12c7b037d93662dc32e6b3687fb192acb237bfbff88d5a372129a352258b98fc

Analysis

max time kernel
33s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02/08/2024, 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b5fe8339ed69e2fd6726462911c3e30N.exe
Size

94KB
MD5

6b5fe8339ed69e2fd6726462911c3e30
SHA1

53ecc6aa17413b385be48b952d0f1679f064a1ca
SHA256

12c7b037d93662dc32e6b3687fb192acb237bfbff88d5a372129a352258b98fc
SHA512

54170fb3d787ecbda857182cc57fc936dfe20339eb27dc070b750f4f47afa595d619c56ec39947aa2221a5ad16b56f6892a8b65c98fdcd529cb94892ffbefbdf
SSDEEP

1536:0H4kqu6Odtks2FeO2IsG5if9tqW8LPHq39KUIC0uGmVJHQj1BEsCOyiKbZ9rQJg:E4TKk9sOH5SqW8jH6KU90uGimj1ieybl

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igqhpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ioeclg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmpaom32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdkjmip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6b5fe8339ed69e2fd6726462911c3e30N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnfkba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifolhann.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlqjkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnfkba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iocgfhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iegeonpc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koflgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iocgfhhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6b5fe8339ed69e2fd6726462911c3e30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hbofmcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnhgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khnapkjg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjohmbpd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqiqjlga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koflgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaagcpdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqgddm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Japciodd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe

Executes dropped EXE 58 IoCs

pid	Process
2764	Gnfkba32.exe
2556	Gaagcpdl.exe
2736	Hnhgha32.exe
2752	Hqgddm32.exe
3064	Hjohmbpd.exe
1572	Hqiqjlga.exe
1516	Hffibceh.exe
2652	Hmpaom32.exe
1740	Hgeelf32.exe
1056	Hifbdnbi.exe
2380	Hqnjek32.exe
536	Hbofmcij.exe
1976	Hmdkjmip.exe
1788	Iocgfhhc.exe
2192	Ifmocb32.exe
2120	Iikkon32.exe
288	Ioeclg32.exe
1620	Ifolhann.exe
2156	Igqhpj32.exe
1536	Ikldqile.exe
1996	Iipejmko.exe
1468	Igceej32.exe
3056	Ibhicbao.exe
2800	Iegeonpc.exe
2632	Igebkiof.exe
2844	Imbjcpnn.exe
2604	Jnagmc32.exe
2500	Japciodd.exe
2680	Jpbcek32.exe
2256	Jabponba.exe
2972	Jjjdhc32.exe
2740	Jllqplnp.exe
2440	Jbfilffm.exe
1156	Jedehaea.exe
2136	Jpjifjdg.exe
292	Jnmiag32.exe
1896	Jlqjkk32.exe
1960	Jplfkjbd.exe
2236	Jnofgg32.exe
2464	Khgkpl32.exe
616	Kbmome32.exe
1804	Kapohbfp.exe
1676	Kjhcag32.exe
2504	Kablnadm.exe
2280	Kdphjm32.exe
1756	Kkjpggkn.exe
980	Koflgf32.exe
2240	Kpgionie.exe
2484	Khnapkjg.exe
2328	Kkmmlgik.exe
3036	Kipmhc32.exe
2728	Kmkihbho.exe
1988	Kpieengb.exe
2016	Kbhbai32.exe
1772	Kkojbf32.exe
2372	Lmmfnb32.exe
1484	Lplbjm32.exe
2264	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
824	6b5fe8339ed69e2fd6726462911c3e30N.exe
824	6b5fe8339ed69e2fd6726462911c3e30N.exe
2764	Gnfkba32.exe
2764	Gnfkba32.exe
2556	Gaagcpdl.exe
2556	Gaagcpdl.exe
2736	Hnhgha32.exe
2736	Hnhgha32.exe
2752	Hqgddm32.exe
2752	Hqgddm32.exe
3064	Hjohmbpd.exe
3064	Hjohmbpd.exe
1572	Hqiqjlga.exe
1572	Hqiqjlga.exe
1516	Hffibceh.exe
1516	Hffibceh.exe
2652	Hmpaom32.exe
2652	Hmpaom32.exe
1740	Hgeelf32.exe
1740	Hgeelf32.exe
1056	Hifbdnbi.exe
1056	Hifbdnbi.exe
2380	Hqnjek32.exe
2380	Hqnjek32.exe
536	Hbofmcij.exe
536	Hbofmcij.exe
1976	Hmdkjmip.exe
1976	Hmdkjmip.exe
1788	Iocgfhhc.exe
1788	Iocgfhhc.exe
2192	Ifmocb32.exe
2192	Ifmocb32.exe
2120	Iikkon32.exe
2120	Iikkon32.exe
288	Ioeclg32.exe
288	Ioeclg32.exe
1620	Ifolhann.exe
1620	Ifolhann.exe
2156	Igqhpj32.exe
2156	Igqhpj32.exe
1536	Ikldqile.exe
1536	Ikldqile.exe
1996	Iipejmko.exe
1996	Iipejmko.exe
1468	Igceej32.exe
1468	Igceej32.exe
3056	Ibhicbao.exe
3056	Ibhicbao.exe
2800	Iegeonpc.exe
2800	Iegeonpc.exe
2632	Igebkiof.exe
2632	Igebkiof.exe
2844	Imbjcpnn.exe
2844	Imbjcpnn.exe
2604	Jnagmc32.exe
2604	Jnagmc32.exe
2500	Japciodd.exe
2500	Japciodd.exe
2680	Jpbcek32.exe
2680	Jpbcek32.exe
2256	Jabponba.exe
2256	Jabponba.exe
2972	Jjjdhc32.exe
2972	Jjjdhc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hjohmbpd.exe	Hqgddm32.exe
File created	C:\Windows\SysWOW64\Leoebflm.dll	Iegeonpc.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Iocgfhhc.exe	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Ffdmihcc.dll	Ioeclg32.exe
File opened for modification	C:\Windows\SysWOW64\Iipejmko.exe	Ikldqile.exe
File opened for modification	C:\Windows\SysWOW64\Jnmiag32.exe	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Ifolhann.exe	Ioeclg32.exe
File created	C:\Windows\SysWOW64\Kbmome32.exe	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Koflgf32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Dllmckbg.dll	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Hpdjnn32.dll	Jnagmc32.exe
File opened for modification	C:\Windows\SysWOW64\Jjjdhc32.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Koflgf32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Hqiqjlga.exe	Hjohmbpd.exe
File created	C:\Windows\SysWOW64\Hifbdnbi.exe	Hgeelf32.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	Ifmocb32.exe
File opened for modification	C:\Windows\SysWOW64\Japciodd.exe	Jnagmc32.exe
File created	C:\Windows\SysWOW64\Knfddo32.dll	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Jnofgg32.exe	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Hnhgha32.exe	Gaagcpdl.exe
File created	C:\Windows\SysWOW64\Gfbaonni.dll	Hnhgha32.exe
File created	C:\Windows\SysWOW64\Mjcccnbp.dll	Ikldqile.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	Igebkiof.exe
File opened for modification	C:\Windows\SysWOW64\Jabponba.exe	Jpbcek32.exe
File created	C:\Windows\SysWOW64\Lpfhdddb.dll	Iocgfhhc.exe
File created	C:\Windows\SysWOW64\Ikldqile.exe	Igqhpj32.exe
File created	C:\Windows\SysWOW64\Aekabb32.dll	Ibhicbao.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Koflgf32.exe
File created	C:\Windows\SysWOW64\Gnfkba32.exe	6b5fe8339ed69e2fd6726462911c3e30N.exe
File opened for modification	C:\Windows\SysWOW64\Ikldqile.exe	Igqhpj32.exe
File opened for modification	C:\Windows\SysWOW64\Jpbcek32.exe	Japciodd.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jplfkjbd.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Gaagcpdl.exe	Gnfkba32.exe
File created	C:\Windows\SysWOW64\Iocgfhhc.exe	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Npneccok.dll	Igceej32.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Jkbcekmn.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Bbdofg32.dll	Gaagcpdl.exe
File created	C:\Windows\SysWOW64\Ekdjjm32.dll	Hqnjek32.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Iddiakkl.dll	Hmpaom32.exe
File created	C:\Windows\SysWOW64\Jabponba.exe	Jpbcek32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfilffm.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Gaagcpdl.exe	Gnfkba32.exe
File created	C:\Windows\SysWOW64\Gflfedag.dll	Hqgddm32.exe
File created	C:\Windows\SysWOW64\Ifolhann.exe	Ioeclg32.exe
File created	C:\Windows\SysWOW64\Igceej32.exe	Iipejmko.exe
File created	C:\Windows\SysWOW64\Omfpmb32.dll	Japciodd.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Khnapkjg.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Mkehop32.dll	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Kapohbfp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1832	2264	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbofmcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnagmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koflgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b5fe8339ed69e2fd6726462911c3e30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hffibceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iocgfhhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnfkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqiqjlga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igceej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gaagcpdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmdkjmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igebkiof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iegeonpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ioeclg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjohmbpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifolhann.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmpaom32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqgddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igqhpj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll"	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knfddo32.dll"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Japciodd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaagcpdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqiqjlga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npneccok.dll"	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll"	Ioeclg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6b5fe8339ed69e2fd6726462911c3e30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflfedag.dll"	Hqgddm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbaonni.dll"	Hnhgha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6b5fe8339ed69e2fd6726462911c3e30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll"	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmdgf32.dll"	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll"	Jpbcek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll"	Hjohmbpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqiqjlga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll"	Hbofmcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbqi32.dll"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll"	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Japciodd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll"	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifolhann.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibhicbao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll"	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6b5fe8339ed69e2fd6726462911c3e30N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 824 wrote to memory of 2764	824	6b5fe8339ed69e2fd6726462911c3e30N.exe	30
PID 824 wrote to memory of 2764	824	6b5fe8339ed69e2fd6726462911c3e30N.exe	30
PID 824 wrote to memory of 2764	824	6b5fe8339ed69e2fd6726462911c3e30N.exe	30
PID 824 wrote to memory of 2764	824	6b5fe8339ed69e2fd6726462911c3e30N.exe	30
PID 2764 wrote to memory of 2556	2764	Gnfkba32.exe	31
PID 2764 wrote to memory of 2556	2764	Gnfkba32.exe	31
PID 2764 wrote to memory of 2556	2764	Gnfkba32.exe	31
PID 2764 wrote to memory of 2556	2764	Gnfkba32.exe	31
PID 2556 wrote to memory of 2736	2556	Gaagcpdl.exe	32
PID 2556 wrote to memory of 2736	2556	Gaagcpdl.exe	32
PID 2556 wrote to memory of 2736	2556	Gaagcpdl.exe	32
PID 2556 wrote to memory of 2736	2556	Gaagcpdl.exe	32
PID 2736 wrote to memory of 2752	2736	Hnhgha32.exe	33
PID 2736 wrote to memory of 2752	2736	Hnhgha32.exe	33
PID 2736 wrote to memory of 2752	2736	Hnhgha32.exe	33
PID 2736 wrote to memory of 2752	2736	Hnhgha32.exe	33
PID 2752 wrote to memory of 3064	2752	Hqgddm32.exe	34
PID 2752 wrote to memory of 3064	2752	Hqgddm32.exe	34
PID 2752 wrote to memory of 3064	2752	Hqgddm32.exe	34
PID 2752 wrote to memory of 3064	2752	Hqgddm32.exe	34
PID 3064 wrote to memory of 1572	3064	Hjohmbpd.exe	35
PID 3064 wrote to memory of 1572	3064	Hjohmbpd.exe	35
PID 3064 wrote to memory of 1572	3064	Hjohmbpd.exe	35
PID 3064 wrote to memory of 1572	3064	Hjohmbpd.exe	35
PID 1572 wrote to memory of 1516	1572	Hqiqjlga.exe	36
PID 1572 wrote to memory of 1516	1572	Hqiqjlga.exe	36
PID 1572 wrote to memory of 1516	1572	Hqiqjlga.exe	36
PID 1572 wrote to memory of 1516	1572	Hqiqjlga.exe	36
PID 1516 wrote to memory of 2652	1516	Hffibceh.exe	37
PID 1516 wrote to memory of 2652	1516	Hffibceh.exe	37
PID 1516 wrote to memory of 2652	1516	Hffibceh.exe	37
PID 1516 wrote to memory of 2652	1516	Hffibceh.exe	37
PID 2652 wrote to memory of 1740	2652	Hmpaom32.exe	38
PID 2652 wrote to memory of 1740	2652	Hmpaom32.exe	38
PID 2652 wrote to memory of 1740	2652	Hmpaom32.exe	38
PID 2652 wrote to memory of 1740	2652	Hmpaom32.exe	38
PID 1740 wrote to memory of 1056	1740	Hgeelf32.exe	39
PID 1740 wrote to memory of 1056	1740	Hgeelf32.exe	39
PID 1740 wrote to memory of 1056	1740	Hgeelf32.exe	39
PID 1740 wrote to memory of 1056	1740	Hgeelf32.exe	39
PID 1056 wrote to memory of 2380	1056	Hifbdnbi.exe	40
PID 1056 wrote to memory of 2380	1056	Hifbdnbi.exe	40
PID 1056 wrote to memory of 2380	1056	Hifbdnbi.exe	40
PID 1056 wrote to memory of 2380	1056	Hifbdnbi.exe	40
PID 2380 wrote to memory of 536	2380	Hqnjek32.exe	41
PID 2380 wrote to memory of 536	2380	Hqnjek32.exe	41
PID 2380 wrote to memory of 536	2380	Hqnjek32.exe	41
PID 2380 wrote to memory of 536	2380	Hqnjek32.exe	41
PID 536 wrote to memory of 1976	536	Hbofmcij.exe	42
PID 536 wrote to memory of 1976	536	Hbofmcij.exe	42
PID 536 wrote to memory of 1976	536	Hbofmcij.exe	42
PID 536 wrote to memory of 1976	536	Hbofmcij.exe	42
PID 1976 wrote to memory of 1788	1976	Hmdkjmip.exe	43
PID 1976 wrote to memory of 1788	1976	Hmdkjmip.exe	43
PID 1976 wrote to memory of 1788	1976	Hmdkjmip.exe	43
PID 1976 wrote to memory of 1788	1976	Hmdkjmip.exe	43
PID 1788 wrote to memory of 2192	1788	Iocgfhhc.exe	44
PID 1788 wrote to memory of 2192	1788	Iocgfhhc.exe	44
PID 1788 wrote to memory of 2192	1788	Iocgfhhc.exe	44
PID 1788 wrote to memory of 2192	1788	Iocgfhhc.exe	44
PID 2192 wrote to memory of 2120	2192	Ifmocb32.exe	45
PID 2192 wrote to memory of 2120	2192	Ifmocb32.exe	45
PID 2192 wrote to memory of 2120	2192	Ifmocb32.exe	45
PID 2192 wrote to memory of 2120	2192	Ifmocb32.exe	45

C:\Users\Admin\AppData\Local\Temp\6b5fe8339ed69e2fd6726462911c3e30N.exe
"C:\Users\Admin\AppData\Local\Temp\6b5fe8339ed69e2fd6726462911c3e30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\SysWOW64\Gnfkba32.exe
  C:\Windows\system32\Gnfkba32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\Gaagcpdl.exe
    C:\Windows\system32\Gaagcpdl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Hnhgha32.exe
      C:\Windows\system32\Hnhgha32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\Hqgddm32.exe
        
        C:\Windows\system32\Hqgddm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\Hjohmbpd.exe
        
        C:\Windows\system32\Hjohmbpd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Hqiqjlga.exe
        
        C:\Windows\system32\Hqiqjlga.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Hffibceh.exe
        
        C:\Windows\system32\Hffibceh.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Hmpaom32.exe
        
        C:\Windows\system32\Hmpaom32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Hgeelf32.exe
        
        C:\Windows\system32\Hgeelf32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Hifbdnbi.exe
        
        C:\Windows\system32\Hifbdnbi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Hqnjek32.exe
        
        C:\Windows\system32\Hqnjek32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Hbofmcij.exe
        
        C:\Windows\system32\Hbofmcij.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Hmdkjmip.exe
        
        C:\Windows\system32\Hmdkjmip.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Iocgfhhc.exe
        
        C:\Windows\system32\Iocgfhhc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Ifmocb32.exe
        
        C:\Windows\system32\Ifmocb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Ioeclg32.exe
        
        C:\Windows\system32\Ioeclg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Ifolhann.exe
        
        C:\Windows\system32\Ifolhann.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Igqhpj32.exe
        
        C:\Windows\system32\Igqhpj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ikldqile.exe
        
        C:\Windows\system32\Ikldqile.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Igceej32.exe
        
        C:\Windows\system32\Igceej32.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Iegeonpc.exe
        
        C:\Windows\system32\Iegeonpc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2800
        
        C:\Windows\SysWOW64\Igebkiof.exe
        
        C:\Windows\system32\Igebkiof.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Jnagmc32.exe
        
        C:\Windows\system32\Jnagmc32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Jabponba.exe
        
        C:\Windows\system32\Jabponba.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2440
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:292
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1896
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:616
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Koflgf32.exe
        
        C:\Windows\system32\Koflgf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2728
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 140
        60⤵
        Program crash
        
        PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gaagcpdl.exe

Filesize
94KB

MD5
32e8c438295618ae262730d8e41b9301

SHA1
6ae4e1a0df02ddbd77a4de724b2aff08a248431a

SHA256
83879c076af79d0b2725b9eee5e09415b45ebf6ee43acb3a27128d844f2017b7

SHA512
8611fe2949c85d982d04c136309cee3820a6d35710592f45812aa3aeefa96a9c5e167a3b2d32b1665a5513b60686f1b7545dbce22f5dade367a214314df8213d

Download Submit
C:\Windows\SysWOW64\Hnhgha32.exe

Filesize
94KB

MD5
398f82be292e6e912181825d7c7691a6

SHA1
beaee12a1572b42850c1041a8e9213c05902459b

SHA256
1ec945d7c6247e12c4e81a7e694dc6a5410c8eb82989dc150d58ae528d7ebb93

SHA512
b34260313f20eb6e9b97a6b7c59ba13974672c19c6b9a8a371e95b0bf315c909187c059c58d33d0cfa7b32eaa0cf503b516be76ecd3026a8089d1d8144827334

Download Submit
C:\Windows\SysWOW64\Hqiqjlga.exe

Filesize
94KB

MD5
8ce7d13437dd313904b340c98a93ca90

SHA1
9b8cc15ce69fa7905653023f649461bcfbcacb24

SHA256
ea0de01eeb81a5f8a9ff849f16d55e24fbda11e94a545b72838918874dcd8cc5

SHA512
29115432c4b562699fe1ce3fb7b6ca4cb99bc63d2b75d8b1952bbcd38fc9c37730810d77c1a71518eeaa081bf998fa7c1546b7c3d4aef83eb358c91e1748f538

Download Submit
C:\Windows\SysWOW64\Ibhicbao.exe

Filesize
94KB

MD5
a877556381caa9e19994c44cb9fe5446

SHA1
a04dab14ff1ff3a3731595c2ac19347d16973686

SHA256
5ab69989b61b5454574e24bf7d2bc46e9f7f35414f39e2e3f57746bb10c7ba08

SHA512
ef4e16e8293f77cad51a570d4220a392564dce293e477dee4ef54a5383f42d6ae86b77418f162868f58a2d4233f7d66d19c2860041d1dd47056236d323df9c3e

Download Submit
C:\Windows\SysWOW64\Iegeonpc.exe

Filesize
94KB

MD5
d70033be845798b3bf476585a068bb04

SHA1
fdac70a59e69bc01f0eadaa2c94d3607184e73d3

SHA256
3b80ffe138f425f577e129e0982c4bdac11744572d088dc248af9e11eb1a55b5

SHA512
dc021dff4849a3b257c73ff8b60fcc8faf4ddf98c4b8e0f3b6efbae4953446e5b5e4ce05f8cea5b903ff9f1792d4b4dfe1d09e147e8cec695e3682553ae6ff0e

Download Submit
C:\Windows\SysWOW64\Ifolhann.exe

Filesize
94KB

MD5
c9d256fbe6059e69f6cfee114b6f81b1

SHA1
31653bbb931987a5e798ee1a62fd21d4d7922477

SHA256
e78d58d6a2b3e71d62b3f98496ea921aedc055945c06fc313ce823de3a67f23d

SHA512
a0956a1ff1ad0eaff475b7e4ce555e2e525c719ce2ed0a98ec2e3c2bd6865ae7cfd2423b2d77cb95fc70f83996c9874ffc88189112b1aab552b43152d39d8acb

Download Submit
C:\Windows\SysWOW64\Igceej32.exe

Filesize
94KB

MD5
df9c0d32bc0e4408dd6bf7a595db59ef

SHA1
ac5dceeed5a72494d7fcbf82d732954d36790f53

SHA256
f2dce2f0ac094355ced105e0f9bc1718873fc5854915987990a51fd77187f961

SHA512
dab4688a05f9dcf4879989073ac46c372f8f5205e00b119d46b54bb50fba505af41fad081966992e2130be6b62761cb94d3a02472ab241994ba517a8c5c0a379

Download Submit
C:\Windows\SysWOW64\Igebkiof.exe

Filesize
94KB

MD5
06ccf97860d8ea22a0dd7583fcbf0335

SHA1
52b65f8d8a52f5ff4694c5b1ebef728b17dd0fa5

SHA256
df5e883221f57a2a21a715daa5ea047b076ac47a1bc6725493c91dd95990c7f3

SHA512
06baaff18750990d4738ba2b15d383d17d0eef43a3c58472749544455b1aa9c97cffb537520dc621f620e4fef0db9d9679f74b38f3c2c77bc5288c9438a39e4c

Download Submit
C:\Windows\SysWOW64\Igqhpj32.exe

Filesize
94KB

MD5
b3d6127bf6af07e3ed6813ce0879776f

SHA1
f4d58cd477aa52f2843e1b73c35eb25500e025e4

SHA256
770dd60c813f84c48500ba04b9aaca1e61929464ce74902615ded5726109a25c

SHA512
fb97ffc8fc0bee1185f15a20e35e45ef06c6dec716581f95390d15d279c503d80618a056dbf83383db647a300b73a7dc8167fda3f403d237551d6b866f0de0d8

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
94KB

MD5
6ac0c6416e1b1367eb462e27754b2920

SHA1
f35a5e12a25443d8e19c0cabf82231f4727f9f62

SHA256
081ce8c6bcd35fb0da2291aa2ec11118082037b52a9358016edacdc4006c62b4

SHA512
f1c36f6c700d64b77fa1a8d0e5e43cf86f95ea70da1b9230b4ec0243d95d547268b036f23ee36a9abac24881fd31a097b5f036d091b4ba4722a8905f97847e60

Download Submit
C:\Windows\SysWOW64\Ikldqile.exe

Filesize
94KB

MD5
12b7327c898f3909cffeed291b23de96

SHA1
2e259ce37e5db535ce46d71f386e8af7beed9c27

SHA256
d42edab4e404086db901e1b4a2875de4c28d072239677e150e0a2b4c08a2ec49

SHA512
bb7ac3b5ae1a883e45870f0cbeed5022fe1116083e12f7b7fd1b9516208cdf26a3257b78ee474e749a52fc7eeded34f6dd645576dfa9c5f00cf090a8e07d6cac

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
94KB

MD5
60bd605ac077fbf14303d41f7547a587

SHA1
9a929b0e182d7805730e78825771b9db9c72b549

SHA256
cd4770f003a17fa0ac94f478e4aa60c6c6b0805d93905d06ba57b198d8734b61

SHA512
182c0e8177369c274af042e0720e8de628cfa8adb0622f93f26702c9ba38a0ca12b7aa42cf5caea93a9e50cbdf5af15bb596a58fedf9e433ef04731cf06efd61

Download Submit
C:\Windows\SysWOW64\Iocgfhhc.exe

Filesize
94KB

MD5
c9c15c94836aca272ed829d45c08a7f5

SHA1
967908daba3c83d1e847fe56fa8088abfcf1d096

SHA256
feebb5c7b5e98c60a3e5d8ef39b77af3783b79843b89fd6a1f5e94961c188339

SHA512
01c39ab5cf5dbd86c2d892dc14eef521a5f75fda47b15498c863d9b426edb4a21b287bf1394254b4183dcac88efcd6143623f441e8bc730edd1b117b0f15cd3d

Download Submit
C:\Windows\SysWOW64\Ioeclg32.exe

Filesize
94KB

MD5
1808d5f3e7d153b14dfaa544e6e36f33

SHA1
6f6308b264b234119db05d47b6b1497756e904a1

SHA256
bb41371fb001e4896ce7f0be14296d31f638c97e68003a38dd6e6262e8f352d4

SHA512
90fd3a6898dc249ed3d4b12d98b4b0392b5e1bff40fd6e6ff03922e98235934446e630aee914ce2f0f9bd5c36c6d176ce83d95bafe12307f7ca6fb820d7cdb62

Download Submit
C:\Windows\SysWOW64\Jabponba.exe

Filesize
94KB

MD5
0c78acbbc6f350428581f4e56a260999

SHA1
d414236e9e3eee87ff985bbdbbc59085d670d354

SHA256
af4b512cb24a956cb357e674246a326dd550a35564553f852ef2c8cb9ee4cc07

SHA512
009a1893a783ea6d35559c2c0b747d16b173859599075301eb75b92815302b862d4603ef243bcc1083493b814a9d50a1313b3a9bacbf1aa84ee4a740962aa777

Download Submit
C:\Windows\SysWOW64\Japciodd.exe

Filesize
94KB

MD5
8a67b97a5fc75d1160686d5b52f8c00c

SHA1
fe887827b38a4a1ce9b19c0afb2f56f2cf156574

SHA256
7f5c8eb22f6cf351d525c044855aeb50443169ea8db71413dc00662acb05986f

SHA512
adbebfe3a6972a40d475b0ddf0802d0d48f29655fed15a07bc21724ad195c2cd7369f0ba70ee52fa6f568ee1c4e37dfba3a2e51b4124c751214b267e25c25c99

Download Submit
C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
94KB

MD5
2d5c256aa19b6f586b35eccd242a303b

SHA1
b2944ef5d6cad0f20fb5cbe7a369cd744910ebca

SHA256
b4e63c9cd44917a45f024b69500064ff6c2f231b3af9177fcbfe931b2277f6f2

SHA512
5371d8f2294984ff5f50f10e50e52762093ff5f480275df9f7dc847f2eaa9c9c56e880549d4948b326d76f178118b78642686e9a342cb52d172439d04942e715

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
94KB

MD5
fe09c36337962f9d3023712d92c5d3ed

SHA1
524d798b1c285f38de61daf767541f2ec7f6f081

SHA256
bbece1b5f3986743ff384a3de5f0d6fa3f52909f516bc05c8ba7aebc03c99994

SHA512
f067d4a6521fe30926897ccad728752d1f35346765ef4b92bb76981c80e136f23d934a9c7b8bf4474414a0d7da16ea40c194ebb4092c1f7320dcc01df6913be4

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
94KB

MD5
808b8dfd199291701cba1d68d5e7d373

SHA1
6326a1900e26f8281e252b79fd1111953a2b1ba0

SHA256
fc89de637d4ae45e387f637b60e39626fabd3c11f07c2ad7c72139deada09eda

SHA512
fec2bae34417ae40b1a4eaacc2ef6af028a75a7aa7324a8d43fabe430726e3065376b53346ab995bf4e1d8f8a7ea490ff5046bbd507fdd4dea2d0952028eb468

Download Submit
C:\Windows\SysWOW64\Jllqplnp.exe

Filesize
94KB

MD5
596c4a9eecbaa77a7e8a7557b2b516f2

SHA1
943c9a5bb2408a045966a56343a2352a46b78ada

SHA256
9eea3dd75fc8c166192d0f613110c68114fa9af7b430dd2a69882ca6e42ddad6

SHA512
2bbddf94275b8148a3f341057ec1325e4e6c9c2ce6f9110df8adb52db61c8ab11de54979a1db171d8c3e53654075cd4d3822e0ff2a9d45439dd1909630ddf620

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
94KB

MD5
85a259a4fd59bf3f1822ac2c0e95f52b

SHA1
c0993b9ca06647a1df7fede3fb55894ba4a715e1

SHA256
a29022994ad00ab4be2c52068056c89d78b285976e6a324d49e069e5a27a150f

SHA512
de2f1e181229eed476259c4059bf78c98e208f73249157ff394133e158590e31f030455cefefe6641884dcc34f0777a359078e32f7a012ff122e95a7aad5788a

Download Submit
C:\Windows\SysWOW64\Jnagmc32.exe

Filesize
94KB

MD5
41d289ac15743f82c10a6c7f01acfb20

SHA1
63b17173214b6d5025e9128dc08ca9a72b35a4cd

SHA256
eb26bc265004bfad25d29cb9629e1a4a2e56e0ed0ed4459f3483af3295bcdded

SHA512
4a854b919bf56f8d71652c31a7740ae379aa1c2ce17958fb89f8bc0d6735425bf67e156928838876cfea8a4f9dc842f46ef34138aa9f0a81c601aad264097bba

Download Submit
C:\Windows\SysWOW64\Jnmiag32.exe

Filesize
94KB

MD5
3b01b3d0d9af70a61a97d1c2b795fa27

SHA1
b12a8abef1f512de0504572ec51ad80ca9706cf1

SHA256
e32333935cd5a7f833b939d1e2c3a6a2b97fe0b764d7709b223b3e8a05465539

SHA512
2139876266290316dc05d06308ff861d6ead6d3a84e30bc9cf581033da88517c8e3449f300bea201399b36f847d95393bc9e8c57158a0ec80db28a2368755e6e

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
94KB

MD5
57496c4f13df44d287c551c8ef38f62e

SHA1
cabdae554d42de0257f7862f5836a672bc4a3ff2

SHA256
a6d98ecb6debe5a3e363c0c98e14be126ae0db62028ecc5b14febfd57c74df74

SHA512
00a7e6abbb28fff154cc26bada23a2c91de850e83d5e88f22ef83e59aa8ebc75c3a3a485a7fbcbab8e56b072b217bb8a2422b44649b89412fde0ad32119cd141

Download Submit
C:\Windows\SysWOW64\Jpbcek32.exe

Filesize
94KB

MD5
ed91e708286518320a570fe7528c7663

SHA1
07ce3006b5f92828fae2d6b2c7e82f16ef1ff8ff

SHA256
c81324358fa0857e6d153aca1a8c85d84333b615da50cac069cd89fc7327b961

SHA512
81ea5a5fbb0ce68a0d23a5bf64a1214e7faba82aa50837ac008398900c7655fd280edbdd9493dda44f2538bd8eb6d3736bed8c1809e0b5ba5e035cbbfc657de9

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
94KB

MD5
495b8f2768fe5752a27a78fadd8dbf40

SHA1
e2d846ce8bcf99e0b0b3f00fb8ab8f2849ca218c

SHA256
2a098c3beffa22f6448b1f50136df70fa7ea631cd8e066baffef6d8e29ddc912

SHA512
c8d2e02a6133ead5db115960859566dabc1097417079872e4a7b86c331784d1c95dda6079d1abf365e968eae3e53ec318423587656155fddcd97946a267ddff3

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
94KB

MD5
6a9889f22f22ec910607ec755dba2dd9

SHA1
f9d067b08473ace01a968be54f166a8a14ca0532

SHA256
dd6cb8c7c26fc266cc0ee1716a4bd356be4aaac48a85ddf0ff5ef5e41343fd60

SHA512
3d36faa5b5eef0c8bd86adfcdd4ca66af012e804ae07eb9b2e008ac41c6955522486526eaa59e50f484c48cb0d925914909e1b12a5e932a624056b16bb896920

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
94KB

MD5
8a883ce75ae59b91ea617dde2439b651

SHA1
b10f9a445efeaf176d633792a661edfd4bb0492e

SHA256
cf7d8696dc97b02f4f05a69b0fc9c1b2f7d84b094c3fbde666c024b6510de8f5

SHA512
5853b26824c4fe3aaee6f95e54c70efe62458f6ec2ea775477036745511255823847805260e76b1022006f3bd08075b18b0dde10fc707e4694b03424c15bcb2c

Download Submit
C:\Windows\SysWOW64\Kapohbfp.exe

Filesize
94KB

MD5
ff7caad36980fddb553c29f215e6c86b

SHA1
093c61b49942cafd5c3135a907e1d419b4500b4c

SHA256
132035dd76e0c429157c3fde466abd0b5230f23b10c622f0b4dbaf60c6b45986

SHA512
f4c8965b7cd8e1fb21eb822b535a143c363711c4c138774f92f617989465e659b3c0edc06638dbc376b7980469065c7c4a6dc6839eccec96c3898d7f37858d40

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
94KB

MD5
72aca386b9bc16f4ddab08da51a928cd

SHA1
f22535b1839e3275d9e15be48905ba2bdfcededc

SHA256
79c628bd00a48ad3e9471fe45cc1022558aaf811918e45eb650b803e876541f0

SHA512
3d451c20277c1ec62f30d03834a4335e15107d45b2daae1ba1aa6360ab76e7b29305d1c783588843e1c038374ba574be9da251f3dcb50077ad6bce294d860588

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
94KB

MD5
7b9b2ccb56f48813fac2b8a3902f5651

SHA1
527ffcf1556440ce69818e049b352ef8e50544a0

SHA256
754f6365b83f2c3a05743ce583c3b320ea961fafcc8b1a3485b5c8166f644606

SHA512
81ab028cba6c412a3f673e895ddd911bf96dc68ee9704f181b1aabd2afd0f608d4fb690302098e8c15cfd87f63aa22a39e62708e49fa4818b32fe4075e862423

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
94KB

MD5
ee662d9d8c29a1c1e3073ed4334de563

SHA1
123ffd8f4234878d72a7bd63c4bb94f3e936a044

SHA256
6a10da8d2a2b311f3c17b67fc7db6bdf92f6d30044cf722ca6ed717defec2065

SHA512
6978b076c082308f9d9db2a1774c1355b0bc67647251e34d3fea9781684df7ab8f5da621e0f8ec1faa88561796ff8a886a25a1c39191ae05de9613c798f707b8

Download Submit
C:\Windows\SysWOW64\Khgkpl32.exe

Filesize
94KB

MD5
8ac7861131a217b59235ffbe64bca15b

SHA1
a909b04a21a66ee17c759e9766e186d48e90e317

SHA256
96fc60fa2e5ebde60173740c333ddbc3c5178d9862801deeb90f175ae3d2d94f

SHA512
8da282d0590fa6d1fb3bdd00db0eea10d86825634cfae0f62d47f3689d7870aa5a2f1fc3c0e8d727950e0a6c1a266e3818ef53e656bcf0a9b498b6e8b0c036ea

Download Submit
C:\Windows\SysWOW64\Khnapkjg.exe

Filesize
94KB

MD5
e861cd2cb7d4b15e9935b271b542bbee

SHA1
456fd25c7b32c12dce88bf6645fcd006f7b2772d

SHA256
7dbf50873a5a2aa3aede50489ef1bfe76eb4a649d1d349157d7eb39de4ef4c21

SHA512
cc20e1d13ba61f4e3fd94e3b3c8a7cbca3c9e91f06e6f15f6577fb83708ac358d01f30932c9e97aeaf95312ce602d2409ba8f715d42f03f5c04885269e37e70f

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
94KB

MD5
2a1c32158fe1869ddd73d72e3a22b955

SHA1
dfc1b5562321f097b801c4ef142048f9d07bda47

SHA256
f34d706896bd69a076d20f0f960da371ecea30dfe1512c6095175e49d05d3546

SHA512
5ee62c671f885fb4113d9d80950cf9228936b79b7f321400b538d7a765df7dfdf2dc8ac45cb264346f982122521fd33b7d9c110f523c322f3d1330babd417aa1

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
94KB

MD5
41d31cb39936fa26f3168a2569e71d1c

SHA1
ea97735c1ea0eb95e3c810a181bebe30bb182b53

SHA256
1d28938bd740e5071da02c64c21b745b1576ffc09561318ad92a8179383e866c

SHA512
c9cbf8a1005c0e07e39604363b11ba851d792604218dbdda3942d179b2dfb98a8e690ea88b912bcc429b32628763984ec94a991ad0500724f8495cd42811cce0

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
94KB

MD5
35ea81594152b7a7585444aa6c35452a

SHA1
e7ac2c17f2f295e5b2a8c89cce3e04a5936ab626

SHA256
9831edd1eee18ae77b169d166eafb20990806ee18ee5e9b9779938e9902eb4e4

SHA512
5360f404daea83fbfdf5c8d7623fbaf59361f15a77859708d413ead96f2f565fa8f77af25ae9b56ac772811d76fdbae27bcf2fbf550e84b8ad19742e4d37436e

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
94KB

MD5
1e9cc6b26bcd3fb54a67ab4b016b5fb1

SHA1
d4da87f30042754a0572a3811bb6f5091f304ae7

SHA256
0bc273a02c16cd46e1b957854f05f6b8d1d02d3712a9cfdd208fef60f0df1811

SHA512
fb4776cd629a2c86df5aec282165ce0d551b2fb43aba79a80d36abe6edbf1b5aa4ce57a730e53ae5621610f5ea2be0903d196e988d1ef522e29228d3e3c22bc8

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
94KB

MD5
9d8f8355726a19482c54ec5a48541621

SHA1
e47d72ecfa3119d79912fb482ca58b18554a1533

SHA256
dd21e5cef92ac1017c20568fccc203bf2455fd90632cd1b6fbda3f1ad97aea87

SHA512
a431a716d31d9587a22df5eb9e29191d5d5675fea3e0129d2ae50364537068b04bfd959473716e4952da4f9d5e1268b11080a29ff4a3b3cb57a685e80703d7a7

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
94KB

MD5
144537c988cba5b258f9b0a7a280f29a

SHA1
80144f3b7917e20c49611846a039445bb0f5e16d

SHA256
6b0b4d1d33b64024fc6a032a556a6370e7461345975fe01577fcd35cf7ed2bf3

SHA512
60959476492f4997d16db124a8064ec95c45e49198fb67e0507df4f8c290cb8584b122e9e66ca9c3dbfffbad8db6cf265b6ba71d1fdc880e6b2472daa4d63f0a

Download Submit
C:\Windows\SysWOW64\Koflgf32.exe

Filesize
94KB

MD5
6aeab3723f52431849e5ee2c0720587a

SHA1
e9d8abf7f57695419471451b2957f94117849a88

SHA256
0f3c83c499b8436843e1b30b9495a1978824e53b443aed9f8fbc470278c4c8a7

SHA512
9b0ec76a6a5674c6584438433a72949cd794ae6f39cd5d5df63043b3d4f2ff556724ba9fab2b3319fd652e37ad04064cc99a7220db1b15d0687d7af09ce32bef

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
94KB

MD5
0164dd6af4b3b547f66d6eb20a3e3b65

SHA1
c3420272874da44fd40b60bf86b038e3dbc3b430

SHA256
94ee4446c591531e8edba5ac71353797b898001c0a5066ecd43bdd2a34a1b95e

SHA512
f041c0525afe83077b438c4af7a7721a68841fde9e635b5a9300df29eb28642421bf23aa4887a1e046e75417e378b4d7c70e3b0237479521ec01e23d9aa1ba29

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
94KB

MD5
971be1f819bd72c8003c4e1b10498cdd

SHA1
3f53b74d6ac716029cb25902a0eba09f2beb579a

SHA256
3de9666c03cbe356cc15e973000ced1a7f7a8a3983972931d4cf33bf13bd39e9

SHA512
d410f1fd58babf303c816440aa2b428de7c21ef6abb3da4a4f95d37e85a90a509529191aec97e65aac360cdc273ea683b09a62f11027b9b9df4c461950818016

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
94KB

MD5
38c7bd373ec4a6b6a3cbeb6ee4a2f15c

SHA1
24ac6cfa675782c6ee5df949cc89c65eec924db8

SHA256
d0738471d207a6cd995d938b7106da9ce96a3471615bc27f2c7eaec7b112ee9c

SHA512
c2c9e02d0f25a0caabbb43922f1b71168d483868aa67b1091beb7172488722bae34f1ef203adece2c0a1ca2afa52b4d58de1d303e916531859426d6eb58e885a

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
94KB

MD5
f4c366d377368f413c608c78f4f6a1c7

SHA1
7ab676717d3fc15405295fea732993750c0133a1

SHA256
9b61d258799c0cd01c8c7c39ef5c819b7c460a11b3ce8455328613ed70ca6e76

SHA512
622f428b4af1e19a26838b0f0374af6f39ce17d35f5b12000d8e434061b524f4f2ebb1f6e3518986c3977e89b4d7ef6b7ab6dea30ef34622cd52efd180c19687

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
94KB

MD5
a03224661ce19377b69b82320657e390

SHA1
af7be7dd3579fa994deb51a049faa7c8e444ffb2

SHA256
6641bffc21e548043ee88ee54056a1f5350866b1af109b3c2c9ac3799736329b

SHA512
89e660316df79be1c774b4ee1147c1c5c3711a37ac51d8ad27bfe8e4c0d3669f2b966507e618fe5daead981a415546feb4ef173c8a7832a5e10c688969f09268

Download Submit
\Windows\SysWOW64\Gnfkba32.exe

Filesize
94KB

MD5
8b34733d2a541d023607a1451bd4c7ec

SHA1
d26a90fd2be47bf971f45cacbede8d61ed58830e

SHA256
0dff2f45b248484b05f96a8747cdfd551167e1ac291275e2814463bff801e19e

SHA512
7a965e5ff73f680d50ad8d69de3ff5b5482d2c215e5f100b212682189721412fd61c448891e30ed44c1288f59c582656b006c68436e9bdf958c7884941cf4094

Download Submit
\Windows\SysWOW64\Hbofmcij.exe

Filesize
94KB

MD5
6cb92f39acea83c7639e8d27dd5072c2

SHA1
93ee814806505fac24d22a00f80178ba787fcc12

SHA256
94d2f1a456e69f1dcea234383fc2751e99d2c8fcb3e689b7e5b3859f1db335c6

SHA512
85f3622affa0f73efc48e4d1e4c09ff1399aa33bc0563f79f7dbf3e0034a4da161d7e898ba8e825c6312e96dc6490ea300a7e57a198c922b07f037913705054e

Download Submit
\Windows\SysWOW64\Hffibceh.exe

Filesize
94KB

MD5
70d936d43bd0078d1768fb2c87ba000c

SHA1
87c133343a4d2d65c4228cf690302cb8e90df1da

SHA256
39530f9a48eec0a083242b4cb58d20e6806884e3b39f4a5fc795eec94a02cf3c

SHA512
e4de47e8cb90229084c5c28f988cf72d03d4e139fb4ca3b199faf00c47c969ba13f5da797be132863b43590794ce22b22c4481f86755a0040a1071f83186e577

Download Submit
\Windows\SysWOW64\Hgeelf32.exe

Filesize
94KB

MD5
faf91d70b9216b15f96d3c3d1473a5cb

SHA1
112d0c7c7f2658ad0f31652d1ff4f644cdbde142

SHA256
546e3e2b70c8b609d474e26e844300d61be13984d00b3561f4f084d23aa76266

SHA512
deeade5aa8eba70241d76ccfac2fb16ef0c1a19d583cc2232da4cac91d3c0fde9faf2340dffd20a6a7e330ae1bd89fae6917c880d9bc08c38b91967fc56f09db

Download Submit
\Windows\SysWOW64\Hifbdnbi.exe

Filesize
94KB

MD5
264e029ff72e8837cb87301a60940365

SHA1
ea8b9333f2217b4b5825dee9a77319d38963eded

SHA256
b8f64761dad8bfe3649aa0c6b3027c2740c45f47c291c40cca31f0ffa00547dc

SHA512
36ae923dca80db9a73101441b62643c161c60109a546c72926f9864abb3c92f1375f448560f373472ee181e550b047cc16bfc890161daa3470de1aa920e0b760

Download Submit
\Windows\SysWOW64\Hjohmbpd.exe

Filesize
94KB

MD5
8184cf9b019a0082478d5f6a8335cd45

SHA1
2bd5f1f2eeb4c21811cfbea49dbc6dd322d08a12

SHA256
2f7b5a55232a09ceb02a577f7532f37c6bf9aef7d1e5b3e69960d64b6c7f5f3d

SHA512
9974bdfb4e2da4f84233350f0346fb134c7f4221b8db44e36d92d3ce65b23858d13ba2ea6a46cd5063199672f72a6f2e572afb1a31a9d09b94cc193d64d865fb

Download Submit
\Windows\SysWOW64\Hmdkjmip.exe

Filesize
94KB

MD5
c197baade7cb32e5c36c386f4c7be9fa

SHA1
5ebb3cb094545a9270b373c158f8ffdee0c7e578

SHA256
b5a2fd29a6542bb8692abb07ce2fdde71f841c063cecf5bc0facaf0b2f8a4866

SHA512
505642934d04a5828fdadd71346bb097cb0bd81e1837073185b9c177acbfce2fa75088bda16074752d2af044a6b6e04965b75c6182d64b54ceb02f8c825c6798

Download Submit
\Windows\SysWOW64\Hmpaom32.exe

Filesize
94KB

MD5
281db4f48b5ee99081502adc18692640

SHA1
3cad1c30eedee4b56b36ef5a7e1a1509c9e2761f

SHA256
5e3f944fa1d5586a987c6bfdd0f9ff2f0d5db2c9b2aae643fc13e5980acfe808

SHA512
67cbb553ef11d293e1bfb167d4aae5d31bfd4f5a1128b4aa19aeb6bb1a35ae42a8f075ea77bd655d9fcf950448c076dcd4fb1487da6423bd4f4cf6a07111a45c

Download Submit
\Windows\SysWOW64\Hqgddm32.exe

Filesize
94KB

MD5
3acff6258c4e63962e3523f5db3672ae

SHA1
071202f509eea6a5b2b728933cbb318791b5b6ad

SHA256
d213a8ed7d9873f7fe7183f58f056888ba62291ac9c4005c937f0a4c87f739ee

SHA512
41f2859b851ca74128e686dd87898dc6438d86bf7a1ae6f19b383be003ac3ed4d026184044690d31b00eabe0ebfbd4a2d41d7c04f9cf5579dfa4f417bb9ddd3c

Download Submit
\Windows\SysWOW64\Hqnjek32.exe

Filesize
94KB

MD5
ae2de3fd9286f94a1dbdabe469de81d6

SHA1
de86c6329d5f0f830836398524420edd5a75c6f3

SHA256
a79b161a9b7bb2ef8b958c08f6cc08a4bbfcd1950c9c2d54f396a5181723c867

SHA512
5699a1e8eb6a7e54cf3c8823edf70857adcf42545770cac70941a9e1c9c54be3363863a71013c9985e7f69b0c8ea07a1a249732a8608f2d70cd5c2b1fa45410f

Download Submit
\Windows\SysWOW64\Ifmocb32.exe

Filesize
94KB

MD5
73d292b9162809b3c276ff5ff45c2c92

SHA1
dc023934188275dce62934783046b5efea112497

SHA256
53e165f46a9e7eefbda07a2bcc45572591158ed6d5fce3024bedf3b506f29839

SHA512
c88d3fb04a36ac70f7f48eb26ec3743c6016fc1b6b8e745be4235ca79c6955c44db8a3343b81ac0dd73207e71b70109a976298bfc90a8372f57bf40566c92bc4

Download Submit
\Windows\SysWOW64\Iikkon32.exe

Filesize
94KB

MD5
2057f9fb083e7352caf4c0665bee578b

SHA1
8dc9a2aa45cfae3ae2f8aa9258a79cb2d484cccb

SHA256
ae4b1012223d1549e71efafffb00cc9bbd5eebc72db52757745bfeecbf5abf99

SHA512
e142f719b74b5ebea340d9e8d52f6ab52eb5c7c4d0980c62ccc26af795c8f9bc930874469888e0e44965d36cab3dd565dd22a76d52244c4add3959701cf900aa

Download Submit
memory/288-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/292-446-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/292-445-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/292-428-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-180-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/616-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/616-492-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/616-493-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/824-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/824-12-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/824-18-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1056-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-421-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1156-420-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1156-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1468-284-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1468-285-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1516-102-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1536-263-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1536-264-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1536-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1572-89-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1620-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1620-246-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1740-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1804-503-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/1804-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-449-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1896-448-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/1896-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-463-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1960-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1960-462-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1976-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-275-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1996-274-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2120-220-0x0000000000260000-0x00000000002A0000-memory.dmp

Filesize
256KB

Download
memory/2120-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-427-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2156-252-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2156-247-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-253-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2192-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-473-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2236-467-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2256-363-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2256-372-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2256-373-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2380-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2440-405-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2440-406-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2464-485-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2464-486-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2464-476-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-351-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2500-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2500-347-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2556-40-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2556-28-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-338-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2604-339-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2604-340-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/2632-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2632-317-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2632-318-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2652-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-361-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2680-352-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2680-362-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2736-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-399-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2740-385-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-394-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/2752-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-26-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2764-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-306-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2800-307-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2844-336-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2844-319-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2844-337-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2972-374-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2972-384-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2972-383-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/3056-295-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3056-297-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/3056-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads