1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/08/2024, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe
Size

91KB
MD5

a80a260c4cf616fc62171141bc602483
SHA1

3d2b8c2b4190daaddc3697f8aa0d23a614c029b6
SHA256

1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be
SHA512

f0f446632cdfe605047b030eb1914a7c6f70b37cbff502d1490842737a4461b6eaecf69aa4ede8bed3c85bd9df3721e2700ea09c3f65af209f35fecb94aa8e86
SSDEEP

1536:06YV6ed7xvmfnuYWfZZKuxEC6dn8iwlLBsLnVLdGUHyNwtN4/nLLVaBlEaaaaaaa:0bVJKus8iwlLBsLnVUUHyNwtN4/nEBlX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kageia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inhdgdmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcjilgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcjilgdb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcnoejch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igqhpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfodfh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inhdgdmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikqnlh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjifjdg.exe

Executes dropped EXE 52 IoCs

pid	Process
2632	Hcjilgdb.exe
2828	Hmbndmkb.exe
2856	Hclfag32.exe
2676	Hiioin32.exe
2560	Ikgkei32.exe
2296	Ifmocb32.exe
2468	Imggplgm.exe
1468	Inhdgdmk.exe
2800	Ibcphc32.exe
2928	Igqhpj32.exe
1040	Iogpag32.exe
2248	Iaimipjl.exe
2892	Iipejmko.exe
1936	Ijaaae32.exe
2172	Iakino32.exe
2424	Ikqnlh32.exe
696	Imbjcpnn.exe
2064	Ieibdnnp.exe
1620	Jggoqimd.exe
1532	Jnagmc32.exe
2168	Jmdgipkk.exe
1636	Jpbcek32.exe
1176	Jcnoejch.exe
1924	Jjhgbd32.exe
348	Jikhnaao.exe
1676	Jabponba.exe
2780	Jfohgepi.exe
2788	Jimdcqom.exe
2968	Jpgmpk32.exe
2732	Jedehaea.exe
1652	Jipaip32.exe
1056	Jpjifjdg.exe
2976	Jfcabd32.exe
3024	Jplfkjbd.exe
2920	Kbjbge32.exe
1768	Keioca32.exe
1796	Khgkpl32.exe
1128	Kbmome32.exe
292	Kekkiq32.exe
1852	Kjhcag32.exe
2160	Kmfpmc32.exe
1916	Kfodfh32.exe
1380	Kkjpggkn.exe
3068	Kpgionie.exe
2084	Kfaalh32.exe
1688	Kageia32.exe
2516	Kbhbai32.exe
2488	Kkojbf32.exe
2620	Lmmfnb32.exe
2352	Llpfjomf.exe
2696	Lplbjm32.exe
2228	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
3032	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe
3032	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe
2632	Hcjilgdb.exe
2632	Hcjilgdb.exe
2828	Hmbndmkb.exe
2828	Hmbndmkb.exe
2856	Hclfag32.exe
2856	Hclfag32.exe
2676	Hiioin32.exe
2676	Hiioin32.exe
2560	Ikgkei32.exe
2560	Ikgkei32.exe
2296	Ifmocb32.exe
2296	Ifmocb32.exe
2468	Imggplgm.exe
2468	Imggplgm.exe
1468	Inhdgdmk.exe
1468	Inhdgdmk.exe
2800	Ibcphc32.exe
2800	Ibcphc32.exe
2928	Igqhpj32.exe
2928	Igqhpj32.exe
1040	Iogpag32.exe
1040	Iogpag32.exe
2248	Iaimipjl.exe
2248	Iaimipjl.exe
2892	Iipejmko.exe
2892	Iipejmko.exe
1936	Ijaaae32.exe
1936	Ijaaae32.exe
2172	Iakino32.exe
2172	Iakino32.exe
2424	Ikqnlh32.exe
2424	Ikqnlh32.exe
696	Imbjcpnn.exe
696	Imbjcpnn.exe
2064	Ieibdnnp.exe
2064	Ieibdnnp.exe
1620	Jggoqimd.exe
1620	Jggoqimd.exe
1532	Jnagmc32.exe
1532	Jnagmc32.exe
2168	Jmdgipkk.exe
2168	Jmdgipkk.exe
1636	Jpbcek32.exe
1636	Jpbcek32.exe
1176	Jcnoejch.exe
1176	Jcnoejch.exe
1924	Jjhgbd32.exe
1924	Jjhgbd32.exe
348	Jikhnaao.exe
348	Jikhnaao.exe
1676	Jabponba.exe
1676	Jabponba.exe
2780	Jfohgepi.exe
2780	Jfohgepi.exe
2788	Jimdcqom.exe
2788	Jimdcqom.exe
2968	Jpgmpk32.exe
2968	Jpgmpk32.exe
2732	Jedehaea.exe
2732	Jedehaea.exe
1652	Jipaip32.exe
1652	Jipaip32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jnagmc32.exe	Jggoqimd.exe
File opened for modification	C:\Windows\SysWOW64\Kekkiq32.exe	Kbmome32.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Pncadjah.dll	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Bcbonpco.dll	Jcnoejch.exe
File created	C:\Windows\SysWOW64\Eplpdepa.dll	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Gmiflpof.dll	Hiioin32.exe
File created	C:\Windows\SysWOW64\Ogbogkjn.dll	Ibcphc32.exe
File created	C:\Windows\SysWOW64\Lgjdnbkd.dll	Jnagmc32.exe
File opened for modification	C:\Windows\SysWOW64\Jjhgbd32.exe	Jcnoejch.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Igqhpj32.exe	Ibcphc32.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Jplfkjbd.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Keioca32.exe
File created	C:\Windows\SysWOW64\Kndkfpje.dll	Igqhpj32.exe
File created	C:\Windows\SysWOW64\Jnagmc32.exe	Jggoqimd.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jpjifjdg.exe
File created	C:\Windows\SysWOW64\Kcjeje32.dll	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Hclfag32.exe	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Mjcccnbp.dll	Iaimipjl.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Kekkiq32.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Iogpag32.exe	Igqhpj32.exe
File created	C:\Windows\SysWOW64\Iakino32.exe	Ijaaae32.exe
File created	C:\Windows\SysWOW64\Oiahkhpo.dll	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Khljoh32.dll	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Kfodfh32.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Hclfag32.exe	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Ifmocb32.exe	Ikgkei32.exe
File opened for modification	C:\Windows\SysWOW64\Iipejmko.exe	Iaimipjl.exe
File created	C:\Windows\SysWOW64\Ijaaae32.exe	Iipejmko.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jimdcqom.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Ibcphc32.exe	Inhdgdmk.exe
File opened for modification	C:\Windows\SysWOW64\Jpbcek32.exe	Jmdgipkk.exe
File created	C:\Windows\SysWOW64\Qmgaio32.dll	Jabponba.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Kjhcag32.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Jmdgipkk.exe	Jnagmc32.exe
File opened for modification	C:\Windows\SysWOW64\Jpjifjdg.exe	Jipaip32.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Hmbndmkb.exe	Hcjilgdb.exe
File created	C:\Windows\SysWOW64\Dgmjmajn.dll	Hclfag32.exe
File created	C:\Windows\SysWOW64\Imggplgm.exe	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Fkaamgeg.dll	Iogpag32.exe
File opened for modification	C:\Windows\SysWOW64\Ijaaae32.exe	Iipejmko.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kfodfh32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Miqnbfnp.dll	Inhdgdmk.exe
File created	C:\Windows\SysWOW64\Ikqnlh32.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Jfohgepi.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Khgkpl32.exe	Keioca32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2240	2228	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 53 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikgkei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnagmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igqhpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijaaae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimdcqom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imggplgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kekkiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfodfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmbndmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikqnlh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcnoejch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcjilgdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpbcek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibcphc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jggoqimd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hclfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaimipjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcjilgdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keioca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iogpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iipejmko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikqnlh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kekkiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaimipjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jggoqimd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hclfag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijaaae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcnoejch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfodfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakino32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkoadgf.dll"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll"	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcjilgdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieibdnnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibcphc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclfag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdmhnfl.dll"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll"	Hmbndmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ibcphc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpbcek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2632	3032	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe	30
PID 3032 wrote to memory of 2632	3032	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe	30
PID 3032 wrote to memory of 2632	3032	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe	30
PID 3032 wrote to memory of 2632	3032	1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe	30
PID 2632 wrote to memory of 2828	2632	Hcjilgdb.exe	31
PID 2632 wrote to memory of 2828	2632	Hcjilgdb.exe	31
PID 2632 wrote to memory of 2828	2632	Hcjilgdb.exe	31
PID 2632 wrote to memory of 2828	2632	Hcjilgdb.exe	31
PID 2828 wrote to memory of 2856	2828	Hmbndmkb.exe	32
PID 2828 wrote to memory of 2856	2828	Hmbndmkb.exe	32
PID 2828 wrote to memory of 2856	2828	Hmbndmkb.exe	32
PID 2828 wrote to memory of 2856	2828	Hmbndmkb.exe	32
PID 2856 wrote to memory of 2676	2856	Hclfag32.exe	33
PID 2856 wrote to memory of 2676	2856	Hclfag32.exe	33
PID 2856 wrote to memory of 2676	2856	Hclfag32.exe	33
PID 2856 wrote to memory of 2676	2856	Hclfag32.exe	33
PID 2676 wrote to memory of 2560	2676	Hiioin32.exe	34
PID 2676 wrote to memory of 2560	2676	Hiioin32.exe	34
PID 2676 wrote to memory of 2560	2676	Hiioin32.exe	34
PID 2676 wrote to memory of 2560	2676	Hiioin32.exe	34
PID 2560 wrote to memory of 2296	2560	Ikgkei32.exe	35
PID 2560 wrote to memory of 2296	2560	Ikgkei32.exe	35
PID 2560 wrote to memory of 2296	2560	Ikgkei32.exe	35
PID 2560 wrote to memory of 2296	2560	Ikgkei32.exe	35
PID 2296 wrote to memory of 2468	2296	Ifmocb32.exe	36
PID 2296 wrote to memory of 2468	2296	Ifmocb32.exe	36
PID 2296 wrote to memory of 2468	2296	Ifmocb32.exe	36
PID 2296 wrote to memory of 2468	2296	Ifmocb32.exe	36
PID 2468 wrote to memory of 1468	2468	Imggplgm.exe	37
PID 2468 wrote to memory of 1468	2468	Imggplgm.exe	37
PID 2468 wrote to memory of 1468	2468	Imggplgm.exe	37
PID 2468 wrote to memory of 1468	2468	Imggplgm.exe	37
PID 1468 wrote to memory of 2800	1468	Inhdgdmk.exe	38
PID 1468 wrote to memory of 2800	1468	Inhdgdmk.exe	38
PID 1468 wrote to memory of 2800	1468	Inhdgdmk.exe	38
PID 1468 wrote to memory of 2800	1468	Inhdgdmk.exe	38
PID 2800 wrote to memory of 2928	2800	Ibcphc32.exe	39
PID 2800 wrote to memory of 2928	2800	Ibcphc32.exe	39
PID 2800 wrote to memory of 2928	2800	Ibcphc32.exe	39
PID 2800 wrote to memory of 2928	2800	Ibcphc32.exe	39
PID 2928 wrote to memory of 1040	2928	Igqhpj32.exe	40
PID 2928 wrote to memory of 1040	2928	Igqhpj32.exe	40
PID 2928 wrote to memory of 1040	2928	Igqhpj32.exe	40
PID 2928 wrote to memory of 1040	2928	Igqhpj32.exe	40
PID 1040 wrote to memory of 2248	1040	Iogpag32.exe	41
PID 1040 wrote to memory of 2248	1040	Iogpag32.exe	41
PID 1040 wrote to memory of 2248	1040	Iogpag32.exe	41
PID 1040 wrote to memory of 2248	1040	Iogpag32.exe	41
PID 2248 wrote to memory of 2892	2248	Iaimipjl.exe	42
PID 2248 wrote to memory of 2892	2248	Iaimipjl.exe	42
PID 2248 wrote to memory of 2892	2248	Iaimipjl.exe	42
PID 2248 wrote to memory of 2892	2248	Iaimipjl.exe	42
PID 2892 wrote to memory of 1936	2892	Iipejmko.exe	43
PID 2892 wrote to memory of 1936	2892	Iipejmko.exe	43
PID 2892 wrote to memory of 1936	2892	Iipejmko.exe	43
PID 2892 wrote to memory of 1936	2892	Iipejmko.exe	43
PID 1936 wrote to memory of 2172	1936	Ijaaae32.exe	44
PID 1936 wrote to memory of 2172	1936	Ijaaae32.exe	44
PID 1936 wrote to memory of 2172	1936	Ijaaae32.exe	44
PID 1936 wrote to memory of 2172	1936	Ijaaae32.exe	44
PID 2172 wrote to memory of 2424	2172	Iakino32.exe	45
PID 2172 wrote to memory of 2424	2172	Iakino32.exe	45
PID 2172 wrote to memory of 2424	2172	Iakino32.exe	45
PID 2172 wrote to memory of 2424	2172	Iakino32.exe	45

C:\Users\Admin\AppData\Local\Temp\1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe
"C:\Users\Admin\AppData\Local\Temp\1bf735994504a9371ddae5312ba90df8943a03636f91f1b47ab132982ad352be.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\Hcjilgdb.exe
  C:\Windows\system32\Hcjilgdb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Hmbndmkb.exe
    C:\Windows\system32\Hmbndmkb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\Hclfag32.exe
      C:\Windows\system32\Hclfag32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\SysWOW64\Hiioin32.exe
        
        C:\Windows\system32\Hiioin32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\Ikgkei32.exe
        
        C:\Windows\system32\Ikgkei32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Ifmocb32.exe
        
        C:\Windows\system32\Ifmocb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Imggplgm.exe
        
        C:\Windows\system32\Imggplgm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\Ibcphc32.exe
        
        C:\Windows\system32\Ibcphc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Igqhpj32.exe
        
        C:\Windows\system32\Igqhpj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Iogpag32.exe
        
        C:\Windows\system32\Iogpag32.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Iaimipjl.exe
        
        C:\Windows\system32\Iaimipjl.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Ijaaae32.exe
        
        C:\Windows\system32\Ijaaae32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Ikqnlh32.exe
        
        C:\Windows\system32\Ikqnlh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Jggoqimd.exe
        
        C:\Windows\system32\Jggoqimd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Jnagmc32.exe
        
        C:\Windows\system32\Jnagmc32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Jmdgipkk.exe
        
        C:\Windows\system32\Jmdgipkk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\Jpbcek32.exe
        
        C:\Windows\system32\Jpbcek32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Jcnoejch.exe
        
        C:\Windows\system32\Jcnoejch.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Jabponba.exe
        
        C:\Windows\system32\Jabponba.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Jimdcqom.exe
        
        C:\Windows\system32\Jimdcqom.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Kekkiq32.exe
        
        C:\Windows\system32\Kekkiq32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:292
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\Kfodfh32.exe
        
        C:\Windows\system32\Kfodfh32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 140
        54⤵
        Program crash
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hcjilgdb.exe

Filesize
91KB

MD5
9b67dbe74fde313e5243a4be66f24aab

SHA1
e508c4b114c382b54eac103fac76b3bcf84b55ad

SHA256
042c428ee06b19d1268802c0bc11eac517d0e6db5cb180323644e38f9ee1346a

SHA512
e0c94b75e8ea06b5e254a6115258f830c1897628711f3fb7f56aad19cdf9362db6f367f050de044f63e68012ca4206b7415dd970aa6641668dd0aa0bb00519b3

Download Submit
C:\Windows\SysWOW64\Hclfag32.exe

Filesize
91KB

MD5
2c030711e4aefaae26144ec2fae2f001

SHA1
4b9ef0872557d74fc6fec9070daddef26e836b94

SHA256
99547fabbc167ebccf2a050a7a1c85a341cef0575b2a83861b2b565fcdeb476b

SHA512
8227457ba9951556aac0b8e37b3cfe60305d04cc3a200503e80945472fafcfc5fc9fe006f78869ce75d698aa43feac9a63282d2454912c1580f8f268eb6e1333

Download Submit
C:\Windows\SysWOW64\Iakino32.exe

Filesize
91KB

MD5
9a111b22807defe1c6a9bd370166c2b7

SHA1
170971409f9fdf2a941c6437c9d06615df51663c

SHA256
7dbb322fdf8b8c26d06208e1136fec4e0a1c92307d3d09769bb2b729eb892c83

SHA512
07ce14a7d4865a8c7b82fab957f60be5b7fa96481b937bb8acea5cdb57f1d53bd1f07a90454d2431645738f205b8c7b6ccae4364b9081c2b5aac26f34a9841b9

Download Submit
C:\Windows\SysWOW64\Ibcphc32.exe

Filesize
91KB

MD5
7c0798f2e45ffa0cd401de3e4e9d5258

SHA1
14abb2a053001ab5729a49f27b5b62682eee28d8

SHA256
05a3f8e285fd9070554a6de4b22e6cc40c2d1802423232390877e4842a4dceee

SHA512
bb3dce5c2f09da81d242b8aab2e8b3438cc6363d8d2e247f504d467472eecda3ffc4a8673f073d6518d0916a296a6c18d73b62454c9f75cb89756ccd5c5d193f

Download Submit
C:\Windows\SysWOW64\Ieibdnnp.exe

Filesize
91KB

MD5
4081cc722f65a9b16143cbc637ccd3a9

SHA1
97fb7e1d560936fc635c363d8100563f1e7619c8

SHA256
c36652df843ef5fe3ed72f94a14adbce1fa8e05f64e84a11740c8c2789d1cf60

SHA512
ccfa00f506905a150e298c2669c33f47e7ce61587d6d3dc0bcf96e3335ce504c2200a2c0ae81a9df76a4423e5789fc99e1a2f4f8c079db0aade86c0a33be093a

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
91KB

MD5
1452648a9a3aea69704155bf555a0dff

SHA1
b8969dcf3db9bc4a32e17300c4ef3fc79fa58ee2

SHA256
85c3cb1c5697e56c7e812c06100072c48c2c5240ab24d96da39b85cc5de12ab6

SHA512
13e38c69688e295f9f308ecc89c03090655de8ae438f2ab8d25df92b3bd4e0280e842d1221b25fbf35e681a463354a89869b2d888683e39159d3b934267c2fd2

Download Submit
C:\Windows\SysWOW64\Ikgkei32.exe

Filesize
91KB

MD5
0d3cac0c02fd3f5bdc7f024122e2cc7e

SHA1
65bb30880ba7f3b1b9d77776ddf304636e048186

SHA256
92e9daa56f11f21be86045fb2b19754db2b32efa684ad0a27573ff59d58b1185

SHA512
f5dc2d25945b08ce68577ee381c2c9788f00e58868c1e7fe2fd81d1ab574a41ef7c51917b90e5a7a5c8a761de2996748d3f7473eb6f4a58e3854f6de8bfe895e

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
91KB

MD5
bf2700b0301a708930e2741997ab0a3f

SHA1
5b8a435838594fbab3c70af90e08daaf2a24d849

SHA256
67f0501d78f28df48f6f07e569c22826d2b129c63d8bf5ddfcc3112d42c5fcaf

SHA512
a24c754988fc0aba2344bf28eef813821ab2f1b557a68158b22d161da90e98de71d93e657b4a4bb32bd5723817eb9fa78c98679dd60f19a4396d3ae027f19434

Download Submit
C:\Windows\SysWOW64\Imggplgm.exe

Filesize
91KB

MD5
f3b8157c3caf5a4d40038e66f27f177f

SHA1
52f63d7af69ce52e0bd01c593c53d6903b1b5661

SHA256
be9b67954c61998ad052f22deeab1777bc585235873d3c266ac7b16edfa1a777

SHA512
e3798525b8812737c8b124eca5bb6d6b1d7120af6f659772ec2741eab89fa9cace93c2d0e210a16a1976963e5d45aa3a5f1ebd5c8a5f9defa2e7c561e1afeb06

Download Submit
C:\Windows\SysWOW64\Iogpag32.exe

Filesize
91KB

MD5
fada8e0c99c6a0ab64b9000c35d04877

SHA1
3c766b8202b29fcb2d943e3368c9efceff1b33f4

SHA256
a1050ea0811480048ff3eb8bc34ce690d3b6a912937a8df919102cedab3ee962

SHA512
ded65b27bd953acfb9730d7eccc04038d0a26199bfe191e36ed96b98b6c374a010c73815e381870dc23cf790b97d1e7e34a9ed24bbb1d57fdee26d15e5b6a429

Download Submit
C:\Windows\SysWOW64\Jabponba.exe

Filesize
91KB

MD5
f2e59d0ded4e74e4a02c52b889334602

SHA1
db92c987800b36013d4089a9efe3d15dab494587

SHA256
a09ee5f406fa4168b70323681ff4c87a8ba530808d1c543f36277f819ea415a3

SHA512
1ad84a673d31d920387ee0acd9d71ea8da3f960ddf8a1a0900fdfd7154b1caee9b9646cc13887e944aed4184111159febff7332307c26896bbe4f4b08ee1b282

Download Submit
C:\Windows\SysWOW64\Jcnoejch.exe

Filesize
91KB

MD5
e30678f82b7eb192ef53e13c4e69edf5

SHA1
cb96631c204e789d37f72473da4fd87a32590008

SHA256
604aaa8b2b20decf589b5337039a508c052679d7f206fbb9d0e91475b3ecdd3f

SHA512
35bb6e44f8ef15289a18eda55aaa8189e68e4600208a041bb3000f82b4f9f3e869b3835d72c89531680544eb406df567e4bead2b2ec24ac588c5db0ee3faa3db

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
91KB

MD5
67668b29d5f28189edd0e453463873f1

SHA1
e33b5679716c16b66458e85c862dd77feaf2f054

SHA256
b27bc56978308a7b5525ea217e66a130114fdb14f2fcfa2f4e128601be72e301

SHA512
c6073e7efbe71a35872c6df0b569876af3345fc1d679e2828d6615fc592d3d10628b5cb40f580b7e668c5a243b0a521fc642e94d6b20ef2d5f5aaa2e85541a04

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
91KB

MD5
50661b7f6d3705b5685cfa7f381922b0

SHA1
40c2e29140c2014d241d28aca0457b324b11fa71

SHA256
6da51cc33ca20dd436e019846295a2df48f4da50bb5b391ea554cb409a5b498c

SHA512
a8f186d33992fba84e90e6a83d8656ff222f5fcc4287a068fb8826dc968b4cffc94b1dd2d41a4ccabcbc81bc1a4424e26fc9cdde8b0a7066a06766842ab1cb4b

Download Submit
C:\Windows\SysWOW64\Jfohgepi.exe

Filesize
91KB

MD5
6523ec3db9681d8c817429225d907698

SHA1
d69c429a2a020995fd7170ad96b85b43ac3d1c3c

SHA256
9df0b6734c1d37310ca9fe86ada4e90f29ea871ef4bfa76e446e38d46bfa2424

SHA512
9a486de79ae29945038de7a72afdd634b74aafbbebea0ddc1acebc6fe706bb303e075b1e1f2fcfb4a79341820d8ea202271f4ee5066194c9323c58d25d4adf92

Download Submit
C:\Windows\SysWOW64\Jggoqimd.exe

Filesize
91KB

MD5
c743b62120b0adb8320e2c4676c3d7e5

SHA1
2f1e78cd6881055904c4a6bce9ce643164974053

SHA256
fd1899b17fa8654af84ec25e18de0f961871d3e3ad133ba221c5b234a924701e

SHA512
3858b9b5d4d3ccf924bb221d1cdc1b48f4d840e88d2fcf521769750b4b00c4b990d88f81291b7f78f613aaa70d7378432f5acd2b05f5ebc72a2781c60cc82095

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
91KB

MD5
b0d4ae0da63bd81a1921a895d9b25adf

SHA1
c7bb74a2ae58e27902084671abd75d86fc7742fc

SHA256
9d9a8c001651cf1acd7ac7462f69b2ab1ee3311b81b76e23fc12dbcd637009d4

SHA512
0024e3c02ae934fcd317b9de75528d3051df9e07598b7ad34ff3ac8110dfe7e0a522318e8414047f2615ad234c2fe0a48f0ef6106dc9f4942159a270fd5fced3

Download Submit
C:\Windows\SysWOW64\Jimdcqom.exe

Filesize
91KB

MD5
cd1745f93fc409d87d8404f7881b8149

SHA1
bb1dbd905c6a299190341b946b9d04c1e2f4d3fe

SHA256
94e6217b9d9f5d3000192ebadf221474ea2095f1a1f342a5b4e944127354f129

SHA512
665128258ffdb25decc2331695c51c40dd79b8f0e9041668f50b0f16af58c644c8dad7e89931c4ccad744b443f897c929500e2eee5a4846b1095eb7d173967e9

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
91KB

MD5
e7f27cfe653dd659525954fdd5653297

SHA1
ef5615be2c1558f841646def032e5069dfd7a891

SHA256
9e5d1de3bfab7de91832038a9780f0e59fa7806b62b083f19b74def7eef72b2b

SHA512
fd72226d3968bb3fecbad5bc5df34b273d6d4fa22a6aceadb532072688730eae9e08c6b2f1224ca216ae7715b86fb0280298d0b1824ee639e228150e8966a17d

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
91KB

MD5
94345f6f21ba16e5384a357593e70727

SHA1
51c187604248d59d72ec975f32be444f7f99ee21

SHA256
10efb3c45f147e95106bb5f90f69a09c1352cb22b61ab49fa2225e188304c7aa

SHA512
8a6d14c7e9d092427112765e722120c29be6640214c403d5d40a69f730f762cfbf8b06d0729cfb891c5377d693a69850f26f98fa1de251d4fa2290d6d02149cd

Download Submit
C:\Windows\SysWOW64\Jmdgipkk.exe

Filesize
91KB

MD5
9473e85daf29ee1f453cffa78d8abbac

SHA1
4d9426d4e0a0ea5539597b288c8a7ddc6ae2d741

SHA256
d4c4685b6af337f6b93af78a7ffb8dddc8707c9a7d6cd68ab36a431206ef2ab0

SHA512
3f9b18999ef445150529dccb2d0387d51a89f251982bf3ec62c9460fe115f29f1d6e55e5122d23800538ac507f24c012a193d8f4e1c0f19d2aedb91bd8ac1fc2

Download Submit
C:\Windows\SysWOW64\Jnagmc32.exe

Filesize
91KB

MD5
b59763658431ca62164d4a9e32975adc

SHA1
0c871842a1bce66cd5e4e7806023981b4f48ff9b

SHA256
59d2e1c26249c7418188369a7c136e9b900dcefa508713feca33930549642265

SHA512
79aa26cfc9b22f0153557a6f61284aa3c89c627665104d3f4eb991c2c41383b1819a15085c603e9e34d4c08d5fba338ec35059eae890c5e68a1bf1e48f8f85eb

Download Submit
C:\Windows\SysWOW64\Jpbcek32.exe

Filesize
91KB

MD5
41705fe2cfbb142696e9c1d9097c2dfb

SHA1
a6b52827e2e70b2ba25707a6484ad7aa1875d6e5

SHA256
b3a78f9492a26b493e9a78c41f72a25e6109badf7a914ce49348e2fb16fae474

SHA512
d3b0bac988d1722fc8850b726be88fe03db2b2d63b8d48f5b4173bd0e1d5eea7d34dbea45445e4765e3b075b9ca9c78044b70bfd684b437b436d192f25087d67

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
91KB

MD5
eb79acb18bdf4e9180407c0628316eeb

SHA1
8ff5e68de2d06a844ea56f568732c3163e4595b3

SHA256
97210bbcc8dd7616bc8ffeeefcc801d38f1f8d17921e35edf54df60ec1cf9590

SHA512
d832a2c42fe0039e8d51226111e5aed0a20ac793bc757629bb1ef0c6af477e2dbdf301c37c23f6f77d8f60d4c172c5c19bf1e6aedd3e377cc68adf8a8e43a800

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
91KB

MD5
c082e2ba8e5d31cacca78febc1aa3b6a

SHA1
d4cb6a532212a8a87d1cbf0cb9c9537737791b35

SHA256
2c34816a7263eb6e2d910284f18940dbf031a1f29adf70e6668b952a780adf5c

SHA512
50dcbde7032b0dc9a2d69acfcfedabbeaffef07287e3292cf136c0235562d6bda97cab137445a954ed0ed078555767b8942b4f91e2bc11ab8ffdd472f7935706

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
91KB

MD5
1235378a20006a62d4d87713dc42dedc

SHA1
61de4898fae5dc64ce5005ea73bb739539b6f782

SHA256
10f9d20f655c152b3cdcfff739327f1fa5c027993a164380ee1ad9edbfcdf043

SHA512
a104a12ac7674116f4f53e0951d11dba0fe9ae2a4a23573dbcdc89e663d28e70b4c0394e9b73fe61a02e26d90a43af92cb38fe6bd796485450739668906974b0

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
91KB

MD5
9cd7f977a900101e7c4fd4e9de23f7cd

SHA1
164e72758846bb0a3f903d58742559869d2bbb9f

SHA256
f058e88c1a9489b8b27db96e51a6263322d568d9ac4e1cd3cc714d075c221d86

SHA512
6a602a30cc0e478165a9aa3be378af17ccf2111b18fcacb9b919ff1d1694fa5367604f5c4869fc9e6f7981a7f2f450b7d9dcd7a560d264c94a5a51120b927385

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
91KB

MD5
727b9928a866d5b4aded7deb31e03172

SHA1
bf0c7ec589663bd878a360a36042188f7e9ee684

SHA256
30a75b6498ed86ee1529541bbd1a380672cac6e6e9f1b04167835efdbc8e3a94

SHA512
92f7e2280e76aac733c3c8cfaf0beeda04c67c7932861fa87d4e5f1cfbf48d15dabc3e4b3d09360b43458bbb8c0712762764e3c0460e30126004e25f4579fc8a

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
91KB

MD5
fbcf3d14f8d298bc0ca72d0a3f2bb713

SHA1
a3b58e13e302c74dcea201ab89d3639f9b073b54

SHA256
f63e053cd62484ddc0eb6d93000af1bd35f87ddaed50391dfcb313472e64a007

SHA512
2a9c1185ed143f900c0b2f035fb43357d357071de649aeb7ea3be01903e553ef9433f1e63d88005ac4caa833f488e863e03603bcd563b1f71858388159c59477

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
91KB

MD5
a9ee05eb92d2707c2d9cafa5a544eb0a

SHA1
ce34856344e8d3fc62f3d9f9b448dddf1eabd7e4

SHA256
baa3de580637eb9916588c05da28c8d63f67eb48bc8c75ba696100666527df82

SHA512
df608da7775cd85d8ada8aae3fe40729edc4723ec1f81de53889d0ef8f6c5c5ff6dda36607b141bfaa53d3925cc5f51d6ee31680dc00e3be6150efe0abd7aa52

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
91KB

MD5
e4c4cf287312535d76c7ec7d2faf574a

SHA1
e5aaca98a4c7dea3b64bfc2a0f8b5d5f9b3c4478

SHA256
4ae056b1b309361700402e6afc05db6f1bf230620406bb7f760998b3e167f782

SHA512
ea09caa00f8b40cc340a992e76166757fc300636f307e6fb3451051446efb92841a14d8674ef042cf77390da114e8706e4cbdf5b67039abd0a051b27e3147c21

Download Submit
C:\Windows\SysWOW64\Kekkiq32.exe

Filesize
91KB

MD5
2b5e89dfdf909edb3ba2bfca28c41bde

SHA1
2831ed95d422415a8d1bfb495b607945714258d7

SHA256
2aa196e929cbca2eeb54392c0c43ac3bd7dc3a6faa74c0f2eea32840dd5cbf24

SHA512
5f22807bdbdfaacb996faa16e1f0414e6013b42967f25a1eb488225ea381dc6d2bc26d884db1472143f17038eb46aab14c099b0cd980163d49d6c98657ae9623

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
91KB

MD5
1bb3c911b2e681a47dfe033e4a1aebfe

SHA1
14214b9b6e991e1699659741bd7add23999151d2

SHA256
c3e5dd6fb4a292b7bf7ea5e5f0fdc60b8cf8dc3298923077cf9af99b859a0f9b

SHA512
705eb74b2cb1a42f45c0764152cf9ab559bc8a6edf4f9aff69309cb80b61873e99e7fe8e0cc6b7b6e057aaaacb2621612a56364ed0ba05b1f01d6726983debf0

Download Submit
C:\Windows\SysWOW64\Kfodfh32.exe

Filesize
91KB

MD5
97cdfc4ef56ac77bed14c44f2f5a5177

SHA1
4e06e9c356e64789f885f6c817fb88769682fa89

SHA256
805738301c1da0a6afc773b2ce70367173ebc96aceed91a86922ebb669b2ed73

SHA512
4c6cdd7065b1ced2d69aa62f0438c9340588c603ab37ccad82b5a6e959bad885c1e1ea3550097cffb2b47e46026a181fa93338c6df6dc06dbc4d0912e282fd59

Download Submit
C:\Windows\SysWOW64\Khgkpl32.exe

Filesize
91KB

MD5
60b543ce14e5b1669a7e70d4a1318232

SHA1
b67152e394015292fb67802f2c54273433337c49

SHA256
89a0f6b9c2ebcf8dc9db80a6e8735585c8b6942b1031994fe75f5ba8821f4360

SHA512
ceaa8e88a5a6a855b98995f956e35458a27c1dc63853bd6e8b6ec9cd286a5fe1bba5190e84f5d7e5d183a0219cf154d3959cf19eba72e58ffac1a2f046cabdb6

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
91KB

MD5
8e2d075848754065793d3cda0e748754

SHA1
e170d6de84e21b85c102f65cf0ee133ddbdade1a

SHA256
13da8256b50f235384ee72c5240e5ffc7bb968657b3f3db3c9d0046a017c8cb5

SHA512
9d5b738c2c58c8b8f9ff0c8381057abec80ee56d800665b154bf571bdf57818d461c4c3bae13f4c790c54cd233d1e0e3e8572cf2bc987a3b5cf02612e5716063

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
91KB

MD5
60c2f9217d1f50b723c180b34c40760f

SHA1
738f138f0b4b98892d422bf41dc3402c0a29e5c8

SHA256
b9514418081941938fe3c38c2a8ad491366a742d70cb3c496bfe84ebbd5cfee2

SHA512
114afb093475d0c51357d220a706f73db7651c7caf2038bc6c6ab2b28fdda467d94f7b32eedcfda183e5993c1a6ecfe0ac4946a590ebc3f4e4bf13c7971d19e4

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
91KB

MD5
13064740946e2f8e8885c685566d3a30

SHA1
8641d405d66f78f22902de2a6fe554b38edaa455

SHA256
e18ba85c9f27f2a45a353bad041df00ca66d967ddb319eb99449800f307f48d5

SHA512
8d2c581bcd390a7bddd145fcc7d963ebafb282151797b5d8f169961f526e9be7b3e71bee094f4dfdb10548a02cd7632b5021aa262cd8a51092752a7bfc860b81

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
91KB

MD5
1afe083622885ef50754068135e6689f

SHA1
5317e78048cfe894856c52c5e4f646b6b25a7ef6

SHA256
4a9cf14bf29c46df03433af87d0f4840a23e07e65d81ede4f735d791ceae933f

SHA512
929781cbbc6922ca83e63bcab2e307d3d4ce6681c3abc7ec44cf7e3e2689173613f25964b03441d20b315f5ea5e9cc5a8743a815c238a46a43c8cebdc3dc8165

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
91KB

MD5
44913a1837f07d7f2f45d326f35d5f22

SHA1
6a2ed6456642cba39836b1c1d5f657a3124c08b0

SHA256
581624e0594a967612b74093bef2da9eb48c9f0f02665c30b70dbf9aa7635f98

SHA512
1c4ae2ab27e11a4633289ff159c94552a6125f893a081af1acd983946cab0c5b418a592b4d6d13923019da57c0e1e112b1d993c45d132b400448b729ba263b81

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
91KB

MD5
00c512a209f245bd442f0cb222a284c1

SHA1
72ceb79584a251e62d91f7b4bcaa77665680369d

SHA256
952e6df8e0c3cd8d4fde6639fe93bb2c991db3d84eabd9af53999af4efc87824

SHA512
39cc2bef15035f90254d2cacb6a4299b2ad6db9790a729fd74b9f497d744e83d35dc710f0eb53f247e19211534d69f897bd410f62870a7d5698880cb7d36ca65

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
91KB

MD5
7d99eeb4cc561288e4633da6c1e85a8d

SHA1
9ef17b824926924bd3f92ffbd9504352670c67ee

SHA256
bca25a5f99586f95409668ed34871b220a7898840d35e21e7f2e2078646313d9

SHA512
6eb277d333a7b30c13f9ba2a4cf249af77f83bc5c375ceefd39ca3671e426da3492c3fe1308786e9ebdd28ca4c5d74c695212df3b053380bbbf6b38c72a09a95

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
91KB

MD5
8ad597eb4f40cc07e8651ecbbcf7475f

SHA1
c3665eda8aabcec2be4db9296ab56a70875f10cb

SHA256
c03dad5ba9d0189d334dd973de4e3d50b37c95c7c45997a1360deae31100dce8

SHA512
dc1472f86c5c90e8fa4396c66b1b45cd316b081dbadb63a8c58ddbc60e01072a94d1bee0b188bec3955a5f5d06da29981093f720f64d55da6713eee812cf3a6c

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
91KB

MD5
5ac500f128b77546367287560dba13a0

SHA1
5cf382ab0395be6cab67891fb7911d19698a81c9

SHA256
c5f74255444f006952efc522833102263f18c3f9f059e29eadfb3635e5d708d8

SHA512
475a17a80eb088860dbc264a5e181e3c2346119296030e086f4de011e69c507e4e5ec7afdf419d9c4f720fcc7605f268fbe3bb17a816120c31e23a0df45067b6

Download Submit
\Windows\SysWOW64\Hiioin32.exe

Filesize
91KB

MD5
e733a0cc3e33d211f1db15efdf02c488

SHA1
0f3922497405bc38c06afa2b0949389c92281859

SHA256
0d5dab313635993b2d32128c34e7cc4ad933a18295032a827101d3ee0e5d10de

SHA512
9a1f70a69f65c4d24996dcef7a8eabee516ecd4ed0b528fc8b88519bd928cdf6287bf1fb37bcb7d9bd2860da89f53bd3898b67064dbc4f59e951945903b48a1c

Download Submit
\Windows\SysWOW64\Hmbndmkb.exe

Filesize
91KB

MD5
f2bbcc40c17b112f8066719d883c494e

SHA1
98a8f1e200fd21e000bb192d9b982fb684b23fae

SHA256
9e3ee56a2e310c5cf1351d182705c1c1557850e78201cca8a81c2d7261c8c7ce

SHA512
fbccf12d04b1edc2d18f9aa5d75f01a140f93348392cfd896114240eb764c253912ee9cb0d55ac58062c3ea2af32c2cd191581a95a870d4bdd17ee7d0327f433

Download Submit
\Windows\SysWOW64\Iaimipjl.exe

Filesize
91KB

MD5
d035ac90ad1e8f50633ea728b005cbeb

SHA1
380a7c2ababcacef4d6813f839aa3ccb0fd507c1

SHA256
cdee9240d5b9a74b3014a2b2e1fd1b839fd31346eae8f906190df2eb48096176

SHA512
14d48637743b7dd9439f85767c304ecb6d1858380474c2598dd00ea951754ab78ffab0d0bf2664e30a2bd3db83609c654d1e404aa030ffe6e47c9510681aac74

Download Submit
\Windows\SysWOW64\Ifmocb32.exe

Filesize
91KB

MD5
793ce8f439063a5cfc1151d2821687e9

SHA1
c3453a5595bdff4b04ce377b0f690a116fe50cf2

SHA256
781ae1e6aff41b9b8ffed1672183849c260691809d5cce14ba2cf04af49ee167

SHA512
18dcefb63b0f410825cb4f950c59f4c731f790c43c3fb5c65de60614562dc9c59c13a0579c67be2bb285e47006d528eb56a961fd4810ccb614a7f749b9a0b00d

Download Submit
\Windows\SysWOW64\Igqhpj32.exe

Filesize
91KB

MD5
75dfa5b8c077c639a261d3e768c4c4e8

SHA1
c9e470b6d476d364caca83cd54ede18f85be0dcb

SHA256
a208b427dd9f441b7cbcc8f88216e1cfbde322f39cd93d0ad46bb43c20fe8085

SHA512
636df31a371504406c14505537b9001f1a014a6a9f84774c8529a76daf1e515d2e792f0c5166208f511c0c422b167fa8021d64045b7f0a3eeecbb20188b126f2

Download Submit
\Windows\SysWOW64\Ijaaae32.exe

Filesize
91KB

MD5
ab1344efe58f9e10047827d54670de44

SHA1
c8856ebc5eda3e29693eb8ac9e5f4fcd6adb87f4

SHA256
e8ad201a500dc11e165f63e3bdd310e41ff8d72832d477868462eb6f03b4125b

SHA512
3e6c018dab4374240065eafdaf696ff4a155f488b332b88e391d05a34ee19852657b99229c0e0dc9e68e03ffcbd261c3274d551fc4eb17b7e51009081056a8d5

Download Submit
\Windows\SysWOW64\Ikqnlh32.exe

Filesize
91KB

MD5
06ce7c949239b566c9f222a3b672a101

SHA1
456b1183fb3a263b86f8c547ab8d6ec138329134

SHA256
4e1efa94ae797a0bfe406fddc54844c8bff6b48c4dda594e66f9da6ef79c8a77

SHA512
7536fdcedadf27a49c0c248ab1f50566374bb34efe2e02f1a049ec4c3267312c2d8af093465449e9fd5c4fd387be1f74cba2ca243ae49440e7af2e19fad17b52

Download Submit
\Windows\SysWOW64\Inhdgdmk.exe

Filesize
91KB

MD5
254e209b7c094d7cba3ba53eb6fa5dc7

SHA1
bcda50e03cbc935358331f7778779972900fd445

SHA256
b713b5925a1f1eea822fcd796802a12b6a5a1cecb4bf7e5e1f6598196cf7aedb

SHA512
c889e411af39b75c1eb8e800f858280d2345d3c8ed39aeeee97d11c29725429335ec3ace2aea50be11ef7e690c4e23d8ff6f28053a12db0f4e0a1e1e2c0d09df

Download Submit
memory/292-450-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/292-459-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/292-460-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/348-621-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/348-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/348-305-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/348-309-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/696-613-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1040-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-386-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1056-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-385-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1128-449-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1128-448-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-288-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1176-619-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1468-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1532-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-615-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1636-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-374-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1652-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-627-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-375-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1676-319-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1676-310-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-622-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1676-320-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1688-535-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/1688-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-428-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1768-427-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1768-421-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-439-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1796-438-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1796-429-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-470-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1852-464-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1852-471-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1916-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-492-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1924-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-298-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1936-194-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-238-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-481-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2160-482-0x00000000001E0000-0x000000000020F000-memory.dmp

Filesize
188KB

Download
memory/2160-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-617-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-261-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-202-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-611-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2248-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-612-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2424-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-80-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2560-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-514-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2632-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-32-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2632-33-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2676-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-354-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-364-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2732-626-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-363-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2780-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-623-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-330-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2780-331-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2788-341-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2788-624-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2788-342-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2800-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-50-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2856-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2856-61-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2856-528-0x0000000000300000-0x000000000032F000-memory.dmp

Filesize
188KB

Download
memory/2892-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2892-187-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2892-609-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2920-417-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2920-416-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2928-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-353-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2968-352-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2968-343-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-625-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-403-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2976-393-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2976-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-503-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/3032-12-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/3032-498-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-11-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/3032-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads