ab6a88f7b14679c5926d9fb41e7f949c902efc6d8b4d12b6dace110babd2a37a

Analysis

max time kernel
32s
max time network
21s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0a799d689cf96786b85444dab3dc4a0N.exe
Size

80KB
MD5

d0a799d689cf96786b85444dab3dc4a0
SHA1

6700254c2f95c7a63f1c637eec22a175a6fb04fa
SHA256

ab6a88f7b14679c5926d9fb41e7f949c902efc6d8b4d12b6dace110babd2a37a
SHA512

db51ff39c511257aa29ed904fda8819270522726e8eda988136a23dc5343e9e9e6f922f85b434616ed2a213c0ee492e7afb080203f8d1d6537ad04f100a9c098
SSDEEP

1536:kMlv+UK2wWWTRPBlf+31bN6k+W05P+LsDRQA7ERJJ5R2xOSC4BG:Z+UKPWoZBlf+lx0IL4eHrJ5wxO344

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Injqmdki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknafhjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iipejmko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Injqmdki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iknafhjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	d0a799d689cf96786b85444dab3dc4a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klcgpkhh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kekkiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d0a799d689cf96786b85444dab3dc4a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdeaelok.exe

Executes dropped EXE 32 IoCs

pid	Process
2160	Iikkon32.exe
2796	Ibcphc32.exe
2668	Igqhpj32.exe
2644	Injqmdki.exe
2536	Iipejmko.exe
3008	Iknafhjb.exe
2952	Iakino32.exe
2064	Ikqnlh32.exe
1884	Imbjcpnn.exe
2004	Jfjolf32.exe
2824	Japciodd.exe
2248	Jgjkfi32.exe
2212	Jikhnaao.exe
2076	Jcqlkjae.exe
1044	Jpgmpk32.exe
1916	Jbfilffm.exe
860	Jpjifjdg.exe
1536	Jbhebfck.exe
2084	Jlqjkk32.exe
2928	Keioca32.exe
3016	Klcgpkhh.exe
2376	Kjeglh32.exe
2940	Kekkiq32.exe
1760	Khjgel32.exe
2600	Kablnadm.exe
2764	Kdphjm32.exe
2628	Koflgf32.exe
2256	Kadica32.exe
1224	Kmkihbho.exe
1892	Kdeaelok.exe
2568	Lplbjm32.exe
1964	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
1988	d0a799d689cf96786b85444dab3dc4a0N.exe
1988	d0a799d689cf96786b85444dab3dc4a0N.exe
2160	Iikkon32.exe
2160	Iikkon32.exe
2796	Ibcphc32.exe
2796	Ibcphc32.exe
2668	Igqhpj32.exe
2668	Igqhpj32.exe
2644	Injqmdki.exe
2644	Injqmdki.exe
2536	Iipejmko.exe
2536	Iipejmko.exe
3008	Iknafhjb.exe
3008	Iknafhjb.exe
2952	Iakino32.exe
2952	Iakino32.exe
2064	Ikqnlh32.exe
2064	Ikqnlh32.exe
1884	Imbjcpnn.exe
1884	Imbjcpnn.exe
2004	Jfjolf32.exe
2004	Jfjolf32.exe
2824	Japciodd.exe
2824	Japciodd.exe
2248	Jgjkfi32.exe
2248	Jgjkfi32.exe
2212	Jikhnaao.exe
2212	Jikhnaao.exe
2076	Jcqlkjae.exe
2076	Jcqlkjae.exe
1044	Jpgmpk32.exe
1044	Jpgmpk32.exe
1916	Jbfilffm.exe
1916	Jbfilffm.exe
860	Jpjifjdg.exe
860	Jpjifjdg.exe
1536	Jbhebfck.exe
1536	Jbhebfck.exe
2084	Jlqjkk32.exe
2084	Jlqjkk32.exe
2928	Keioca32.exe
2928	Keioca32.exe
3016	Klcgpkhh.exe
3016	Klcgpkhh.exe
2376	Kjeglh32.exe
2376	Kjeglh32.exe
2940	Kekkiq32.exe
2940	Kekkiq32.exe
1760	Khjgel32.exe
1760	Khjgel32.exe
2600	Kablnadm.exe
2600	Kablnadm.exe
2764	Kdphjm32.exe
2764	Kdphjm32.exe
2628	Koflgf32.exe
2628	Koflgf32.exe
2256	Kadica32.exe
2256	Kadica32.exe
1224	Kmkihbho.exe
1224	Kmkihbho.exe
1892	Kdeaelok.exe
1892	Kdeaelok.exe
2568	Lplbjm32.exe
2568	Lplbjm32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgqbajfj.dll	Igqhpj32.exe
File created	C:\Windows\SysWOW64\Jikhnaao.exe	Jgjkfi32.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Klcgpkhh.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Iikkon32.exe	d0a799d689cf96786b85444dab3dc4a0N.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	d0a799d689cf96786b85444dab3dc4a0N.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Jbfilffm.exe	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfilffm.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Jbhebfck.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Klcgpkhh.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Koflgf32.exe
File opened for modification	C:\Windows\SysWOW64\Iipejmko.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Pbpifm32.dll	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jfjolf32.exe	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Qmeedp32.dll	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Ogbogkjn.dll	Ibcphc32.exe
File created	C:\Windows\SysWOW64\Iknafhjb.exe	Iipejmko.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Mbbhfl32.dll	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Iknafhjb.exe	Iipejmko.exe
File opened for modification	C:\Windows\SysWOW64\Jlqjkk32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Klcgpkhh.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Kekkiq32.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Agioom32.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kablnadm.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	d0a799d689cf96786b85444dab3dc4a0N.exe
File created	C:\Windows\SysWOW64\Jpbpbbdb.dll	Japciodd.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Ikqnlh32.exe	Iakino32.exe
File opened for modification	C:\Windows\SysWOW64\Jikhnaao.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Anafme32.dll	Iipejmko.exe
File opened for modification	C:\Windows\SysWOW64\Iakino32.exe	Iknafhjb.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjifjdg.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Iakino32.exe	Iknafhjb.exe
File created	C:\Windows\SysWOW64\Jfjolf32.exe	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Ebenek32.dll	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Biklma32.dll	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Miqnbfnp.dll	Iikkon32.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Ikqnlh32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhebfck.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Jlqjkk32.exe	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kekkiq32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Khjgel32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Khjgel32.exe
File created	C:\Windows\SysWOW64\Iipejmko.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Dmplbgpm.dll	Iknafhjb.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Mmofpf32.dll	Keioca32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	Ikqnlh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2576	1964	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klcgpkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iknafhjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d0a799d689cf96786b85444dab3dc4a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igqhpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikqnlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfjolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	d0a799d689cf96786b85444dab3dc4a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miqnbfnp.dll"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	d0a799d689cf96786b85444dab3dc4a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agioom32.dll"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koflgf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Injqmdki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofpf32.dll"	Keioca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	d0a799d689cf96786b85444dab3dc4a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll"	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll"	Injqmdki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Igqhpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iknafhjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbbhfl32.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll"	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbogkjn.dll"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpifm32.dll"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	d0a799d689cf96786b85444dab3dc4a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmplbgpm.dll"	Iknafhjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll"	d0a799d689cf96786b85444dab3dc4a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqbajfj.dll"	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iakino32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iknafhjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll"	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikqnlh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klcgpkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Igqhpj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 2160	1988	d0a799d689cf96786b85444dab3dc4a0N.exe	30
PID 1988 wrote to memory of 2160	1988	d0a799d689cf96786b85444dab3dc4a0N.exe	30
PID 1988 wrote to memory of 2160	1988	d0a799d689cf96786b85444dab3dc4a0N.exe	30
PID 1988 wrote to memory of 2160	1988	d0a799d689cf96786b85444dab3dc4a0N.exe	30
PID 2160 wrote to memory of 2796	2160	Iikkon32.exe	31
PID 2160 wrote to memory of 2796	2160	Iikkon32.exe	31
PID 2160 wrote to memory of 2796	2160	Iikkon32.exe	31
PID 2160 wrote to memory of 2796	2160	Iikkon32.exe	31
PID 2796 wrote to memory of 2668	2796	Ibcphc32.exe	32
PID 2796 wrote to memory of 2668	2796	Ibcphc32.exe	32
PID 2796 wrote to memory of 2668	2796	Ibcphc32.exe	32
PID 2796 wrote to memory of 2668	2796	Ibcphc32.exe	32
PID 2668 wrote to memory of 2644	2668	Igqhpj32.exe	33
PID 2668 wrote to memory of 2644	2668	Igqhpj32.exe	33
PID 2668 wrote to memory of 2644	2668	Igqhpj32.exe	33
PID 2668 wrote to memory of 2644	2668	Igqhpj32.exe	33
PID 2644 wrote to memory of 2536	2644	Injqmdki.exe	34
PID 2644 wrote to memory of 2536	2644	Injqmdki.exe	34
PID 2644 wrote to memory of 2536	2644	Injqmdki.exe	34
PID 2644 wrote to memory of 2536	2644	Injqmdki.exe	34
PID 2536 wrote to memory of 3008	2536	Iipejmko.exe	35
PID 2536 wrote to memory of 3008	2536	Iipejmko.exe	35
PID 2536 wrote to memory of 3008	2536	Iipejmko.exe	35
PID 2536 wrote to memory of 3008	2536	Iipejmko.exe	35
PID 3008 wrote to memory of 2952	3008	Iknafhjb.exe	36
PID 3008 wrote to memory of 2952	3008	Iknafhjb.exe	36
PID 3008 wrote to memory of 2952	3008	Iknafhjb.exe	36
PID 3008 wrote to memory of 2952	3008	Iknafhjb.exe	36
PID 2952 wrote to memory of 2064	2952	Iakino32.exe	37
PID 2952 wrote to memory of 2064	2952	Iakino32.exe	37
PID 2952 wrote to memory of 2064	2952	Iakino32.exe	37
PID 2952 wrote to memory of 2064	2952	Iakino32.exe	37
PID 2064 wrote to memory of 1884	2064	Ikqnlh32.exe	38
PID 2064 wrote to memory of 1884	2064	Ikqnlh32.exe	38
PID 2064 wrote to memory of 1884	2064	Ikqnlh32.exe	38
PID 2064 wrote to memory of 1884	2064	Ikqnlh32.exe	38
PID 1884 wrote to memory of 2004	1884	Imbjcpnn.exe	39
PID 1884 wrote to memory of 2004	1884	Imbjcpnn.exe	39
PID 1884 wrote to memory of 2004	1884	Imbjcpnn.exe	39
PID 1884 wrote to memory of 2004	1884	Imbjcpnn.exe	39
PID 2004 wrote to memory of 2824	2004	Jfjolf32.exe	40
PID 2004 wrote to memory of 2824	2004	Jfjolf32.exe	40
PID 2004 wrote to memory of 2824	2004	Jfjolf32.exe	40
PID 2004 wrote to memory of 2824	2004	Jfjolf32.exe	40
PID 2824 wrote to memory of 2248	2824	Japciodd.exe	41
PID 2824 wrote to memory of 2248	2824	Japciodd.exe	41
PID 2824 wrote to memory of 2248	2824	Japciodd.exe	41
PID 2824 wrote to memory of 2248	2824	Japciodd.exe	41
PID 2248 wrote to memory of 2212	2248	Jgjkfi32.exe	42
PID 2248 wrote to memory of 2212	2248	Jgjkfi32.exe	42
PID 2248 wrote to memory of 2212	2248	Jgjkfi32.exe	42
PID 2248 wrote to memory of 2212	2248	Jgjkfi32.exe	42
PID 2212 wrote to memory of 2076	2212	Jikhnaao.exe	43
PID 2212 wrote to memory of 2076	2212	Jikhnaao.exe	43
PID 2212 wrote to memory of 2076	2212	Jikhnaao.exe	43
PID 2212 wrote to memory of 2076	2212	Jikhnaao.exe	43
PID 2076 wrote to memory of 1044	2076	Jcqlkjae.exe	44
PID 2076 wrote to memory of 1044	2076	Jcqlkjae.exe	44
PID 2076 wrote to memory of 1044	2076	Jcqlkjae.exe	44
PID 2076 wrote to memory of 1044	2076	Jcqlkjae.exe	44
PID 1044 wrote to memory of 1916	1044	Jpgmpk32.exe	45
PID 1044 wrote to memory of 1916	1044	Jpgmpk32.exe	45
PID 1044 wrote to memory of 1916	1044	Jpgmpk32.exe	45
PID 1044 wrote to memory of 1916	1044	Jpgmpk32.exe	45

C:\Users\Admin\AppData\Local\Temp\d0a799d689cf96786b85444dab3dc4a0N.exe
"C:\Users\Admin\AppData\Local\Temp\d0a799d689cf96786b85444dab3dc4a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\Iikkon32.exe
  C:\Windows\system32\Iikkon32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\Ibcphc32.exe
    C:\Windows\system32\Ibcphc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\Igqhpj32.exe
      C:\Windows\system32\Igqhpj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\Injqmdki.exe
        
        C:\Windows\system32\Injqmdki.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Iknafhjb.exe
        
        C:\Windows\system32\Iknafhjb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Ikqnlh32.exe
        
        C:\Windows\system32\Ikqnlh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Jfjolf32.exe
        
        C:\Windows\system32\Jfjolf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Klcgpkhh.exe
        
        C:\Windows\system32\Klcgpkhh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Kekkiq32.exe
        
        C:\Windows\system32\Kekkiq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1964 -s 140
        34⤵
        Program crash
        
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iikkon32.exe

Filesize
80KB

MD5
4a66642cf86eb5896937764ac9c33377

SHA1
574db4b04084ef5b3864ff7fecf96b40aed51e32

SHA256
025a72b7866bd89cd184f710fd69fc784b9a106e31a6d0827c2060e906783d2d

SHA512
e3b0f04311551e7f0b0ed80e118856c638bd7fe35e9275db76900fe341197887d9ec98180baf7e00f9fa276e4a748e65627931b89031251af3f6d2b4d0d8846a

Download Submit
C:\Windows\SysWOW64\Ikqnlh32.exe

Filesize
80KB

MD5
747ed6189d0b57acf378d26c70c284f6

SHA1
fc943708aa3906ed4bcc1575fdf0fc6e25c4779f

SHA256
33060d63cdd0b905fba6dd96809508a68093de9321a57e34f9f497748a39e6a0

SHA512
f772a13eb455920cbb47270a4d93dd40b060e55124cc260d8887e9ee00b62ca1b0ffbaa5245f70a9abd9bcdb5cfd173e3afb88c81784bda7d9d802e20454a2dc

Download Submit
C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
80KB

MD5
b7511d42355f390e75172ba4a39df4f1

SHA1
fe78a4b013dcce0884faf0c6876de4accd1b8a38

SHA256
3fa6926e8cfe931efd19e3258583a35ed2dc36d99775b443e9842e03a8867e7f

SHA512
65c81af14031c84f9d7d2e6ba271be3f602465f031c901b2177b2315892f070735fce34f4995cc466bfbea6f51d344b9bb6f14e6a596dac806f0e4fe613a89a6

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
80KB

MD5
967bddab4296c0fce97c54f8a5ff2887

SHA1
5d8fc8d875b28e4b9979ab204c450d3316f1aae8

SHA256
587db8a409cbfb75fc0ee9b94e153920de710b2035126e9220ca34ae6d89c109

SHA512
27f47db28233325ac5e18e716472bc199e31adff832b5374e18ee7f47e5aa22f404e6db0da46deff015af658a685bc4a8bc1b17ffbf0f12587ec06562609e1e8

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
80KB

MD5
a494cf7c31152d2e593035d8bdcf1a38

SHA1
c34087d152aa3ebf66b85f75a1306eae91281295

SHA256
855595757d80b31578d293238910749e5ec718c87a295ff079109d194e5b8ecd

SHA512
2125170acb67f73fb5a8064092a45470bb7b96aaab5d6068a468d294e4ea80c213139b13852a41fb8d0a11833e78dc1c7823d150b46877a5e6c8a3dde32ff7af

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
80KB

MD5
fcc8e38d78e327aeff538909097fde67

SHA1
9eb7e9201288cd3a7c9f31f182ce93bda140b48f

SHA256
e186e5e440c1d3c99ab2cefca8640d4e44acdf216fbddf1b8dfe3a0066db5c61

SHA512
fac921f2dd3c911fd2967417ee85d561d0a1704b3f030bb1d111b9cbc3c3bbf6b797169810444d0304e12d138f40a41e14bc0eea7712c38d7ac80ae628ce9b20

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
80KB

MD5
9b40f1ccbb5102bf8ba2b351ac22c018

SHA1
afbc932109f7aa04f0247460b9e7996b973d477c

SHA256
ddbf106e82a09413cb26dab55010936366c1955439a23af6f59b635c0a6108c3

SHA512
a7da251d4046f6f61b0fd983dfe14312ecb5ee69b77342047d8814cdcc90fd5bdb69d4b2304c515294d01484aa14bb6aa0d42caba10ae7f5e55b90199d757e62

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
80KB

MD5
0de6b7a4c128e295ff270c368e159857

SHA1
01d1446c8da7182a5abbf7d228b00eb042d32c33

SHA256
49c2ba24070aae6eb3843e8421bc9fa47a575f5606a9884308cf5852605c0d4c

SHA512
82fb21fc382602e021cc11fc2193b05988c882bb76ded71e94659a038922e2ef4fb2efbca78378c09b7c8f3ffb56208710aa8dee94a60115b70f7360eab5fcb2

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
80KB

MD5
d662d2a8dc8dca9379d3967f8c7d78ac

SHA1
c84543e8269bb3ebe40ce3d945c76ac727a71a2d

SHA256
90ca9635be4e2f58cb793c27df39e28d70ea99b10c9ab8f33fb28b6d4b452445

SHA512
84b1fc8e6db6cc2542a6128e19eed0a433ca24cca2236e696a4d619c1ce0f8a508658b24b64a154fa4caf2010bfe0442919b54f1263b9fbb77c11cf963e0dad6

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
80KB

MD5
4cc3a07e610758dbbf3fed9fe35c6f6b

SHA1
42457e9b9fa6005387873a577cecc21d75dd382a

SHA256
23f31916927d1df29e664ac5a05f1cd696b17294594ba7320048e025f5beb219

SHA512
4305b21fc256694f567d4d7ad8a313f72ba93272dfae35a53ad96778d50938a09b5bbf52e246fa45093ec5838da3dcfa5d70b4f5eb051afdbc686036ba3daac5

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
80KB

MD5
3dc03f3037598ab480b13075fa9f9cb6

SHA1
7bfb8a8ec3d108e69f1c1bbf21c8b989ace09c21

SHA256
5d1c5c19378f612427874b229840ad833face2adaa20fb0aaad62cbc6436f8ec

SHA512
6d2ef6732d84d6ae1963d909d95b0074d79ac69201844568d73f5f81df3232d68cc9d72aee0cbb33798c56565b7caf96e59e4a2eebd878c9706b3abc1b25df30

Download Submit
C:\Windows\SysWOW64\Kekkiq32.exe

Filesize
80KB

MD5
742b0f13f0fc3a68d75dc75400d1aaaa

SHA1
5157bd0369b2834876031ae877e361531b7bce9f

SHA256
e3bcfd1607155420282fe56e2a6f8a3f6ec1c89d2b6c55cf2ee800240a88ad27

SHA512
7b2f0052583ea021ca515bd83f2092c961e7809a70fd79e4f67eea28328ffd64679bb2beaa1ea7a15b814f4c9801a1bce5916637f14986e0edd22add6034ba37

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
80KB

MD5
1117c6524ffd905e8ed0b492887331a5

SHA1
1535a33964b3ca9bf0a10b8dbe4f642ae674ea4b

SHA256
4b09bc11b557b209b389bf78d43971f023c2ad3e8c15270ff9fd28e521ed5970

SHA512
c4362d2bb830468d8de801b938653b8f0a260f21fd932f3ee1e7c23f2e196c04b3531d9da51ac681a69057f2ba96725b1a9d38c8e2f7654b43913587f18cc87b

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
80KB

MD5
c4cb1e6fc5cbe216f9b3b1943b5c6b83

SHA1
a2f34f46b78946c83d434a3c52a4d5d31a621be2

SHA256
ea9086a91244c3e2cf297cb28eaa9c2ade43424ecd0f1babd5eca81716b0c631

SHA512
33b78b38f401751d12a96bc98e529846a68ea45859d9a4062458939af94194db1d55d4e39c7de1d358819562333ef30e1ddc906225664a47dc64fa016cc5ae40

Download Submit
C:\Windows\SysWOW64\Klcgpkhh.exe

Filesize
80KB

MD5
36eb83da0a613cd39b629e0f0e868464

SHA1
fd6a9bc9338158083ad634296a83ee1b778f63c7

SHA256
f805144f0bcbe7e308e953e4c2ac82569f1294318c701d0f54d1c3e37a9b1d6c

SHA512
c30f8997482eb0b14f40192e93f1ef8c416737c98fb0c317f1c3056fb69f314e85f03336494616513fbb0480e52a0c1d1a05b6d62af662c464404bc2993ace91

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
80KB

MD5
dd3a08a5f9ce31d134eba6f7d1496218

SHA1
84ad0a90765e84de364c0918dcc5126e37a374cc

SHA256
07c2753b2fbbc61076ba94b48477e82906794a512bda50a7fe9b3584e1fc4397

SHA512
0a71a2fcea3b2a6c27c3aa660cafd618caa780dfacd5dced4487ace68d994d61803d943315c7f05bdb8459636fb53d6fe92324c6d8a991a0c7b7274c4133c733

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
80KB

MD5
3262622a5c5e44017875c4c8bd953edd

SHA1
af43839a4ddf723640dbf00095c8f0f4e864eed9

SHA256
50b1c5129b0e092d5cdec610cc4ea718257f8d2b28f535511ac0d695aacf1f8d

SHA512
a88f8a7ccc3eaa98d172f736a9074767abf962969fb110a586af39bde81cc7a21d8b87385614b2098d41e10de9c8c830f4baa3a0a828ca8b6acf111a916eaee4

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
80KB

MD5
69a3381c424d2e68fb7aea36d2529595

SHA1
e3d6c27c4a1673362a7a3437e2f9da220e05b1c8

SHA256
7a976f6f30148d7fb8451d13837336af733eb074980b00c18fe725b70c9456a7

SHA512
453666d4b700bfe0d6800e30448fbbdd1343254e02bb9d688ce6ec92f1ea67b4d532d5ad0de4c149ef0aef98d2474a9709645d8e9b9b340d51fc56fcd137c86c

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
80KB

MD5
af20031294ec5e0488757cf1a5a388d5

SHA1
2bd216060e3b4801d15478c77d3adc0496e7cca4

SHA256
283f10d42f36c24476b951aa2284da3b314bdbc218920bd1a57eabad14662507

SHA512
a3ecf790bd91a8d723d10d6809b34d79da0d52d44f38ae25c1c737a140f90ae04e9e5dcf9aa5ca6bd14b0a29f57163fdf88d17f36238fe261371bc5e0a928c1a

Download Submit
C:\Windows\SysWOW64\Mjcccnbp.dll

Filesize
7KB

MD5
78335dee15cc3ec6b132e748a8d3abc3

SHA1
9d58b00e5a206e97063ec8a1080ecb546e9f04ed

SHA256
c10b246f0acc087c16c20bbb3c80371861ad94e463a06865187748dafef054a8

SHA512
a63c58677e6bb8d085145be30644c3885324a4be4a2f734a76dbf7f4b4e981bc3d326f8f942e0f51d5c8cf0a19297e1896ae086d800de4c6751d5f36b5952155

Download Submit
\Windows\SysWOW64\Iakino32.exe

Filesize
80KB

MD5
24301fdb773b31708d9aa62f48a9a55d

SHA1
69708a83d093b6f0acdf1303c8b36eb16bd24969

SHA256
61f45a911430fe3cbfd1dde1a9668e8e9e82f3103a4eb64a5cbeaab66f9bac23

SHA512
eecce521dafb16a9ce76f9c734d3e8eb1572415ec9776c8fffd2cfe4d72af5462ff06fd94728be79d954d0223d8d3aa74861cbc2dddea296032dfadae76a9179

Download Submit
\Windows\SysWOW64\Ibcphc32.exe

Filesize
80KB

MD5
27ce5b4cb19c674c17465be4468a3f7c

SHA1
c6026a13f0a9d96d27dbb6ddbb8cbb76be5e3187

SHA256
4e914880066d6193bc873d75783d4491f49e6cc071d1d8f89063beaf5ad4d9f8

SHA512
698d9dc4e586829a99bfcd3db11b8c250d69847d6bcb437e5c1bd814d2340e556b5953db71544b8d72ff62bb5bd65ec52e4460da0eb412cd08ecca9ce8b1b87f

Download Submit
\Windows\SysWOW64\Igqhpj32.exe

Filesize
80KB

MD5
da6ea852464858a5ee2661780197ef96

SHA1
e4528705c5491d6caa5d8dae71d8094c4e21ea74

SHA256
c54a1d2354597fe068c229d4d44be7d6959c12b971bbea14c76eb6843dde0c3e

SHA512
3caeac15a04368fe68555f5f21f972c204ab6b218fb76301f86b556f58eb6ddc165d1bb04855be69b2c50b439cb321a9fb8208c6b09c8d077a6529a8cafdbe84

Download Submit
\Windows\SysWOW64\Iipejmko.exe

Filesize
80KB

MD5
b0919e029070e59fd19e5fa1787c6fff

SHA1
8adbd966fbe1cfcad461d08bddfbfc35e943cac1

SHA256
786b076c5ae77d5960c6dc4bc269c0c521e4201b16c6bfca563e06e04a7a3ba1

SHA512
1f021c7557034890c1546940625731f1b446158bc1f01ea28fa1b74f8342cfabd60499b44f9739b41102d7cb0eb4167c9aa26bb3051564cd0e2f946c0029a625

Download Submit
\Windows\SysWOW64\Iknafhjb.exe

Filesize
80KB

MD5
5e08f1b402942cc3d223b1435fdb4ec7

SHA1
a9cd7cac00117a36d4d685f203ff9661271cd403

SHA256
afc2bd37f32387100f09126829fddd1acc68e33334cb1035a1badb2f064c9183

SHA512
cd2c264fa1bb75b1412af357b6240f1702d802c708b3bb6444ab60c1a5da2578f2d1e22deeb439fe07bab311ce353dbad17ed2b1379091e77c1e730d97ca95a9

Download Submit
\Windows\SysWOW64\Imbjcpnn.exe

Filesize
80KB

MD5
97fc6a2f4ca92fd3ba873714b3b674ff

SHA1
7b8e14b8e248cc7a2719f5a5935153686a9f0c0d

SHA256
8ce396e64d23f6064d03a171da0e682ae9b3e7bef2488223ff504e776a46d58a

SHA512
4545debf582ceda6f2ca3b4161464f797bfa8920aa72fe1135dbcb8ca2202f9f814cfa0074aac489453ea67526de705fbafdfa0670440de8898f30393e8060c2

Download Submit
\Windows\SysWOW64\Injqmdki.exe

Filesize
80KB

MD5
2ad51c89d750e0c7c18a517166e91849

SHA1
6c29c78e01162e2aeed5ecfa144996a4345e84cf

SHA256
ba14f44ac7d145c5233c2b962ad3e4f4d20213dc7bf5cb91c4ceb50adafca9de

SHA512
063cfd7a758f3925835113511a2555f01b660872e4e497a09ebbe3f5eab9cea4ab82c63745276c5e105a1efd528c9d8e8be651d51cd56dd5a9394395d0244cc2

Download Submit
\Windows\SysWOW64\Japciodd.exe

Filesize
80KB

MD5
2518809bc8ec149cea70fb9bd02bd118

SHA1
6e70759756c1693249a0eb8c4cdcac1cf8737c62

SHA256
b53be6b69f16b9a9cbae0aa646a4c7048f0171199c9aedcc67c532556708d1e8

SHA512
d2686dee5f571c16f651502d5647695d2fb5a84ad75e7d150b2c16acba572f5972745a36f2f8dbef6b94f2735e31be5572b67af4e1e3e31a147c4a56834783de

Download Submit
\Windows\SysWOW64\Jcqlkjae.exe

Filesize
80KB

MD5
47d24c5a19138bb460ec643bfaaa4602

SHA1
8635e264e0256a6307c7f9a62da0a18671878a69

SHA256
aac801650e3254a9eeb4686a31aebc108f431cec0441895bc2715e00d1605fec

SHA512
a9b8b41f828cd76433b0e6c63cad03627f52b6f212ca50b10ce5c1958400d3a32096ecc21f7564debf0875fa08ec3351795292c6d8cc75db25f535cc035ea260

Download Submit
\Windows\SysWOW64\Jfjolf32.exe

Filesize
80KB

MD5
938c10c1fbb1e238f3be112b4aaa7cc3

SHA1
ce205776a67ee80caa4cd6a30e0aab0815b589e6

SHA256
b07d3926f923a69291c2e050e60e19d42f6f15261f6e84ae92f4a80f548d03f8

SHA512
0d4b063c15b9370a480c6aa405500a6d4e9145cbc0610445ba324a239d8600b5b355aa15596ea02c5bc13ad1008e82d5f8618b29946db4378197b39be01e303a

Download Submit
\Windows\SysWOW64\Jgjkfi32.exe

Filesize
80KB

MD5
dfbf5931f98a09343d1377085ffe20aa

SHA1
6ee60b208b7a0b7c4be5a01346fd2f438b7af932

SHA256
cd1023eb636bd0360882d1af120c7c7babc5bfd2d9193783f063bd607726e172

SHA512
1012fc59fa2b63f2f8dc9c3713c94a6713c2d5a1b614910425071f9ef1b18fe0e6c1342d6606e85e85470accecd440a355e584ef0d078605e9d877bde2afff3d

Download Submit
\Windows\SysWOW64\Jikhnaao.exe

Filesize
80KB

MD5
5e3f4b305e56066e544c67a731a62f99

SHA1
d7b9814e94cf3c6ccc7fb427267150b9e874ae32

SHA256
c16fb9201949836268a699438b5fc4ca83b841dd40be59e2030e836e638fd6c7

SHA512
907b4354d93cf687eee398e4f3786ac20fb2f394a136b5a720856c401b91bd6c8b760766b610154e15c973a48ce41644e4ca1358fd92eba31d4d2f833199861b

Download Submit
\Windows\SysWOW64\Jpgmpk32.exe

Filesize
80KB

MD5
77c2db1e66cae5c37f953280916904d3

SHA1
2f35c4c4cc948ace793dc5b6ee936691a2c461c8

SHA256
7a1dc7f7415268b526ad7305d76b1bb4c60fdb693ede8557a6b6339a0d68e0fc

SHA512
5b404fa384bcfc676fb37a707660eba33562ec19bb578827550ee3e5a09227f050e4569c4f56c8c27addcf7f3ce5845c71681cfe428f8f73e4e34618cefc01bb

Download Submit
memory/860-323-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/860-247-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1044-230-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/1044-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1224-391-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/1224-390-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/1224-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-273-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1536-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1536-269-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1536-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1760-325-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1760-331-0x00000000004A0000-0x00000000004D9000-memory.dmp

Filesize
228KB

Download
memory/1760-401-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1884-142-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1884-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1884-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1884-233-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/1892-392-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-313-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-235-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1964-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-11-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/1988-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-77-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-12-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2004-245-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2004-151-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2004-234-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2004-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2064-125-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2064-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2064-124-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2064-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2064-217-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2076-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2076-204-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-364-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/2084-354-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2084-282-0x0000000000310000-0x0000000000349000-memory.dmp

Filesize
228KB

Download
memory/2160-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2160-26-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2160-14-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2212-261-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2212-195-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2212-185-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2212-266-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2212-259-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2212-203-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2248-257-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-171-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-258-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2256-384-0x00000000002E0000-0x0000000000319000-memory.dmp

Filesize
228KB

Download
memory/2256-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2376-304-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2376-389-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2536-81-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2536-157-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2568-402-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2568-411-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2600-341-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2600-413-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2628-366-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2628-367-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2628-415-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2628-355-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2644-63-0x0000000000280000-0x00000000002B9000-memory.dmp

Filesize
228KB

Download
memory/2668-42-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2764-345-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2764-414-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2796-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2796-28-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2796-37-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2824-246-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2824-256-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2824-170-0x0000000000270000-0x00000000002A9000-memory.dmp

Filesize
228KB

Download
memory/2928-365-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2928-293-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2928-381-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2928-283-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2928-292-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2940-324-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2940-322-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-110-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2952-194-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2952-201-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/2952-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3008-193-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/3008-96-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/3016-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-298-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-303-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads