d9272a53f4c78456b8471929553d6ff4f845f4a09a1d896009ba4c3ca53ae4b8

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-09-2024 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

077075e7483f59ba07912e14a93b0340N.exe
Size

90KB
MD5

077075e7483f59ba07912e14a93b0340
SHA1

0f17823ff27bc28bcb18f364ab396cc59b2ecac8
SHA256

d9272a53f4c78456b8471929553d6ff4f845f4a09a1d896009ba4c3ca53ae4b8
SHA512

095c4548ac1c7ea245458f4c939656eb32ed6c903dcf81cf22b4b7cdc6825be612d9ff5db6cce59adc8279e99c136bfa78adfaa53b77c2897b611bec5c4ff834
SSDEEP

1536:soThRGd2Qng8yuS1WaiwNIMrSXUAS15zGwu/Ub0VkVNK:BRG5zLS13uSHzGwu/Ub0+NK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kenhopmf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcepqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijaaae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iclbpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjfkmdlg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhkopj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnmacpfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcciqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	077075e7483f59ba07912e14a93b0340N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkjkle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnhgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijaaae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdbpekam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imggplgm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmlhbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iocgfhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkmjoec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiioin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Igebkiof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjhgbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khjgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iocgfhhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpepkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdbpekam.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igebkiof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcepqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlqjkk32.exe

Executes dropped EXE 51 IoCs

pid	Process
1296	Hhkopj32.exe
1168	Hkjkle32.exe
2640	Hkjkle32.exe
2752	Hjmlhbbg.exe
2544	Hnhgha32.exe
2712	Hdbpekam.exe
2584	Hcepqh32.exe
2060	Hnmacpfj.exe
1524	Hmbndmkb.exe
1680	Hclfag32.exe
1852	Hiioin32.exe
2508	Iocgfhhc.exe
1672	Ifmocb32.exe
2988	Imggplgm.exe
2304	Inhdgdmk.exe
2516	Iinhdmma.exe
1028	Iogpag32.exe
640	Ibfmmb32.exe
2240	Iipejmko.exe
2200	Ijaaae32.exe
1780	Iakino32.exe
1788	Igebkiof.exe
2220	Imbjcpnn.exe
1992	Iclbpj32.exe
2628	Jjfkmdlg.exe
2684	Jgjkfi32.exe
2168	Jjhgbd32.exe
2668	Jpepkk32.exe
2812	Jimdcqom.exe
2652	Jcciqi32.exe
3016	Jbfilffm.exe
380	Jmkmjoec.exe
2864	Jibnop32.exe
1708	Jlqjkk32.exe
1968	Jplfkjbd.exe
2032	Kbjbge32.exe
580	Kidjdpie.exe
2576	Khjgel32.exe
2428	Klecfkff.exe
2216	Kablnadm.exe
1288	Kenhopmf.exe
980	Kmimcbja.exe
1460	Kpgionie.exe
2596	Kfaalh32.exe
3036	Kkmmlgik.exe
2964	Kpieengb.exe
2756	Kkojbf32.exe
2660	Llpfjomf.exe
2648	Lplbjm32.exe
2772	Ldgnklmi.exe
3048	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2096	077075e7483f59ba07912e14a93b0340N.exe
2096	077075e7483f59ba07912e14a93b0340N.exe
1296	Hhkopj32.exe
1296	Hhkopj32.exe
1168	Hkjkle32.exe
1168	Hkjkle32.exe
2640	Hkjkle32.exe
2640	Hkjkle32.exe
2752	Hjmlhbbg.exe
2752	Hjmlhbbg.exe
2544	Hnhgha32.exe
2544	Hnhgha32.exe
2712	Hdbpekam.exe
2712	Hdbpekam.exe
2584	Hcepqh32.exe
2584	Hcepqh32.exe
2060	Hnmacpfj.exe
2060	Hnmacpfj.exe
1524	Hmbndmkb.exe
1524	Hmbndmkb.exe
1680	Hclfag32.exe
1680	Hclfag32.exe
1852	Hiioin32.exe
1852	Hiioin32.exe
2508	Iocgfhhc.exe
2508	Iocgfhhc.exe
1672	Ifmocb32.exe
1672	Ifmocb32.exe
2988	Imggplgm.exe
2988	Imggplgm.exe
2304	Inhdgdmk.exe
2304	Inhdgdmk.exe
2516	Iinhdmma.exe
2516	Iinhdmma.exe
1028	Iogpag32.exe
1028	Iogpag32.exe
640	Ibfmmb32.exe
640	Ibfmmb32.exe
2240	Iipejmko.exe
2240	Iipejmko.exe
2200	Ijaaae32.exe
2200	Ijaaae32.exe
1780	Iakino32.exe
1780	Iakino32.exe
1788	Igebkiof.exe
1788	Igebkiof.exe
2220	Imbjcpnn.exe
2220	Imbjcpnn.exe
1992	Iclbpj32.exe
1992	Iclbpj32.exe
2628	Jjfkmdlg.exe
2628	Jjfkmdlg.exe
2684	Jgjkfi32.exe
2684	Jgjkfi32.exe
2168	Jjhgbd32.exe
2168	Jjhgbd32.exe
2668	Jpepkk32.exe
2668	Jpepkk32.exe
2812	Jimdcqom.exe
2812	Jimdcqom.exe
2652	Jcciqi32.exe
2652	Jcciqi32.exe
3016	Jbfilffm.exe
3016	Jbfilffm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cbdmhnfl.dll	Jpepkk32.exe
File opened for modification	C:\Windows\SysWOW64\Jbfilffm.exe	Jcciqi32.exe
File opened for modification	C:\Windows\SysWOW64\Kenhopmf.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Kfaalh32.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	Igebkiof.exe
File opened for modification	C:\Windows\SysWOW64\Imggplgm.exe	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Leoebflm.dll	Iakino32.exe
File opened for modification	C:\Windows\SysWOW64\Jcciqi32.exe	Jimdcqom.exe
File opened for modification	C:\Windows\SysWOW64\Hhkopj32.exe	077075e7483f59ba07912e14a93b0340N.exe
File opened for modification	C:\Windows\SysWOW64\Hclfag32.exe	Hmbndmkb.exe
File created	C:\Windows\SysWOW64\Iinhdmma.exe	Inhdgdmk.exe
File created	C:\Windows\SysWOW64\Ibfmmb32.exe	Iogpag32.exe
File created	C:\Windows\SysWOW64\Kobgmfjh.dll	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Jjfkmdlg.exe	Iclbpj32.exe
File opened for modification	C:\Windows\SysWOW64\Hdbpekam.exe	Hnhgha32.exe
File created	C:\Windows\SysWOW64\Dfcllk32.dll	Hiioin32.exe
File created	C:\Windows\SysWOW64\Iipejmko.exe	Ibfmmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjfkmdlg.exe	Iclbpj32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Hcepqh32.exe	Hdbpekam.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Jplfkjbd.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Mjcccnbp.dll	Ibfmmb32.exe
File created	C:\Windows\SysWOW64\Dmplbgpm.dll	Ijaaae32.exe
File opened for modification	C:\Windows\SysWOW64\Igebkiof.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe
File opened for modification	C:\Windows\SysWOW64\Inhdgdmk.exe	Imggplgm.exe
File opened for modification	C:\Windows\SysWOW64\Jmkmjoec.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Kidjdpie.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Jpepkk32.exe	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Iocgfhhc.exe	Hiioin32.exe
File opened for modification	C:\Windows\SysWOW64\Iocgfhhc.exe	Hiioin32.exe
File opened for modification	C:\Windows\SysWOW64\Iakino32.exe	Ijaaae32.exe
File created	C:\Windows\SysWOW64\Jpbpbbdb.dll	Jjfkmdlg.exe
File created	C:\Windows\SysWOW64\Ibodnd32.dll	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Kfaalh32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Bbdofg32.dll	Hjmlhbbg.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Klecfkff.exe
File opened for modification	C:\Windows\SysWOW64\Kmimcbja.exe	Kenhopmf.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Imbjcpnn.exe	Igebkiof.exe
File opened for modification	C:\Windows\SysWOW64\Hmbndmkb.exe	Hnmacpfj.exe
File opened for modification	C:\Windows\SysWOW64\Iclbpj32.exe	Imbjcpnn.exe
File created	C:\Windows\SysWOW64\Dfaaak32.dll	Jjhgbd32.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Lplbjm32.exe
File opened for modification	C:\Windows\SysWOW64\Hkjkle32.exe	Hhkopj32.exe
File created	C:\Windows\SysWOW64\Ikaihg32.dll	Inhdgdmk.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Hiioin32.exe	Hclfag32.exe
File created	C:\Windows\SysWOW64\Lpfhdddb.dll	Iocgfhhc.exe
File created	C:\Windows\SysWOW64\Kndkfpje.dll	Iinhdmma.exe
File created	C:\Windows\SysWOW64\Ibnhnc32.dll	Iclbpj32.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jcciqi32.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Hmbndmkb.exe	Hnmacpfj.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Igebkiof.exe
File opened for modification	C:\Windows\SysWOW64\Jgjkfi32.exe	Jjfkmdlg.exe
File created	C:\Windows\SysWOW64\Jjhgbd32.exe	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Kenhopmf.exe	Kablnadm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	3048	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iinhdmma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcciqi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	077075e7483f59ba07912e14a93b0340N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjmlhbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhkopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjkle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnhgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcepqh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmkmjoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hclfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jimdcqom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imggplgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibfmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpepkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijaaae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kenhopmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkjkle32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iclbpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igebkiof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmacpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmbndmkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdbpekam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjfkmdlg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iocgfhhc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll"	Hjmlhbbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmbndmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll"	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkmqd32.dll"	Jmkmjoec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeefjhh.dll"	Hdbpekam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll"	Ibfmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkaobghp.dll"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iipejmko.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jimdcqom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	077075e7483f59ba07912e14a93b0340N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll"	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iinhdmma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcciqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khjgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Igebkiof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonpco.dll"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogcf32.dll"	Hkjkle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hnhgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hclfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iclbpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgmjmajn.dll"	Hclfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll"	Iinhdmma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbdmhnfl.dll"	Jpepkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jimdcqom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioigi32.dll"	077075e7483f59ba07912e14a93b0340N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmogcf32.dll"	Hhkopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	077075e7483f59ba07912e14a93b0340N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jibnop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kenhopmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hkjkle32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnhnc32.dll"	Iclbpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iocgfhhc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1296	2096	077075e7483f59ba07912e14a93b0340N.exe	31
PID 2096 wrote to memory of 1296	2096	077075e7483f59ba07912e14a93b0340N.exe	31
PID 2096 wrote to memory of 1296	2096	077075e7483f59ba07912e14a93b0340N.exe	31
PID 2096 wrote to memory of 1296	2096	077075e7483f59ba07912e14a93b0340N.exe	31
PID 1296 wrote to memory of 1168	1296	Hhkopj32.exe	32
PID 1296 wrote to memory of 1168	1296	Hhkopj32.exe	32
PID 1296 wrote to memory of 1168	1296	Hhkopj32.exe	32
PID 1296 wrote to memory of 1168	1296	Hhkopj32.exe	32
PID 1168 wrote to memory of 2640	1168	Hkjkle32.exe	33
PID 1168 wrote to memory of 2640	1168	Hkjkle32.exe	33
PID 1168 wrote to memory of 2640	1168	Hkjkle32.exe	33
PID 1168 wrote to memory of 2640	1168	Hkjkle32.exe	33
PID 2640 wrote to memory of 2752	2640	Hkjkle32.exe	34
PID 2640 wrote to memory of 2752	2640	Hkjkle32.exe	34
PID 2640 wrote to memory of 2752	2640	Hkjkle32.exe	34
PID 2640 wrote to memory of 2752	2640	Hkjkle32.exe	34
PID 2752 wrote to memory of 2544	2752	Hjmlhbbg.exe	35
PID 2752 wrote to memory of 2544	2752	Hjmlhbbg.exe	35
PID 2752 wrote to memory of 2544	2752	Hjmlhbbg.exe	35
PID 2752 wrote to memory of 2544	2752	Hjmlhbbg.exe	35
PID 2544 wrote to memory of 2712	2544	Hnhgha32.exe	36
PID 2544 wrote to memory of 2712	2544	Hnhgha32.exe	36
PID 2544 wrote to memory of 2712	2544	Hnhgha32.exe	36
PID 2544 wrote to memory of 2712	2544	Hnhgha32.exe	36
PID 2712 wrote to memory of 2584	2712	Hdbpekam.exe	37
PID 2712 wrote to memory of 2584	2712	Hdbpekam.exe	37
PID 2712 wrote to memory of 2584	2712	Hdbpekam.exe	37
PID 2712 wrote to memory of 2584	2712	Hdbpekam.exe	37
PID 2584 wrote to memory of 2060	2584	Hcepqh32.exe	38
PID 2584 wrote to memory of 2060	2584	Hcepqh32.exe	38
PID 2584 wrote to memory of 2060	2584	Hcepqh32.exe	38
PID 2584 wrote to memory of 2060	2584	Hcepqh32.exe	38
PID 2060 wrote to memory of 1524	2060	Hnmacpfj.exe	39
PID 2060 wrote to memory of 1524	2060	Hnmacpfj.exe	39
PID 2060 wrote to memory of 1524	2060	Hnmacpfj.exe	39
PID 2060 wrote to memory of 1524	2060	Hnmacpfj.exe	39
PID 1524 wrote to memory of 1680	1524	Hmbndmkb.exe	40
PID 1524 wrote to memory of 1680	1524	Hmbndmkb.exe	40
PID 1524 wrote to memory of 1680	1524	Hmbndmkb.exe	40
PID 1524 wrote to memory of 1680	1524	Hmbndmkb.exe	40
PID 1680 wrote to memory of 1852	1680	Hclfag32.exe	41
PID 1680 wrote to memory of 1852	1680	Hclfag32.exe	41
PID 1680 wrote to memory of 1852	1680	Hclfag32.exe	41
PID 1680 wrote to memory of 1852	1680	Hclfag32.exe	41
PID 1852 wrote to memory of 2508	1852	Hiioin32.exe	42
PID 1852 wrote to memory of 2508	1852	Hiioin32.exe	42
PID 1852 wrote to memory of 2508	1852	Hiioin32.exe	42
PID 1852 wrote to memory of 2508	1852	Hiioin32.exe	42
PID 2508 wrote to memory of 1672	2508	Iocgfhhc.exe	43
PID 2508 wrote to memory of 1672	2508	Iocgfhhc.exe	43
PID 2508 wrote to memory of 1672	2508	Iocgfhhc.exe	43
PID 2508 wrote to memory of 1672	2508	Iocgfhhc.exe	43
PID 1672 wrote to memory of 2988	1672	Ifmocb32.exe	44
PID 1672 wrote to memory of 2988	1672	Ifmocb32.exe	44
PID 1672 wrote to memory of 2988	1672	Ifmocb32.exe	44
PID 1672 wrote to memory of 2988	1672	Ifmocb32.exe	44
PID 2988 wrote to memory of 2304	2988	Imggplgm.exe	45
PID 2988 wrote to memory of 2304	2988	Imggplgm.exe	45
PID 2988 wrote to memory of 2304	2988	Imggplgm.exe	45
PID 2988 wrote to memory of 2304	2988	Imggplgm.exe	45
PID 2304 wrote to memory of 2516	2304	Inhdgdmk.exe	46
PID 2304 wrote to memory of 2516	2304	Inhdgdmk.exe	46
PID 2304 wrote to memory of 2516	2304	Inhdgdmk.exe	46
PID 2304 wrote to memory of 2516	2304	Inhdgdmk.exe	46

C:\Users\Admin\AppData\Local\Temp\077075e7483f59ba07912e14a93b0340N.exe
"C:\Users\Admin\AppData\Local\Temp\077075e7483f59ba07912e14a93b0340N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\Hhkopj32.exe
  C:\Windows\system32\Hhkopj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\Hkjkle32.exe
    C:\Windows\system32\Hkjkle32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\SysWOW64\Hkjkle32.exe
      C:\Windows\system32\Hkjkle32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\SysWOW64\Hjmlhbbg.exe
        
        C:\Windows\system32\Hjmlhbbg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
      - C:\Windows\SysWOW64\Hnhgha32.exe
        
        C:\Windows\system32\Hnhgha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Hdbpekam.exe
        
        C:\Windows\system32\Hdbpekam.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Hcepqh32.exe
        
        C:\Windows\system32\Hcepqh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Hnmacpfj.exe
        
        C:\Windows\system32\Hnmacpfj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Hmbndmkb.exe
        
        C:\Windows\system32\Hmbndmkb.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Hclfag32.exe
        
        C:\Windows\system32\Hclfag32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Hiioin32.exe
        
        C:\Windows\system32\Hiioin32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Iocgfhhc.exe
        
        C:\Windows\system32\Iocgfhhc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Ifmocb32.exe
        
        C:\Windows\system32\Ifmocb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Imggplgm.exe
        
        C:\Windows\system32\Imggplgm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Iinhdmma.exe
        
        C:\Windows\system32\Iinhdmma.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Iogpag32.exe
        
        C:\Windows\system32\Iogpag32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Ibfmmb32.exe
        
        C:\Windows\system32\Ibfmmb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Ijaaae32.exe
        
        C:\Windows\system32\Ijaaae32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Igebkiof.exe
        
        C:\Windows\system32\Igebkiof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Iclbpj32.exe
        
        C:\Windows\system32\Iclbpj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Jjfkmdlg.exe
        
        C:\Windows\system32\Jjfkmdlg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\Jjhgbd32.exe
        
        C:\Windows\system32\Jjhgbd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\Jpepkk32.exe
        
        C:\Windows\system32\Jpepkk32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Jimdcqom.exe
        
        C:\Windows\system32\Jimdcqom.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Jcciqi32.exe
        
        C:\Windows\system32\Jcciqi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Jmkmjoec.exe
        
        C:\Windows\system32\Jmkmjoec.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:580
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Kenhopmf.exe
        
        C:\Windows\system32\Kenhopmf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:980
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Kkmmlgik.exe
        
        C:\Windows\system32\Kkmmlgik.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 140
        53⤵
        Program crash
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbdofg32.dll

Filesize
7KB

MD5
d4ad68d787699ab5b0bfe80a2ddd4d9f

SHA1
c64359adabd6e8410764e767c0d18e68c1e4ba0f

SHA256
6a81579e893ca715bf09cfd6923ba70b08246f6e575c4d843de76c8052a906ae

SHA512
5aa9582dfab4b6ba9d4ec254945b9f2f7b0b20667420de1837136cc8c415d8a1293662511a6eb5aa0fd4a82144e75d081caec0ba2b2bb7b6cead8ebe8d18fd26

Download Submit
C:\Windows\SysWOW64\Hcepqh32.exe

Filesize
90KB

MD5
99944b9ac57a1d5aa6ad48eef412f5c8

SHA1
149242bef99129bc3fbc10ff2b87826b4c28fac8

SHA256
88c2b739c58ddf49388e8c2d57ddd6c42760f3325bbb518f8c9dd051e92b544e

SHA512
b6de9b668416b7b7e72f70f0dfbeda40f83319e53a0eda8cad4bcc5217e1ec6251f4fe56e31c235bd34a39704f9ba8514a2c2306c2fc2f677ff5bc6db60be4aa

Download Submit
C:\Windows\SysWOW64\Hclfag32.exe

Filesize
90KB

MD5
abcf6fbe36978840698775fca56ce6e8

SHA1
7202b1290868b0272a5c3b8a699990279960bc22

SHA256
8aa2d51c17ed849ed5a84f8be125d07d7eb68be46ed447bd2b0ffdac027deddd

SHA512
1ee8e0cadcf8eb8d29af90ae8e61d0c5d78a7cd1abf070737a3ada8081eb1a732751d34befc22a311cd60c9594f9b1027aadf25ccb534592219bc4ff7ab1d93d

Download Submit
C:\Windows\SysWOW64\Hjmlhbbg.exe

Filesize
90KB

MD5
57333244797666ee2f8ecf91dac3ee75

SHA1
e3640adb6c58a0b064da62f35a6f259de85bf1a8

SHA256
b665b0f1bab3be2a140e43e2729a0afed029a40fc91db7cd3ec2baa998f7687c

SHA512
610f536d910fe988bda2a9206bb566cdd3b77d9f1a14ddbc33cf6f94773d01248e2f97dda8c60717b8926ed2eed6778336cc7b776618f259f67746be02d150b7

Download Submit
C:\Windows\SysWOW64\Hnmacpfj.exe

Filesize
90KB

MD5
b32b26cd48d00156ee090366dea09870

SHA1
fcce68c8dad0ef63bca7753d53073edc18e582bc

SHA256
09a09f3152a274ecc01c4b37d92d4342615084329508c8650e54fe86a07ee28f

SHA512
e4c05b8e152586e7829eba57ef966aed2b02a2733b585218ac45b0b80374cace5164915117fbadb7718020c22bbe6d89945ab156177c761a75e22c0db39c4041

Download Submit
C:\Windows\SysWOW64\Iakino32.exe

Filesize
90KB

MD5
fb72987b2cb35bc2c885bbae25ce3ffd

SHA1
2ed2a0de94c3d98a4ba0194cee3276227c7911be

SHA256
4cc9456a6bfd709e0103c78851e75c7e7debaf1de05d769dc260f375f8d72ecc

SHA512
f64cb071a4ff3c01a40cf9452dcc1e2b3711d7c93e257bddc5aaf601d59e0688874459572256f7b58bb5bcd93b2430387ce4e822d08f06ef60fb92d6d8e9c936

Download Submit
C:\Windows\SysWOW64\Ibfmmb32.exe

Filesize
90KB

MD5
eace6a415a026bfd42de8ee4c4b77938

SHA1
4ec7ff6aa504497176a1164930c42408a71d04ad

SHA256
dcf3dc646b84adfe3ef63b1888de18c05924ecfbd529ef4ae06f35c0a2f3d638

SHA512
3c932c6dcb2f25cb6301edbaecd4da4751d818157167b48ae10046bd9049b1daae907e523e7cd80f5f68bccd42856a07f3ecfccf8382015f6acc4bbc17e9de7b

Download Submit
C:\Windows\SysWOW64\Iclbpj32.exe

Filesize
90KB

MD5
4fbfbd17c89f6b66f0615ce4b3115488

SHA1
cd1eb103cb061a77fc41d077ad3823ea1c3ace68

SHA256
52de83aaa1ddc226bdba230505c512770c7cae7b51d4e5583eb43ff9cdbbb011

SHA512
01da8a70a9140ddc83646007e5a4c7bd92016305d280ef18914d64744ffe4f1f1664f9923382aaab22e4eb706b509c5c2d5b98a75e74d09c6ecb2bc46ef3c7ba

Download Submit
C:\Windows\SysWOW64\Igebkiof.exe

Filesize
90KB

MD5
d9c9e4cef00c34087f8806974986f55e

SHA1
b41ddbdbbc937215caf904979c70892b7bfbc4b8

SHA256
7cfba317723d4a5d93f818dd875a1d3eae7424ba562220b949087a274ac0b7c9

SHA512
d3c2d9127283d7d64904ea5588b33816c1516a9cb4d7edd06eaa141232976ee2377231a03215f834a534a8c95748728d94db2db2a29ecde6e40e235fbcfc249f

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
90KB

MD5
7d7dad0162f4646648c23550cd413251

SHA1
536685058b0cdb9b8c121c8ad9f6eff3c20c9d64

SHA256
e11f024ff28d2c570952f259080e9579eb34dd35c6f9453d2383cf9d091eeae9

SHA512
145a569ede5a63b565123e726abb713da2e93d821211ecbc235c87044164de7eb0964488bd42c482ce3a86f35dafffca067e22594b381e404ed801a4e9c880be

Download Submit
C:\Windows\SysWOW64\Ijaaae32.exe

Filesize
90KB

MD5
71a197459d288b24d60fda0b50ee846c

SHA1
026bc7da28255d4d3a86491ae5fb2d99f1d57225

SHA256
c827d9d06a64b7fb81691eb33df83727017d7313bfee778723ccce5ef5325bc3

SHA512
2ab576ff6ff8c753030ef3c5c35552b0ccac15638aef8e33f99e6bc9ebb7078e4e8619fc28c904f05bd3237f48ab849a97feff2169afdd751988cc15fb1ebef6

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
90KB

MD5
a3fc5d4ddea55aab4b8c7ea415abb19f

SHA1
84351873213a9dc566552416250c952c1b54e9c6

SHA256
7e9b5705fef28f2ac55abc7fba06a150dde24f5bfbec0ca2935138db81b90554

SHA512
1b628a03ce711269e558007d2b8574ba501ffcf7c2669a87032d4eea5318a7602be6f05ed4614dd7ce7b03325fd1e8b9732cd7b0c2e177d8d45af5eca7172afe

Download Submit
C:\Windows\SysWOW64\Iocgfhhc.exe

Filesize
90KB

MD5
b5c2dae2c6d4251b136b7dbe22b0839d

SHA1
9cf24963ad4c347c1984bac6760008d8ca297281

SHA256
88450425b1e49b8838d053009b7dc1fefbfa0e8357e8236b9e41d2f9a599615d

SHA512
9aed864160668556a34c914a3925e5fe6537b42f48a01b486148e596ef5e5bbc66b0a53553fb5b6253d86e4065322e582a723b12450fd7cbd796e6bb37bb39c3

Download Submit
C:\Windows\SysWOW64\Iogpag32.exe

Filesize
90KB

MD5
cf8e1d3983c9468ff28f35d97ed15e6f

SHA1
6d70fb6358ca6c33021bd766243898e369bd32cc

SHA256
7ea894d6fa94e8885fade7650da56bea9378df171e220cabfb5c02c11ffcb03a

SHA512
60dedcb46242f070aa1606ecd742c4065896d91d325d0f79d3b8ac33b711057aefcc1a358e3148f6e1519b6aa7b311b86e65d59644fe8aeb12cbb9fdcd85aaf5

Download Submit
C:\Windows\SysWOW64\Jbfilffm.exe

Filesize
90KB

MD5
946d78ab685d3c934c133b9829f8b155

SHA1
47dea1070c1b6f75b6f8ea7f7135dc3b87d1dd5c

SHA256
8179626d63d3affacba5eeb408909c4cc0ab8c37f580b7fb83b8480750d563fe

SHA512
1f5bc76c80864ccb95602995317c14cf77211e06cfc4256b5a546fc812088eabc8506a9338d738b4a7d38069f5614287e437e29bdda11eeb6b6ac5a597c4019e

Download Submit
C:\Windows\SysWOW64\Jcciqi32.exe

Filesize
90KB

MD5
031bfa83aa0fcc0adefe73ddbc1d1d2c

SHA1
1b89fa4d9c5669f4ee18f98a1ead596f93c22dfc

SHA256
ff750be317f52a769701b521e6a977e414786374caadbcf74f3512936e5b9b26

SHA512
c9cd8a9075c9101ca23bfe7556737c2ca39f555b9548f4e868be6f53e955bc3064d6589b9e09c2f401337575d40290ae407509b07d5a56fa033c5a9ded5072c9

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
90KB

MD5
7019e6668b18d65b725babc5db48dd1b

SHA1
6f6205385d421d5afc120976a46a0420ab1ed5d0

SHA256
c9e3457ced5f82100b3fd12dc40761a5938d0985f6a28c28490f9789905d9a53

SHA512
1021ebdf3839a4ab01ecc6e04448d3a9f257610ebe7530600377779ba415bb09a66ea0fecf70b18f47284fcfca663a9af01eebcb321df1a7d5d72bb2bffcc3e6

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
90KB

MD5
b4ad74fcaae2e9dffea796ff857673e0

SHA1
60b194db87e0728271b4868479b4c10d97d19817

SHA256
5db44f7a8c1de644ae9534e8c5e2388c4b48d65ca15f12594075d4686966e972

SHA512
556296c979cd0e2b1d20e7eb81fede8205b1778cece3d2753a95b736dcffea2461fb6fc743568fcb0056465559cf66a7c1779849a885026ad71c4003dc671aaf

Download Submit
C:\Windows\SysWOW64\Jimdcqom.exe

Filesize
90KB

MD5
6dff27cf3362ad2c40aa1172356eb64f

SHA1
380d1eb4282f2f7144d2955e1bc9a6c8503a0457

SHA256
3eaa2065cd313d042fb9f27c2d1e91f0c2ef24b6a365a47819a7297a4ac07cc6

SHA512
1958510bbc66a6e25aeba8f329e0b19023b47d9f5dc061ed39527064572ccc20b3eaabafb9f9a103460c66be685cf67a25c910a74a6741cd09da9312472af31c

Download Submit
C:\Windows\SysWOW64\Jjfkmdlg.exe

Filesize
90KB

MD5
4bd68afb48e5c9e13e4b92ba2f2bfd0d

SHA1
207401a9f1c9d95020ddde7a5eea03e4dc7442bc

SHA256
b03a7b67d53224e06f60ffe98c1f2058152e306099c17610f201a9675dcb88c8

SHA512
1f87192cf10d3cd9cd501294e1a5ba15c97d0f5eaa8d626f0c519502e99245d588a737216e02fab38f2a6390ea23c10f816e4790d20ab24837d7345a6573f16c

Download Submit
C:\Windows\SysWOW64\Jjhgbd32.exe

Filesize
90KB

MD5
6510c43260daa6dd48102ecd675d0521

SHA1
93890e9eb0c876f6341f2ae3fb74d4785bb7355d

SHA256
8737b068515acc842a7d8e0006182171120bffe39ae5e9d1dd005fbf2fd67291

SHA512
c0e0cc75eaf72d99edb06eea38e842f5c667ae0f25e3e2d1966c9ee4bf086990ee6433912f77596568cc8bf555e63aac13c6711088df7fce40351fadcc5131a0

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
90KB

MD5
7f02f8a58741ddf56f45ce0a6a8c4441

SHA1
f64ebbb71a2674d083cb8923ff54d896aadbb41d

SHA256
7b1d6e60b62bf28e5b011cb4f217d43b2f89d4fbb30a8af17579211ab48583de

SHA512
a00f6510fc37e8fe1a569fe1e2355acf2f464f362eac1d67f1c1937ce5648a2b2f1534abe4a51d7f13849808c3e7f500844f4c6481824741a42b70b3c62cd832

Download Submit
C:\Windows\SysWOW64\Jmkmjoec.exe

Filesize
90KB

MD5
e5b39be91e25f2c505c0ffde6262171d

SHA1
e0675d06ea71542b0d23f83c4063ad30270b8a29

SHA256
6dbe1d865ae031d42ae625a98821d2d0b7d016c2b5e048db385a70a36bcfe847

SHA512
88c295f02e149299b2b5866f0c6170a4dd72e621bfcd2cecfc6abd43777dc7a35e1473832995b28d66c256ffa7e4171bbf7c28c737dbb74529eadb6a95d38eef

Download Submit
C:\Windows\SysWOW64\Jpepkk32.exe

Filesize
90KB

MD5
f7d93049574780a23bc7ea67eeca8239

SHA1
8ed9d92da28b5ff9436a57b51ce8f98279586f6d

SHA256
e21ee599741bcd1d66d90d360c3cdce162c9391dcc3498e190927d62739685f7

SHA512
0bd8af1eee296bc4feb443b34a139bcee83e5834641fe9793b065d75333771801fa83c1786e3a47539b5aa282f82bb8077efbd47a11d4ed4355aebc444395548

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
90KB

MD5
75f8c9219a83b733fbb04f0b7e37cf28

SHA1
3ef01e7b4c6809fff76c2d5d31b56e3062101662

SHA256
d07c67879ac0943e49d37990e32fe9136ab097e77fd64c2fc85d8e413d609ba2

SHA512
6418c671f435c46f24943d962026defb8d026568a3a761eac80d033b26491eb9b6667b7f88e7f7b53e1c5953ac5f4cc0a4599b566e8711e1589ec58bcd416c09

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
90KB

MD5
943c0f8bb8709c34382910f42e2ecd6c

SHA1
40b558c113654205c10e0ccc656236d11e18bc3d

SHA256
9b6e19097601b9c110997e1d54331502408d5df97d79a06a11c0c0eb577ef532

SHA512
688409016c581cf36307834c147982377911e26680c1037f8365f7c4915966dddc54ad57c2d7e8604252be31af32ea60bc41765f18743633c396e08fa7f87b95

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
90KB

MD5
8c58a463fdfbbd5aec32db53bb5e7451

SHA1
4a90be11f11c26b2281d48d2e7a5764585bdc513

SHA256
fdc0cf3b6c91cead640a5c049fe8f50fa821bc309fa0c29c6b14aebe4ff25450

SHA512
c1d3afb151462a553c3a80227e9d809aaed54e0ef9e1fc2df74871a6bf97909d1ccc5ae31b424890c6cf5eb58b1e0322dce7b19e86f3ab0a2d765df231f2fffc

Download Submit
C:\Windows\SysWOW64\Kenhopmf.exe

Filesize
90KB

MD5
8db79a7e355bbf2e27ba35c37fc44bf3

SHA1
482a7a0d378ed000215211d8e7af6e810dcaabe9

SHA256
8dd8b2a0076ef7c2351346856350f04eb4b7f81a2bc3fec7ecea7516a5af2b27

SHA512
88e05ab998820607901a8d4a5517fd4eec9bd6bf49c1eb35d4dda96543223946c470458e2166139d00e5d3382b2f41f03572d12a94cf808bb07b75433cdcdb89

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
90KB

MD5
b10bc1b7dab5ed84b354128d2978c3e3

SHA1
d26c02400994ec15dfafffef2faebef60ea8ee11

SHA256
e1e9fd1516884cece3e7a8498bdf550c9826bdc53e4827ca5888e37fe9c54092

SHA512
1abb74596ef2728bf29130ee82d682a5b0469bf31c6cf2e39af8a63be2850616e09919546cbbc376e534a3d430b6ccec859b5b94993d31d6c05238db980a6f06

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
90KB

MD5
c820e96e43a0b67acf5c4a65a1b8f6c3

SHA1
2a4e7509443e02355dd99c5b446240208576fc4d

SHA256
0e4720b2893683cf0fe15d9126d976a1b46b42690c24160840dc0cf9c4060c5e

SHA512
9a0f589d6c926ed303eb49913fc010b7af4280f5dcbdb0cd6a8016523fa156d616b631a7d5ee1fcea168808eb344ae17998783525ed7fab7a6a7b264be64b826

Download Submit
C:\Windows\SysWOW64\Kidjdpie.exe

Filesize
90KB

MD5
3aa0e86c5288df506af07ead188b9ac5

SHA1
3f598091ec7591b83b5c2ab64e5e1302b0b6b226

SHA256
a84925aaba38f95f95706ee987666ccfed54c359249e3183d89bf64b7f2f19e3

SHA512
3de7982ca98942b73e482c50340bd4bbf651c9afce203dd2f0f20c2755d33bbaf305498919f8b451bb5291b7b9c12566c9d14e6035a2d943fac4110586795ef7

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
90KB

MD5
ff64909f8ae2ddbda29014f58f3d8b19

SHA1
6e3b77e2864c300d4f44445efa002aeaa8ca23c2

SHA256
5e58ae5d99524c8fbccd3493fb1596a9be633136879f624615929c87efbff634

SHA512
86edec9297fda328c441f3705ec9c508fe6f2c246e0447a5a5d889b7efc59cb1c9a9b32fe3a6d4c1f54373e20859d39daa436022eabac12905dc2027de86e9c8

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
90KB

MD5
eaeaea8f28f8e0203ebba20d7ae27476

SHA1
ffb09d737cd3da6242cce7290258dcae8e346327

SHA256
00775ae52aa3412406febc10b22f24c588bd48b586c5448936e8b6e1caaa613d

SHA512
ca6aabd2da3bb8cd024a9f9ad67c2e7d1dfb1aa76bb2c853abab42f88a8bba9decb5b08b9dad28f0703b7d43c53481b7cfc7479cee2bf7e4a7832f95555ac2f0

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
90KB

MD5
16567e480485043134c9494ff2c59275

SHA1
a60f36153fe4f8de17d1d02950f69e39f037c936

SHA256
fbbc8fc19415454962e3d02702de72c2e53eb8a63ab3fb937e1a558bbe9eeaf7

SHA512
0df3d70ae1b1d45d0ef0497026b86e231a2a6a2d869f05d1565396b0198a6e3100eed226ac6fcd952c4b96cd49a8eecb1040847be28d992bbbcd5bad4db3f048

Download Submit
C:\Windows\SysWOW64\Kmimcbja.exe

Filesize
90KB

MD5
5060e04ed3029859527b777a31b2fc3d

SHA1
8f48476c704e8fe2c91edf85e351e968992e92d1

SHA256
43afc72fe9d4c1d93c05589c79a3b5c598087119e7257fae6e37fffcd25e5453

SHA512
e000a98e62e997c6e744c808b01b50c6caa5fb7b2463633062a401f67b10e4b067f5a699aeea464dd7ce1163458874686b514c1bd7a42a572f62ce509c31949c

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
90KB

MD5
28076a548f0aaa5f8efc7592412ec515

SHA1
b31e57188b928c0b566382c1f86c318f6cc4d456

SHA256
746b8f3ad153afb6d973248eea2b7f58d41d9bff315614f4a61ef8172275b25b

SHA512
2a0ab4479dd55f1a0f67c51f604ae4f59b8bda4a3cf0eb2719a4a30503a867c50cd63d125c6e0c05b60615d15ed07b7b818f235dfdde11c4421b9b3c2ebb6179

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
90KB

MD5
b82e89bbd5ea0bd31b7db574387381a6

SHA1
3872d67f16168a8ffd3345e881d6916ef7e32610

SHA256
c093de328b411eb372c51019246491c4ba74d3f43087823726c0e6d71c645b5f

SHA512
fb3c54b6032d6a706b5d561490af273207344b74b90679ac6d8fd7fbab4cc188f7794a18ae1a87aec1133131f35ab5d54f7874fc65dcbf349b8561059fe93ffb

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
90KB

MD5
c5c1374fa216b69aecc1567f7107fcac

SHA1
41d4655f5f684880f8a54f59f4dba8a4b1f3f406

SHA256
01fb8a54773746fbc3ed1cfa373b4f2a69f56d9fd23bab6136934d625f14f96f

SHA512
2a0f3135b90460f4ae3737acaad89a758e94f3abfb46d6d344e84092dbf442bd1bf73098340f53e97a463428426454b397cd4fa276b68c5dd03cbd32c9761963

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
90KB

MD5
6566ade3a7b6db6070edaabdc16c0016

SHA1
16c0f4c87df1c3011db0c50116a693005ff51cb3

SHA256
bbe33e0f4967caa2390ca82ec6e39c61d5a59bc052bdcc6628ec2751e381509b

SHA512
b8e42d34280a18b7134a26f0716c9299bea28304821c272ae8d21c173a2bfb321356444caa8c98425dca7e92a01dfff052fb2ab766b82df0d8c993de3eb143f9

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
90KB

MD5
b2ab645bb7d68f467b7e994c475a561c

SHA1
6b31e3bc0eeaba923943377095a7c80b676cb5cc

SHA256
884d4babc013b1bf5fabd087891656d1475ff3f64654b355286b568a59acbc1b

SHA512
3d924dab042f14013c9506c094e1c19e5ae6177a69618be66873a0b0c718f9fa79596ba306af848a3f46b787015db8fbb4fa0e56c21d47e5e31ab8108a7cd174

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
90KB

MD5
0bb0e5f6da5498d96f15be4b7f04d68e

SHA1
dbfc08e87f95e36dd40a846a40b9ac6271da9e4a

SHA256
51c047196070fbfe33be9ffb5f26f78360114aed19abbaca59f0dc25c60fa8fa

SHA512
9d2f47d7fde0ab2909b592bf236216ed8e8144799453a7b08d8e130b7a15f79c8972b686fa966d939366a9a29416c7d340125b32ae74e1105dcd638c23b09495

Download Submit
C:\Windows\SysWOW64\Nmogcf32.dll

Filesize
7KB

MD5
dded025ffc8f87f989380616eec2eb1b

SHA1
a4adf54cedb1a897bc83a5176d590f598713fef1

SHA256
6190865a7a0bd7c5600304feac01f24872ca348cf78d0b19e0ca7635045d8672

SHA512
af4dce0dab6dcad0ef8ffdefda280cbd6646d539fe77a3009db704d27c7ef2417401517a3fab1ac9dcf43e56655c94055d18a89bbdc13dc33c15cad28c2eec2c

Download Submit
\Windows\SysWOW64\Hdbpekam.exe

Filesize
90KB

MD5
3870d1e2288fe2443c4e5b68e9f64eee

SHA1
fd0dc025b5c9dae0b38586e287ea4f7ab1ce27c7

SHA256
a8cd9caf60719ca328843fd794f60b2abaa65768a94a46d8d81c972cb5bf0614

SHA512
57a9d05ec0aba9100300e3babe68e0e60f34c524c806237d4826bee1df8db1b5f4453c61cdae9cb7c4a54dce4c98a1484b0a3c20537f10ea288c6e4714ca9565

Download Submit
\Windows\SysWOW64\Hhkopj32.exe

Filesize
90KB

MD5
0b37f997c9557f3b588c36c3a92e6dd1

SHA1
dc8d46569780d6bba6283001748fd82e42649be3

SHA256
739c885c17f288ca17be6a48e2de8bc98b92cb224d6ceaef354ab0e2f28bde6c

SHA512
536ec96252ad20ee373ad25251a463745c76fe1261a21ce6918e5397beed2a61754e9f0274ce26cd1253de0790587db528dfdf03578d089800770559f073221e

Download Submit
\Windows\SysWOW64\Hiioin32.exe

Filesize
90KB

MD5
203c86f7c95658024f027264abeb2903

SHA1
237dcae775cac03516df04c7e1ff6afb244ad2e1

SHA256
d226eb1be898b9c825c2af2a9f6adaf6fdaa72ae068d8cfd8e5851a405bb9b4a

SHA512
dc9420285701f7ffb6aea6a7b48f4f99cfa8dd28c8e6a0b992b2bf61fa92b586917b7830b4b4529d9926085cd1602b95fe68582f9ac3e4499e4e014ff9afedc2

Download Submit
\Windows\SysWOW64\Hkjkle32.exe

Filesize
90KB

MD5
11fc4ad145e76ff9dda46bfb3d76f1b2

SHA1
bc924f088690966b10356d23419922d67fd9387a

SHA256
c529a079717021b6547e92d7dc4c2dd06c977508d15b2eaa64fab8427b83d7eb

SHA512
3cf7a20f9c4404efa7db9a6680cef06e630098bf4a002d7247592365cd0a9ad514bf7836f6f97fd5eb5be297881f3c159bbbd08c6eb4a90e5e8ed18813b5fb73

Download Submit
\Windows\SysWOW64\Hmbndmkb.exe

Filesize
90KB

MD5
ed70e77e6f2a98ebca0b29a995ebd354

SHA1
c4d67a901c4a4b5dc750a07907f732aec77c1e0b

SHA256
b2c2d8ba4abaec3dea974dfada3345d4cc525ac9165fab0d9371c614508264a7

SHA512
9dc34eb34348685229353c57d9e09668e43f048cd3f081bd3f3721a95070b2116fcaf1b99e5fae240530482653740309df797466864717316409bf59f4cd4084

Download Submit
\Windows\SysWOW64\Hnhgha32.exe

Filesize
90KB

MD5
592540fc69b0362951639109c0b84e8f

SHA1
53f819f75bd89516b879af19c6c46c55a49fb779

SHA256
e02e6f28eb0e6c96c68181aefb8babbd54f4831d040622c28f9416ec5b718b24

SHA512
2caa4950a8d85fc0f3a8ec4b1a971bc4458b032ee9b51c3ab3232c4a096d7ec214165d32b94dec20a6f7027be63de7ffa2fa50efc7e333953d34f5fce66572f1

Download Submit
\Windows\SysWOW64\Ifmocb32.exe

Filesize
90KB

MD5
8319ea13928516ba68bf187b52c7f753

SHA1
de0abd8df9263ef001907f487de87a718796df6f

SHA256
7f6500fb340d790f5ea471d96451b6a44ad00d7613c9df28cb368fa01729355b

SHA512
9dd53f32be15adfad533b0f53a1f94759af2aa9174f95d310bc59dcdc0ce5560eba5f4027d8af8df69bdbf6dee128e998c00748ba379fde9181e0369ac9d911d

Download Submit
\Windows\SysWOW64\Iinhdmma.exe

Filesize
90KB

MD5
76662a0778b4141d9d39717dffc37d08

SHA1
4e00edcac34ebc2d92badae4be729da45777a339

SHA256
dcaa5dbd137679ed160c6eb9bb1463fb7e7de655b34caddf826d08fdfa7bc40a

SHA512
258bbef6199ef189515f40ac1a263548da5806df6fdba9192a63ddc0c569d9e191373736529e71bb1a01da0058cf67b74d73104ace7dc3065ea4e29d43d6d471

Download Submit
\Windows\SysWOW64\Imggplgm.exe

Filesize
90KB

MD5
9c5b1f8d379bef6a71f0281a249ff15b

SHA1
6707f8ccabbf7a6bfcaca5f6696038dbf2922867

SHA256
3b1a413f286adc01bd91e36d9e3cd2faaa0c09021db30ec34c8d84eaedc8f12a

SHA512
751460a8c075aaa56da7a7eafeba3438cfd3b941dea86bfe262fb90d03eb32bd050cd13a275c9cb6645be0d8e3cc5e93e86de44ef5635387e9e4f7da93e8c8a9

Download Submit
\Windows\SysWOW64\Inhdgdmk.exe

Filesize
90KB

MD5
60d33ddf831a948ae18ce68d09e571f9

SHA1
968e9c5d4ca3dde65e8b93626766b767702a2790

SHA256
d68b801a3d452937bb8d3667c5a042a9924fb1ab10ea6676d5a6238daca4a78b

SHA512
d4c3fcbc8a8bf194788b45aded4a7d58f85bf72f897dba5b496cb074dff60002b7ff0767979fe682e4f211da938ecad3ac9e14913c0a644d48a78ba84f622688

Download Submit
memory/380-386-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/380-385-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/380-376-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/580-442-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/580-433-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/640-225-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/640-233-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/980-484-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1028-216-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1168-76-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1288-483-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1296-72-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1296-75-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/1460-504-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1524-114-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1524-432-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-166-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1672-485-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1680-443-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1680-134-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/1680-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1708-403-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-265-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1780-261-0x00000000002D0000-0x000000000030D000-memory.dmp

Filesize
244KB

Download
memory/1788-266-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1788-276-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1788-275-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/1852-461-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1968-419-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/1968-413-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1992-298-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/1992-288-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1992-293-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/2032-428-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2032-421-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2060-107-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2060-100-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2060-420-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2060-427-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/2096-398-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2096-17-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2096-397-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2096-405-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2096-71-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2096-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-331-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2168-329-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2168-330-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2200-245-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2200-251-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2200-255-0x00000000002A0000-0x00000000002DD000-memory.dmp

Filesize
244KB

Download
memory/2216-465-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2220-277-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2220-287-0x0000000000320000-0x000000000035D000-memory.dmp

Filesize
244KB

Download
memory/2220-286-0x0000000000320000-0x000000000035D000-memory.dmp

Filesize
244KB

Download
memory/2240-235-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2240-244-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/2428-464-0x0000000000450000-0x000000000048D000-memory.dmp

Filesize
244KB

Download
memory/2428-463-0x0000000000450000-0x000000000048D000-memory.dmp

Filesize
244KB

Download
memory/2428-462-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2508-153-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2508-471-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2516-212-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2516-205-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2544-83-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2576-447-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-414-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-98-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2584-86-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-309-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2628-299-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2628-308-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2640-81-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2652-364-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2652-363-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2652-354-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2668-342-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2668-332-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2668-341-0x0000000000310000-0x000000000034D000-memory.dmp

Filesize
244KB

Download
memory/2684-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2684-320-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2684-319-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/2712-84-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2752-82-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-353-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/2812-343-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2812-352-0x0000000000260000-0x000000000029D000-memory.dmp

Filesize
244KB

Download
memory/2864-396-0x00000000002F0000-0x000000000032D000-memory.dmp

Filesize
244KB

Download
memory/2864-387-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2988-502-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2988-503-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/2988-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2988-187-0x0000000000360000-0x000000000039D000-memory.dmp

Filesize
244KB

Download
memory/3016-373-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3016-374-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download
memory/3016-375-0x0000000000250000-0x000000000028D000-memory.dmp

Filesize
244KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads