e9f2f0580374291e6ae3881d6678b6bed34ba021c7e588b0a6bb9acb5e701f71

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 07:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

43baafce6330c896774eaaa4f805ca90N.exe
Size

89KB
MD5

43baafce6330c896774eaaa4f805ca90
SHA1

bbe5a8c05657f54318e46d262e7f937f8610d862
SHA256

e9f2f0580374291e6ae3881d6678b6bed34ba021c7e588b0a6bb9acb5e701f71
SHA512

7d36ad2dac887c3ed76307d1a0daa0e7a2a4d201ee0035b3c77e5bf1db6a106821c16ff5db415f4fcd52a60e2988cc1a915972dd952b136a8cfcf8f4c69a651f
SSDEEP

1536:K9Wz2hV9qzGUENvNcL7UR+Q2r0YvJA8RQpD68a+VMKKTRVGFtUhQfR1WRaROR8R:KGc2JH7nQ20Yvi8e4r4MKy3G7UEqMM6

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikgkei32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieponofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keioca32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iaimipjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	43baafce6330c896774eaaa4f805ca90N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igceej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iknafhjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmdgipkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmfcop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcgmfgfd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikldqile.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjmlhbbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgeelf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfcabd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Icifjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieponofk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjaeba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igebkiof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Imggplgm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kadica32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imbjcpnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqiqjlga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjcaha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hadcipbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaimipjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hqiqjlga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkojbf32.exe

Executes dropped EXE 56 IoCs

pid	Process
1296	Hgnokgcc.exe
2724	Hjmlhbbg.exe
2748	Hadcipbi.exe
2788	Hnkdnqhm.exe
2820	Hqiqjlga.exe
2592	Hcgmfgfd.exe
3048	Hjaeba32.exe
1912	Hgeelf32.exe
1680	Hjcaha32.exe
2360	Hifbdnbi.exe
628	Hjfnnajl.exe
564	Ikgkei32.exe
2160	Ieponofk.exe
2720	Imggplgm.exe
1148	Inhdgdmk.exe
1312	Iebldo32.exe
1068	Ikldqile.exe
1456	Iaimipjl.exe
808	Igceej32.exe
2980	Iknafhjb.exe
1160	Icifjk32.exe
636	Igebkiof.exe
1860	Imbjcpnn.exe
2128	Ieibdnnp.exe
1696	Jfjolf32.exe
2584	Jmdgipkk.exe
2992	Jgjkfi32.exe
2540	Jmfcop32.exe
1300	Jabponba.exe
3016	Jfohgepi.exe
2860	Jjjdhc32.exe
576	Jpgmpk32.exe
2292	Jfaeme32.exe
2848	Jmkmjoec.exe
2508	Jbhebfck.exe
2944	Jfcabd32.exe
1900	Jlqjkk32.exe
1604	Jnofgg32.exe
988	Kbjbge32.exe
1288	Keioca32.exe
2064	Kbmome32.exe
1664	Kdnkdmec.exe
1460	Khjgel32.exe
3024	Kjhcag32.exe
1548	Kdphjm32.exe
1444	Kkjpggkn.exe
864	Kadica32.exe
2284	Khnapkjg.exe
2672	Kfaalh32.exe
2668	Kipmhc32.exe
2604	Kpieengb.exe
2376	Kbhbai32.exe
1892	Kkojbf32.exe
1672	Lmmfnb32.exe
1940	Lplbjm32.exe
288	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
2096	43baafce6330c896774eaaa4f805ca90N.exe
2096	43baafce6330c896774eaaa4f805ca90N.exe
1296	Hgnokgcc.exe
1296	Hgnokgcc.exe
2724	Hjmlhbbg.exe
2724	Hjmlhbbg.exe
2748	Hadcipbi.exe
2748	Hadcipbi.exe
2788	Hnkdnqhm.exe
2788	Hnkdnqhm.exe
2820	Hqiqjlga.exe
2820	Hqiqjlga.exe
2592	Hcgmfgfd.exe
2592	Hcgmfgfd.exe
3048	Hjaeba32.exe
3048	Hjaeba32.exe
1912	Hgeelf32.exe
1912	Hgeelf32.exe
1680	Hjcaha32.exe
1680	Hjcaha32.exe
2360	Hifbdnbi.exe
2360	Hifbdnbi.exe
628	Hjfnnajl.exe
628	Hjfnnajl.exe
564	Ikgkei32.exe
564	Ikgkei32.exe
2160	Ieponofk.exe
2160	Ieponofk.exe
2720	Imggplgm.exe
2720	Imggplgm.exe
1148	Inhdgdmk.exe
1148	Inhdgdmk.exe
1312	Iebldo32.exe
1312	Iebldo32.exe
1068	Ikldqile.exe
1068	Ikldqile.exe
1456	Iaimipjl.exe
1456	Iaimipjl.exe
808	Igceej32.exe
808	Igceej32.exe
2980	Iknafhjb.exe
2980	Iknafhjb.exe
1160	Icifjk32.exe
1160	Icifjk32.exe
636	Igebkiof.exe
636	Igebkiof.exe
1860	Imbjcpnn.exe
1860	Imbjcpnn.exe
2128	Ieibdnnp.exe
2128	Ieibdnnp.exe
1696	Jfjolf32.exe
1696	Jfjolf32.exe
2584	Jmdgipkk.exe
2584	Jmdgipkk.exe
2992	Jgjkfi32.exe
2992	Jgjkfi32.exe
2540	Jmfcop32.exe
2540	Jmfcop32.exe
1300	Jabponba.exe
1300	Jabponba.exe
3016	Jfohgepi.exe
3016	Jfohgepi.exe
2860	Jjjdhc32.exe
2860	Jjjdhc32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ikgkei32.exe	Hjfnnajl.exe
File opened for modification	C:\Windows\SysWOW64\Ieponofk.exe	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Njboon32.dll	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Mebgijei.dll	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Dgcgbb32.dll	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Keioca32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Khjgel32.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Hqiqjlga.exe	Hnkdnqhm.exe
File created	C:\Windows\SysWOW64\Jmdgipkk.exe	Jfjolf32.exe
File opened for modification	C:\Windows\SysWOW64\Jjjdhc32.exe	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Kadica32.exe	Kkjpggkn.exe
File opened for modification	C:\Windows\SysWOW64\Iaimipjl.exe	Ikldqile.exe
File created	C:\Windows\SysWOW64\Leoebflm.dll	Icifjk32.exe
File created	C:\Windows\SysWOW64\Biklma32.dll	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Lmmfnb32.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Hifbdnbi.exe	Hjcaha32.exe
File created	C:\Windows\SysWOW64\Ieibdnnp.exe	Imbjcpnn.exe
File opened for modification	C:\Windows\SysWOW64\Jfcabd32.exe	Jbhebfck.exe
File created	C:\Windows\SysWOW64\Jlqjkk32.exe	Jfcabd32.exe
File created	C:\Windows\SysWOW64\Abqcpo32.dll	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kfaalh32.exe
File opened for modification	C:\Windows\SysWOW64\Hgeelf32.exe	Hjaeba32.exe
File created	C:\Windows\SysWOW64\Inhdgdmk.exe	Imggplgm.exe
File created	C:\Windows\SysWOW64\Lpmdgf32.dll	Iebldo32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jjjdhc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdnkdmec.exe	Kbmome32.exe
File created	C:\Windows\SysWOW64\Gpcafifg.dll	Khjgel32.exe
File created	C:\Windows\SysWOW64\Eogffk32.dll	Hgeelf32.exe
File opened for modification	C:\Windows\SysWOW64\Jmdgipkk.exe	Jfjolf32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Hcgmfgfd.exe	Hqiqjlga.exe
File opened for modification	C:\Windows\SysWOW64\Ikldqile.exe	Iebldo32.exe
File opened for modification	C:\Windows\SysWOW64\Jfohgepi.exe	Jabponba.exe
File opened for modification	C:\Windows\SysWOW64\Hjmlhbbg.exe	Hgnokgcc.exe
File created	C:\Windows\SysWOW64\Imbjcpnn.exe	Igebkiof.exe
File created	C:\Windows\SysWOW64\Pbpifm32.dll	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Hnnikfij.dll	Kjhcag32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Hnkdnqhm.exe	Hadcipbi.exe
File created	C:\Windows\SysWOW64\Ghcmae32.dll	Hjcaha32.exe
File created	C:\Windows\SysWOW64\Chpmbe32.dll	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Ieponofk.exe	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Gbmhafee.dll	Iknafhjb.exe
File created	C:\Windows\SysWOW64\Oiahkhpo.dll	Jmfcop32.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Icifjk32.exe	Iknafhjb.exe
File created	C:\Windows\SysWOW64\Qmgaio32.dll	Jabponba.exe
File created	C:\Windows\SysWOW64\Jbhebfck.exe	Jmkmjoec.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Hjaeba32.exe	Hcgmfgfd.exe
File created	C:\Windows\SysWOW64\Hgajdjlj.dll	Jmkmjoec.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jnofgg32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Lbjofi32.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Kmkoadgf.dll	Ieponofk.exe
File created	C:\Windows\SysWOW64\Jfjolf32.exe	Ieibdnnp.exe
File created	C:\Windows\SysWOW64\Jmkmjoec.exe	Jfaeme32.exe
File created	C:\Windows\SysWOW64\Jfcabd32.exe	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Jnofgg32.exe	Jlqjkk32.exe
File created	C:\Windows\SysWOW64\Khjgel32.exe	Kdnkdmec.exe
File opened for modification	C:\Windows\SysWOW64\Kfaalh32.exe	Khnapkjg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2928	288	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hadcipbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaimipjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igceej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iknafhjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnkdnqhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjaeba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jabponba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieponofk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjjdhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khnapkjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfjolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keioca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khjgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlqjkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbmome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjmlhbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmfcop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfcabd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqiqjlga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imggplgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjhcag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmkmjoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnofgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgnokgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjcaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikgkei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	43baafce6330c896774eaaa4f805ca90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igebkiof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieibdnnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcgmfgfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfaeme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfnnajl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imbjcpnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmdgipkk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll"	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kfaalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgjdnbkd.dll"	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jmfcop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbhebfck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khjgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aibijk32.dll"	Hjmlhbbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hadcipbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjcaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmdgipkk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbmome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjaeba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncbdnb32.dll"	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlqjkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjcaha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll"	Icifjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjjdhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll"	Jfaeme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faibdo32.dll"	Hnkdnqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgajdjlj.dll"	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kjhcag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hjfnnajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieponofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbpifm32.dll"	Ieibdnnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jabponba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjjdhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	43baafce6330c896774eaaa4f805ca90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfchlee.dll"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anafme32.dll"	Igceej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clffbc32.dll"	Hgnokgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogffk32.dll"	Hgeelf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Igebkiof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jmkmjoec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khnapkjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hadcipbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnkdnqhm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 1296	2096	43baafce6330c896774eaaa4f805ca90N.exe	31
PID 2096 wrote to memory of 1296	2096	43baafce6330c896774eaaa4f805ca90N.exe	31
PID 2096 wrote to memory of 1296	2096	43baafce6330c896774eaaa4f805ca90N.exe	31
PID 2096 wrote to memory of 1296	2096	43baafce6330c896774eaaa4f805ca90N.exe	31
PID 1296 wrote to memory of 2724	1296	Hgnokgcc.exe	32
PID 1296 wrote to memory of 2724	1296	Hgnokgcc.exe	32
PID 1296 wrote to memory of 2724	1296	Hgnokgcc.exe	32
PID 1296 wrote to memory of 2724	1296	Hgnokgcc.exe	32
PID 2724 wrote to memory of 2748	2724	Hjmlhbbg.exe	33
PID 2724 wrote to memory of 2748	2724	Hjmlhbbg.exe	33
PID 2724 wrote to memory of 2748	2724	Hjmlhbbg.exe	33
PID 2724 wrote to memory of 2748	2724	Hjmlhbbg.exe	33
PID 2748 wrote to memory of 2788	2748	Hadcipbi.exe	34
PID 2748 wrote to memory of 2788	2748	Hadcipbi.exe	34
PID 2748 wrote to memory of 2788	2748	Hadcipbi.exe	34
PID 2748 wrote to memory of 2788	2748	Hadcipbi.exe	34
PID 2788 wrote to memory of 2820	2788	Hnkdnqhm.exe	35
PID 2788 wrote to memory of 2820	2788	Hnkdnqhm.exe	35
PID 2788 wrote to memory of 2820	2788	Hnkdnqhm.exe	35
PID 2788 wrote to memory of 2820	2788	Hnkdnqhm.exe	35
PID 2820 wrote to memory of 2592	2820	Hqiqjlga.exe	36
PID 2820 wrote to memory of 2592	2820	Hqiqjlga.exe	36
PID 2820 wrote to memory of 2592	2820	Hqiqjlga.exe	36
PID 2820 wrote to memory of 2592	2820	Hqiqjlga.exe	36
PID 2592 wrote to memory of 3048	2592	Hcgmfgfd.exe	37
PID 2592 wrote to memory of 3048	2592	Hcgmfgfd.exe	37
PID 2592 wrote to memory of 3048	2592	Hcgmfgfd.exe	37
PID 2592 wrote to memory of 3048	2592	Hcgmfgfd.exe	37
PID 3048 wrote to memory of 1912	3048	Hjaeba32.exe	38
PID 3048 wrote to memory of 1912	3048	Hjaeba32.exe	38
PID 3048 wrote to memory of 1912	3048	Hjaeba32.exe	38
PID 3048 wrote to memory of 1912	3048	Hjaeba32.exe	38
PID 1912 wrote to memory of 1680	1912	Hgeelf32.exe	39
PID 1912 wrote to memory of 1680	1912	Hgeelf32.exe	39
PID 1912 wrote to memory of 1680	1912	Hgeelf32.exe	39
PID 1912 wrote to memory of 1680	1912	Hgeelf32.exe	39
PID 1680 wrote to memory of 2360	1680	Hjcaha32.exe	40
PID 1680 wrote to memory of 2360	1680	Hjcaha32.exe	40
PID 1680 wrote to memory of 2360	1680	Hjcaha32.exe	40
PID 1680 wrote to memory of 2360	1680	Hjcaha32.exe	40
PID 2360 wrote to memory of 628	2360	Hifbdnbi.exe	41
PID 2360 wrote to memory of 628	2360	Hifbdnbi.exe	41
PID 2360 wrote to memory of 628	2360	Hifbdnbi.exe	41
PID 2360 wrote to memory of 628	2360	Hifbdnbi.exe	41
PID 628 wrote to memory of 564	628	Hjfnnajl.exe	42
PID 628 wrote to memory of 564	628	Hjfnnajl.exe	42
PID 628 wrote to memory of 564	628	Hjfnnajl.exe	42
PID 628 wrote to memory of 564	628	Hjfnnajl.exe	42
PID 564 wrote to memory of 2160	564	Ikgkei32.exe	43
PID 564 wrote to memory of 2160	564	Ikgkei32.exe	43
PID 564 wrote to memory of 2160	564	Ikgkei32.exe	43
PID 564 wrote to memory of 2160	564	Ikgkei32.exe	43
PID 2160 wrote to memory of 2720	2160	Ieponofk.exe	44
PID 2160 wrote to memory of 2720	2160	Ieponofk.exe	44
PID 2160 wrote to memory of 2720	2160	Ieponofk.exe	44
PID 2160 wrote to memory of 2720	2160	Ieponofk.exe	44
PID 2720 wrote to memory of 1148	2720	Imggplgm.exe	45
PID 2720 wrote to memory of 1148	2720	Imggplgm.exe	45
PID 2720 wrote to memory of 1148	2720	Imggplgm.exe	45
PID 2720 wrote to memory of 1148	2720	Imggplgm.exe	45
PID 1148 wrote to memory of 1312	1148	Inhdgdmk.exe	46
PID 1148 wrote to memory of 1312	1148	Inhdgdmk.exe	46
PID 1148 wrote to memory of 1312	1148	Inhdgdmk.exe	46
PID 1148 wrote to memory of 1312	1148	Inhdgdmk.exe	46

C:\Users\Admin\AppData\Local\Temp\43baafce6330c896774eaaa4f805ca90N.exe
"C:\Users\Admin\AppData\Local\Temp\43baafce6330c896774eaaa4f805ca90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\SysWOW64\Hgnokgcc.exe
  C:\Windows\system32\Hgnokgcc.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\Hjmlhbbg.exe
    C:\Windows\system32\Hjmlhbbg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\Hadcipbi.exe
      C:\Windows\system32\Hadcipbi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\Hnkdnqhm.exe
        
        C:\Windows\system32\Hnkdnqhm.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Hqiqjlga.exe
        
        C:\Windows\system32\Hqiqjlga.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Hcgmfgfd.exe
        
        C:\Windows\system32\Hcgmfgfd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2592
        
        C:\Windows\SysWOW64\Hjaeba32.exe
        
        C:\Windows\system32\Hjaeba32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Hgeelf32.exe
        
        C:\Windows\system32\Hgeelf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Hjcaha32.exe
        
        C:\Windows\system32\Hjcaha32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Hifbdnbi.exe
        
        C:\Windows\system32\Hifbdnbi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Hjfnnajl.exe
        
        C:\Windows\system32\Hjfnnajl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Ikgkei32.exe
        
        C:\Windows\system32\Ikgkei32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Ieponofk.exe
        
        C:\Windows\system32\Ieponofk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Imggplgm.exe
        
        C:\Windows\system32\Imggplgm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Ikldqile.exe
        
        C:\Windows\system32\Ikldqile.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Iaimipjl.exe
        
        C:\Windows\system32\Iaimipjl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\Igceej32.exe
        
        C:\Windows\system32\Igceej32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Iknafhjb.exe
        
        C:\Windows\system32\Iknafhjb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\Icifjk32.exe
        
        C:\Windows\system32\Icifjk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Igebkiof.exe
        
        C:\Windows\system32\Igebkiof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Imbjcpnn.exe
        
        C:\Windows\system32\Imbjcpnn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1860
        
        C:\Windows\SysWOW64\Ieibdnnp.exe
        
        C:\Windows\system32\Ieibdnnp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Jfjolf32.exe
        
        C:\Windows\system32\Jfjolf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Jmdgipkk.exe
        
        C:\Windows\system32\Jmdgipkk.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\Jmfcop32.exe
        
        C:\Windows\system32\Jmfcop32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Jabponba.exe
        
        C:\Windows\system32\Jabponba.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Jjjdhc32.exe
        
        C:\Windows\system32\Jjjdhc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Jfaeme32.exe
        
        C:\Windows\system32\Jfaeme32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Jmkmjoec.exe
        
        C:\Windows\system32\Jmkmjoec.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Jfcabd32.exe
        
        C:\Windows\system32\Jfcabd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Jlqjkk32.exe
        
        C:\Windows\system32\Jlqjkk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\Jnofgg32.exe
        
        C:\Windows\system32\Jnofgg32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Keioca32.exe
        
        C:\Windows\system32\Keioca32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1288
        
        C:\Windows\SysWOW64\Kbmome32.exe
        
        C:\Windows\system32\Kbmome32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\Khjgel32.exe
        
        C:\Windows\system32\Khjgel32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Kjhcag32.exe
        
        C:\Windows\system32\Kjhcag32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\Khnapkjg.exe
        
        C:\Windows\system32\Khnapkjg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2604
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1672
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 288 -s 140
        58⤵
        Program crash
        
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Faibdo32.dll

Filesize
7KB

MD5
16ebde6032aa12acef1e26495b12933b

SHA1
70c7929915048bbaead57731f560ed7e6e96151c

SHA256
22ed572e19dd042bb0fff96601caaea397aa97dd61c0619f3660defa69f18fab

SHA512
3fee6c27af6a6bf8295c398c73cdf38db384f056e0458511a8e8a6dc9f54272434c6e9f8c27fdd8e0cbaad6cf347d57c76faba9110d4d7d28a304bce8dccb988

Download Submit
C:\Windows\SysWOW64\Hgeelf32.exe

Filesize
89KB

MD5
345e268add0fbffd55d16838470d7f80

SHA1
90ed953fd45a4335d4ce6e387ffa36c341bf1497

SHA256
0ba9778b0329b7d2047d5300808a6e338e060b1326d9925677c77b00988834b6

SHA512
6f51f473544e4a0e67861323b5adae2f71e7a44463c2c4e019e5bc1bf3e685412a859b9b07eece8402ac9a869499626cbc208f791069f3f6291adf890921114f

Download Submit
C:\Windows\SysWOW64\Hgnokgcc.exe

Filesize
89KB

MD5
90bceb31295da83554b8759b2ed79945

SHA1
d2badfcb2ac1d94bb82a592fafad081c5eb74fc9

SHA256
0d5775315cc261afd685c8f7b86634df11509d6f45f1a32ba774fd7d6400c578

SHA512
f4081145a83878feb8e5504d53dbf54c6283e589ae5fe821a67791db05dc22a83b6b4babb2c3c7cf1b65d4cac30d17c592e4b9ef8a44bd6cada2b1b1a51603b2

Download Submit
C:\Windows\SysWOW64\Hjaeba32.exe

Filesize
89KB

MD5
8b66c3da397a00efc46f772f1e7942ab

SHA1
65fcec3e5354ae07aae11e9008f9bece100a9c70

SHA256
b4f0d1da298a96f39ffae873b1c7774ae5a299c0b25effeb571111ee9715fc87

SHA512
c273d7212b6f840e72bef0e9918c80958ad1fbe60658642288b4f7629e2ba983778e05d0004b8e268ad35d17857768b7050ab69115186efd4594f944a40afad6

Download Submit
C:\Windows\SysWOW64\Hjcaha32.exe

Filesize
89KB

MD5
eb85b59b7d6f37efb47454c45932a7aa

SHA1
cfb846da7c75f1b9ef87ec5d5e048565d724f228

SHA256
2aa7800fe77024e8f521fc35b2283986666311f150def59b7efd90ce4e6f0099

SHA512
330f2705c453ab29315b45ca9babaa960fed8d0fe7b0acd4f7ad1ea25607d5da49d140b2334d5810abc19ad33790376e98b8e5a134966fc73feeb57f60b47a0d

Download Submit
C:\Windows\SysWOW64\Hjfnnajl.exe

Filesize
89KB

MD5
2f9f562edab7307b603b5b6674dced03

SHA1
eb6b1c502b25c88a2f78d58d2b0fadf9d6a7fbcb

SHA256
80e9863941019e84bb9018bbb14fc83d746aa551fbf2dbe5cafa7772f45f5534

SHA512
7f1b2c5e97d26c19cd24979d40e5e30378b61e91b3b9323bb6d181ab64009b07a33f256f7df92dc0e94acff2aba970adba4adef9eea3ade5cf4fb484ea90097e

Download Submit
C:\Windows\SysWOW64\Hnkdnqhm.exe

Filesize
89KB

MD5
4a18b889788d13ce1c42341bf85b32a4

SHA1
37970ac0514d92fc9fbe3f90ea0336aee6a037a6

SHA256
9c18fd484c9dc23f4f82eb6e596b6eadf7ff0bc52761d2df6c55aa9f4479aaee

SHA512
e5bf088a911114c52f863a985f515e9fe8770179dec17061069cad860d8476791047d92ab4eaaf4d6203330290f150bc26f575583ee77dcf8c39b31b934fca51

Download Submit
C:\Windows\SysWOW64\Iaimipjl.exe

Filesize
89KB

MD5
ef2aeeb1e793b01ea6ae7066f08323d4

SHA1
728f61370ec8d65e198d76ea6aaf4ecfc5098613

SHA256
3acafe1a385767bdf1f6affb62b1930fc87939b9316f3957988d8b0aaedda8ce

SHA512
1432b949511bc93b1a5511d41a86fe300b715cd7f51eeefaeaa9e17dd25b34b702ad077a1354de97c490532b7559f95da296d98ea401450760806069951c4cf0

Download Submit
C:\Windows\SysWOW64\Icifjk32.exe

Filesize
89KB

MD5
24b27599274ec5f3891df79df4a67f6d

SHA1
6434a15ae35c6604eac16b2ae9124358c65e5c1a

SHA256
2d19243cd529fd5215c1576de4eb27d55672b08b989058b3600d2960caa933e2

SHA512
4c635603a419822df42fc87717891fd3d12e91ada8a9c332d04745c4a25fb4c2b506740cf8b4b149ea62e1f65fef025f9eea52179f0d73f7a78d7e38bba0027a

Download Submit
C:\Windows\SysWOW64\Ieibdnnp.exe

Filesize
89KB

MD5
15b417dcc5979cd1571967583864c76b

SHA1
b39384f262b9cc171a8ef17a9dc48309b44e7d3e

SHA256
3287efbd7f961a65e907e302dbe737bf816bd77474f891967e9af07928e5bfb7

SHA512
3918319e62a9c973e2b027ff3ac500f65bf2f253baf640f4ae97544c2c44e0f78a10331e118035a4013f106b17f530f0ec2c54e0b9f42785de3526c8435d526d

Download Submit
C:\Windows\SysWOW64\Ieponofk.exe

Filesize
89KB

MD5
a5121627e21fed326ca7fd761a7bd3a6

SHA1
d58f29c7d80ac2e1c614b7f8039f86909d4a42b1

SHA256
700612fafa3bac3b8b5496fd7e127364132c21a72e31887862d59e8043ad896e

SHA512
4d40a1527a7b381e51833740142d9b9395f8eaf1bb13b7940bf9bd5fc12af99191e42382c42a679e3a066e8613759fd8d2257289c52d4761444d84780f3a6f9d

Download Submit
C:\Windows\SysWOW64\Igceej32.exe

Filesize
89KB

MD5
a348a1dcb57363f99575d67d28128fa9

SHA1
d8fff42adaa5dd3285027957a90ae4d24ba61b81

SHA256
2c597e0c732f5b676097c7deae8d7cb547a9adb9f5fdc5b68a1d4d0f1c451749

SHA512
69641acafaf59ef3dedbf5e8f9c745251746cec073e225adb23be6477a2ab1b15a51712635662a509278d6da77315e4b8d2c769a6cf617ae901ee65c7c9f04c5

Download Submit
C:\Windows\SysWOW64\Igebkiof.exe

Filesize
89KB

MD5
5bd540ef4f5f22f043c5ecab712aa14b

SHA1
18120345a4103e4cbcb6d548c822b7827f7efe54

SHA256
958c50573c5c19a34683ee031d0a9abdab5c794e5d7edb41ef39bf58cbfb583c

SHA512
94e7c96268ac90fafa133d03e85a84eb70460e5992ca39f5922ae941897285733f56e71e4d1f812ea44eca8299d07fb1ce6b0169202e8eb5a24e0d053a6603ee

Download Submit
C:\Windows\SysWOW64\Ikldqile.exe

Filesize
89KB

MD5
ab01576a5f72400b541a727b3d2a07b7

SHA1
1a28843d75fb9de7d7dec6bde25db645e8fa4ab7

SHA256
508ba85f489d6be7d42c96899cbfdf8f9f691dd694b231dbd627d4d776b4cfa3

SHA512
7a2d65771ebf3e909949a642e17f25f3a6ceae8b852047ed34d86fc3d774bb099c0ececeb613cb62d34a6b05eabb5d86d20823d962482e3bfe4801d44fff6879

Download Submit
C:\Windows\SysWOW64\Iknafhjb.exe

Filesize
89KB

MD5
15f804754cf54289df6e7ee650bc2be6

SHA1
e671bab59c406f863bc4b0a29ba8cadb8e451b20

SHA256
ce9239bf9d56b255bd03a966bc7b93b954698c05a99b0cff5688f10729024cbf

SHA512
8df302cd76eb9733da914d745fbb87e1f3e4b0bcbc0b7e7551e29aceacae473ae211b60e5e49b56d2cffb4585b31d09264d723e0c1100bb76bf1343100024962

Download Submit
C:\Windows\SysWOW64\Imbjcpnn.exe

Filesize
89KB

MD5
b6dfa2212e1bf60a28e6f4b83c64194f

SHA1
232c5c4e141ffb14bc75d6546e37db20cf04e2e4

SHA256
fca65a8e074973a600fbccca0226f048337ed44187009977cf902ff20ea018af

SHA512
05c9b31d4bbf6497266de7b1acf782596ad0229c4c19b0434b1a4f3183b1bd71288a915a0047577ec91de5722fd1ebcc9ca44f48617b4125a019e16dbaa9ada3

Download Submit
C:\Windows\SysWOW64\Imggplgm.exe

Filesize
89KB

MD5
7b2a2c3bf3ae99593cc31766cbd7be70

SHA1
92c6272202c8f16cbbd63ac13be8150d2d6fd381

SHA256
19efe0ce92e3849792154e63fda858438b74773bd6080c53714c4dc10579c625

SHA512
f08c494a7a5fe3641ea3da1c93f5bdfb2e5b2b3e5cca3581b5609978e3b6a8904f395ad0803725e38a1d9a35ef2265113d56702113fe6afbd45572e8ee7c2a03

Download Submit
C:\Windows\SysWOW64\Inhdgdmk.exe

Filesize
89KB

MD5
084b019f7e1d01642f98594c081e1ab3

SHA1
99a059d44e188b914b269f65dfc9ae3b659cee05

SHA256
f2a6b112f45629ca7c2dd903bea3e605202f7fac0cbf58f0490ad45d37a0b385

SHA512
e2393411d689725158e415a173c7625f58f097e8943c63d3f47c3c5757b7def887f39a4dcaa0cdbba465e3d153db3b5246f028dcbcbdd1524cfcc9c9541bf6f6

Download Submit
C:\Windows\SysWOW64\Jabponba.exe

Filesize
89KB

MD5
ae3e424cb907f68d4b423f81b7c488ee

SHA1
833215dc6c462ae6e60d28cd7b93721463877039

SHA256
88ceb7f6ff3856426d1bf825cc12b707c3ba0b76a75805d7251bc2e763ffc23b

SHA512
9fd7cb5ed40eb37e50132ca08d1ab6cc12f9dc71946572b0fddeb82b09f1df14ead9d4fc3ade9a559c735d29beba70b6cf92f6c66c468e4c7a03221b663c2657

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
89KB

MD5
9f35117da09ae3fda6bf420a785be96b

SHA1
081201998f2d8ae15b9c86b82fce91250b6689ca

SHA256
99261260e015e50ee03804c8cd961dca395ec6789b6c75ad37de69d04637e0a9

SHA512
f67d080a5cf083a9bb6df09340906e3e30d7313b81d59b7f8089920e72818cd6a8f37c5e688b7a6ec22d41e7aab8bfdb5f48cbe320346a8c4d76ed16e249e9cb

Download Submit
C:\Windows\SysWOW64\Jfaeme32.exe

Filesize
89KB

MD5
e7160d88301ab4c1045ae76e99fe0aaf

SHA1
b391a0f62cbd066afcbe85107490d26ba5818196

SHA256
905cd21eda19d402ba5717325ecc92d9c52f3559d5bd3f84988729311ea61a5f

SHA512
71df97ce6381ce531577c293f6096d508390fc6bf493057eee33ee33fce9e7c24ec6ebb9d6bde7fcc918908c86d224b582a55c62689523c07610e3f52a32373d

Download Submit
C:\Windows\SysWOW64\Jfcabd32.exe

Filesize
89KB

MD5
67d25b7d27d0e01fcd0303428dea9934

SHA1
95190d0757a9526ed0ddb4093770ca9ac65d77e2

SHA256
4a772a52a41963801945a005ac855e7a801b509cbb96f2bbdf186072617d609e

SHA512
7279ecdad6b905d80f8863599434147b36b9d0cd0e8b9e313c81dbb17c2e61520f5ea72b7a99e4b157aa58cd3c4e95cb57d5bbc81a89ff0000c623318cc51d18

Download Submit
C:\Windows\SysWOW64\Jfjolf32.exe

Filesize
89KB

MD5
0182338b435cb9e26b590604fe7801ab

SHA1
08488e9c4dae403d0e42823966aa9532ba49fc81

SHA256
ec4db468a3ed9f983c27634d867a303988b6cbb6ba3d5f0b25aba5fef6acefa8

SHA512
084caabf76284c27ad6faefc564f2e95a35bbd89a995842a75a9c95b20cbaf2796558c395a77158bb271a98c681f23c0ee265c6867461884677e44ff9e3fcfbc

Download Submit
C:\Windows\SysWOW64\Jfohgepi.exe

Filesize
89KB

MD5
a3ac0a507a88a9840eafed9dd9867b42

SHA1
80e232580d8194306f79e08897d07d5c50c38e6b

SHA256
6d84eb76421e820478b20f3ffee85df862dbf51b73935e89a1470507e853e3a5

SHA512
0cad78772270543a8ad33b38bb9dcbc14c7fe78cf8ae24a0ff532524787a9c4a413865a1b63bb2b2b5d3355935f7e08fe235768e80983f4da10dd749d20d924d

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
89KB

MD5
ee10cd448daabd36bc2179d62a5b6574

SHA1
5dad985aead70f7e501f6035d0e64b22f723ebeb

SHA256
d1a638f273d818d4bbd5d806af57890cb2284723142db44285a75861f83d0774

SHA512
66c0badb7a3c656b2a3d547963501f40619ab4291766bab0d9e3149e00a3750548031cbf2be4f4c1bc1bce6bdce0128630ebb6707a2f804a43a0ba2f47d4505a

Download Submit
C:\Windows\SysWOW64\Jjjdhc32.exe

Filesize
89KB

MD5
28296f620e213f49767bbb32e5f51b64

SHA1
a6fd52a539be943a6846072b82452838e307af56

SHA256
7213f7b4bf54c6fa13d7314f6eb1355e4a061d1339de15beba60ec3677b69d29

SHA512
79ed6cb7886e6b77fd9fe1defda9e8b37b05ecc93e1dfd5dee792b8f1d8ba5efd9123b9bb5de92e0fdc47516f1f39b90f216aed72fc69c2704553c3f390cdffd

Download Submit
C:\Windows\SysWOW64\Jlqjkk32.exe

Filesize
89KB

MD5
112acbb68de1ca9f22202f26152dbc3d

SHA1
50fae5169773ef40f6541cd7a6c0dac095c36869

SHA256
5e08efdd52eec3c0619c01f26458406ffe28da70559fff6e77178e96ec18e54a

SHA512
76ba5f7d5192c477e7753c79206f6911bd3fbee33c55d2a6a9d1277cfc12f8a3acde60ca931f101b9e3c38d4688a430046d9750a7bddb4fd00fa2a45dc686227

Download Submit
C:\Windows\SysWOW64\Jmdgipkk.exe

Filesize
89KB

MD5
e18b8acd705b52f4fd3440b9ff445875

SHA1
e9c6c95748e701080d560dcb4d83d1d5c9fa3fb2

SHA256
75b44774d8db8ce437b28d0851fdf54cecbe34b128f89fc063d512be182d389b

SHA512
f6a0255e67195bd3420f03e24b4b96a1b1d7c4fd8e3750c2c653b163b63c32806993960908e83dab25692d974100b9742c50721a84a214c5057f83f9470ca7bb

Download Submit
C:\Windows\SysWOW64\Jmfcop32.exe

Filesize
89KB

MD5
8bd909658fa7d8d0c029bbabd108552c

SHA1
27e1d94fb2a90b0be0e080d3608a478af731fe9e

SHA256
0ca076322ce99fb36090d83f540b4c895f17f4677023923c01849085269d29b4

SHA512
5441f3bbea88cfcb794854d1ba82cc27cb7d880c0a621dca5eab7c1c95b4ae6ad480d7fd26024136a93df91c37c34cf429568f8a79102ba3740eec15f1c1aec8

Download Submit
C:\Windows\SysWOW64\Jmkmjoec.exe

Filesize
89KB

MD5
31dd4ec808a3f920ca3f86cf1c6b9678

SHA1
b0caaa75d03148cb98c73772a8ea66e53d1ecc90

SHA256
0506d23796bdb01ec5e978c722c6d2e029c939626c2028ffaa975e5ec7daa0fa

SHA512
0917dfb300b303903e68cab43f4f64cda40298cc1566700d04001a593a0dc9a680f998eceb378097462c7441af7a00f93e3b4d49b1a1c25f5c70ef8a9e3b839a

Download Submit
C:\Windows\SysWOW64\Jnofgg32.exe

Filesize
89KB

MD5
b705ecf74d61d9a5b7c13807aee101d9

SHA1
aab81b91930e7e7bc79b8f2d7966483c8237783b

SHA256
37d29ff31ac9513928a5fed04b7208ae8a29d2ce5f5c45dc14e6a1ceebd67671

SHA512
2c3ce9b44df470c4ba302b06aa10f26409a010c3b76018c47efa9532f93c950ce0c1888aeb73254d5523c6bd2113cad12dc57e68038f2daba56df2ea42019d17

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
89KB

MD5
8bb8c7439dcad9558ef1cc3fb8cf5d1e

SHA1
d6e87da838561f3db8d5f96c90a47f4e0833b414

SHA256
11b1b6b0624f4cbbe86277813c119431737d06022dd5234e62d6915c87654714

SHA512
60f660fc89cb8f7af0661e985f053cfc6292e17096f3d13ecf1ba34e492b2240bff6f560e0964da178fc831cb3bf388965f9dfb11880f232e33ba2d28dc155c0

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
89KB

MD5
a55258c7a0d2e61ec09e5fc3cde5403b

SHA1
dc35d814fe0f5fd30950c7f5a1cac266b98bf257

SHA256
91683f3a71389b254704fdd7f94c65cc610e5ced3e3a8e1e031b84ae9ce88c53

SHA512
f8ea2e679f4e63fed9b1ef2cda76e0c343081c6f3512826f2a4ccd78060e63ca977236550810ed355b8d0831d867a07f01bdeeea03c67dc5d1b2dcab9dab0c07

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
89KB

MD5
86ffc6977289e5a7b93d839b51a9d115

SHA1
84d52c276a083ea92fb2eccc7feded9e9f15765a

SHA256
63fe15899c56d38298dd694f4eefb99f757a35f4aec4b98172f8ce3833d1aac8

SHA512
cd53473446a30bd1e7ba314f9f40f62aedb34262a0fc934d6b95acc488a1800f939963f0551000ffab47d9a20dac4220da20e22b7d97341ec97e4bc392f17d1d

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
89KB

MD5
6ea2eb37523a47386207ef4fbb230d4c

SHA1
2f4f9e5133051de9937aee1c14d8ea7e00c27ed5

SHA256
ae7c898fc059e0002c13260a56f16b66c1065e6301028f83b995256e97f56926

SHA512
fbed30a8886b7981a0ba9d292ddcaac4c8ff6b31e9584fbe9bc4335727f1d355b7a4e37af4254afaad6b9ab9d8f759019d79343eea86fdfc6510e37b82e80158

Download Submit
C:\Windows\SysWOW64\Kbmome32.exe

Filesize
89KB

MD5
86912bfafaf17616623307fcaccf4990

SHA1
6c36023dc151b52583f570ec43b81cbccfa79e74

SHA256
b6891804cffa05b358e5e896160571de42039e5d6b9f77b1c3430630f1893198

SHA512
699f9c11e4ca6d7c72a3bf4a11b6f7ed26164c936aebacb29c769a010422bdb99b2d65a99c539161b7bee425cfc2fb0449084efed44504121bd1181974d25057

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
89KB

MD5
f079ea553ec6d80999896a915ce776ff

SHA1
7afa1aa76c3d5eca608c880f73a23d1f4cc777bd

SHA256
5211ccd9d3a6de769016c371b7c991d5de0b2e165436282d95056e4b54010dbc

SHA512
50472b82cbd9523ddf629109860a714cb0e4b0c8f6df25ea54c1be6292a18bb5a288acf36c114d53f5a2a669326f6cafab2ab708a2e1bf548d8b9901cb641d09

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
89KB

MD5
f1d330c6877d29a41247c05c777b24e9

SHA1
7f05b03cae035ee22017f5202e20c3cb6bfe507b

SHA256
6ccc4025b62a2d7f61a67f02a34c971d6c92eaa50747369013423629aa1a9b1f

SHA512
13524391e007eed2b8bcbf18d4ca2b17c0777abad16cd1beb4a213bbfa9a74d7915f705e8c5db54973f7811fd9ab6881a4cde3a00d7617b74c99f22c746cb476

Download Submit
C:\Windows\SysWOW64\Keioca32.exe

Filesize
89KB

MD5
ab1b61db14f8e733484e2c3bb0316843

SHA1
eb346229c0f6e7900f57396bf009cc010dfcf693

SHA256
30d1fffdf8961f0661b953750d317e6e78e09bddc9a7dc084d41bbeb753d62f3

SHA512
5e99514395f4b8cd2fb53a259cf6d636034fc9d53863d0cd294efe00e7004bf1a6c9bd404c874f5eabeb544ee3ca4a3b5b6dd36aaaf3ee5749853a05e33bbaad

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
89KB

MD5
10b174543f7a93d6040fab3464687cdf

SHA1
cced22778d3bc0b3bb607e938fdb174d1b9b89ac

SHA256
b31b80a20d64ae0c451ff905507814a14435b0616ff5aeed528142e63f66d60f

SHA512
d45cf72b19c20077a0aacd295dd4a5c80aa674e2436adccdc3fec3aa4b8df8f3a3b3aa0d8e859644bafb125fbcf63467dab987783b52227de0cf4a27acf920e2

Download Submit
C:\Windows\SysWOW64\Khjgel32.exe

Filesize
89KB

MD5
9abdae8e58944b68db6839cc48629a27

SHA1
98d5173957cf6bab311620ffe0346bb8dd34342e

SHA256
eae0faa563051e1be8666d95ed76137d69890b3796b732694df98e1315a50eb9

SHA512
cfe201a536c7a3a5a1c02faa916f0a48ba930d4f6278514ff15fd037ccf4ecaa424cdf653bf70da374897e0eca7d7b78771b2834c54eca30476e8d45095b882a

Download Submit
C:\Windows\SysWOW64\Khnapkjg.exe

Filesize
89KB

MD5
263771432317f5403e79286c66803c92

SHA1
eeb1c1f1afb7ce3119e7d473d21b4dcab5523fb0

SHA256
63997a304b4a566689f0014828ff85b1e061d93c8bdd35c8efe216f2f0dcafa7

SHA512
aeb566b2c0f8e5c0d6e6e0d7a7764587ad26524b93292d3bc2deaccb411a52ea3bd972a26946949d9d1c70d7bd0e4bad01a2de2f4c91ffacddf47a67c8ef76e4

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
89KB

MD5
78db02ee23c1154433ae0fa9d739d1f7

SHA1
41b266dd7dc07fa2fac991583c40be4150b7dd9d

SHA256
32d4df32717c5417b2b739a7b36da6676c7a93b31987a1de508fbe0b17a95c13

SHA512
ff6fea7d29c0bcabf68ca13239df8d5648cd94eb7ab10b13b7db3be8d751dd105749d0660d435ec15901214cafc80685baf4cc431560b33ba80c2a37822bde0f

Download Submit
C:\Windows\SysWOW64\Kjhcag32.exe

Filesize
89KB

MD5
5ea73b1c5bcd18ae0f1aa2314d596d1f

SHA1
a36e8556192ecabf77116f85178e495e32fd7c7b

SHA256
fbd4515cc9c10e8277dedeb8c4f4392cab1d20be1c34aae9b55baf116a52a41f

SHA512
3177d2a403614521507853ffe66af333d5c2154756d68129bb05bffe10764d77a643300a16f8bae46836e31669699f897af8422f551f42f24a46f9f084939e8f

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
89KB

MD5
8c747a2afb059c7fdd6d8572bf6b49f0

SHA1
b476ba337f0ff69c088de224cbfb6cfa1d809bd5

SHA256
e75557edc67a9f06f4dd757ae61e915d5bd2b848eacbaa9d21dd4496a3c23eba

SHA512
c2f780f60ffc7c07279f5f366d2da940d79484ad209c019490b24d9496610c60c132066088086288d8785bace913da853bdbed659024797063745f45b2f67855

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
89KB

MD5
1d316e92107a2d56616c862dd8f6880a

SHA1
cfe22188cfdba7d07dec39ac70d2274a778386b5

SHA256
f94e9ee9ce91b8c9bc170014a6dd98694e57992c2ef59ef777430f2d761803f9

SHA512
33003858aa721da704defdee6dbd93a4c3db7203834a16cdadea192799ddbdd4c872905ec5f2236b71991f2d8872b9dc9fbe71918446ee8aa9bd408739419ca6

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
89KB

MD5
33227139c854d7a3c47327fc3e0dd5f1

SHA1
e6bd4ecd46b3c8dca4ffc14c05e6e1a190b3623f

SHA256
9f4915fca9f4109c2d327aca9d107176f0558ffe4353dad9bcf55b2bdf021aa5

SHA512
bca68df2034d8d1ae7cfc63fa2336d128827d70316376c78e8dfdfe51d631ac5161580b992ee1c8235f5fa9770589e64df87b5cbeb8efc92f0b1ad846936167c

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
89KB

MD5
6fb7720081fa8bef4d1dc7f35192ea36

SHA1
e68d1d7d6d88e1bbeb663b1320914a20f8151ecf

SHA256
a8977d492087e282e6f6845f9bcbe0bb74109abb0150f222f1d0e4ab6b33b62d

SHA512
5ef5bae2c5fd827da2c67d50b44ad5917a66742b9ae8804ca2e9190a2760c667a7efebd98378a6ff73374e522297169f482b9608e89cdbebd9777ddfd2073b58

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
89KB

MD5
b9582239ab66245ce78b5cf42260454d

SHA1
35376afaf07eae33c259eb88b768168ef7e49664

SHA256
c99c3734bf9746d510b9b3f6237fa31661c562fbff3e8830dd6f0b27e581271c

SHA512
c76e4561e8e1f18dfcf5adb86652f31cedbd0d098d844a0a6c100833edde6900e4d1a738ebe81d93ae0ae075f3984c825af4e0b29a412d2ad484ecfd83c01484

Download Submit
C:\Windows\SysWOW64\Lplbjm32.exe

Filesize
89KB

MD5
38e7147005c56b2b016e8330f2b7d622

SHA1
72e58588b7ff9b498d42ceb7fb79f437aec64ca3

SHA256
ddf0640efde423f45affa1df076f8653e362aa4af3dff9f505341f80fec004ac

SHA512
aca09e0ec5e010fbb0ef838353dd826526d152c4ea5ed5c244cc52048f42991f789973214396bdca266a872567ee7f5bfdb5393a68cf30f0aed2d3e1669bc5dc

Download Submit
\Windows\SysWOW64\Hadcipbi.exe

Filesize
89KB

MD5
21bbc6350c2216f336aaa0cdda3ed0b2

SHA1
b4600216f82a472ffdf9914b489f1acbda58a9ac

SHA256
136023d897a0005597000169fe70c4b42ab3248d467f2569100343cd269679df

SHA512
195e037978d3670c3e7acc3b66be930397f6679c1125c75a8f2cf92910f014864e75ca02d3e6b259f0ca5da1b5a9bd2c1760a8a92e6827f73200cb8ede81a6b0

Download Submit
\Windows\SysWOW64\Hcgmfgfd.exe

Filesize
89KB

MD5
fd3e4695f7e4123767ff36c4aa8df6d3

SHA1
bc47c8c73ddf7c3d9bc4c4eb72d609ebb9c753a4

SHA256
b6bc0a8d9cc2371267006d599ce92a615b8f0d1b505e7fb6c5acb3f214f5f93b

SHA512
f7eb6650bc9663aff0be7a3248c411ab2f006a9ec4f36472899fa1963ead3f2cb5ea9f337909ef249fba913b9ab38f9c887432f2689af3a6e92226d22ff96b1e

Download Submit
\Windows\SysWOW64\Hifbdnbi.exe

Filesize
89KB

MD5
cb09296a908608790b8b37a9593efb24

SHA1
55fbcf9606af2e5f4588e78fd856fc628ea2a1fa

SHA256
ecb949c76f1164650a536a6d33ccf3d22933927ded2bf36adbfa28bba0ca8bff

SHA512
4e8eda6bb705e684d0f3c5e3a5d660c39abc2014511065a5b184f27f2a51571150b26a74cd92f6442dea8e45b3626bf0eb376e3dadeeccbc14d3b1a829beede7

Download Submit
\Windows\SysWOW64\Hjmlhbbg.exe

Filesize
89KB

MD5
ad3c70cb4a9cdad6feacbd1093bfbf4d

SHA1
cd70b692530f48e786f199308ccfc68a6a3a8fdb

SHA256
fc31111b184c4f8ad3c79221d2eee10b362f82aca0d03367bb3b120e950881a7

SHA512
16ec70a7ac9e259325ee27dba4a8bac5f2415a2b76f3cdd4efe7ddc46ba163dd4847226979e5488acb10efd2fa16d1b85ccd77d926ee5158d8c78ac709c1a5e8

Download Submit
\Windows\SysWOW64\Hqiqjlga.exe

Filesize
89KB

MD5
482d35489104b35b9c6ecbe2306fb0bb

SHA1
1bdc6a05d9cd4221d1d87252f9a429e3377ddb1e

SHA256
cf06ea72bf74754c2582e95cde16510ef1909f94b7948fe7847233b64cbe7464

SHA512
f070524f498ccded4c9decaa9afbfaa6dc91d9a1880c22b3295602f46cc7d0d265417436b16a341d2d3042800667f8867dd558dfe0b8b1cd5a005785b7f55ff8

Download Submit
\Windows\SysWOW64\Iebldo32.exe

Filesize
89KB

MD5
f602d731b668e9d109549dafb44dc10b

SHA1
402a53c17c6503d4272ca4d22bb97fd88f08325b

SHA256
e523fc6965fcdf49ae1e677e421e56e827fd19d93196c0c33d89dc0e78be5f4d

SHA512
ee253808c6a76375335340606bf7611ca4f45aeec9d24c7b2af45011fefa0e1d0560c463bfad7b49dccea90d6003f57f1439f382a6e2abdf73bf21ee5a2bfcdc

Download Submit
\Windows\SysWOW64\Ikgkei32.exe

Filesize
89KB

MD5
31ca1f066e67a924e85be3ca2d2a0592

SHA1
ab77dceb7c9dc80e83c3cdcccf8cf7cd5f2ec5e0

SHA256
c8eaa355f7365a46a2a1075e46e162f869d57644aa8bfb02c53a3ead5d12cf26

SHA512
fa0a638cf952d32e922a7d15c1bbb16be00a9973af1de164e491623205a4e073c7eea58dd36597f2859d969522cf28fd44ce0652867cd95543a305fd651d7fd0

Download Submit
memory/564-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/564-245-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/564-188-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/564-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/576-418-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/628-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-173-0x00000000002F0000-0x0000000000332000-memory.dmp

Filesize
264KB

Download
memory/636-313-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/636-343-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/636-317-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/808-282-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/808-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1068-260-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1068-296-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1068-264-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1068-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1148-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1160-303-0x0000000000310000-0x0000000000352000-memory.dmp

Filesize
264KB

Download
memory/1160-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1296-25-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1300-380-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1300-387-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1300-416-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1312-280-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1312-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1312-247-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1312-252-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/1456-272-0x0000000000390000-0x00000000003D2000-memory.dmp

Filesize
264KB

Download
memory/1456-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-141-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1680-194-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/1680-131-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1680-186-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1696-345-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/1860-318-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1860-325-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/1860-353-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-124-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/1912-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1912-172-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-24-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2096-69-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2096-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2096-17-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2128-367-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2128-335-0x0000000000290000-0x00000000002D2000-memory.dmp

Filesize
264KB

Download
memory/2160-258-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2160-208-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2160-210-0x00000000002E0000-0x0000000000322000-memory.dmp

Filesize
264KB

Download
memory/2160-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2292-428-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/2360-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-148-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2360-158-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2540-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2540-376-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2540-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2584-385-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2584-355-0x00000000002C0000-0x0000000000302000-memory.dmp

Filesize
264KB

Download
memory/2592-147-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2592-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2592-99-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2592-155-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2592-93-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2592-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2720-265-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/2720-224-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/2720-218-0x0000000000320000-0x0000000000362000-memory.dmp

Filesize
264KB

Download
memory/2720-253-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-40-0x0000000000280000-0x00000000002C2000-memory.dmp

Filesize
264KB

Download
memory/2724-27-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-82-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-98-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2748-101-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2748-49-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2748-41-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-62-0x00000000004A0000-0x00000000004E2000-memory.dmp

Filesize
264KB

Download
memory/2820-139-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2820-83-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2820-85-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/2820-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2860-408-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2980-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2980-292-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/2992-368-0x0000000000250000-0x0000000000292000-memory.dmp

Filesize
264KB

Download
memory/2992-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3016-401-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/3016-397-0x00000000002D0000-0x0000000000312000-memory.dmp

Filesize
264KB

Download
memory/3016-426-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-163-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-113-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download
memory/3048-157-0x0000000000350000-0x0000000000392000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads