f76f99f6fd6e6f595b02311bcd47

Download Submit
C:\Windows\SysWOW64\Efhcej32.exe

Filesize
93KB

MD5
f3691214d3d6a08fd685c1ee9dd9656a

SHA1
787d8b74dbe59fbe49c58c839c73d0a17f927dd8

SHA256
e37b0db0cba9c221f24171e1aeb84b6c6284b698bda2f7d6b52923ac47d33f2a

SHA512
0fb2e9be9a85a0c4609be88557b7abe50dc394f1e3b13faec301a3b78a5da2351efb5e81d3e3d431fd59a3dda6f8b8b0f7b0aaa6cdff4054998f1d31bc30a8fb

Download Submit
C:\Windows\SysWOW64\Egcfdn32.exe

Filesize
93KB

MD5
81d52f806da7dca6cd10f3d434744995

SHA1
6def0616bc235ca1e90206fa48420fb97bbd74df

SHA256
d45daef3e8efcf830238e0082cbac98a43689d8af2195e8bc2930fc8a88d7c32

SHA512
5bfe77d9555bb829bb468d21d8eab7d62ed674c38b94a9ac7b41431bebfc856c6dec68e319645e8f36d4c9e11e144d9e8e43c434ae05b81d0c62f77c87f673a1

Download Submit
C:\Windows\SysWOW64\Enhaeldn.exe

Filesize
93KB

MD5
cc2e020e67cc0df844598435a8ca90c9

SHA1
32edab82b64a21fd050bd44bae6fe9e8b58883be

SHA256
601688fe05e82c812514dd15405e3cff0e78644d1693a38f337a522e1efd8089

SHA512
c1c1604f1e2dc514c9d4ec7a4b0b24fa5252a8329d86f61a005f4286f4378712744d0dd3411e0dbedc612e7714aa22f6d895b095ce80a390b9a1e169635c79ee

Download Submit
C:\Windows\SysWOW64\Flnndp32.exe

Filesize
93KB

MD5
23b479ea223ae4742fa61c819b2d6c97

SHA1
2612984801cfb93e52e3df7b34e7f648e962592b

SHA256
cc6687d5f4f03f24641fed35157ebbb34e94cdfe111f9aa0249c094032232a45

SHA512
4abf349d007feddd4dbc36716dca27c217570e6267bd67bf67da589e71da0feedc50d480dd86afc5a0fe167fe8c452a44bae64d950f0c9f2bcd3cee5617a7042

Download Submit
C:\Windows\SysWOW64\Oipklb32.dll

Filesize
7KB

MD5
0f7b3fd2b812e90fce19ef3d13dcab29

SHA1
e9494a39bdc2f384df3abca77112869011c75628

SHA256
95b206eb1ecda682d51dd99ef9dc3267cb17f194cb32bbc92120670bc246ce91

SHA512
72ae569465cf2197f07570aeb767c84a72d71c5081e558fbe10a1f2f3af3b655bd6e9badf2b00b3162aa2633da91744eef19c81f3b1cd7b74bc539d60bfa8eaf

Download Submit
C:\Windows\SysWOW64\Ppdfimji.exe

Filesize
93KB

MD5
c973730ac7afa018537cb6b80d0e81a3

SHA1
4ab7079abd83bfdd40b028cdf26e6ca857f7a43c

SHA256
828f411dc2fc6418def5c1e8395c2fcd887ad28b874028c6bfec68d420c00c10

SHA512
f4ad76614035f8a839958e469564de9a97f225d6d60e81441949e20b8347908ca6bb4bfbe68fb3c11ebdc873983de43405bb32f2aa37ae3c1aff9733d549f444

Download Submit
\Windows\SysWOW64\Aicmadmm.exe

Filesize
93KB

MD5
43029205b84b5df4997e4a0e0a9f7e9e

SHA1
af6f5d16517884661353d06b295c76d102ad17b6

SHA256
5cf85b94f79ba6db97367a18191757e8af392672a3a759223be678952fd6d2da

SHA512
111dfd581ed371035f3397a6d2e9dc015f599994bcf7eb362d9da7774de30f3a98b68ceb67e6124180b47239ac1a43d3939e93ae1baf34ba8a6357f41986d8ab

Download Submit
\Windows\SysWOW64\Amjpgdik.exe

Filesize
93KB

MD5
cbcfdb5ab8047807bc8428569ac82bff

SHA1
b018992df0998737335209ee0b48f3ee54b4fc35

SHA256
27038332d56d502833cae8dae3dd4f74a2fec409139b2a2bfd28466ad10b317e

SHA512
654b09473ad7eaa636a4455599eb3ace0ce7939a762713edab29fb5634c9faf9e2055620ecee1ccda674dfddf72157bfc106bc4ac5341cd18f242cd31c4b7628

Download Submit
\Windows\SysWOW64\Aocbokia.exe

Filesize
93KB

MD5
d5f6d55e929b42cb155ef4f4baa539af

SHA1
c3c406eabbffa23bb64f1c3f0572b35d0842ff71

SHA256
7ab62276c8b342d99f38974d624370e834b020d0a0d393fad632671ebad6d24e

SHA512
e5210c08fcc24f49e496fa3200b32ab54f6174d96e1e36a43d16e1c4a350a428306afc68e9cbe60270c7fdbcff4c07794a4ac71d96b6da5cad234c2ab3fce2a6

Download Submit
\Windows\SysWOW64\Apkihofl.exe

Filesize
93KB

MD5
94da96fbabca94d406e8e3f8081ecf22

SHA1
96a8c6005cc492cb8f31a070b41a154a364fc860

SHA256
2d9cf12f726db1401ab5005e4bf611caa86d231becde6bc09ea5dc812218c24e

SHA512
e09ebfc92eb7be5e6093c0c3b3eb3c1b2e4077d220148139672613c0bf5a88460faeccba7c456280aec6e14176051e9bd45e2f229d3f38fdd21ec170698b3085

Download Submit
\Windows\SysWOW64\Nfjildbp.exe

Filesize
93KB

MD5
72f497c3d9c2b635489fe874742f0206

SHA1
dffc32eeadc63e2678dc34dda85955cf34ab4642

SHA256
ed6df22e4a1da40d018963828dc4de360608eafa63384b0d5d5218028101072f

SHA512
57bc3051d11f3250220ff70f38767419c7915a7ec876a0b8432ee3cccc3b748a39da8254275040b2c21bf429ae012e57595dbbf109c99a324977508adb5e69bb

Download Submit
\Windows\SysWOW64\Njalacon.exe

Filesize
93KB

MD5
e03f5ca02ef057c599d8a36549ae572d

SHA1
be536852a5c9f06d923c1516a375e8e2f95e8cf4

SHA256
16dac3a109e3d69490bdf7fd5362b19d84761da1ee1887afc522bf66ce55d318

SHA512
57bd19e5942e12b727d4ce3d72f16c66611fb4d45d5440ec8a540f7ac2b932a5b3669bcafa59c60f90633133b4c0f14488f068eeadd5ca22d6278d29c9ff0582

Download Submit
\Windows\SysWOW64\Njnokdaq.exe

Filesize
93KB

MD5
ce3c1c4abe0133e2edcff02b271d856b

SHA1
6c317d2f7406011480e1706336da9b666c88f32a

SHA256
e1e31bd1d424ce892122f71a861c435a0a0fe16401a915e57477c9b8f40a7e64

SHA512
d355bdb8502de7408effe03297a00544ba39a5f169d2435e2e7ce30b8b5b8805e85c4c1c6e98efe9f61316079c7b1b931132fec9fb14107f7cbd8f6a1444a5b6

Download Submit
\Windows\SysWOW64\Odacbpee.exe

Filesize
93KB

MD5
eac2206f142f6617443959b54a31b532

SHA1
84365b32268355d56388e0e4a1c13d848947dd22

SHA256
adaf11289eab78b13651a1ee8253896a6437a2d9342739cd639e842e3063692b

SHA512
5664681814c0e7f7ae09d4b038447cea44cf7db57b92d06f1c2870298cfa7b894425107a3dedc2bd9b568d84059bdcc7f9625d19bab484b98775ac0fe6cdd3b7

Download Submit
\Windows\SysWOW64\Oiokholk.exe

Filesize
93KB

MD5
ada48bbc3cfba51d68446a8338204bde

SHA1
d375ce73f4de6973c93da87d23b56c1b0d8281b2

SHA256
0e4a4599c9224b73386cdd602c61cd3150b01c8036501a6b172e81c489b1460a

SHA512
7cc0737a2f43afbac87d7fe824fb3488577e102fb75e0410cf95f0c9bdad0d80835d89068d568cf39c7f0c99a3fd349d955ab5878066910725a2f0de3507e866

Download Submit
\Windows\SysWOW64\Ojceef32.exe

Filesize
93KB

MD5
755192954c2c2d69ef1f41c49412379e

SHA1
ee1c0d62ec66e7052841b746e86d2299e6141022

SHA256
7a31a373e98b77d15aa6e57ac32f3c625a9524580eb49344f99c2a6db255267a

SHA512
84865478ba6157760f66bd3d3f8d6e2e2047e0192dea78a8c91ea6c28b8eb00f72780f3ad6b988ed38d001f5a50a21e372e4fd891b8c7738c517c12401aa8cf1

Download Submit
\Windows\SysWOW64\Onamle32.exe

Filesize
93KB

MD5
5056afceae25cc6c3bb7a5769ad69529

SHA1
8ac2e4c105a0f34be9430cfc1418503458e8aea2

SHA256
78ed4b58c028b59b8843c3f85804a3797d0f17829fba2690819f398054c8a35e

SHA512
571e3d018d542b3cbda3e81bd8df69348508ef879f4d0b645bbe03713ea506d8ddbfab6bb18dfeeec3063315fd2cbbdbd3a35dc711083f7edbb3e7a77f4bea11

Download Submit
\Windows\SysWOW64\Pbglpg32.exe

Filesize
93KB

MD5
413c6c8ae0f9768c136e6fd644ce4475

SHA1
c3a1bee3c69186091a2007c4e2edb8077c849648

SHA256
0ab416f49816f6f65e8ac738d1ce508f020de0fcac60e007e5354d02ef1c1d5f

SHA512
b69f97fb9eb80708c427aeb8c067bdf01b975a66fd5555c0899271c080dbcbffc2b12765f3e54d01f2b4299b3ce7e23bdf29ccb7911c208a81eed5de05b84d09

Download Submit
\Windows\SysWOW64\Pehebbbh.exe

Filesize
93KB

MD5
d2093be8b659b36e680d87ba750bb4cc

SHA1
49530ab716eafc13c498a31142c4df5dacd78be6

SHA256
c4357ff5ff792fecb4fd91bb1b5f6a54604bb3cb011acfd04a92c77ee0ae9d47

SHA512
0d8e3be9ef39eaf2e62290c04908bf16d23fca683747fe60d00393569ce50c7e8b4ffffa8f67bc9246431e7caa90012b4cf4f6ffc86af01f78d99ef42bf1427c

Download Submit
\Windows\SysWOW64\Pimkbbpi.exe

Filesize
93KB

MD5
d07c4dcfaf96f682cbc9a6657c5dba6b

SHA1
837001ece86e5e356fd30f4ee34dc3b13853163f

SHA256
b56badfac7ac8965ce001aecc2cf9393c9e203d5d15b806c91fc9b2edf6fb2fa

SHA512
46bb42d06695eeeceeb6d2ccc051bbeb381c698cc616ba1841d78dc91356f60d3b4b826f625551227387a173698995209592011912dbfac57b478bfd0dad9f29

Download Submit
\Windows\SysWOW64\Qhkkim32.exe

Filesize
93KB

MD5
5a48886385f7ca326a8edbbbcf9a87e7

SHA1
1365d011e80ce5c4ec705e33a40a6b4f648fe7cc

SHA256
15d04eddf7d5caab670b2f4907be13d87e45414b6f8570f96925cc53e64e0f01

SHA512
56f253601c04ef0b25ebe38a3b9b5cb701f628fa310bf309ba9b7f796554d9df385237eb38ab1c647751c0a9614f614052f855d17ec75e5093d94ca88e8c71b5

Download Submit
memory/864-315-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/864-314-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/864-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/880-403-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/880-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/908-380-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/908-396-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/908-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/908-27-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/920-271-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/920-272-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/920-266-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-408-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1028-418-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/1028-419-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/1248-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1248-241-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1352-257-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/1352-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1352-261-0x00000000002B0000-0x00000000002EE000-memory.dmp

Filesize
248KB

Download
memory/1368-231-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-279-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1528-283-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1528-273-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-108-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1656-97-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1656-425-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1916-294-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1916-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1916-293-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2072-431-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2072-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2072-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-189-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2088-131-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2088-427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-124-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-138-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2104-43-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-414-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2104-51-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2108-84-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-423-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2148-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2148-166-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/2148-429-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2148-164-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/2352-426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2352-122-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2364-152-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2364-140-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2364-428-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-218-0x0000000000230000-0x000000000026E000-memory.dmp

Filesize
248KB

Download
memory/2392-304-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2392-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2468-382-0x00000000001B0000-0x00000000001EE000-memory.dmp

Filesize
248KB

Download
memory/2468-381-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-78-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2500-422-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2500-70-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-325-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2560-326-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2560-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-337-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2612-336-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2616-348-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2616-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2616-347-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2756-407-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2756-36-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2756-41-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2776-363-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2776-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2776-362-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/2820-371-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2820-370-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2820-364-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2944-420-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-385-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2992-384-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2992-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2992-12-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/2992-13-0x00000000003C0000-0x00000000003FE000-memory.dmp

Filesize
248KB

Download
memory/3032-421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3032-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-395-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/3048-383-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3048-394-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/3056-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads