8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/09/2024, 00:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Size

128KB
MD5

c31bcfaf9c9958676534371b0b7d9483
SHA1

f2fa623c99f0de3457f357e91384deab5fb3916a
SHA256

8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b
SHA512

a1da6eaaef7854cdf20c03eb9e08ed6814cf68f2289e8f0dcd5b0230f4ad44213024387cd1fbed23d7f12f9013d4f510de085dd33901d018945a4f6bbe95b4af
SSDEEP

3072:l4pskm4Kh5CUBHmwsB521J24bwf1nFzwSAJB8g:lEskmVC8GZ2P251n6xJmg

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leikbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jefbnacn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llgljn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koaclfgl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laahme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbfilffm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocpbfei.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imbjcpnn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kageia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llgljn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lidgcclp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnmiag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmkihbho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmkihbho.exe

Executes dropped EXE 34 IoCs

pid	Process
2780	Imbjcpnn.exe
2556	Jmdgipkk.exe
2572	Jgjkfi32.exe
2564	Jfmkbebl.exe
2348	Jcqlkjae.exe
912	Jllqplnp.exe
2392	Jbfilffm.exe
1444	Jipaip32.exe
2264	Jnmiag32.exe
1304	Jefbnacn.exe
1916	Jplfkjbd.exe
2608	Kidjdpie.exe
320	Koaclfgl.exe
2168	Kbmome32.exe
2104	Klecfkff.exe
3000	Kocpbfei.exe
2328	Kdphjm32.exe
2124	Kmimcbja.exe
2508	Kpgionie.exe
2312	Kdbepm32.exe
2032	Kmkihbho.exe
1260	Kageia32.exe
2452	Kpieengb.exe
2424	Kkojbf32.exe
1700	Lmmfnb32.exe
2804	Leikbd32.exe
2664	Lidgcclp.exe
2344	Llbconkd.exe
2716	Lcmklh32.exe
2200	Llepen32.exe
1492	Loclai32.exe
1052	Laahme32.exe
2148	Llgljn32.exe
2588	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2688	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
2688	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
2780	Imbjcpnn.exe
2780	Imbjcpnn.exe
2556	Jmdgipkk.exe
2556	Jmdgipkk.exe
2572	Jgjkfi32.exe
2572	Jgjkfi32.exe
2564	Jfmkbebl.exe
2564	Jfmkbebl.exe
2348	Jcqlkjae.exe
2348	Jcqlkjae.exe
912	Jllqplnp.exe
912	Jllqplnp.exe
2392	Jbfilffm.exe
2392	Jbfilffm.exe
1444	Jipaip32.exe
1444	Jipaip32.exe
2264	Jnmiag32.exe
2264	Jnmiag32.exe
1304	Jefbnacn.exe
1304	Jefbnacn.exe
1916	Jplfkjbd.exe
1916	Jplfkjbd.exe
2608	Kidjdpie.exe
2608	Kidjdpie.exe
320	Koaclfgl.exe
320	Koaclfgl.exe
2168	Kbmome32.exe
2168	Kbmome32.exe
2104	Klecfkff.exe
2104	Klecfkff.exe
3000	Kocpbfei.exe
3000	Kocpbfei.exe
2328	Kdphjm32.exe
2328	Kdphjm32.exe
2124	Kmimcbja.exe
2124	Kmimcbja.exe
2508	Kpgionie.exe
2508	Kpgionie.exe
2312	Kdbepm32.exe
2312	Kdbepm32.exe
2032	Kmkihbho.exe
2032	Kmkihbho.exe
1260	Kageia32.exe
1260	Kageia32.exe
2452	Kpieengb.exe
2452	Kpieengb.exe
2424	Kkojbf32.exe
2424	Kkojbf32.exe
1700	Lmmfnb32.exe
1700	Lmmfnb32.exe
2804	Leikbd32.exe
2804	Leikbd32.exe
2664	Lidgcclp.exe
2664	Lidgcclp.exe
2344	Llbconkd.exe
2344	Llbconkd.exe
2716	Lcmklh32.exe
2716	Lcmklh32.exe
2200	Llepen32.exe
2200	Llepen32.exe
1492	Loclai32.exe
1492	Loclai32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ffakjm32.dll	Klecfkff.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Imbjcpnn.exe	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
File created	C:\Windows\SysWOW64\Ckmhkeef.dll	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Jlflfm32.dll	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Ljnfmlph.dll	Jgjkfi32.exe
File created	C:\Windows\SysWOW64\Kidjdpie.exe	Jplfkjbd.exe
File opened for modification	C:\Windows\SysWOW64\Jnmiag32.exe	Jipaip32.exe
File created	C:\Windows\SysWOW64\Pbkboega.dll	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Lgfikc32.dll	Laahme32.exe
File created	C:\Windows\SysWOW64\Kageia32.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Llepen32.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jbfilffm.exe
File created	C:\Windows\SysWOW64\Bodilc32.dll	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Llgljn32.exe	Laahme32.exe
File opened for modification	C:\Windows\SysWOW64\Leikbd32.exe	Lmmfnb32.exe
File opened for modification	C:\Windows\SysWOW64\Lidgcclp.exe	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Laahme32.exe	Loclai32.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Leikbd32.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jfmkbebl.exe
File opened for modification	C:\Windows\SysWOW64\Jefbnacn.exe	Jnmiag32.exe
File created	C:\Windows\SysWOW64\Kmimcbja.exe	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Jmdgipkk.exe	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Kbmome32.exe	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Llgljn32.exe	Laahme32.exe
File created	C:\Windows\SysWOW64\Kmkihbho.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Kmkihbho.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Jgjkfi32.exe	Jmdgipkk.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jcqlkjae.exe
File opened for modification	C:\Windows\SysWOW64\Kocpbfei.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Agpqch32.dll	Llepen32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Llgljn32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Llgljn32.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Mcbniafn.dll	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Loclai32.exe	Llepen32.exe
File created	C:\Windows\SysWOW64\Leikbd32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Jbfilffm.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Mkehop32.dll	Koaclfgl.exe
File opened for modification	C:\Windows\SysWOW64\Llepen32.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	Leikbd32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Lidgcclp.exe
File created	C:\Windows\SysWOW64\Lgjdnbkd.dll	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kpgionie.exe
File created	C:\Windows\SysWOW64\Gcakqmpi.dll	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jbfilffm.exe
File opened for modification	C:\Windows\SysWOW64\Kpgionie.exe	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Knfddo32.dll	Jipaip32.exe
File created	C:\Windows\SysWOW64\Ibodnd32.dll	Jefbnacn.exe
File opened for modification	C:\Windows\SysWOW64\Koaclfgl.exe	Kidjdpie.exe
File created	C:\Windows\SysWOW64\Pdnfmn32.dll	Kbmome32.exe
File created	C:\Windows\SysWOW64\Mlpckqje.dll	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kageia32.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Llbconkd.exe
File created	C:\Windows\SysWOW64\Ppdbln32.dll	Loclai32.exe
File created	C:\Windows\SysWOW64\Canhhi32.dll	Kdbepm32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kbmome32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1480	2588	WerFault.exe	63

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfmkbebl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loclai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbfilffm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocpbfei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laahme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koaclfgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leikbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbnacn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llgljn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kageia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnmiag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kageia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnfmn32.dll"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Llbconkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jfmkbebl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll"	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kocpbfei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pigckoki.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll"	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jbfilffm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loclai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcohhj32.dll"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnfmlph.dll"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	Leikbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmnfciac.dll"	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klecfkff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llgljn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnmiag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlflfm32.dll"	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibodnd32.dll"	Jefbnacn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbmome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Laahme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Llgljn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leikbd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2780	2688	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe	30
PID 2688 wrote to memory of 2780	2688	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe	30
PID 2688 wrote to memory of 2780	2688	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe	30
PID 2688 wrote to memory of 2780	2688	8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe	30
PID 2780 wrote to memory of 2556	2780	Imbjcpnn.exe	31
PID 2780 wrote to memory of 2556	2780	Imbjcpnn.exe	31
PID 2780 wrote to memory of 2556	2780	Imbjcpnn.exe	31
PID 2780 wrote to memory of 2556	2780	Imbjcpnn.exe	31
PID 2556 wrote to memory of 2572	2556	Jmdgipkk.exe	32
PID 2556 wrote to memory of 2572	2556	Jmdgipkk.exe	32
PID 2556 wrote to memory of 2572	2556	Jmdgipkk.exe	32
PID 2556 wrote to memory of 2572	2556	Jmdgipkk.exe	32
PID 2572 wrote to memory of 2564	2572	Jgjkfi32.exe	33
PID 2572 wrote to memory of 2564	2572	Jgjkfi32.exe	33
PID 2572 wrote to memory of 2564	2572	Jgjkfi32.exe	33
PID 2572 wrote to memory of 2564	2572	Jgjkfi32.exe	33
PID 2564 wrote to memory of 2348	2564	Jfmkbebl.exe	34
PID 2564 wrote to memory of 2348	2564	Jfmkbebl.exe	34
PID 2564 wrote to memory of 2348	2564	Jfmkbebl.exe	34
PID 2564 wrote to memory of 2348	2564	Jfmkbebl.exe	34
PID 2348 wrote to memory of 912	2348	Jcqlkjae.exe	35
PID 2348 wrote to memory of 912	2348	Jcqlkjae.exe	35
PID 2348 wrote to memory of 912	2348	Jcqlkjae.exe	35
PID 2348 wrote to memory of 912	2348	Jcqlkjae.exe	35
PID 912 wrote to memory of 2392	912	Jllqplnp.exe	36
PID 912 wrote to memory of 2392	912	Jllqplnp.exe	36
PID 912 wrote to memory of 2392	912	Jllqplnp.exe	36
PID 912 wrote to memory of 2392	912	Jllqplnp.exe	36
PID 2392 wrote to memory of 1444	2392	Jbfilffm.exe	37
PID 2392 wrote to memory of 1444	2392	Jbfilffm.exe	37
PID 2392 wrote to memory of 1444	2392	Jbfilffm.exe	37
PID 2392 wrote to memory of 1444	2392	Jbfilffm.exe	37
PID 1444 wrote to memory of 2264	1444	Jipaip32.exe	38
PID 1444 wrote to memory of 2264	1444	Jipaip32.exe	38
PID 1444 wrote to memory of 2264	1444	Jipaip32.exe	38
PID 1444 wrote to memory of 2264	1444	Jipaip32.exe	38
PID 2264 wrote to memory of 1304	2264	Jnmiag32.exe	39
PID 2264 wrote to memory of 1304	2264	Jnmiag32.exe	39
PID 2264 wrote to memory of 1304	2264	Jnmiag32.exe	39
PID 2264 wrote to memory of 1304	2264	Jnmiag32.exe	39
PID 1304 wrote to memory of 1916	1304	Jefbnacn.exe	40
PID 1304 wrote to memory of 1916	1304	Jefbnacn.exe	40
PID 1304 wrote to memory of 1916	1304	Jefbnacn.exe	40
PID 1304 wrote to memory of 1916	1304	Jefbnacn.exe	40
PID 1916 wrote to memory of 2608	1916	Jplfkjbd.exe	41
PID 1916 wrote to memory of 2608	1916	Jplfkjbd.exe	41
PID 1916 wrote to memory of 2608	1916	Jplfkjbd.exe	41
PID 1916 wrote to memory of 2608	1916	Jplfkjbd.exe	41
PID 2608 wrote to memory of 320	2608	Kidjdpie.exe	42
PID 2608 wrote to memory of 320	2608	Kidjdpie.exe	42
PID 2608 wrote to memory of 320	2608	Kidjdpie.exe	42
PID 2608 wrote to memory of 320	2608	Kidjdpie.exe	42
PID 320 wrote to memory of 2168	320	Koaclfgl.exe	43
PID 320 wrote to memory of 2168	320	Koaclfgl.exe	43
PID 320 wrote to memory of 2168	320	Koaclfgl.exe	43
PID 320 wrote to memory of 2168	320	Koaclfgl.exe	43
PID 2168 wrote to memory of 2104	2168	Kbmome32.exe	44
PID 2168 wrote to memory of 2104	2168	Kbmome32.exe	44
PID 2168 wrote to memory of 2104	2168	Kbmome32.exe	44
PID 2168 wrote to memory of 2104	2168	Kbmome32.exe	44
PID 2104 wrote to memory of 3000	2104	Klecfkff.exe	45
PID 2104 wrote to memory of 3000	2104	Klecfkff.exe	45
PID 2104 wrote to memory of 3000	2104	Klecfkff.exe	45
PID 2104 wrote to memory of 3000	2104	Klecfkff.exe	45

C:\Users\Admin\AppData\Local\Temp\8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe
"C:\Users\Admin\AppData\Local\Temp\8e998bc8d54cb1a66d7c3e00786fefae15983e0a438ccb9381d28ba9bc362b7b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\Imbjcpnn.exe
  C:\Windows\system32\Imbjcpnn.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\Jmdgipkk.exe
    C:\Windows\system32\Jmdgipkk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Jgjkfi32.exe
      C:\Windows\system32\Jgjkfi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Jfmkbebl.exe
        
        C:\Windows\system32\Jfmkbebl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
      - C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Jbfilffm.exe
        
        C:\Windows\system32\Jbfilffm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Jnmiag32.exe
        
        C:\Windows\system32\Jnmiag32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\SysWOW64\Jefbnacn.exe
        
        C:\Windows\system32\Jefbnacn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Koaclfgl.exe
        
        C:\Windows\system32\Koaclfgl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Kocpbfei.exe
        
        C:\Windows\system32\Kocpbfei.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Kageia32.exe
        
        C:\Windows\system32\Kageia32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Leikbd32.exe
        
        C:\Windows\system32\Leikbd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Loclai32.exe
        
        C:\Windows\system32\Loclai32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Laahme32.exe
        
        C:\Windows\system32\Laahme32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Llgljn32.exe
        
        C:\Windows\system32\Llgljn32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 140
        36⤵
        Program crash
        
        PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cmojeo32.dll

Filesize
7KB

MD5
abaa4d3f9de2756307b094e2bf612bbd

SHA1
ad414cb188feeb5302a510d54f23c3ac033fd4b6

SHA256
7e8c76a13e9065c4278cb29bc6358685996c374881cede1f209335849632dfac

SHA512
a48c88c30dd6087b179842c0582b9415fb473f46e593e2b871bec1affceaeb4588a552a41d1676beffdd3a6805007b09811d2b2c7f8fec8496c3c04992b47e80

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
128KB

MD5
179aafe7ae57223bf513d42307ed75e9

SHA1
1abe383f3069fcb8f98d525e089ee7531b84abd0

SHA256
ba5e01f43541f8b80c07241dd6e56f005fca22d1a302f75382e43eddb85b6905

SHA512
1b246b6864b2159ad7a389880cab2df9986e6896fa6d0a1a7700f8de7d5dbf9527df679053713baf8626ef02169d488679f55466ba9f33ae8c49a2f0c917d445

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
128KB

MD5
5e7da05ece804d8893bf4e990f735492

SHA1
b28fb9710d63e94fc7872a13d90434ba15d88334

SHA256
f77b92632c1c4440981210567171b340a6c7b78307522aa3ab11cb59fbe4ff58

SHA512
fdb56820626e5e9486071b959fb576b3d17df1d2f4163b439a4053a927206d6be7d93b3c62cae95e3b3f158cdbc0a2aa135cc81d66fa9b2e4ef4fc0adde32007

Download Submit
C:\Windows\SysWOW64\Jnmiag32.exe

Filesize
128KB

MD5
22bcfcc537955e11a8cdf2cd774825b5

SHA1
960d64217513b572f78ae91c778838ff06ab39de

SHA256
464c4fcb93e07d3081dbc2e91933c101982342cb8359d6de83ed9904e1491cfb

SHA512
45ab9f0bb8d232fe585e19b641422eafca59369b6005d2b2a556a41e3dc68847bee9cf9fef4d4c067ab90137962ab694d3d302381603923fcc6daa3479d1ecd7

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
128KB

MD5
9fbb68a52e6307be04a8881692e379ec

SHA1
a7135f7b0b1a6edc43092fcf70071b815ffc6c04

SHA256
ea3540b2c0961976d29e24e75bc6ceac3690361857cd7257119568e0b6ad7d46

SHA512
f9e66652a9e721b17ff275b4731ed1b387dde3f1406d21af4972a0331264666fb0e72b461b9caf3609308062e5baeb081d2766516d8a68512987b20ea0ed2127

Download Submit
C:\Windows\SysWOW64\Kageia32.exe

Filesize
128KB

MD5
88bda49201410cf8515550912fc28b7c

SHA1
163d8b66029b4660cffab33700c2c46d9f21b4d3

SHA256
bd96c89caecf5cbefef4d1e576f48284003a5c2b22437a90acae40387571e184

SHA512
356b73e91bf2151c0c04effff4a7cafd0fbe069c71bdaadf96e2b7d12ef28fc937670763970e640bfb5f7db5d8232c4610b8018c40ed996e78ec4be0276d3803

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
128KB

MD5
68aa8926229f990e4f0b6ee4101412da

SHA1
c7a7d0cb2df7dce5fe3b8fc2121f4f2fc062fab5

SHA256
faf10baa9ece7fb03bd6ee8ac40023d8334b3b23b0e67f248caa16a0892625ee

SHA512
b27698ef2a05fe72011e683ff56e9b64d9767690a6375da58b2d01ab19734fbde8ade8326cf148f69b02445a7e60d69d524bb7b2306b6a0495f3de9d47494bc4

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
128KB

MD5
e4f9479f1507c370dfdaa1ec11e2fdda

SHA1
cf3b64a9f7208f800a907df560106e0dcc0f76bf

SHA256
73bc0b25481b9a3ebe49c54d4c29ff9a43366a5f8081c18b2823bd29a0da6644

SHA512
669242b3792dee46bffc7e191f9084fcf906120472ff7af4bc50770dcdf9d060802b7ad08c6911ea2bbcfcb9c73f4d36a359995855a70fb3613fc7a9cb793615

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
128KB

MD5
25dde72d82f926d37c201bf97277b3fb

SHA1
8cab1786fe2fbfab9fa3e10d65237b0699f12acc

SHA256
e3e2404c03bca66e3e7f4927d0a07f51a2361296f1b53b06dbf57012b68897ce

SHA512
1034dbeb863c28e95291457570f880875bf47001d30afd80edeafa08c93f2cc67a7e48f664673c2dfbea1a782671da7e735b42added700212f2b6b1cd9b8c004

Download Submit
C:\Windows\SysWOW64\Kmimcbja.exe

Filesize
128KB

MD5
ab4fe24af58283b21f38e034c0798b38

SHA1
9267c3347ca8eac770e494de9abb0214614bc27a

SHA256
3c5cef7756fffbd72eb5435eec1b37267fd5ca514cfe08dcfcc589e0655f1a53

SHA512
7f1e32644908944e425e304880f122aa6fcf9aed21ce88589b69721b5cbe47e755bd6f709b6d44e4e4e73100e06434948ec7bfba8cabe8f40282842690006501

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
128KB

MD5
880b3e9d7d79dfc3bae28bd461702634

SHA1
0bee50e3f40c05b4fce55a6e6aab8c608dd99e25

SHA256
06528a8f80cb62fc5c691b250a8a5e882af3dd51f7d464f57c1efbc7f21402c2

SHA512
2176dd1dab25665f4fb0c3fb18a1020f834e361cb68171b33280c53b352d1a171a1d0d59f72e27cd896198cdf2e26be56e2dcf58b59f9ef69df43f5ac162a9ca

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
128KB

MD5
d0dbc4b5d034de88d99a1a299a1abe8b

SHA1
532982535cd098f22aa520320bd13c2618ec137d

SHA256
8113804441fc4cb2c0e083ecc6cbd66e4f22ca3251a86b71fe64d8f53b348e4f

SHA512
7489881bddabfd77cde2ae38587b11d9115eb743b9fd0c306b9d886dd890c5da94d994bf95356878f9918730b766f5e9ecd389fba47faec627ab79b3950030c7

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
128KB

MD5
c6d9ff6fd891983f4edc6c71f59194c0

SHA1
db36781cdc1005468a9cc3bad2073ce808557eba

SHA256
c2d4198239e765be0403734e99e8ff96407fd0ed0baa3c105bd42072f661c72b

SHA512
775774f2519e034b28eca6991ba6431950addf9cda398d06fa7f94c6707820a1f9bfa2d52556a7ac0a6790563eb6ddc872ff34e330d80be4689f87fb01927cd2

Download Submit
C:\Windows\SysWOW64\Laahme32.exe

Filesize
128KB

MD5
0752701c4944398f859ba18927e31c2f

SHA1
3c84f71c00e30a18c10f35e613050134b5f0bcc4

SHA256
f30d3a056c5370bc9ae753b2c501eba6186ec5d0caced20271dbd641b779f3b7

SHA512
81641595ef39f6f0f79ba20dcdd21f952c3c39bba7e44eda74e58a2c1035f8cb8eec4a781de1533fb4f2a70b3dd1bf4b10a923da695070d258907870215f1a1f

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
128KB

MD5
1fb81c2ef35d7c06fdc34777e7543df3

SHA1
8e312005dde6188e71bd0d31826b8c7777653a09

SHA256
ac3393bee09b314c0864b1e91c6cfa34760c959047d25b8c037e2d946f1a27fa

SHA512
d1eab83fbdb5447b2179bdc5492f01895a5c8d6fdc8263226dfdf5a4b6abdc5e1b6001d140e59089eabfb408e4624d52c74fd063643249cf800f9d797ca05e69

Download Submit
C:\Windows\SysWOW64\Leikbd32.exe

Filesize
128KB

MD5
522274c39068aea737103b13c604dec1

SHA1
28ff5c405f52f9381328daf63eea57cb421cecfd

SHA256
723063126a26e67130d007933954d289a840dcb5ae26baa662b7d931b3ec16f3

SHA512
92957bc4a1b5bdbf5e968d7068610e4d56e5477c1bbde5a3e70c03027cc04104f49fdae5d8a7140886cfee67e42e2e393819f4d21f6199ebfd304940e9a9d186

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
128KB

MD5
ea8e4db6e647fb4dae834a669910d7f5

SHA1
1a2e2285183c55cdc185dd5e94d504bf7464f78d

SHA256
cd178a89f629d6f296e1cb7d2316e9e6ae581121cf6a1c4aba1d3ffb2495810f

SHA512
de65887e7213811da041fcda2a72008a7c65eb393492ad1789eb27e8f905e8c715762c26ca0e555e819b3b9fa5cf8ba4c5f08001fe92bda219fc27a7fe6d97f4

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
128KB

MD5
6128e2f7c897a66ff37199735d90858f

SHA1
39927aec092cb9218962f584a88a4b6f027bc3b0

SHA256
b4c2caf3f6eaf3f51051b7d76006d20659f6581e07e2b62768c18a87964d45d7

SHA512
356022b4c3b6b6a9630d2801046cb5e84278ff4b7b554afe988237f55b1d42382f067786c628c524c2e83f64daa35cb179437b14a45f372ef3f667fc9beb2c8f

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
128KB

MD5
9450b02b3621b00c3d885008daddb2a3

SHA1
5f3a2157e85c8c0c9491c6b46521f28abaec2288

SHA256
da1d6873a6a2104147833cfd8feede86b89d27e71761976f46891956a284cb1e

SHA512
f094b422bdd01c0ba0aa556e735db00d5040817c148f19a6406c1a76de2017c234c5c855ddfe36f7e137827d2fe2d3807c64b617d944d3c017b290e9c51d2db4

Download Submit
C:\Windows\SysWOW64\Llepen32.exe

Filesize
128KB

MD5
507b967d813b2bd39f6d1da31015fe91

SHA1
95984e86416f5570682342039b96224578a04131

SHA256
db4ae9f0ce71332786ea1481ab18d0aa5d38b3ffb27eb387e6e1963b6d2483c4

SHA512
d0593e8c7c5d81a1dd77d7587dc28f3f73ba55a0542d0252cc0ffff761881b7bbe639f2b378b0371421242916f92030902fd913a90b31820dd6f29675a4f9da3

Download Submit
C:\Windows\SysWOW64\Llgljn32.exe

Filesize
128KB

MD5
0ac2550b80f9a8f2cf1dab6626bb4e45

SHA1
37159b53d4c24ceef5c9f16317a59a4e7ca2d57e

SHA256
cdeb26934edaab87cef05d4e8e5ae24b6bf9ebad1b8912dd9fe4f32f850bc455

SHA512
8d7ecc97657de3d595a90374ad95d1e157a11507b43e28c99c20dcee7aa29f9ad356b590ec95d64a67b3d07b3e58dc26e4b690b447121962189919fb94fa4953

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
128KB

MD5
3f76272d30971222262d435533199906

SHA1
26909c873cc19363e3807c5d8ab440a0e4a7c6c7

SHA256
206ee85a5a72905cf1e83fb648de4b6e2aee1741d5f7ee502c2ea787da3dd615

SHA512
12e87d00b52932be747d51e9172acf6ad68a615cba277dd27e6af0823d8f2d0cdfaa4a428203bd19bfcd96cbc536752e1a08dbb17922ab3cd03bbcdd6b16177e

Download Submit
C:\Windows\SysWOW64\Loclai32.exe

Filesize
128KB

MD5
7551e2245353976a131fad0eae38ba0f

SHA1
d15b11b025ed25b26dc77217bc7ab12bd27b48c4

SHA256
a6aa900bc677f7a36d48379e3ee2b9eeb80dd559a21fef216f860a67c305db30

SHA512
5f546d6da282e76ea20886fa0c9ebbfbb8a8c84cc13e486b66c6738ecbee27dfbb066998ed7f398fc2ae286426910500bf5c10c7706054f4e5af2d456fbdf7eb

Download Submit
\Windows\SysWOW64\Jbfilffm.exe

Filesize
128KB

MD5
267f221ce7e2fa6ca0ea2d674df10ed8

SHA1
70b3987624f26c52801dbbef493c4e3a93616a27

SHA256
8b021236af00e6d7de051277eff7192ba05678fa679a51d841d591ac4eb3ed55

SHA512
a791255428536649226f2ceeaef1c63bee1360a474ab2ca6a024ae9251ab9bf02e134078f4dc1ebfc673e4fca781d805794111056b464cbfa700e29c305a72ce

Download Submit
\Windows\SysWOW64\Jefbnacn.exe

Filesize
128KB

MD5
47568b8c7985e1ead55683c2f046dc8e

SHA1
4de24b0512351ebed90558f53d0d208c2a92e538

SHA256
fc4fa69d17cebbfd6a23c3408919845945d264b76c4c62843de73db83cad693b

SHA512
c927ea8bf1c849ba3b29b83276b3d4da9768906198799809c3e1582fd65a013233a30d9d31eb84648fc602de78c783a334bd7a82704970bc5ee4f025212ab077

Download Submit
\Windows\SysWOW64\Jfmkbebl.exe

Filesize
128KB

MD5
49a92e03491d0f00f9a545d38948fe15

SHA1
59c5d2e6b082c428b08bac7598d6cb0dba84ab9d

SHA256
e7cccd4096533d569b2a1a7a38ce67ea13ef5995fdbe9c4fdded5a91e11a773f

SHA512
62ecc8115d344deaab62624d4ae877dc03c193b9940b827658b51124d6cb2d2392eee748b7c4fc87acfac82083316b1646070567adbc1cd714690b042ac72cbc

Download Submit
\Windows\SysWOW64\Jgjkfi32.exe

Filesize
128KB

MD5
96306ae760f09b943ee36f92cc5c7180

SHA1
48fbbf90705d1f8c63cae5085f4bd5ced08f7772

SHA256
8db9e6bcd372e84b447ca65c45abd2f46f98e99a163d6db7fa9d132baa829c2a

SHA512
340184cb3aeb9470b3375a936b33605e0a2fae2459bf82080f3f71fbe7e678cede37e396dcc3228063cd7ca0a03ed6a40a3463cf2c2898a891e7c190c3730bde

Download Submit
\Windows\SysWOW64\Jipaip32.exe

Filesize
128KB

MD5
6e4d214af5ec15e782f72316ba495103

SHA1
66b380d2d053f6d0f2c51775f258f2c90ab1f48d

SHA256
3038b6331cc4afc2fc81edbb001b649c38889880f37fa0a5db7a91c1d89419d4

SHA512
2b5f219e4f55d61fdf4f5052dba9019527aa0775bf7727cc4b1e02b6ef22397c5e65d3fd4f813d802dd79fa3534a79bdc89f95dd8f5a58b04fe27711c6e90d99

Download Submit
\Windows\SysWOW64\Jllqplnp.exe

Filesize
128KB

MD5
1f2a1d2a803b4cd573ba32baf01df7ea

SHA1
d6051779a582aa4ffb36d910dcaadc99f401a679

SHA256
2ab70af9a6063b5a38becf99e6dac2e79dfe9d23a9b81cfb4d4a1cb5ec2028b2

SHA512
e890ab4ab2bb9142816c42c11020c4083b2bb450f6dfc553c52a3d8a7fbf661a8442e21cebb519c8a9418389f2c56c3693ba7e645adb45209e511c001f668591

Download Submit
\Windows\SysWOW64\Jmdgipkk.exe

Filesize
128KB

MD5
e5fa2160173eb38bc7ec75d9e7b68a40

SHA1
3fb9be7b8a9fe67a9daa40f770e3c0bd361869cf

SHA256
c049efb1cb9130e573d5f8401e171bc11677e6a8c4fc95a6b84ce2ceefaece83

SHA512
b16084f4a3ffc5785c7dd0269788c56be9b098f439ebc34ff4a4086b4cf2f14b20598b4a710ab749a9350866e0e08029d9f6fd1f4fd71325358c8e7c1794b5bd

Download Submit
\Windows\SysWOW64\Kbmome32.exe

Filesize
128KB

MD5
6852ce5efa3d9b5db6183979845b1ccf

SHA1
5b71dc103726d70154903cf2c86fff97288632ba

SHA256
6ec09ed80e904ef3cb20b785e9548f3309b1ad56295ef7c5333c6eccf2302845

SHA512
4a574a582c872486b438a1589b6f7c58d077a3f17290de6fd142b60627b063011229b19857ecbcca83a3027330e2da141ac2857adc80e6b3937f291b4f8e6b3b

Download Submit
\Windows\SysWOW64\Kidjdpie.exe

Filesize
128KB

MD5
a2e4c054cef3ec1b8cea398741ccf1d1

SHA1
4764a722ee8738e2364b027fe11cc8132485746f

SHA256
5df158beae10e641a815b23afe50d538555dcf317a8a1834fe78d3acb09d9bbc

SHA512
db82555cfa2c230abafe460da7895ed1a837f5d19a649d86d0a9574a0b0c6065228d9dabc39231f1c05fbe876b2535b230a285492e3ac47f01f2714ece4e14e4

Download Submit
\Windows\SysWOW64\Klecfkff.exe

Filesize
128KB

MD5
9a9645ee331b486f4b287b106ad10f80

SHA1
0458b7de56dd21d75eade0eff000ea1cfaec64ff

SHA256
61ace707f1333079443ec218fe4ece573b30a9dd90262dffea22ac160c47b417

SHA512
07337138746d3c27261b074e9e93f71be3f3b2645d9219536f84d980dce0ec194eeceef8e33d5b9cbd846f232402116fe38cdf5a34293381b080a7d730e7d3c0

Download Submit
\Windows\SysWOW64\Koaclfgl.exe

Filesize
128KB

MD5
d55c1b9d3cbd345f75e1fd58a104c864

SHA1
131c66b80932682c9509024b33314fd8550d64d2

SHA256
80860850b5e92c3f8878c836974efa0682c9ac833905eac21254653c96a32cb1

SHA512
d8958251cd0d10a0ca014a6512cc20b3e10e77a08150cd6f575d9df299f40ba70a6f4af5ba11fe6904b0bf148a14f1acccd669a93622d9bf8bcc5f34c611a72e

Download Submit
\Windows\SysWOW64\Kocpbfei.exe

Filesize
128KB

MD5
521947c2c408f4d7d220a8aa22ea3f53

SHA1
047db1267be3b695e74221ff02c8aab56c3a073f

SHA256
49ce5eda15d586f44685dff668af65e11e61e3d568d7042d6f8141813474c1e6

SHA512
385f56a5c09d77d33a5b5b05e8f32a383bd2242cdcaea300b9155651b53afc942f01fe72e122e90b209c2b35ac60f40cbdfa3c6fe3fbc350d0f1898610e384d9

Download Submit
memory/320-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/320-185-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/320-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/912-91-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/912-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1052-395-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/1052-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1260-287-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1260-286-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1260-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1304-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1444-110-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-390-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/1492-381-0x00000000002B0000-0x00000000002E5000-memory.dmp

Filesize
212KB

Download
memory/1492-375-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1700-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1700-320-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1700-316-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1700-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-157-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1916-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-276-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2032-275-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2032-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2032-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2104-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2124-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2148-405-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2148-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-195-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2168-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2200-373-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2200-374-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2200-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2264-130-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2264-123-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-233-0x0000000000340000-0x0000000000375000-memory.dmp

Filesize
212KB

Download
memory/2328-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2344-352-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2344-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2348-77-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2348-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2392-104-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2424-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2424-309-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2424-308-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2424-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-298-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2452-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2452-294-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/2452-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-255-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2508-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-256-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2508-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-41-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2556-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2564-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2572-56-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2572-50-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2572-413-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2572-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2588-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-164-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2608-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-350-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2664-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-349-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/2688-12-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2688-13-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2688-408-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/2688-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2688-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-367-0x0000000000330000-0x0000000000365000-memory.dmp

Filesize
212KB

Download
memory/2716-359-0x0000000000330000-0x0000000000365000-memory.dmp

Filesize
212KB

Download
memory/2716-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-27-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2780-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2780-411-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2780-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2804-330-0x0000000000360000-0x0000000000395000-memory.dmp

Filesize
212KB

Download
memory/2804-331-0x0000000000360000-0x0000000000395000-memory.dmp

Filesize
212KB

Download
memory/2804-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3000-218-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads