a8a8659c539268d9aa2eee248b1bf454b8920d5068ac2a789b43f91f9c7d7dd4

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96dfd746072335ddf7c341a1a4fa3c80N.exe
Size

128KB
MD5

96dfd746072335ddf7c341a1a4fa3c80
SHA1

063fd74cb9f3f4b75e15ae7e4a2a78c1431fffe0
SHA256

a8a8659c539268d9aa2eee248b1bf454b8920d5068ac2a789b43f91f9c7d7dd4
SHA512

b0ef882253afe453ea402bedc2023df9c2072c4a8bc5c0a98ed0a0e4d74e882844aff225b1c8df289d2a9174ba6af29ac955a9f7d41f11875b0df127d9d5cc9b
SSDEEP

1536:0kADEf/dz4rZAzW0nVPsugkQ4GVes7vwlp37ZIEBtFQoXa+dJnEBctOPpB:pnuLAue1lx7Zd3FQo7fnEBctcp

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcnoejch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcnoejch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdeaelok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inmmbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khldkllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaeme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	96dfd746072335ddf7c341a1a4fa3c80N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	96dfd746072335ddf7c341a1a4fa3c80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfaeme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igebkiof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlnmel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kambcbhb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igebkiof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibfmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmmfnb32.exe

Executes dropped EXE 32 IoCs

pid	Process
2688	Ikldqile.exe
2736	Ibfmmb32.exe
2572	Inmmbc32.exe
2600	Igebkiof.exe
2620	Imbjcpnn.exe
2508	Ieibdnnp.exe
2420	Jmdgipkk.exe
2328	Jcnoejch.exe
580	Jjhgbd32.exe
2960	Jpepkk32.exe
2492	Jjjdhc32.exe
2880	Jllqplnp.exe
544	Jfaeme32.exe
2144	Jlnmel32.exe
2148	Jbhebfck.exe
2116	Jhenjmbb.exe
1808	Kbjbge32.exe
1052	Kambcbhb.exe
812	Kidjdpie.exe
2876	Kjeglh32.exe
1900	Kbmome32.exe
1136	Kdnkdmec.exe
2256	Klecfkff.exe
3044	Kjhcag32.exe
2216	Khldkllj.exe
2732	Kfodfh32.exe
1920	Kdbepm32.exe
2060	Kipmhc32.exe
2264	Kdeaelok.exe
2040	Kgcnahoo.exe
2424	Lmmfnb32.exe
2388	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
1596	96dfd746072335ddf7c341a1a4fa3c80N.exe
1596	96dfd746072335ddf7c341a1a4fa3c80N.exe
2688	Ikldqile.exe
2688	Ikldqile.exe
2736	Ibfmmb32.exe
2736	Ibfmmb32.exe
2572	Inmmbc32.exe
2572	Inmmbc32.exe
2600	Igebkiof.exe
2600	Igebkiof.exe
2620	Imbjcpnn.exe
2620	Imbjcpnn.exe
2508	Ieibdnnp.exe
2508	Ieibdnnp.exe
2420	Jmdgipkk.exe
2420	Jmdgipkk.exe
2328	Jcnoejch.exe
2328	Jcnoejch.exe
580	Jjhgbd32.exe
580	Jjhgbd32.exe
2960	Jpepkk32.exe
2960	Jpepkk32.exe
2492	Jjjdhc32.exe
2492	Jjjdhc32.exe
2880	Jllqplnp.exe
2880	Jllqplnp.exe
544	Jfaeme32.exe
544	Jfaeme32.exe
2144	Jlnmel32.exe
2144	Jlnmel32.exe
2148	Jbhebfck.exe
2148	Jbhebfck.exe
2116	Jhenjmbb.exe
2116	Jhenjmbb.exe
1808	Kbjbge32.exe
1808	Kbjbge32.exe
1052	Kambcbhb.exe
1052	Kambcbhb.exe
812	Kidjdpie.exe
812	Kidjdpie.exe
2876	Kjeglh32.exe
2876	Kjeglh32.exe
1900	Kbmome32.exe
1900	Kbmome32.exe
1136	Kdnkdmec.exe
1136	Kdnkdmec.exe
2256	Klecfkff.exe
2256	Klecfkff.exe
3044	Kjhcag32.exe
3044	Kjhcag32.exe
2216	Khldkllj.exe
2216	Khldkllj.exe
2732	Kfodfh32.exe
2732	Kfodfh32.exe
1920	Kdbepm32.exe
1920	Kdbepm32.exe
2060	Kipmhc32.exe
2060	Kipmhc32.exe
2264	Kdeaelok.exe
2264	Kdeaelok.exe
2040	Kgcnahoo.exe
2040	Kgcnahoo.exe
2424	Lmmfnb32.exe
2424	Lmmfnb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kfodfh32.exe
File created	C:\Windows\SysWOW64\Jfaeme32.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Jlnmel32.exe	Jfaeme32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhebfck.exe	Jlnmel32.exe
File created	C:\Windows\SysWOW64\Blbjlj32.dll	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Kidjdpie.exe	Kambcbhb.exe
File created	C:\Windows\SysWOW64\Kbmome32.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Mkehop32.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Ikldqile.exe	96dfd746072335ddf7c341a1a4fa3c80N.exe
File created	C:\Windows\SysWOW64\Caejbmia.dll	Ikldqile.exe
File opened for modification	C:\Windows\SysWOW64\Jlnmel32.exe	Jfaeme32.exe
File created	C:\Windows\SysWOW64\Kidjdpie.exe	Kambcbhb.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Cgngaoal.dll	Jmdgipkk.exe
File created	C:\Windows\SysWOW64\Dgcgbb32.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Kdeaelok.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Eghoka32.dll	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kfodfh32.exe	Khldkllj.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Ibfmmb32.exe	Ikldqile.exe
File opened for modification	C:\Windows\SysWOW64\Ibfmmb32.exe	Ikldqile.exe
File created	C:\Windows\SysWOW64\Igebkiof.exe	Inmmbc32.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Khldkllj.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Bcbonpco.dll	Jcnoejch.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jhenjmbb.exe
File created	C:\Windows\SysWOW64\Jbhebfck.exe	Jlnmel32.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jlnmel32.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Lpmdgf32.dll	96dfd746072335ddf7c341a1a4fa3c80N.exe
File created	C:\Windows\SysWOW64\Leoebflm.dll	Inmmbc32.exe
File created	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Jcnoejch.exe	Jmdgipkk.exe
File created	C:\Windows\SysWOW64\Jpepkk32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Jcnoejch.exe	Jmdgipkk.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Kjhcag32.exe	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Khldkllj.exe	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Faphfl32.dll	Ibfmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjjdhc32.exe	Jpepkk32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jhenjmbb.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Kidjdpie.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Igebkiof.exe	Inmmbc32.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Igebkiof.exe
File opened for modification	C:\Windows\SysWOW64\Jmdgipkk.exe	Ieibdnnp.exe
File opened for modification	C:\Windows\SysWOW64\Jjhgbd32.exe	Jcnoejch.exe
File opened for modification	C:\Windows\SysWOW64\Jfaeme32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Kdeaelok.exe	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kdeaelok.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kgcnahoo.exe
File opened for modification	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Jjhgbd32.exe	Jcnoejch.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Kdnkdmec.exe	Kbmome32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1972	2388	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlnmel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhenjmbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibfmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igebkiof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdeaelok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcnoejch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khldkllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kambcbhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	96dfd746072335ddf7c341a1a4fa3c80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inmmbc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlnmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	96dfd746072335ddf7c341a1a4fa3c80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caejbmia.dll"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	Jcnoejch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkephg.dll"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	96dfd746072335ddf7c341a1a4fa3c80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khldkllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	96dfd746072335ddf7c341a1a4fa3c80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kdeaelok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	96dfd746072335ddf7c341a1a4fa3c80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcnoejch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll"	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpcafifg.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blbjlj32.dll"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igebkiof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kambcbhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgjdnbkd.dll"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll"	Inmmbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khldkllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faphfl32.dll"	Ibfmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jlnmel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjhgbd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 2688	1596	96dfd746072335ddf7c341a1a4fa3c80N.exe	30
PID 1596 wrote to memory of 2688	1596	96dfd746072335ddf7c341a1a4fa3c80N.exe	30
PID 1596 wrote to memory of 2688	1596	96dfd746072335ddf7c341a1a4fa3c80N.exe	30
PID 1596 wrote to memory of 2688	1596	96dfd746072335ddf7c341a1a4fa3c80N.exe	30
PID 2688 wrote to memory of 2736	2688	Ikldqile.exe	31
PID 2688 wrote to memory of 2736	2688	Ikldqile.exe	31
PID 2688 wrote to memory of 2736	2688	Ikldqile.exe	31
PID 2688 wrote to memory of 2736	2688	Ikldqile.exe	31
PID 2736 wrote to memory of 2572	2736	Ibfmmb32.exe	32
PID 2736 wrote to memory of 2572	2736	Ibfmmb32.exe	32
PID 2736 wrote to memory of 2572	2736	Ibfmmb32.exe	32
PID 2736 wrote to memory of 2572	2736	Ibfmmb32.exe	32
PID 2572 wrote to memory of 2600	2572	Inmmbc32.exe	33
PID 2572 wrote to memory of 2600	2572	Inmmbc32.exe	33
PID 2572 wrote to memory of 2600	2572	Inmmbc32.exe	33
PID 2572 wrote to memory of 2600	2572	Inmmbc32.exe	33
PID 2600 wrote to memory of 2620	2600	Igebkiof.exe	34
PID 2600 wrote to memory of 2620	2600	Igebkiof.exe	34
PID 2600 wrote to memory of 2620	2600	Igebkiof.exe	34
PID 2600 wrote to memory of 2620	2600	Igebkiof.exe	34
PID 2620 wrote to memory of 2508	2620	Imbjcpnn.exe	35
PID 2620 wrote to memory of 2508	2620	Imbjcpnn.exe	35
PID 2620 wrote to memory of 2508	2620	Imbjcpnn.exe	35
PID 2620 wrote to memory of 2508	2620	Imbjcpnn.exe	35
PID 2508 wrote to memory of 2420	2508	Ieibdnnp.exe	36
PID 2508 wrote to memory of 2420	2508	Ieibdnnp.exe	36
PID 2508 wrote to memory of 2420	2508	Ieibdnnp.exe	36
PID 2508 wrote to memory of 2420	2508	Ieibdnnp.exe	36
PID 2420 wrote to memory of 2328	2420	Jmdgipkk.exe	37
PID 2420 wrote to memory of 2328	2420	Jmdgipkk.exe	37
PID 2420 wrote to memory of 2328	2420	Jmdgipkk.exe	37
PID 2420 wrote to memory of 2328	2420	Jmdgipkk.exe	37
PID 2328 wrote to memory of 580	2328	Jcnoejch.exe	38
PID 2328 wrote to memory of 580	2328	Jcnoejch.exe	38
PID 2328 wrote to memory of 580	2328	Jcnoejch.exe	38
PID 2328 wrote to memory of 580	2328	Jcnoejch.exe	38
PID 580 wrote to memory of 2960	580	Jjhgbd32.exe	39
PID 580 wrote to memory of 2960	580	Jjhgbd32.exe	39
PID 580 wrote to memory of 2960	580	Jjhgbd32.exe	39
PID 580 wrote to memory of 2960	580	Jjhgbd32.exe	39
PID 2960 wrote to memory of 2492	2960	Jpepkk32.exe	40
PID 2960 wrote to memory of 2492	2960	Jpepkk32.exe	40
PID 2960 wrote to memory of 2492	2960	Jpepkk32.exe	40
PID 2960 wrote to memory of 2492	2960	Jpepkk32.exe	40
PID 2492 wrote to memory of 2880	2492	Jjjdhc32.exe	41
PID 2492 wrote to memory of 2880	2492	Jjjdhc32.exe	41
PID 2492 wrote to memory of 2880	2492	Jjjdhc32.exe	41
PID 2492 wrote to memory of 2880	2492	Jjjdhc32.exe	41
PID 2880 wrote to memory of 544	2880	Jllqplnp.exe	42
PID 2880 wrote to memory of 544	2880	Jllqplnp.exe	42
PID 2880 wrote to memory of 544	2880	Jllqplnp.exe	42
PID 2880 wrote to memory of 544	2880	Jllqplnp.exe	42
PID 544 wrote to memory of 2144	544	Jfaeme32.exe	43
PID 544 wrote to memory of 2144	544	Jfaeme32.exe	43
PID 544 wrote to memory of 2144	544	Jfaeme32.exe	43
PID 544 wrote to memory of 2144	544	Jfaeme32.exe	43
PID 2144 wrote to memory of 2148	2144	Jlnmel32.exe	44
PID 2144 wrote to memory of 2148	2144	Jlnmel32.exe	44
PID 2144 wrote to memory of 2148	2144	Jlnmel32.exe	44
PID 2144 wrote to memory of 2148	2144	Jlnmel32.exe	44
PID 2148 wrote to memory of 2116	2148	Jbhebfck.exe	45
PID 2148 wrote to memory of 2116	2148	Jbhebfck.exe	45
PID 2148 wrote to memory of 2116	2148	Jbhebfck.exe	45
PID 2148 wrote to memory of 2116	2148	Jbhebfck.exe	45

C:\Users\Admin\AppData\Local\Temp\96dfd746072335ddf7c341a1a4fa3c80N.exe
"C:\Users\Admin\AppData\Local\Temp\96dfd746072335ddf7c341a1a4fa3c80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\Ikldqile.exe
  C:\Windows\system32\Ikldqile.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Ibfmmb32.exe
    C:\Windows\system32\Ibfmmb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\SysWOW64\Inmmbc32.exe
      C:\Windows\system32\Inmmbc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Igebkiof.exe
        
        C:\Windows\system32\Igebkiof.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Jmdgipkk.exe
        
        C:\Windows\system32\Jmdgipkk.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Jcnoejch.exe
        
        C:\Windows\system32\Jcnoejch.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:544
        
        C:\Windows\SysWOW64\Jlnmel32.exe
        
        C:\Windows\system32\Jlnmel32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Jhenjmbb.exe
        
        C:\Windows\system32\Jhenjmbb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Kambcbhb.exe
        
        C:\Windows\system32\Kambcbhb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1136
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Khldkllj.exe
        
        C:\Windows\system32\Khldkllj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Kdeaelok.exe
        
        C:\Windows\system32\Kdeaelok.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 140
        34⤵
        Program crash
        
        PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
128KB

MD5
b6323a184cda5be43d352bf985cc9e00

SHA1
c7c4d103ee9dd7862fbcd4ea397580c077501537

SHA256
1386d45177214e592b1e663cce2f12b9963de9608f458a2860147e2318deb66c

SHA512
c65b6a257306e6e1496b963e06586ec391fa078b307c990b3755dfe85df3d626a9aa90e49faebca56bbc0093b5befece70a86382fdf85562ccf48d49ce053c18

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
128KB

MD5
ff42440f69b30b3170eb3d3b80d4d4fe

SHA1
e032cf51c791051e6bd85309db2f60986d9f56c8

SHA256
b92d12ce0c107980a4db8f2a431a4ddaed5f2a54399f05efe295cfe5c089fc33

SHA512
c7f40a601a08f18ad1823b95f0a7428c2eddd55b6f1afc4853374c866fb3c2cb065f5bf2da06d9eb837d8df5ddaca5ddf23afcd66f2b0fd7254462002ce9a938

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
128KB

MD5
bd89ac66d2d0a8dcfecf2b57170b85ac

SHA1
902ca8f95aa229677d015905ad7674157f749bb8

SHA256
a1b734346ef18df42cedd77c02c24eda54a0f37d4b00d42e5e58b74c864fc6ce

SHA512
12dd8707d2c5acf933ce1de39a5d18f44a5202c574425a01d88c8f7d6bf93ad6a76060b57d2e556dc895f558bfe36bee7d2d22827973952154204ad2333e3cdb

Download Submit
C:\Windows\SysWOW64\Kambcbhb.exe

Filesize
128KB

MD5
7a2d3e48b96384aa94ef44125e13f3bb

SHA1
00b9cd66bfe286cf7dd571f3424b392d7f17afbb

SHA256
409177cc5c9dcb650f403a18f1b962035ea464a5c59e91af2cddc2e8392567df

SHA512
98dc62a3d7aaff4f6fd0dba6f91f4c34af824622555518ae5a92f744d90d48abb1b0bd3b76b89fc50c50f8a2a4f00dd3d09da61d20e69227eb743789baa10932

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
128KB

MD5
5f35ed3b77c2f479cb5385bffbcbd721

SHA1
6c6e220d461c067f4fae6f314cc6a93f169a5142

SHA256
5e499cbf17c1568cd069d85dee29a50b06d0fe4cac994a6c2fb0921f40957e77

SHA512
9be92063f006f2f608f2d646b0bb5652c17f072caeca9b641ca51cc03d8ae72658b5e123722b841e86275755932b252d47123d555e312c85cd3efcaf54d7f4f0

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
128KB

MD5
911bd451008813313233195df24a3104

SHA1
6f008b221d0339b2d8070a4ceef7e7753b97a658

SHA256
48c2f0ae3123c93784fe7fb12152ead628cbd8a7ffe3879bfd86132b88153cf9

SHA512
3c7f5970b165d04c24068f52d099396f63ce0881d54ac065a7794ebc59dc88dbb710d0ed5b0e4bcdfbbe0ad10e6ef7f215c50135f02b72fd351ff54cea184eec

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
128KB

MD5
ad1a59ff56eeb0b5443f68456c5d7b8d

SHA1
f163c11cfbbe4996e1bc410c012aae8bcc03bf41

SHA256
f4d07e00b6c0219bcf295c88cb393c0c4ec0a18f3439f252f1cc9c0daa76020a

SHA512
2b96a2a3726e7381452bed3776b3aef73346f9735c230cab4bbd4f35e001eb15778223be129235eab0cf7dedab9b12e0474fbd060258df2c2f6c71cc3a842410

Download Submit
C:\Windows\SysWOW64\Kdeaelok.exe

Filesize
128KB

MD5
273e8f567a2a53de73fdbeae3fa9f496

SHA1
7b8c96ff75513c1d5efc17b487b7481a31191596

SHA256
ff2534d540d468d87cc1eca8d2bc60ca1c23de357c1fad76ba278bb7d6ee92fe

SHA512
07a0b33984cc3511549644d956041e9b843eff92a78025c460327e5aa638d403e219aa9bc80d2b18bd2ca472d9eac57d920f3e1a1e66dbecfdf734ebb1674410

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
128KB

MD5
f7993d9035203092a2e70dfcb9612a0f

SHA1
b9ccd851b1b076e95a10e7e4b38c64e330480e3a

SHA256
1a2a1cd6353b0f0eaa867304aeff6373041d5fd869d59720a181412f544bedf0

SHA512
8ef090a26aa4d096e1e987f7f82f229566b14d3c37f6c304e9a8b7bfa14f3248657b48124302420023c98955519f77a136c4d19b18b82327ce521a41f97f58df

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
128KB

MD5
94630458f6fdf868f250bcca0c23d7b5

SHA1
a72c43f859afb8faff9ace1d2b48d8df3669ace0

SHA256
ff558ddfd6c5501e70a89000c1e5eb33d3feb377e7f1f8661bdc5ab5910e861f

SHA512
0e456dec5d5b4626f26298cef841085b6b1f2e1153ca2e7cb7e234047fa1bf830ad849a622e151e3b8b7d5d441e639631d084605e2f34d028a18e19b87831e54

Download Submit
C:\Windows\SysWOW64\Kgcnahoo.exe

Filesize
128KB

MD5
86cf07563478a7103d65823c3ce2362c

SHA1
310fb7b902853a78eedbc7a7f47295dee8249f87

SHA256
e50415116bb7b213ba55a27ea127daa0c34993250ebd062c4921a0632bcf7729

SHA512
fe1e1afd60df2771428e7770cff6680090ebc6e0d86ccbda1a142ac04eb67027e0c47d5f5ac48bb23cfb548130ff2193b3de63e2b4085fd59007b4eb534245b5

Download Submit
C:\Windows\SysWOW64\Khldkllj.exe

Filesize
128KB

MD5
f04da193e9d13b04c088c821ebfd804b

SHA1
f623f5d79487f7f2c892fc2fb008d1f5d5f59af8

SHA256
f646f2302ca389cc6e487f3f32525c37f39010c14c41a6a0285e84bd2423adbd

SHA512
c29163143fc6d48cb1e3287675a45abb4b748889ecc6a07b77a4664f4c9244ae125fb4cac2a7c479a7018a0d8e6ea0a52ffc7af5655f3a6d435c06c1907e438f

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
128KB

MD5
92c2d23d9c38dcdff7d555674a5f2464

SHA1
73de72ec8451a5b4ac6eaa09cc16f0e74e917548

SHA256
9bfba09af605b96240643a04b39d4652e617fa41805a95a866b73fc06f899e0e

SHA512
154d9f7a119408c2f6359f53ea358770beea558781059c9a3c97fcab4a5ad0d87402094d86911f1b0be323b39630d571a657d1f5c13570fbcce7cfda231013f7

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
128KB

MD5
15a15766bc9f6b03ef92cfd676d2e7c4

SHA1
72a2793c97d057a293abc21bd18cd8192d59fa31

SHA256
35bc0655994f16d10b4ed7ef085eea46b22dc67041fbd6841394dd9f0e50c6bb

SHA512
7c020cbdfbc8f11442c052f34e17013b38974b45dc3950ebe677d76cae7c98d54aeb5219397d44fa478878dd9a3947e5f3cc0e3dd17f6e59a0b09f23d3935602

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
128KB

MD5
d72f271141b2d00abe60d09cecbcca01

SHA1
b770d2efe708dca07d25fcef057545c0904c7b23

SHA256
60eca2fdc007f45d2605e88ce6b66b378b09a636aef39767678c679efca242fe

SHA512
22bbeb963865753389ecf44490a14812c9816d77da539e578382b5fdb3f1ba7a12016634d366b11e6816621119f62fd6c5dae19037e46b9adfc639cc7aae2660

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
128KB

MD5
06908f88c8e249d370bf1ee065e8fa7a

SHA1
f4ed7b332e6accad8a80dbc4b5464174ed62f248

SHA256
6baf23c3275b9b2f9a150be891e7eabd8c8ab58ebd6a4c111c238dbf6c2a3cc4

SHA512
dc6916905be4daac86f33d018a90633997c8a82d14759dfd0bab1dc2f17e4adf3f8004890a75988cd1b55679b69118a9767bb168f7bca996bd21a88796fcb4a5

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
128KB

MD5
c79fb5727228d7f7903196ade9957183

SHA1
f314f9ad4c35e1ec778845f1977732bdb97cf9dd

SHA256
9df834326e5ed84a38853eb75cc3a41e047c19f124aeacc9e09b2be360c5ece4

SHA512
79b8d8575072bce9131eb31edc8dc4c3e1bac2d9024c00864f86a4af30f7ff3ffaf4a02957ba994cdcfce6a5ce726e62391b0c794deb0e20d9e5875c5c46e662

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
128KB

MD5
18698cdeafa59a8bd783a43829ad7771

SHA1
dcd959aef082b6e002e045a8cd70cca2b6b16745

SHA256
319416b1320a4d048a923185fac8f2f730ff677e428a7f4c633fca457a4d05fc

SHA512
04d0b07d2eb4470675f627818abbd682f37da8a9b09649bca2363cb667acce22e202d3fa8fb5c6fff7a62799f33d859f2279d43c633fda3ac95cf2dde8813b5c

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
128KB

MD5
bf9fb3333ecdfa276d9b69db847f5f54

SHA1
584f3ea69ab7f7ae14172a0304e9fe8394318e8a

SHA256
e908276c60f5bc270d35bb8519dd6ed70083b7643341ec30c298cd78a2382a49

SHA512
cac2e29d2c4b736fa0f3be9413ae570a4661da0dc56cbf9b7dc19fddd406a71be5384c4cbedd9aec7b066fe46a1dff971610b82c2c02b305a140c8dbe81a11a9

Download Submit
C:\Windows\SysWOW64\Mlpckqje.dll

Filesize
7KB

MD5
a55590692bb506b1fc26255794eefe13

SHA1
891f72095287a214ce474195b56a3023dfb777d6

SHA256
b7fb15662dcc33dc9425fff90e3fb8d5cc1dfdb55704ee22797ccaf576f80aa0

SHA512
7915243529a557e8f0c4984b490c92a86652271622cccee1ebaf3392be0d4a14b0a909ab6a35acd859264d462882347f541e8bf564077871b7e9a989fb1e39d5

Download Submit
\Windows\SysWOW64\Ibfmmb32.exe

Filesize
128KB

MD5
ee320ade5def263674714c8bcee81442

SHA1
6b8ba0cbbd0b37df8ad95d67b52c0514073bc224

SHA256
ab627153f574e536079245bbba588a0abaa42d96ae005fc367b9a8db6e20fef0

SHA512
fa48e92fe14b884f525a927d1ac0202f9f53780c0dcf3a318974105655afc3b6f8a89dc0b7b3ab182b242bb2470def5fa57278f5645f2d9f905b903180615665

Download Submit
\Windows\SysWOW64\Ieibdnnp.exe

Filesize
128KB

MD5
aa1271dbe9998b2b5fd60335260b5dcf

SHA1
c6a586970db23400c7beb155c8fabc0fef39fe30

SHA256
3a7c8ad87bbc235336584277f1e6a7c04a414dcbeced0d834fdebeb70c5c1267

SHA512
02984332dfc13bcec163d84aecf491911f4438180791beea995247749f7d34dff0f7533416cdf75b2abea6b08b2a0f88ef6b926bc58ff3d187d57d82bc90a237

Download Submit
\Windows\SysWOW64\Igebkiof.exe

Filesize
128KB

MD5
abe22499dca20abf50dd862baf84b6fa

SHA1
7eb353b6c9c560039469e6caf3d4e6bdc4ed7177

SHA256
ce0b3a40e3b11ad13b3c7339da063e7e22dcf98e5290a7830f51a4e4870cde1e

SHA512
f87050dc7cdb3f0733f952705bbf2ee0f5dd223b351ce1fde50355cf61d8ab58efdf9996dfc32cd6630567cf10f461ce1c12edf7b75f3fb5f1ece9771e343d84

Download Submit
\Windows\SysWOW64\Ikldqile.exe

Filesize
128KB

MD5
43a057505754b86910ba49fc03471ed6

SHA1
616ba1f0e5de1ea35aae472103ca48c30c835bc7

SHA256
d015d1306e8d84b03740302372aa50637fb2edec674e362977cdd2562b567b23

SHA512
6c8ca2f0046f4064211b10a2e79e9364f4a54fa1a31c1cca532d2f67e76e8945e90dbef574140cb241709025458fb696f75f85591c0a30ac4c4de25467a70b7a

Download Submit
\Windows\SysWOW64\Imbjcpnn.exe

Filesize
128KB

MD5
91258f7681bb268132c43ae5d478e51f

SHA1
eea820f3ab7c14ae7d17a93b09b4f551d52968f9

SHA256
f38a8461d8597e0b2c912c1f179d62e807f9ed9dfc2aea3956ef7c0028cdadd7

SHA512
72efaa3a34932d5b5c746b7a0b62c209d25a8c440af57aefb58f00b038183ec3e7b409cfc88cf5e1c56a59fc523982fa2be008b045467dd3864c98b3b0c08fcf

Download Submit
\Windows\SysWOW64\Inmmbc32.exe

Filesize
128KB

MD5
a1d2ceb5e50b516dbd1c096ee0a8e78e

SHA1
a8373bb5216113ee8000f3b9bab184444bfbfa4d

SHA256
aae87e34157de8dd556173e17763c02e31bb9898f540a1dbed67b821ff9d2898

SHA512
8d9810dcdf2c22a3435691c4179139c316e0c6c88065612058dafeaa71e6d0cf562f14d907fb210cd29786249babd61679db42e91eec5b6368ab0e2166ae2395

Download Submit
\Windows\SysWOW64\Jbhebfck.exe

Filesize
128KB

MD5
fa5952caa8a83f5d81050611ee91be87

SHA1
28b278afdde80c11b8c4f820121dedf576701c68

SHA256
771ff121491a00307e78d2f8d2b008438cd18f0a725f349c0937351c61083478

SHA512
4fe3c06bd67bbedcc0736b8e3b2ee006446d07ef93c9be3420a0e2a705c4430b8005c5291a87ccfb767af8423e59cff0b582ec8985239c1a9038ca108b660285

Download Submit
\Windows\SysWOW64\Jcnoejch.exe

Filesize
128KB

MD5
1b02d0d63a4552403f5c2aab9b1feac1

SHA1
bfcbfc14c125dfd53bac5dc98c38c50bc16268ed

SHA256
efef88d13397810acb7fee18df1ae9678e90f0bab747d914ae8336fbf6434cca

SHA512
99f9691ddef39f532d15b876cf11d31ea0d3cc1fc0ce0370e696f58f541d1ad17902c3fdc3144d0f514e552804fc10d9db69cd48b1255ee614391a2a0f227174

Download Submit
\Windows\SysWOW64\Jhenjmbb.exe

Filesize
128KB

MD5
f6bc2ee4d509acf1163234d8228c2d8e

SHA1
6d9f37af9cd7753fdb1faa77207b777cdfd4a807

SHA256
fcbe063e0a9be1307741134a0e85869d5dcb4e1bca7aaa78f3b0e991c1d3a998

SHA512
09fdc64f6caaef9a74e27b758fb05df9efead9e4a90482c8c7ff7ed9da1b1cd3ec1b150c55a6f1f3a17be280dfd95ea828d114e8431c62f9d124784f3581bbdf

Download Submit
\Windows\SysWOW64\Jllqplnp.exe

Filesize
128KB

MD5
4ff15113e37f633fd330cd2e198f0351

SHA1
43a553e39699e10593a9419000ad75958da084a4

SHA256
a785e22cae05f89aaa369ea2c122f7cf21bbabb44762f319ad9f8e99d785d908

SHA512
61cc01530de7de8dfd2709920f91b0e24d47a6f3e6cd3e6e48242a9bfa5f45f77838ea902a0df0ba54461e9980a8a0d1e20d82eaed29c804c05b4111f3d0ba14

Download Submit
\Windows\SysWOW64\Jlnmel32.exe

Filesize
128KB

MD5
c1eb7864d6b2a7aa0b2ec0329458f1dc

SHA1
f6ac33bac7906183f8a7ea4810e640d32530490f

SHA256
caa03305ddfc79c27d00597dabba32f9c8384c37fdf3f495b6b8ecbb940a6ec6

SHA512
c7789cc3b5a4ca6a874cbaca3bbb44344d754bb324de388862250a3cfa452b8ab050fe31db7306cda8d3b6d289553fb3ec78ec55b61be4e449f31a2c5976764f

Download Submit
\Windows\SysWOW64\Jmdgipkk.exe

Filesize
128KB

MD5
de71201d136c058201c5bd965b6ad5f3

SHA1
2ef113e5512d0abb511888895857c1aeb7d9cbb1

SHA256
6e990a88a15c39cd042063929e04d5957ed03812dac44685167adf46c61b9475

SHA512
0caefe0959d634673d9daac890a40e694109b77c3a0ebd93b07c18936eb86277ee1402fec1c348dc916f4c3b02e218a0d912655eaee46994306e56f66dbf9c54

Download Submit
\Windows\SysWOW64\Jpepkk32.exe

Filesize
128KB

MD5
32de94b9406aeac8d589c79593f612c2

SHA1
b2d24d8e80d131a42e4cdc0887b32470eb297e4c

SHA256
8b3601e188e980bd193f1976d27b87e7e7edc4db24774af4d387b7acb1284751

SHA512
240301bff1373747cc43a9c59850fa376876992cb483349f762496e251d5274a1ab016e3c5b360811545245dac11fc8a243fe2264be1f8e40eb7111287150c85

Download Submit
memory/544-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/544-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/580-121-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/580-129-0x0000000000330000-0x0000000000364000-memory.dmp

Filesize
208KB

Download
memory/580-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/812-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-280-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1136-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1136-282-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1596-19-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1596-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-20-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1808-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1808-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1900-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-336-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1920-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-335-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2040-365-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2040-369-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2040-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2040-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-346-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2060-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-347-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2116-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2116-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-202-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2144-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-203-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2148-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2216-309-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2216-314-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2256-291-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2256-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2256-292-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2264-358-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2264-357-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2264-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2264-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2328-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-104-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2424-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-380-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2424-379-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2492-157-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2492-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2492-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-90-0x0000000001FC0000-0x0000000001FF4000-memory.dmp

Filesize
208KB

Download
memory/2572-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-54-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2600-68-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2600-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2600-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2620-77-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2688-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2732-329-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2732-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-327-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2736-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2736-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2880-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-148-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2960-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-302-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/3044-303-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads