f7d242d3fa0bea231d41156e22f8be144d1364ba69ac8274f80cd79518b96bee

Analysis

max time kernel
111s
max time network
21s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab200323c41f9e841f6dfa58d985a9a0N.exe
Size

395KB
MD5

ab200323c41f9e841f6dfa58d985a9a0
SHA1

cff416616f77479891b8d2e0bd2781453602af7f
SHA256

f7d242d3fa0bea231d41156e22f8be144d1364ba69ac8274f80cd79518b96bee
SHA512

1091e582fbe35eb63369272333c18421e17a6e58014c59dbe70ec05572fdfcfc717f96fbdb71704e1e2afb18519a3bf68bd4ec2d310f44846ba35d06a33970ae
SSDEEP

6144:qGe8VZUs4y70u4HXs4yr0u490u4Ds4yvW8lM:qoVx4O0dHc4i0d90dA4X

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab200323c41f9e841f6dfa58d985a9a0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpjifjdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ab200323c41f9e841f6dfa58d985a9a0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jabponba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe

Executes dropped EXE 22 IoCs

pid	Process
2600	Jjhgbd32.exe
2740	Jabponba.exe
2340	Jcqlkjae.exe
2948	Jjjdhc32.exe
2732	Jpgmpk32.exe
2628	Jedehaea.exe
1224	Jpjifjdg.exe
2980	Jfcabd32.exe
2064	Jhenjmbb.exe
1492	Jnofgg32.exe
1732	Keioca32.exe
1692	Kjeglh32.exe
1636	Kapohbfp.exe
1896	Klecfkff.exe
2212	Kmfpmc32.exe
1080	Kdphjm32.exe
760	Kkjpggkn.exe
828	Kadica32.exe
1308	Kmkihbho.exe
316	Kbhbai32.exe
3044	Lmmfnb32.exe
1236	Lbjofi32.exe

Loads dropped DLL 48 IoCs

pid	Process
2868	ab200323c41f9e841f6dfa58d985a9a0N.exe
2868	ab200323c41f9e841f6dfa58d985a9a0N.exe
2600	Jjhgbd32.exe
2600	Jjhgbd32.exe
2740	Jabponba.exe
2740	Jabponba.exe
2340	Jcqlkjae.exe
2340	Jcqlkjae.exe
2948	Jjjdhc32.exe
2948	Jjjdhc32.exe
2732	Jpgmpk32.exe
2732	Jpgmpk32.exe
2628	Jedehaea.exe
2628	Jedehaea.exe
1224	Jpjifjdg.exe
1224	Jpjifjdg.exe
2980	Jfcabd32.exe
2980	Jfcabd32.exe
2064	Jhenjmbb.exe
2064	Jhenjmbb.exe
1492	Jnofgg32.exe
1492	Jnofgg32.exe
1732	Keioca32.exe
1732	Keioca32.exe
1692	Kjeglh32.exe
1692	Kjeglh32.exe
1636	Kapohbfp.exe
1636	Kapohbfp.exe
1896	Klecfkff.exe
1896	Klecfkff.exe
2212	Kmfpmc32.exe
2212	Kmfpmc32.exe
1080	Kdphjm32.exe
1080	Kdphjm32.exe
760	Kkjpggkn.exe
760	Kkjpggkn.exe
828	Kadica32.exe
828	Kadica32.exe
1308	Kmkihbho.exe
1308	Kmkihbho.exe
316	Kbhbai32.exe
316	Kbhbai32.exe
3044	Lmmfnb32.exe
3044	Lmmfnb32.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe
2932	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Eplpdepa.dll	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Lpgcln32.dll	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Jhenjmbb.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Jpjifjdg.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Jhenjmbb.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Bcbonpco.dll	ab200323c41f9e841f6dfa58d985a9a0N.exe
File created	C:\Windows\SysWOW64\Mebgijei.dll	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Ciqmoj32.dll	Keioca32.exe
File opened for modification	C:\Windows\SysWOW64\Jhenjmbb.exe	Jfcabd32.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Kjeglh32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kapohbfp.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Jabponba.exe
File created	C:\Windows\SysWOW64\Khljoh32.dll	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Ebenek32.dll	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Kapohbfp.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jhenjmbb.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Jfcabd32.exe	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kmkihbho.exe
File opened for modification	C:\Windows\SysWOW64\Jabponba.exe	Jjhgbd32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jjjdhc32.exe
File created	C:\Windows\SysWOW64\Kmfpmc32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Jjhgbd32.exe	ab200323c41f9e841f6dfa58d985a9a0N.exe
File created	C:\Windows\SysWOW64\Jmegnj32.dll	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Klecfkff.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Oiahkhpo.dll	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Jjjdhc32.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjjdhc32.exe	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Jpjifjdg.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Keioca32.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Kjeglh32.exe	Keioca32.exe
File created	C:\Windows\SysWOW64\Jabponba.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jabponba.exe
File created	C:\Windows\SysWOW64\Kapohbfp.exe	Kjeglh32.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jabponba.exe
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Abqcpo32.dll	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Jjhgbd32.exe	ab200323c41f9e841f6dfa58d985a9a0N.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jpjifjdg.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2932	1236	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpjifjdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhenjmbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjeglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab200323c41f9e841f6dfa58d985a9a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhenjmbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ab200323c41f9e841f6dfa58d985a9a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ab200323c41f9e841f6dfa58d985a9a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ab200323c41f9e841f6dfa58d985a9a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abqcpo32.dll"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll"	Keioca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjeglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnofgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	ab200323c41f9e841f6dfa58d985a9a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll"	Jhenjmbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ab200323c41f9e841f6dfa58d985a9a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ab200323c41f9e841f6dfa58d985a9a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jabponba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Keioca32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll"	Jjhgbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpjifjdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmegnj32.dll"	Kjeglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kadica32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2600	2868	ab200323c41f9e841f6dfa58d985a9a0N.exe	30
PID 2868 wrote to memory of 2600	2868	ab200323c41f9e841f6dfa58d985a9a0N.exe	30
PID 2868 wrote to memory of 2600	2868	ab200323c41f9e841f6dfa58d985a9a0N.exe	30
PID 2868 wrote to memory of 2600	2868	ab200323c41f9e841f6dfa58d985a9a0N.exe	30
PID 2600 wrote to memory of 2740	2600	Jjhgbd32.exe	31
PID 2600 wrote to memory of 2740	2600	Jjhgbd32.exe	31
PID 2600 wrote to memory of 2740	2600	Jjhgbd32.exe	31
PID 2600 wrote to memory of 2740	2600	Jjhgbd32.exe	31
PID 2740 wrote to memory of 2340	2740	Jabponba.exe	32
PID 2740 wrote to memory of 2340	2740	Jabponba.exe	32
PID 2740 wrote to memory of 2340	2740	Jabponba.exe	32
PID 2740 wrote to memory of 2340	2740	Jabponba.exe	32
PID 2340 wrote to memory of 2948	2340	Jcqlkjae.exe	33
PID 2340 wrote to memory of 2948	2340	Jcqlkjae.exe	33
PID 2340 wrote to memory of 2948	2340	Jcqlkjae.exe	33
PID 2340 wrote to memory of 2948	2340	Jcqlkjae.exe	33
PID 2948 wrote to memory of 2732	2948	Jjjdhc32.exe	34
PID 2948 wrote to memory of 2732	2948	Jjjdhc32.exe	34
PID 2948 wrote to memory of 2732	2948	Jjjdhc32.exe	34
PID 2948 wrote to memory of 2732	2948	Jjjdhc32.exe	34
PID 2732 wrote to memory of 2628	2732	Jpgmpk32.exe	35
PID 2732 wrote to memory of 2628	2732	Jpgmpk32.exe	35
PID 2732 wrote to memory of 2628	2732	Jpgmpk32.exe	35
PID 2732 wrote to memory of 2628	2732	Jpgmpk32.exe	35
PID 2628 wrote to memory of 1224	2628	Jedehaea.exe	36
PID 2628 wrote to memory of 1224	2628	Jedehaea.exe	36
PID 2628 wrote to memory of 1224	2628	Jedehaea.exe	36
PID 2628 wrote to memory of 1224	2628	Jedehaea.exe	36
PID 1224 wrote to memory of 2980	1224	Jpjifjdg.exe	37
PID 1224 wrote to memory of 2980	1224	Jpjifjdg.exe	37
PID 1224 wrote to memory of 2980	1224	Jpjifjdg.exe	37
PID 1224 wrote to memory of 2980	1224	Jpjifjdg.exe	37
PID 2980 wrote to memory of 2064	2980	Jfcabd32.exe	38
PID 2980 wrote to memory of 2064	2980	Jfcabd32.exe	38
PID 2980 wrote to memory of 2064	2980	Jfcabd32.exe	38
PID 2980 wrote to memory of 2064	2980	Jfcabd32.exe	38
PID 2064 wrote to memory of 1492	2064	Jhenjmbb.exe	39
PID 2064 wrote to memory of 1492	2064	Jhenjmbb.exe	39
PID 2064 wrote to memory of 1492	2064	Jhenjmbb.exe	39
PID 2064 wrote to memory of 1492	2064	Jhenjmbb.exe	39
PID 1492 wrote to memory of 1732	1492	Jnofgg32.exe	40
PID 1492 wrote to memory of 1732	1492	Jnofgg32.exe	40
PID 1492 wrote to memory of 1732	1492	Jnofgg32.exe	40
PID 1492 wrote to memory of 1732	1492	Jnofgg32.exe	40
PID 1732 wrote to memory of 1692	1732	Keioca32.exe	41
PID 1732 wrote to memory of 1692	1732	Keioca32.exe	41
PID 1732 wrote to memory of 1692	1732	Keioca32.exe	41
PID 1732 wrote to memory of 1692	1732	Keioca32.exe	41
PID 1692 wrote to memory of 1636	1692	Kjeglh32.exe	42
PID 1692 wrote to memory of 1636	1692	Kjeglh32.exe	42
PID 1692 wrote to memory of 1636	1692	Kjeglh32.exe	42
PID 1692 wrote to memory of 1636	1692	Kjeglh32.exe	42
PID 1636 wrote to memory of 1896	1636	Kapohbfp.exe	43
PID 1636 wrote to memory of 1896	1636	Kapohbfp.exe	43
PID 1636 wrote to memory of 1896	1636	Kapohbfp.exe	43
PID 1636 wrote to memory of 1896	1636	Kapohbfp.exe	43
PID 1896 wrote to memory of 2212	1896	Klecfkff.exe	44
PID 1896 wrote to memory of 2212	1896	Klecfkff.exe	44
PID 1896 wrote to memory of 2212	1896	Klecfkff.exe	44
PID 1896 wrote to memory of 2212	1896	Klecfkff.exe	44
PID 2212 wrote to memory of 1080	2212	Kmfpmc32.exe	45
PID 2212 wrote to memory of 1080	2212	Kmfpmc32.exe	45
PID 2212 wrote to memory of 1080	2212	Kmfpmc32.exe	45
PID 2212 wrote to memory of 1080	2212	Kmfpmc32.exe	45

C:\Users\Admin\AppData\Local\Temp\ab200323c41f9e841f6dfa58d985a9a0N.exe
"C:\Users\Admin\AppData\Local\Temp\ab200323c41f9e841f6dfa58d985a9a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\SysWOW64\Jjhgbd32.exe
  C:\Windows\system32\Jjhgbd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\SysWOW64\Jabponba.exe
    C:\Windows\system32\Jabponba.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\Jcqlkjae.exe
      C:\Windows\system32\Jcqlkjae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
      - C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Jpjifjdg.exe
        
        C:\Windows\system32\Jpjifjdg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\Jhenjmbb.exe
        
        C:\Windows\system32\Jhenjmbb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Kjeglh32.exe
        
        C:\Windows\system32\Kjeglh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1236 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jabponba.exe

Filesize
395KB

MD5
d27fa4ad257d40c19eba9408193ef121

SHA1
63905c642ece173e119467598678c8486fed9438

SHA256
ce007dbb7178687ec301812e2f475e6f64fc5e0571b3f632d292ae26f5770b06

SHA512
e59993cb7b51705ea270f5ba7653dcd522c2a41075702721776a68dc59475cb4fe1399181f36e2f1b87e56854811b2096508ff54092b719e7bb8c8e99f153e3f

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
395KB

MD5
6ab088485daf7ca4e9fcd2e17cb3d85d

SHA1
883aa982845c4c98dac8f725c6127d906bb79109

SHA256
52c7be5682850bd091405d15ee2d61733570eef273688694a36c0f8848deb241

SHA512
a7277b029a2eb1f06764272324be3c4bb5d95472b3a3bfbe5648e0fa34def9885ac0fe3118c1ff25f6998227df3ae4aa77baf1d3368f53330d3415a1793cfff6

Download Submit
C:\Windows\SysWOW64\Jedehaea.exe

Filesize
395KB

MD5
7789a4363002cbc0f08892300f8bd421

SHA1
5f8b496875ce52dc8ff1f6d0ce533ad0a202addf

SHA256
bf1cae503df708cb40bb516e2223fabdad0c8151369c46ef77bbf05b89ef5e4d

SHA512
b72a82c689072d9f2637eddb4e6a6f674de1845885d956961e32a703d75ca7bf921b57998633ed9884b9df95d575b9a8769ccfd79d9d58898f0d6608e4026b55

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
395KB

MD5
3c2cc5d45732d67625f1814cabfc0d7f

SHA1
4fad732b11c190dc89eaa6e5018e7fb7f304e390

SHA256
8db677d6449e408cc8131d40b47b855405f0679885726c49dc59a12ec390e733

SHA512
3e8072d633a9e96780a6c4e371a4629f5a947b5b4cbc04a88a39e7ae2292a763ca514eb8f40f0c10f82760b3163ee6b1daea00fb545072fce1be752291968171

Download Submit
C:\Windows\SysWOW64\Jhenjmbb.exe

Filesize
395KB

MD5
938371e5cd64e41aa63195b3dc6df055

SHA1
875de5563452edd7587707a13f70593aeb5e942e

SHA256
8e78705c52fff32b9c955daa466d38316c4d74f32bd6f4b79d0700314dec6d69

SHA512
8742cad163a74e5bf5f7341de5f6e472f1a2f5e2c121e2d197b1df625e3a5c94fb2fb6270213bf616e6820e690b8e7843b38e74082eab01736f4263f0dfcdaed

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
395KB

MD5
3fe1fcff7725d3abe498690b73286a1b

SHA1
2b1674e4ce5adcb21d356862469fac5313d791c9

SHA256
a4921e355702a4caeb5ecb8285b5580c2e2c0b456fae140ef5de3912188df8d8

SHA512
fd6deefa4442d4ce63f5343cf7f1b6cd6c304da65ce57eb1e5f5794b2777088bef88aa9407598103f770c9f2dc9647a0759735dc37d2dcd740bdeb814f26f2f1

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
395KB

MD5
aa1e27db2f29e3bbace418e25b1ae3de

SHA1
4fdf46021371b458580acf4a843fe37454c2dce3

SHA256
b9b8053a332889bf0f2493a955b15f47443c91db7a58d816c9fa98df8ddec30d

SHA512
9c41f8b0f3a1accbae447ecbf537d81f3cc4351172886d4a9985e0ac644d0c6fca76db3c0d4aa28694fe58f683e81bede8f8c5fe5fe0b545b8c2f9450e13bd65

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
395KB

MD5
eccec0da79a13ab1b46dac41005a6bfb

SHA1
8cdd84794551a3a403559826675b498d0801de22

SHA256
b061f8b87ab377ae595cd250887917b2efead9051cd25c852f635a523591902f

SHA512
a1deb728de537389f9525abed89bce8ad2eb0a771ae8cb19e1e240223c2f4e86a89513c7bd440aae6e846af4eb7f27a05e80377c105a0208357c253c7c6232b9

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
395KB

MD5
5ff1eb2922b25a4107e3758afeffd6e0

SHA1
59639e0e57247cc01c966c4b3ea4b4b89261aa32

SHA256
5eca482e81ec14f8795c9d609944d3e978895b10e4ac4d9da244b80c5c4a2b3e

SHA512
c10f468b356bec36affd37376eae3460b8ee6f155012d19b08c16fe800dc94c61e39c3d6f4a83316731e94c7a54dba42fc1835b1f0d494e9956147ef2f8ce182

Download Submit
C:\Windows\SysWOW64\Jpjifjdg.exe

Filesize
395KB

MD5
823c012489db95fe9f866be1305dc218

SHA1
a06c2e4febaa6396fdcc60126f0edb13d7b9fa43

SHA256
2909b3b1a9fa1888d19c0ce5c8b0d819157fb422f63e0cc994adbac59427e5bf

SHA512
2ca93e69109230c46c16225b3eaadde8e602ea703da37d6a04488ecaa24f1c149dd17e3a1c3a9c831cd9fd138e6965c5f354f2a474409b2a565d146225db330e

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
395KB

MD5
5edb00f016daeb0756069ba1e2be2e4a

SHA1
31c76f61b8079b04ad2bfc52cf802d900624c284

SHA256
8524b37a1b7ad111842f01bd7642a96cbe47058274473bd00b4f5800b28ee6e5

SHA512
8f324b63a0fdee26fd27c39d55b739f0d717a4de99ea3a7fab3fe1dff8346f310635c4d842da0c410ef09c0d47b0169e68a597a549dacde62ad4b73549cf6959

Download Submit
C:\Windows\SysWOW64\Kapohbfp.exe

Filesize
395KB

MD5
77da8d4f6c82fb247582a591e3f2202d

SHA1
20e9cf636b48d8a7fa51477689133edf970f631e

SHA256
c781883bc10a33b09140027b88f6f07f8e41fc8b449a054981bd2177049a39b8

SHA512
81a7e5158399da6e332eb461bb563bbfe7915dea6e1f39feba507ebb1065f1d98c06f4c9af942e4bec5833dfe0aaa4226cdff2481a4e4dd864c11bf34aff3980

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
395KB

MD5
4040b92ed620f78cd97063da6ac68e71

SHA1
49a14b9eb1b287d1c5c9ee7ce3139fbd589df7be

SHA256
408d1b1cc0a0e23f7c35b6929e7be3be78040e46e82c90766ed7706f1bf87b5b

SHA512
4faf38b03030f83cf9f35c51aed4f77995fe29e5bb19bfbb087c382a128333a213c4ca379badc8165fdd36c1442362cd9f32e76f71418028f4ea5f829855fdbc

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
395KB

MD5
91ae8461ec68656bbf456bfe1da27dbb

SHA1
7058da845c063321d6675e449d123ffb5a73a960

SHA256
a39825419fdeea56010dd7c8c5bb18ee90e1ba604bdbcb832bcdb79402894915

SHA512
70eeb12a305767d26b334cc8b69e427d322bfd22ea635023de5cad123752a85688a04be6adb28eefc55551bc55db563422f81ea88bd1f1d385beb5ff49b20ff0

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
395KB

MD5
26c965d5c110e786039237930aa8503b

SHA1
567cada069bdcb9a16dffe5bd7212a0f9f5a428a

SHA256
fea72f84738b80b620c76988e04ab2e7b423a70a62bb9d06e0563839a1675798

SHA512
c66d7c2ab9a944fbb949b3b5582c87787de802702291e616333fbbf8b82748afc7c1a9fa5a4ff504c6fb61a32b64654485a452cc13fe1ac4c31295e914d0a7aa

Download Submit
C:\Windows\SysWOW64\Kjeglh32.exe

Filesize
395KB

MD5
2065ce38b417ac9f7dc0f7a940b1f026

SHA1
df893b60ca2bc471b9bdaa3ca30683d33e14fb69

SHA256
61e2b3de1e720ed7bb2e4ed60c261c7edc1a770a7ad28745e48cfa38a19920e8

SHA512
005b44788e5b82530c40295c164406f586e6b4f01e1a83411d07c4313a1a318d854afd33a4a389c62971a8452a9b94dcfba22c556278a5de74db82c864c3d1cf

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
395KB

MD5
87197880fe5145997a0f1f5d7d6fa703

SHA1
037d6e473034a426b41cb8cc7a9ecb684d5fdad9

SHA256
41b23b559cf6a529088368e8641a7633442b9d745edd665ac731bc7d41b6457c

SHA512
2c381a29d2a201cb4e5afcc79a2378fda473b332707f3d1df6a507effbe95dcb15b06d2ee30dfb067fbc195d2dacd42072c85ae4df2eb86dca70322f05e866af

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
395KB

MD5
5131463158e0164fae84c9a720f2eb73

SHA1
7c4f3699ca84621b673e83e0656267ee7017e3ab

SHA256
71859efea0f2d53ad55bc614b120775d4c3e2684ddc0410fd1fe3bb2a187788d

SHA512
293ec16df304c8f763ebb5e8d28b14925382d74082000ca37805a3eef1de763af28dd4a4adbe9eae49936b0397b75176cfc6c3b2f26d27d0a1a65cd07c3c718f

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
395KB

MD5
91a986e904e3d36c8408e062cab504a0

SHA1
5906db49e6df6ff3b673184a0230f428325e6020

SHA256
3cb3689cba072f1eb991a5f5afb6cf3f431113a8869d3baaa41971276a02e758

SHA512
05f8d48860c3c0406ef1ac39708e28266b14b4a7e265e364ef8cc8fa37740cff5b27185bc626d28cacbc1303e21a07c8fdac31f412317bda69727275d7826a8f

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
395KB

MD5
39255401088cc309dae27a447c59f279

SHA1
554eb0ffbfc6872a14415b55ea6b7a6ab14350ca

SHA256
78d680da2b3ef9bd857595a19e03c7360c92b01abb85e6d560d9ee981164e06d

SHA512
ace9a2fc8acbb1f644c271adc8e02cf29e69090548041a6e5331e6b25634ada106fc761ce86e4111e798f98e6cda9208a6cbe8374459237fbfce1d88b8a57184

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
395KB

MD5
a4eff09f912c9b15310c0a6fa82d8224

SHA1
b5411965600cfaf8ce22fcbfc796ffb02d6a5c04

SHA256
0c0b832e85c9d139358f8d261a0f643b64e887d8885df330f84a60356fa58c9e

SHA512
9deb4e71ca00ce8bb68c38d080e51c9ea634b588369d4b0f369f3d9481ed70631357586408de38779b8297e8c6651ab3953d825d87b5deaa5ad13fadeecc2707

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
395KB

MD5
743a6d5e0d79ac33130e5ee533a6f08b

SHA1
d9e2f1fcbcca8acc3de32bae231c8624cb49854c

SHA256
0d6d066d27fe589c31b056aec07857663f10c31daa9f78b12a6dcf7a94fe112a

SHA512
8157df869961e76eaeb4d6f2e1c0dc312c9d8af3dc43d86755bb881b71f950752577b1856d1a29d36d8e515f1d0685ff5ad1ef4773337f512cc2d9b36e011425

Download Submit
memory/316-371-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/760-363-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/828-367-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1080-357-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1224-246-0x00000000002E0000-0x0000000000362000-memory.dmp

Filesize
520KB

Download
memory/1224-245-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1224-247-0x00000000002E0000-0x0000000000362000-memory.dmp

Filesize
520KB

Download
memory/1224-339-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1236-266-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1236-379-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1308-369-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1492-256-0x0000000000340000-0x00000000003C2000-memory.dmp

Filesize
520KB

Download
memory/1492-345-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1492-255-0x0000000000340000-0x00000000003C2000-memory.dmp

Filesize
520KB

Download
memory/1492-254-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1636-351-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1636-263-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-349-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-260-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1692-261-0x0000000000300000-0x0000000000382000-memory.dmp

Filesize
520KB

Download
memory/1692-262-0x0000000000300000-0x0000000000382000-memory.dmp

Filesize
520KB

Download
memory/1732-347-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1732-257-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1732-258-0x00000000002D0000-0x0000000000352000-memory.dmp

Filesize
520KB

Download
memory/1732-259-0x00000000002D0000-0x0000000000352000-memory.dmp

Filesize
520KB

Download
memory/1896-353-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-253-0x0000000000300000-0x0000000000382000-memory.dmp

Filesize
520KB

Download
memory/2064-343-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2064-252-0x0000000000300000-0x0000000000382000-memory.dmp

Filesize
520KB

Download
memory/2064-251-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2212-355-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2340-331-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2600-267-0x00000000002D0000-0x0000000000352000-memory.dmp

Filesize
520KB

Download
memory/2600-327-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2600-243-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2628-337-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2732-335-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2740-244-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2740-329-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2868-325-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2868-15-0x0000000002080000-0x0000000002102000-memory.dmp

Filesize
520KB

Download
memory/2868-18-0x0000000002080000-0x0000000002102000-memory.dmp

Filesize
520KB

Download
memory/2868-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2948-333-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2980-248-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2980-250-0x0000000002010000-0x0000000002092000-memory.dmp

Filesize
520KB

Download
memory/2980-341-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2980-249-0x0000000002010000-0x0000000002092000-memory.dmp

Filesize
520KB

Download
memory/3044-265-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/3044-264-0x0000000000250000-0x00000000002D2000-memory.dmp

Filesize
520KB

Download
memory/3044-373-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads