5f05301b7c30788065ed79f5fc348ac5d3b5fff405223785b00d0b0f430a527f

Analysis

max time kernel
32s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
02/09/2024, 11:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6437c8cf4fda2ad0ef989330854e2260N.exe
Size

64KB
MD5

6437c8cf4fda2ad0ef989330854e2260
SHA1

813d14cc1a45bbcbacc74909e1c77436dc34e5f1
SHA256

5f05301b7c30788065ed79f5fc348ac5d3b5fff405223785b00d0b0f430a527f
SHA512

18acb9d4a9d86dc15de8f157cc075ef7a4761568e581883c1cb7dbd9e27193ad42239108c6c0082b203f455e202929913a34820d0e31a645a439992be80be1c1
SSDEEP

1536:WQiU/796MbhdmY8tDU2cWQb92LhXdZgQe:WQRzBbhkt42uOhXds

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmbndmkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmdkjmip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6437c8cf4fda2ad0ef989330854e2260N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inojhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmdkjmip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Injqmdki.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jedehaea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6437c8cf4fda2ad0ef989330854e2260N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe

Executes dropped EXE 19 IoCs

pid	Process
1804	Hmbndmkb.exe
2620	Hmdkjmip.exe
2708	Iikkon32.exe
2792	Iebldo32.exe
2652	Injqmdki.exe
2560	Iegeonpc.exe
2364	Inojhc32.exe
2420	Jnagmc32.exe
2756	Jfmkbebl.exe
1708	Jllqplnp.exe
2220	Jedehaea.exe
2940	Jfcabd32.exe
2148	Jnofgg32.exe
2868	Koaclfgl.exe
596	Klecfkff.exe
1592	Kadica32.exe
624	Kbhbai32.exe
2164	Llpfjomf.exe
1696	Lbjofi32.exe

Loads dropped DLL 42 IoCs

pid	Process
2424	6437c8cf4fda2ad0ef989330854e2260N.exe
2424	6437c8cf4fda2ad0ef989330854e2260N.exe
1804	Hmbndmkb.exe
1804	Hmbndmkb.exe
2620	Hmdkjmip.exe
2620	Hmdkjmip.exe
2708	Iikkon32.exe
2708	Iikkon32.exe
2792	Iebldo32.exe
2792	Iebldo32.exe
2652	Injqmdki.exe
2652	Injqmdki.exe
2560	Iegeonpc.exe
2560	Iegeonpc.exe
2364	Inojhc32.exe
2364	Inojhc32.exe
2420	Jnagmc32.exe
2420	Jnagmc32.exe
2756	Jfmkbebl.exe
2756	Jfmkbebl.exe
1708	Jllqplnp.exe
1708	Jllqplnp.exe
2220	Jedehaea.exe
2220	Jedehaea.exe
2940	Jfcabd32.exe
2940	Jfcabd32.exe
2148	Jnofgg32.exe
2148	Jnofgg32.exe
2868	Koaclfgl.exe
2868	Koaclfgl.exe
596	Klecfkff.exe
596	Klecfkff.exe
1592	Kadica32.exe
1592	Kadica32.exe
624	Kbhbai32.exe
624	Kbhbai32.exe
2164	Llpfjomf.exe
2164	Llpfjomf.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe
1684	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	Jnagmc32.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Hmdkjmip.exe	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Ekhnnojb.dll	Inojhc32.exe
File opened for modification	C:\Windows\SysWOW64\Jedehaea.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kadica32.exe
File created	C:\Windows\SysWOW64\Ipafocdg.dll	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Aqgpml32.dll	Hmbndmkb.exe
File opened for modification	C:\Windows\SysWOW64\Inojhc32.exe	Iegeonpc.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Jedehaea.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Llpfjomf.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Iikkon32.exe	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Iebldo32.exe	Iikkon32.exe
File opened for modification	C:\Windows\SysWOW64\Jfcabd32.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Eplpdepa.dll	Jedehaea.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	Hmdkjmip.exe
File opened for modification	C:\Windows\SysWOW64\Jfmkbebl.exe	Jnagmc32.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jedehaea.exe
File created	C:\Windows\SysWOW64\Kmkkio32.dll	Jfcabd32.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Hmdkjmip.exe	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Hmdkjmip.exe
File created	C:\Windows\SysWOW64\Hmbndmkb.exe	6437c8cf4fda2ad0ef989330854e2260N.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Hmbndmkb.exe	6437c8cf4fda2ad0ef989330854e2260N.exe
File created	C:\Windows\SysWOW64\Iegeonpc.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Inojhc32.exe	Iegeonpc.exe
File created	C:\Windows\SysWOW64\Koaclfgl.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Iebldo32.exe	Iikkon32.exe
File created	C:\Windows\SysWOW64\Jfmkbebl.exe	Jnagmc32.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Koaclfgl.exe	Jnofgg32.exe
File opened for modification	C:\Windows\SysWOW64\Injqmdki.exe	Iebldo32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Iegeonpc.exe	Injqmdki.exe
File created	C:\Windows\SysWOW64\Iddpheep.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Jnofgg32.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Injqmdki.exe	Iebldo32.exe
File opened for modification	C:\Windows\SysWOW64\Jnagmc32.exe	Inojhc32.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jfmkbebl.exe
File created	C:\Windows\SysWOW64\Jnofgg32.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Kbclpfop.dll	Iegeonpc.exe
File created	C:\Windows\SysWOW64\Pbkboega.dll	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Kbhbai32.exe	Kadica32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kadica32.exe
File created	C:\Windows\SysWOW64\Mgqbajfj.dll	Iebldo32.exe
File created	C:\Windows\SysWOW64\Jnagmc32.exe	Inojhc32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Nbhebh32.dll	6437c8cf4fda2ad0ef989330854e2260N.exe
File created	C:\Windows\SysWOW64\Lbfchlee.dll	Iikkon32.exe
File created	C:\Windows\SysWOW64\Aekabb32.dll	Injqmdki.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1684	1696	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6437c8cf4fda2ad0ef989330854e2260N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmbndmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmdkjmip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jedehaea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iegeonpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inojhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Injqmdki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnagmc32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll"	Inojhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnagmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iegeonpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll"	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6437c8cf4fda2ad0ef989330854e2260N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfmkbebl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbhebh32.dll"	6437c8cf4fda2ad0ef989330854e2260N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6437c8cf4fda2ad0ef989330854e2260N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbclpfop.dll"	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll"	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll"	Jedehaea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	6437c8cf4fda2ad0ef989330854e2260N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekabb32.dll"	Injqmdki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmdkjmip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfchlee.dll"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnofgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqbajfj.dll"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inojhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll"	Hmbndmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iikkon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koaclfgl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iegeonpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jedehaea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmbndmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Inojhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnagmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll"	Jfcabd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	6437c8cf4fda2ad0ef989330854e2260N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6437c8cf4fda2ad0ef989330854e2260N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Injqmdki.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1804	2424	6437c8cf4fda2ad0ef989330854e2260N.exe	30
PID 2424 wrote to memory of 1804	2424	6437c8cf4fda2ad0ef989330854e2260N.exe	30
PID 2424 wrote to memory of 1804	2424	6437c8cf4fda2ad0ef989330854e2260N.exe	30
PID 2424 wrote to memory of 1804	2424	6437c8cf4fda2ad0ef989330854e2260N.exe	30
PID 1804 wrote to memory of 2620	1804	Hmbndmkb.exe	31
PID 1804 wrote to memory of 2620	1804	Hmbndmkb.exe	31
PID 1804 wrote to memory of 2620	1804	Hmbndmkb.exe	31
PID 1804 wrote to memory of 2620	1804	Hmbndmkb.exe	31
PID 2620 wrote to memory of 2708	2620	Hmdkjmip.exe	32
PID 2620 wrote to memory of 2708	2620	Hmdkjmip.exe	32
PID 2620 wrote to memory of 2708	2620	Hmdkjmip.exe	32
PID 2620 wrote to memory of 2708	2620	Hmdkjmip.exe	32
PID 2708 wrote to memory of 2792	2708	Iikkon32.exe	33
PID 2708 wrote to memory of 2792	2708	Iikkon32.exe	33
PID 2708 wrote to memory of 2792	2708	Iikkon32.exe	33
PID 2708 wrote to memory of 2792	2708	Iikkon32.exe	33
PID 2792 wrote to memory of 2652	2792	Iebldo32.exe	34
PID 2792 wrote to memory of 2652	2792	Iebldo32.exe	34
PID 2792 wrote to memory of 2652	2792	Iebldo32.exe	34
PID 2792 wrote to memory of 2652	2792	Iebldo32.exe	34
PID 2652 wrote to memory of 2560	2652	Injqmdki.exe	35
PID 2652 wrote to memory of 2560	2652	Injqmdki.exe	35
PID 2652 wrote to memory of 2560	2652	Injqmdki.exe	35
PID 2652 wrote to memory of 2560	2652	Injqmdki.exe	35
PID 2560 wrote to memory of 2364	2560	Iegeonpc.exe	36
PID 2560 wrote to memory of 2364	2560	Iegeonpc.exe	36
PID 2560 wrote to memory of 2364	2560	Iegeonpc.exe	36
PID 2560 wrote to memory of 2364	2560	Iegeonpc.exe	36
PID 2364 wrote to memory of 2420	2364	Inojhc32.exe	37
PID 2364 wrote to memory of 2420	2364	Inojhc32.exe	37
PID 2364 wrote to memory of 2420	2364	Inojhc32.exe	37
PID 2364 wrote to memory of 2420	2364	Inojhc32.exe	37
PID 2420 wrote to memory of 2756	2420	Jnagmc32.exe	38
PID 2420 wrote to memory of 2756	2420	Jnagmc32.exe	38
PID 2420 wrote to memory of 2756	2420	Jnagmc32.exe	38
PID 2420 wrote to memory of 2756	2420	Jnagmc32.exe	38
PID 2756 wrote to memory of 1708	2756	Jfmkbebl.exe	39
PID 2756 wrote to memory of 1708	2756	Jfmkbebl.exe	39
PID 2756 wrote to memory of 1708	2756	Jfmkbebl.exe	39
PID 2756 wrote to memory of 1708	2756	Jfmkbebl.exe	39
PID 1708 wrote to memory of 2220	1708	Jllqplnp.exe	40
PID 1708 wrote to memory of 2220	1708	Jllqplnp.exe	40
PID 1708 wrote to memory of 2220	1708	Jllqplnp.exe	40
PID 1708 wrote to memory of 2220	1708	Jllqplnp.exe	40
PID 2220 wrote to memory of 2940	2220	Jedehaea.exe	41
PID 2220 wrote to memory of 2940	2220	Jedehaea.exe	41
PID 2220 wrote to memory of 2940	2220	Jedehaea.exe	41
PID 2220 wrote to memory of 2940	2220	Jedehaea.exe	41
PID 2940 wrote to memory of 2148	2940	Jfcabd32.exe	42
PID 2940 wrote to memory of 2148	2940	Jfcabd32.exe	42
PID 2940 wrote to memory of 2148	2940	Jfcabd32.exe	42
PID 2940 wrote to memory of 2148	2940	Jfcabd32.exe	42
PID 2148 wrote to memory of 2868	2148	Jnofgg32.exe	43
PID 2148 wrote to memory of 2868	2148	Jnofgg32.exe	43
PID 2148 wrote to memory of 2868	2148	Jnofgg32.exe	43
PID 2148 wrote to memory of 2868	2148	Jnofgg32.exe	43
PID 2868 wrote to memory of 596	2868	Koaclfgl.exe	44
PID 2868 wrote to memory of 596	2868	Koaclfgl.exe	44
PID 2868 wrote to memory of 596	2868	Koaclfgl.exe	44
PID 2868 wrote to memory of 596	2868	Koaclfgl.exe	44
PID 596 wrote to memory of 1592	596	Klecfkff.exe	45
PID 596 wrote to memory of 1592	596	Klecfkff.exe	45
PID 596 wrote to memory of 1592	596	Klecfkff.exe	45
PID 596 wrote to memory of 1592	596	Klecfkff.exe	45

C:\Users\Admin\AppData\Local\Temp\6437c8cf4fda2ad0ef989330854e2260N.exe
"C:\Users\Admin\AppData\Local\Temp\6437c8cf4fda2ad0ef989330854e2260N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\Hmbndmkb.exe
  C:\Windows\system32\Hmbndmkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\SysWOW64\Hmdkjmip.exe
    C:\Windows\system32\Hmdkjmip.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\Iikkon32.exe
      C:\Windows\system32\Iikkon32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\Injqmdki.exe
        
        C:\Windows\system32\Injqmdki.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Iegeonpc.exe
        
        C:\Windows\system32\Iegeonpc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Inojhc32.exe
        
        C:\Windows\system32\Inojhc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Jnagmc32.exe
        
        C:\Windows\system32\Jnagmc32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Jedehaea.exe
        
        C:\Windows\system32\Jedehaea.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:596
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iikkon32.exe

Filesize
64KB

MD5
bca4685ef939d0f3d96ec6546cc6f6ae

SHA1
3f6c9c9dbf1ab7b43bd02583a83c3fd78dd1cc66

SHA256
58cbca8989127702e72103b8b34a40e9df5f361b996cb4a056205ac32b225f6e

SHA512
66ea59b7db373dac58c38a339da94f45b35ed929821406655f72d7c0b0b1894684bf16fd6f1906fee81dd43264b7fc84bf9afe2112adac9561ef87199c68b97e

Download Submit
C:\Windows\SysWOW64\Jfmkbebl.exe

Filesize
64KB

MD5
8c32ed613b48fafe549dc5b1b7cabd53

SHA1
8bc0369aae6869d01532d76b52af2a47384b05b2

SHA256
38334a9d2977774a3fdac7ac578b4af7c3e3422ea0092cf8cc86c48e81018617

SHA512
e8aef2479375dac092ce35c16539a725f2f9845a390096c499c94c65d764fe71b53d750b06be0062e8edc6a6f2f3b016164212848994f7e3c2d31bf2f31cc4a4

Download Submit
C:\Windows\SysWOW64\Jllqplnp.exe

Filesize
64KB

MD5
3282a4551e997820d59344bcd295debf

SHA1
47dfc63a288f84f54d115b2e2e244dc78fff2703

SHA256
17c33c845cfdc219d611971158b02a1bc3d76ef6c119c6a4a5678fb932538741

SHA512
209024e9a9d73ca333dcb7fd21f4971fc306780f0991becc1e1ddad9a8e95bf3603cfc8ffcaab7fbfdf0584962d6efeab1eb8241bdf7a3def2858846836f9bb4

Download Submit
C:\Windows\SysWOW64\Jnagmc32.exe

Filesize
64KB

MD5
446633b6d93936945e3ebc26c4299663

SHA1
0b31d9ac7168d08715037a3a290f26a909abd8c9

SHA256
c4cb7e2b37e3cd10eea62d3c842ed1bd16a6554b62125d5bfb1623ecd52983b3

SHA512
934e4603b0a6ea820d8fa88b7e30fd9575ce5b87759959fd9d075eedf7ad4b49001dc6f6fa029ca7f31defb5f7cc64fe5ed052eea3d5b15fd5fe2539203fc64f

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
64KB

MD5
0b8bf4c71df901dfa2749ab10dd79342

SHA1
0110b5f2c72b581cfdfa26bc619e6c73d9709d6a

SHA256
ce553e2ca12e75df87ee7d79020c5ade4e054f27fec0a6ebc264eca29c820dd3

SHA512
0dd922f361867522a56cf1f3db5613926b55eeb2eb8db6bb08fb1741395c3e3f0247e6f7aa2a085c14a4b901f5399fc79c06f93acd3ea922299c91a00392e40c

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
64KB

MD5
99953acf7428d036ea346c38b035fdf4

SHA1
43707c8c14f147dbbab92c50c0d4aed33c7d76ee

SHA256
b861e31c8598beb26664375409cebf6a9fa2a60bf78ba01b10d84f6f33804773

SHA512
7c61d1ca4aef24096c9c64432c705d09eaf395bf55b5c2fa45daa2a9fb49df84732eb08d8758d3b98bbde75917a7a640807cf1ed8e9b4c77d8557501cea323ba

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
64KB

MD5
718ac5ed1392613535366543271ee14c

SHA1
7979c513f5816915f5351bc6d1c9cf1866897dcf

SHA256
3fec679ae714cb1f013deee19178d54ca7b5235af8de08520732427552da889a

SHA512
87b67ce5edd4968d7ae14b94d9b72c2af64d159bdca4061caf08b2476f4468bcf0d87a93e68083ec1e1bca930ff959e0f70dbe93103ecd4360acb5644cb2961e

Download Submit
\Windows\SysWOW64\Hmbndmkb.exe

Filesize
64KB

MD5
d04d9f749ea2de45df4fb33e94f6e207

SHA1
ca930eb291071596ac25a196079dc6e409b6f095

SHA256
2fb1978d89c1193c52a1950222fbe8de7c7c2c8f019e890d9b761ded64c8c9f9

SHA512
c6991bd14f2bd214b2256e5f00b16ac0dd25823d6870cba4ffd9027d5e4e50fc3d938f8567d4d88c4535187d65f8e456c2d9111564b40d0a4a778f30dfc8de8e

Download Submit
\Windows\SysWOW64\Hmdkjmip.exe

Filesize
64KB

MD5
3d64da76f403d117af38192c61c28918

SHA1
57071393255f83037b25121f10a4f3804775da53

SHA256
ec6f1eaacf24f74184851ddde05216d55f34d46d561de7aa7a57fa337219cb4e

SHA512
17ee29ba536e10cb23ef322f865f31676f3961ba6fe62e2669c940e1bf1aa8d632a547aaaca0395284725cbf968ed32ab2da269c3d84166ad31db05cf4e5a9bb

Download Submit
\Windows\SysWOW64\Iebldo32.exe

Filesize
64KB

MD5
45fabb99f9874839db24d8b8af012a34

SHA1
7ed34ca7ed8da6a0c0d3a466b38c6904dffe2181

SHA256
89e061275802528eaac09e222bdaa7ac89e745cb3188cae03eaba5034658a4c6

SHA512
c81c4c645945e6c54f598b419d166dfaefcf220d38757e7fa4d20db0f4168611b9a688b9aca9ff1acaa9f7afa5dc210c3b5f7d70445bbe21d432e41a13adaf1c

Download Submit
\Windows\SysWOW64\Iegeonpc.exe

Filesize
64KB

MD5
2bdd216b87a4766022ec349a76ed6ca0

SHA1
19ce4eb0ff5eba941139f31e13057335c6f796ff

SHA256
76c09177f2fef63f1a44784fccb8287cc3b38a4febe33ee32be4cad49acafdb9

SHA512
b8542577c8e8354369da4a19bc2eb2d533a912c4195074de9f232087f3c6c25a8f68ba8198ba15985af685b652518c2d654db85f315b81468bb4ffe10c407f0a

Download Submit
\Windows\SysWOW64\Injqmdki.exe

Filesize
64KB

MD5
6e85998c41a9db7d8006eb8780bd2fd2

SHA1
dd3d174570db6a8e89a88d871a364a8206ee47c2

SHA256
50917c1c954aaf730d8393ac70229ebc4d86ac0577058a5dfb651f689d655698

SHA512
78bf5f83e9c5d12780382c3274f654cad5af1741e8cba027be57a1a7f39d0febec0708976b20c72c3c3ba830a624b6a07e26243e4c201eac3537a0c0ceca0cac

Download Submit
\Windows\SysWOW64\Inojhc32.exe

Filesize
64KB

MD5
a326f01899cefa8475afd4ef022d563b

SHA1
c5028e5385436710c0a9003ea16f3c40f3600d9b

SHA256
0f1899e3ea0aba6ef9ecd65da9ed0578177d7186fbcf8195113532cda74b9b6b

SHA512
bc59e15bc69095c1786c78daa51fbdfc4d2db53b361eee053ab4a19b3dea9429dc9dcb3e07e81ea73ddf85ab6fe5bae9a303af9bc4796ef59527b23937dc97ba

Download Submit
\Windows\SysWOW64\Jedehaea.exe

Filesize
64KB

MD5
e36485188fe4fa401052f1d8048a422a

SHA1
9fdddb35520442088d85e4d648b7eb67441b74fb

SHA256
c6db0f2551bd442f50d9d3002260535cbbc87e6b5edbf729dce28158c2a31acb

SHA512
cfc7152bfc36efc055e2874d3156cb5beae999da8d56815f357c928bbe7fa2ff10f3481fff7e1e7450f87eb9df156667061e12924785584019fa92538913952b

Download Submit
\Windows\SysWOW64\Jfcabd32.exe

Filesize
64KB

MD5
7021a847ecd7ebc9b39689b68fa36910

SHA1
c438a75bcfc40582d1de260933426f1e98bc8881

SHA256
fc0359d4584d658691ae1d65839307e3474ca45a0051e985b0f5e54e3f53f136

SHA512
51aad6459e38660acf2c8f8df97d7da1165c5506e59e5b087237d33871a69e7793bfe9ad7d8e483d9f2b4bc85691cb1d2d6996ab17f8a1b1cdb05b840f096419

Download Submit
\Windows\SysWOW64\Jnofgg32.exe

Filesize
64KB

MD5
ca87eda596045ac2f72c7e7ab2bb47c1

SHA1
588eb4e14a0821be7912e655abc3dc1c56ff6706

SHA256
ea746e63e4303822761e94916a81965685a38fc8bd755fa3d6201798a018a2a8

SHA512
5cd2456a37cb548dd9ac0bdec4334daf43aa56819c8b6d99cfd48d06d79c7c321aad8783162b006cbbfd73e8f989d0983abde108eff726f4fcdc6ce9d33c1928

Download Submit
\Windows\SysWOW64\Kadica32.exe

Filesize
64KB

MD5
c88f9b3d0682b8f939485267ae7306d3

SHA1
518d5719452f23818f6d0a57fd99857a07ff6a64

SHA256
c366c30d92eef0e2908e4ff5176ab61d5882e66ba340fbaf6d46a7ffe641092d

SHA512
cc804e772968853a5922abd8ff3b454cf3bebb75ef170444a984183e7c71dc0425aa7f23df17865fc33d34b1a18b695ab78db3dfd5d6acbdf09f15010f300122

Download Submit
\Windows\SysWOW64\Klecfkff.exe

Filesize
64KB

MD5
84ab524740caee62f2910e1f2624ee20

SHA1
568ca961377d8b7c6c8254fa3a2d1067a5681691

SHA256
6599852486157331f9a1b2ecacc229466cfec2bb77a8136d1c783e96f380a361

SHA512
017a62121b91f2063acb6bc5475444972f6b578d34f47558836d656f11808f28e1282d53ea437df0f0216b127e00bfacbc3f2458cccd69221367e42172b96ef4

Download Submit
\Windows\SysWOW64\Koaclfgl.exe

Filesize
64KB

MD5
e8e03e581a1951de4b2cb4f6f448fd4f

SHA1
442454b7b58225273180948b8a747402c6596e40

SHA256
48111b8930f728ef38f503a855da17476ed8f8fd5bb4d64625c1012fb4f8e100

SHA512
10c807d072c840ff5ff544b6b1edad9bcc3c42da9919d2888578221aadd179e712fbaf457e9577b032d226b8d4cf983f4f677e8100a0f5bb165a608b7fe46d45

Download Submit
memory/596-213-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/596-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/624-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-226-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/1592-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1708-148-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/1708-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1804-21-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/1804-33-0x00000000002A0000-0x00000000002D5000-memory.dmp

Filesize
212KB

Download
memory/2148-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-187-0x00000000002C0000-0x00000000002F5000-memory.dmp

Filesize
212KB

Download
memory/2164-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-117-0x00000000003A0000-0x00000000003D5000-memory.dmp

Filesize
212KB

Download
memory/2364-106-0x00000000003A0000-0x00000000003D5000-memory.dmp

Filesize
212KB

Download
memory/2364-98-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-118-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-13-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/2424-12-0x00000000001B0000-0x00000000001E5000-memory.dmp

Filesize
212KB

Download
memory/2424-4-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2560-92-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2560-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2620-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-82-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2708-50-0x0000000000230000-0x0000000000265000-memory.dmp

Filesize
212KB

Download
memory/2708-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2708-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-140-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2756-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-138-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2792-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2792-68-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2868-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-200-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2940-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2940-166-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads