672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe
Size

64KB
MD5

15fa8c51a7be6d1bc92356db8890a0e9
SHA1

b82727e7e35b0373d8e08a82143a20e60ccb4914
SHA256

672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e
SHA512

ce378416d448c7b9efdaed6a28193c221c70c0b677d0f9b5ad8c02becf8d6ccb380b377e3bcb5d259ef8e7a407b47c9e9a669065ec8ea46ff588f1d812445eea
SSDEEP

1536:hjsEeQGdckU+gndqbI/4TsuYwFvC6odenufpzDfWqc:hjsEeQWckU+a7/4TsdwFvC6odenkpzTs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kadica32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hffibceh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfjolf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmkmjoec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klecfkff.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclfag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldgnklmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiioin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kapohbfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgqlafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgqlafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jibnop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiioin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibfmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgjkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igceej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iamfdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclfag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibfmmb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jipaip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfaalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgeelf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iogpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iipejmko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhebfck.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqkmplen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hffibceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebldo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iakino32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldgnklmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnmacpfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inhdgdmk.exe

Executes dropped EXE 58 IoCs

pid	Process
2752	Hadcipbi.exe
2732	Hgqlafap.exe
2568	Hgqlafap.exe
2072	Hmmdin32.exe
2552	Hffibceh.exe
1360	Hnmacpfj.exe
2912	Hqkmplen.exe
2120	Hgeelf32.exe
444	Hjcaha32.exe
1980	Hqnjek32.exe
484	Hclfag32.exe
2768	Hbofmcij.exe
1036	Hiioin32.exe
2316	Ifmocb32.exe
2360	Iikkon32.exe
1932	Inhdgdmk.exe
620	Iebldo32.exe
1628	Iogpag32.exe
716	Ibfmmb32.exe
1820	Iipejmko.exe
2856	Igceej32.exe
2720	Ibhicbao.exe
556	Iakino32.exe
2400	Icifjk32.exe
2952	Inojhc32.exe
2680	Iamfdo32.exe
2640	Jfjolf32.exe
2872	Japciodd.exe
2548	Jgjkfi32.exe
2144	Jikhnaao.exe
2944	Jcqlkjae.exe
2108	Jpgmpk32.exe
2504	Jipaip32.exe
1684	Jmkmjoec.exe
1144	Jbhebfck.exe
1404	Jibnop32.exe
776	Jplfkjbd.exe
2220	Kbjbge32.exe
1292	Khgkpl32.exe
2320	Kapohbfp.exe
2064	Kdnkdmec.exe
2020	Klecfkff.exe
2052	Kablnadm.exe
1112	Kdphjm32.exe
1556	Kkjpggkn.exe
3064	Kmimcbja.exe
2964	Kadica32.exe
1504	Kdbepm32.exe
1352	Kfaalh32.exe
2540	Kmkihbho.exe
2068	Kpieengb.exe
2532	Kbhbai32.exe
2920	Kkojbf32.exe
2628	Libjncnc.exe
2232	Lmmfnb32.exe
2248	Llpfjomf.exe
2424	Ldgnklmi.exe
2848	Lbjofi32.exe

Loads dropped DLL 64 IoCs

pid	Process
684	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe
684	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe
2752	Hadcipbi.exe
2752	Hadcipbi.exe
2732	Hgqlafap.exe
2732	Hgqlafap.exe
2568	Hgqlafap.exe
2568	Hgqlafap.exe
2072	Hmmdin32.exe
2072	Hmmdin32.exe
2552	Hffibceh.exe
2552	Hffibceh.exe
1360	Hnmacpfj.exe
1360	Hnmacpfj.exe
2912	Hqkmplen.exe
2912	Hqkmplen.exe
2120	Hgeelf32.exe
2120	Hgeelf32.exe
444	Hjcaha32.exe
444	Hjcaha32.exe
1980	Hqnjek32.exe
1980	Hqnjek32.exe
484	Hclfag32.exe
484	Hclfag32.exe
2768	Hbofmcij.exe
2768	Hbofmcij.exe
1036	Hiioin32.exe
1036	Hiioin32.exe
2316	Ifmocb32.exe
2316	Ifmocb32.exe
2360	Iikkon32.exe
2360	Iikkon32.exe
1932	Inhdgdmk.exe
1932	Inhdgdmk.exe
620	Iebldo32.exe
620	Iebldo32.exe
1628	Iogpag32.exe
1628	Iogpag32.exe
716	Ibfmmb32.exe
716	Ibfmmb32.exe
1820	Iipejmko.exe
1820	Iipejmko.exe
2856	Igceej32.exe
2856	Igceej32.exe
2720	Ibhicbao.exe
2720	Ibhicbao.exe
556	Iakino32.exe
556	Iakino32.exe
2400	Icifjk32.exe
2400	Icifjk32.exe
2952	Inojhc32.exe
2952	Inojhc32.exe
2680	Iamfdo32.exe
2680	Iamfdo32.exe
2640	Jfjolf32.exe
2640	Jfjolf32.exe
2872	Japciodd.exe
2872	Japciodd.exe
2548	Jgjkfi32.exe
2548	Jgjkfi32.exe
2144	Jikhnaao.exe
2144	Jikhnaao.exe
2944	Jcqlkjae.exe
2944	Jcqlkjae.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dgmjmajn.dll	Hbofmcij.exe
File created	C:\Windows\SysWOW64\Iakino32.exe	Ibhicbao.exe
File created	C:\Windows\SysWOW64\Jpbpbbdb.dll	Japciodd.exe
File opened for modification	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Ldgnklmi.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Ibhicbao.exe	Igceej32.exe
File created	C:\Windows\SysWOW64\Japciodd.exe	Jfjolf32.exe
File opened for modification	C:\Windows\SysWOW64\Kapohbfp.exe	Khgkpl32.exe
File opened for modification	C:\Windows\SysWOW64\Klecfkff.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Kablnadm.exe	Klecfkff.exe
File created	C:\Windows\SysWOW64\Cbamip32.dll	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Hgeelf32.exe	Hqkmplen.exe
File opened for modification	C:\Windows\SysWOW64\Inhdgdmk.exe	Iikkon32.exe
File opened for modification	C:\Windows\SysWOW64\Jfjolf32.exe	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Hpdjnn32.dll	Jfjolf32.exe
File created	C:\Windows\SysWOW64\Jipaip32.exe	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Hqnjek32.exe	Hjcaha32.exe
File created	C:\Windows\SysWOW64\Gbmhafee.dll	Iakino32.exe
File created	C:\Windows\SysWOW64\Jfjolf32.exe	Iamfdo32.exe
File created	C:\Windows\SysWOW64\Klecfkff.exe	Kdnkdmec.exe
File created	C:\Windows\SysWOW64\Pigckoki.dll	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Inojhc32.exe	Icifjk32.exe
File created	C:\Windows\SysWOW64\Jibnop32.exe	Jbhebfck.exe
File opened for modification	C:\Windows\SysWOW64\Libjncnc.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kbhbai32.exe
File opened for modification	C:\Windows\SysWOW64\Lmmfnb32.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Hgqlafap.exe	Hadcipbi.exe
File opened for modification	C:\Windows\SysWOW64\Hiioin32.exe	Hbofmcij.exe
File created	C:\Windows\SysWOW64\Bgcmiq32.dll	Iipejmko.exe
File created	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Kmimcbja.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Kdphjm32.exe	Kablnadm.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Lmmfnb32.exe
File created	C:\Windows\SysWOW64\Iikkon32.exe	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Caejbmia.dll	Iogpag32.exe
File opened for modification	C:\Windows\SysWOW64\Icifjk32.exe	Iakino32.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File created	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	Ifmocb32.exe
File created	C:\Windows\SysWOW64\Kapohbfp.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Kadica32.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Lbjofi32.exe	Ldgnklmi.exe
File created	C:\Windows\SysWOW64\Lcepfhka.dll	Hmmdin32.exe
File opened for modification	C:\Windows\SysWOW64\Igceej32.exe	Iipejmko.exe
File created	C:\Windows\SysWOW64\Icifjk32.exe	Iakino32.exe
File created	C:\Windows\SysWOW64\Hlekjpbi.dll	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Hnmacpfj.exe	Hffibceh.exe
File created	C:\Windows\SysWOW64\Mjcccnbp.dll	Ibfmmb32.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kdphjm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldgnklmi.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Cmojeo32.dll	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Jipaip32.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Hhhamf32.dll	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Hgqlafap.exe	Hadcipbi.exe
File created	C:\Windows\SysWOW64\Ncbdnb32.dll	Iikkon32.exe
File opened for modification	C:\Windows\SysWOW64\Iogpag32.exe	Iebldo32.exe
File created	C:\Windows\SysWOW64\Iamfdo32.exe	Inojhc32.exe
File created	C:\Windows\SysWOW64\Gkddco32.dll	Inojhc32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kmkihbho.exe
File created	C:\Windows\SysWOW64\Jfmgba32.dll	Hnmacpfj.exe
File opened for modification	C:\Windows\SysWOW64\Jbhebfck.exe	Jmkmjoec.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Lmmfnb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2740	2848	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hnmacpfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgqlafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqkmplen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hclfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbjofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inhdgdmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibfmmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icifjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jipaip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klecfkff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifmocb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Japciodd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmmfnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjcaha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldgnklmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgeelf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibhicbao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iakino32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jibnop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hbofmcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfaalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inojhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hadcipbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplfkjbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfjolf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmkmjoec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kapohbfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hmmdin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmkihbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgjkfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbhebfck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hffibceh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hiioin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iogpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iipejmko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iamfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdnkdmec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdphjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgqlafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igceej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kadica32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdnkdmec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hclfag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inhdgdmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iamfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icifjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdapknb.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlekjpbi.dll"	Kdphjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgqlafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Lmmfnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll"	Jfjolf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgqlafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqacnpdp.dll"	Hffibceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfchlee.dll"	Inhdgdmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iamfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hffibceh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgeelf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcmiq32.dll"	Iipejmko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hmmdin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll"	Hnmacpfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klecfkff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kadica32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmkihbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifmocb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jibnop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ibhicbao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgjkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll"	Jipaip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jplfkjbd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmmfnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmhafee.dll"	Iakino32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll"	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iakino32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll"	Kapohbfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll"	Kablnadm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdphjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcepfhka.dll"	Hmmdin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifmocb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll"	Ibfmmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgjkfi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 2752	684	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe	30
PID 684 wrote to memory of 2752	684	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe	30
PID 684 wrote to memory of 2752	684	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe	30
PID 684 wrote to memory of 2752	684	672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe	30
PID 2752 wrote to memory of 2732	2752	Hadcipbi.exe	31
PID 2752 wrote to memory of 2732	2752	Hadcipbi.exe	31
PID 2752 wrote to memory of 2732	2752	Hadcipbi.exe	31
PID 2752 wrote to memory of 2732	2752	Hadcipbi.exe	31
PID 2732 wrote to memory of 2568	2732	Hgqlafap.exe	32
PID 2732 wrote to memory of 2568	2732	Hgqlafap.exe	32
PID 2732 wrote to memory of 2568	2732	Hgqlafap.exe	32
PID 2732 wrote to memory of 2568	2732	Hgqlafap.exe	32
PID 2568 wrote to memory of 2072	2568	Hgqlafap.exe	33
PID 2568 wrote to memory of 2072	2568	Hgqlafap.exe	33
PID 2568 wrote to memory of 2072	2568	Hgqlafap.exe	33
PID 2568 wrote to memory of 2072	2568	Hgqlafap.exe	33
PID 2072 wrote to memory of 2552	2072	Hmmdin32.exe	34
PID 2072 wrote to memory of 2552	2072	Hmmdin32.exe	34
PID 2072 wrote to memory of 2552	2072	Hmmdin32.exe	34
PID 2072 wrote to memory of 2552	2072	Hmmdin32.exe	34
PID 2552 wrote to memory of 1360	2552	Hffibceh.exe	35
PID 2552 wrote to memory of 1360	2552	Hffibceh.exe	35
PID 2552 wrote to memory of 1360	2552	Hffibceh.exe	35
PID 2552 wrote to memory of 1360	2552	Hffibceh.exe	35
PID 1360 wrote to memory of 2912	1360	Hnmacpfj.exe	36
PID 1360 wrote to memory of 2912	1360	Hnmacpfj.exe	36
PID 1360 wrote to memory of 2912	1360	Hnmacpfj.exe	36
PID 1360 wrote to memory of 2912	1360	Hnmacpfj.exe	36
PID 2912 wrote to memory of 2120	2912	Hqkmplen.exe	37
PID 2912 wrote to memory of 2120	2912	Hqkmplen.exe	37
PID 2912 wrote to memory of 2120	2912	Hqkmplen.exe	37
PID 2912 wrote to memory of 2120	2912	Hqkmplen.exe	37
PID 2120 wrote to memory of 444	2120	Hgeelf32.exe	38
PID 2120 wrote to memory of 444	2120	Hgeelf32.exe	38
PID 2120 wrote to memory of 444	2120	Hgeelf32.exe	38
PID 2120 wrote to memory of 444	2120	Hgeelf32.exe	38
PID 444 wrote to memory of 1980	444	Hjcaha32.exe	39
PID 444 wrote to memory of 1980	444	Hjcaha32.exe	39
PID 444 wrote to memory of 1980	444	Hjcaha32.exe	39
PID 444 wrote to memory of 1980	444	Hjcaha32.exe	39
PID 1980 wrote to memory of 484	1980	Hqnjek32.exe	40
PID 1980 wrote to memory of 484	1980	Hqnjek32.exe	40
PID 1980 wrote to memory of 484	1980	Hqnjek32.exe	40
PID 1980 wrote to memory of 484	1980	Hqnjek32.exe	40
PID 484 wrote to memory of 2768	484	Hclfag32.exe	41
PID 484 wrote to memory of 2768	484	Hclfag32.exe	41
PID 484 wrote to memory of 2768	484	Hclfag32.exe	41
PID 484 wrote to memory of 2768	484	Hclfag32.exe	41
PID 2768 wrote to memory of 1036	2768	Hbofmcij.exe	42
PID 2768 wrote to memory of 1036	2768	Hbofmcij.exe	42
PID 2768 wrote to memory of 1036	2768	Hbofmcij.exe	42
PID 2768 wrote to memory of 1036	2768	Hbofmcij.exe	42
PID 1036 wrote to memory of 2316	1036	Hiioin32.exe	43
PID 1036 wrote to memory of 2316	1036	Hiioin32.exe	43
PID 1036 wrote to memory of 2316	1036	Hiioin32.exe	43
PID 1036 wrote to memory of 2316	1036	Hiioin32.exe	43
PID 2316 wrote to memory of 2360	2316	Ifmocb32.exe	44
PID 2316 wrote to memory of 2360	2316	Ifmocb32.exe	44
PID 2316 wrote to memory of 2360	2316	Ifmocb32.exe	44
PID 2316 wrote to memory of 2360	2316	Ifmocb32.exe	44
PID 2360 wrote to memory of 1932	2360	Iikkon32.exe	45
PID 2360 wrote to memory of 1932	2360	Iikkon32.exe	45
PID 2360 wrote to memory of 1932	2360	Iikkon32.exe	45
PID 2360 wrote to memory of 1932	2360	Iikkon32.exe	45

C:\Users\Admin\AppData\Local\Temp\672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe
"C:\Users\Admin\AppData\Local\Temp\672d99501c2b03532a80ec0416f93cd6478817ef47a6951aecda92c8e786345e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\SysWOW64\Hadcipbi.exe
  C:\Windows\system32\Hadcipbi.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\Hgqlafap.exe
    C:\Windows\system32\Hgqlafap.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Hgqlafap.exe
      C:\Windows\system32\Hgqlafap.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\Hmmdin32.exe
        
        C:\Windows\system32\Hmmdin32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Windows\SysWOW64\Hffibceh.exe
        
        C:\Windows\system32\Hffibceh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\SysWOW64\Hnmacpfj.exe
        
        C:\Windows\system32\Hnmacpfj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Hqkmplen.exe
        
        C:\Windows\system32\Hqkmplen.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Hgeelf32.exe
        
        C:\Windows\system32\Hgeelf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\SysWOW64\Hjcaha32.exe
        
        C:\Windows\system32\Hjcaha32.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Hqnjek32.exe
        
        C:\Windows\system32\Hqnjek32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Hclfag32.exe
        
        C:\Windows\system32\Hclfag32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\SysWOW64\Hbofmcij.exe
        
        C:\Windows\system32\Hbofmcij.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Hiioin32.exe
        
        C:\Windows\system32\Hiioin32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Ifmocb32.exe
        
        C:\Windows\system32\Ifmocb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Inhdgdmk.exe
        
        C:\Windows\system32\Inhdgdmk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:620
        
        C:\Windows\SysWOW64\Iogpag32.exe
        
        C:\Windows\system32\Iogpag32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1628
        
        C:\Windows\SysWOW64\Ibfmmb32.exe
        
        C:\Windows\system32\Ibfmmb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Iipejmko.exe
        
        C:\Windows\system32\Iipejmko.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Igceej32.exe
        
        C:\Windows\system32\Igceej32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2856
        
        C:\Windows\SysWOW64\Ibhicbao.exe
        
        C:\Windows\system32\Ibhicbao.exe
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Iakino32.exe
        
        C:\Windows\system32\Iakino32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Icifjk32.exe
        
        C:\Windows\system32\Icifjk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Inojhc32.exe
        
        C:\Windows\system32\Inojhc32.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\Iamfdo32.exe
        
        C:\Windows\system32\Iamfdo32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Jfjolf32.exe
        
        C:\Windows\system32\Jfjolf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Japciodd.exe
        
        C:\Windows\system32\Japciodd.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\Jgjkfi32.exe
        
        C:\Windows\system32\Jgjkfi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Jipaip32.exe
        
        C:\Windows\system32\Jipaip32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Jmkmjoec.exe
        
        C:\Windows\system32\Jmkmjoec.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Jbhebfck.exe
        
        C:\Windows\system32\Jbhebfck.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Jibnop32.exe
        
        C:\Windows\system32\Jibnop32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Jplfkjbd.exe
        
        C:\Windows\system32\Jplfkjbd.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Kapohbfp.exe
        
        C:\Windows\system32\Kapohbfp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Kdnkdmec.exe
        
        C:\Windows\system32\Kdnkdmec.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Klecfkff.exe
        
        C:\Windows\system32\Klecfkff.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Kdphjm32.exe
        
        C:\Windows\system32\Kdphjm32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\Kadica32.exe
        
        C:\Windows\system32\Kadica32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Kdbepm32.exe
        
        C:\Windows\system32\Kdbepm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Kfaalh32.exe
        
        C:\Windows\system32\Kfaalh32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1352
        
        C:\Windows\SysWOW64\Kmkihbho.exe
        
        C:\Windows\system32\Kmkihbho.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Lmmfnb32.exe
        
        C:\Windows\system32\Lmmfnb32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Ldgnklmi.exe
        
        C:\Windows\system32\Ldgnklmi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\Lbjofi32.exe
        
        C:\Windows\system32\Lbjofi32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 140
        60⤵
        Program crash
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eqpkfe32.dll

Filesize
6KB

MD5
208a9c3c14295c94cce9d1a6ac978c64

SHA1
61f5df04ce631a297e026c9ce3be447889a7e9e0

SHA256
0295d82f2445f82c8f72d8f3628d68f4ac8825cfbc2dc4aca84852c1f92c5f35

SHA512
ab5473dee8ef681a2d3888f14f4b9cd6bb96c43fb0d9fefae3d8cc52919c0fad2e8db883aaa6a80f168bdbcbcf9825d9b917a81235c1c55846edf60e4396ec9a

Download Submit
C:\Windows\SysWOW64\Hadcipbi.exe

Filesize
64KB

MD5
ba432992cd6e40b66b9b9d0a934e6f7d

SHA1
5168de7fff4a1c04e26a66eb8f1b53172f99c8af

SHA256
aae013b26b8ec47c965b62f4ffc930f43294c636fabd017e46e140a5e8825ff4

SHA512
2b35ae4e1dc474612b86f3c0b0bb2c1d91ee4cf4e08f6e9c7479dcf59a5c0163112887d41b67fed14b6ca59c43c927f8d24745d998da75b2c8dea2dcc507a479

Download Submit
C:\Windows\SysWOW64\Hffibceh.exe

Filesize
64KB

MD5
ff9582ba19cc76dde6ebe748dcf66d0b

SHA1
479f95246b35c74c292039d76971eb90f7c7b389

SHA256
d4d04396de4547571842a245f6d92d5cd73ad45efed7c78648943b985727dfd8

SHA512
e579d2ffe73d7f99344e2849ee2eb52ef2cdcc796df968af1f0da09d75c9ee50ae51e591cf84cde510d60ed7f679e4766da2ad9ab37be4a409b24ba6e0b2702a

Download Submit
C:\Windows\SysWOW64\Hgqlafap.exe

Filesize
64KB

MD5
dde72a57d31c57676375265a61660943

SHA1
0942405f09ec2e1deaeb7d8bfa877377cf095073

SHA256
f4575827fad17fda9319e0a356762aa22f5f8784cbb02e8e8d3980a509131f8e

SHA512
a7c9aab6dcd69d1d7137c843ce3326c3224383a98d5ac521eee9bb4f42a6a051fcf108588119dea9eca082afca9c0c38b6c7f101393a25f8be9f943bb5de5773

Download Submit
C:\Windows\SysWOW64\Hiioin32.exe

Filesize
64KB

MD5
e0c9abc5075d130ab16b42239c6857e9

SHA1
fb7b6f56acf25383895f6591fb179c68178c6bb7

SHA256
b16e6766e15dd7a2f539f68d5b4f6f8d24e635618678fbdf4cc83bad084934de

SHA512
65bcfac40384435ebb1148004f9974f578d4f3afb62af86630b997828c9e421b6ff8c02d06d89264a1b6ebaf66e6df2308ee9a98372a35d639280f3a184cb57e

Download Submit
C:\Windows\SysWOW64\Hjcaha32.exe

Filesize
64KB

MD5
46facce40d1c9d33d64f0e94346546ad

SHA1
1c1bb462d664051c06995213008433f148bed718

SHA256
c9b378029ccc45310f2abe8548f8e7ef3ed89d80fb94042478da6c9eb4c3349b

SHA512
28166d3130e5768150103467118cbf04d62cb2121da0504cf6b05a69c2fae95b124d1ee031fc6d56b4d6236035672c502bd19ce6254108395d265d73f412bbee

Download Submit
C:\Windows\SysWOW64\Hnmacpfj.exe

Filesize
64KB

MD5
2f342abbbeae41239b9791e3cc2364a9

SHA1
68db4ade9cdc69dbba49c3a6ca9ddaea58f95edf

SHA256
8679c15eee6662643028c677e890a1970f082ce08042b7143039f91ddc94b77a

SHA512
68603eace7fe2988873cbdd1bc2bc164463f0b2ce4668d07e515a3f6bbabe39bbb9a01bbf450287f8573e916594b514fc93e723a7ee47d2d6b193ac0d4bec6a2

Download Submit
C:\Windows\SysWOW64\Iakino32.exe

Filesize
64KB

MD5
3bc5a04463bc4b53f97bf3f67e2c4940

SHA1
a40d330ac39f9faa3fe1ac1e88b810e896d02f78

SHA256
814c8e137cd29d4b3eae3417daf49b06e7b98163b11fa5ffbf917f8a58c7d27a

SHA512
e25af8aa6555df78101f69598bfab62032a68920d44414a324393bbb015b46e52b505e93e90471b67a81055a9f02b2519447a4414b9cd4d5d3c96de4a6b2b72d

Download Submit
C:\Windows\SysWOW64\Iamfdo32.exe

Filesize
64KB

MD5
c79bc2435c47a2d37efe56464968e21f

SHA1
b4cbd2cc91ea0abfe287840d12e8dc84e88fc104

SHA256
527c4f791117d2e1d3c4d246d1a42311115eb8de2abbffd170175b17c1ac432b

SHA512
b857866c38b27d54325501b4e2cf214b2740b739ace6b5b0709df82232880e77b27ec6a5b7ea7960df4f164f36706ebc019dd09e8bbb0e1dbb044f6029f29a58

Download Submit
C:\Windows\SysWOW64\Ibfmmb32.exe

Filesize
64KB

MD5
d59694ef7bb64e50f238afdc20ec5d96

SHA1
4eb268cf68c1721828aa7e61c3ee95eda92d47fc

SHA256
c20d7af51f105fd7887ab378396648a502827ed18201f6bb64a980cc3802bc7c

SHA512
342eb728a14d16c43ee7fd262f79d8ef47ff2a57242f99e68eadee166293fa8b72f5f40aac1b3920ae05a9680b76e82c9932e68f623ac377a9dc84ad3deb274c

Download Submit
C:\Windows\SysWOW64\Ibhicbao.exe

Filesize
64KB

MD5
2473d10e221d48c9fde7c856b6b90ec1

SHA1
505ffe81f51034bad5d4e5d2ca83b7807b680830

SHA256
1ada42f0398303d91d26a98a9940ec59326060738f7fe44088a973eb4b9cd2de

SHA512
697957e2085b3cdb4350e66edc00df8d4f748be2ca9c744a201b7613ca05ea24a11f97d39877793d2c1aac5d568f8b90462696c2e5d221727eb36dbd02873b21

Download Submit
C:\Windows\SysWOW64\Icifjk32.exe

Filesize
64KB

MD5
12c91e026624e33193e5fcc8da2bc0a7

SHA1
24e326398c13dcb07515661198f874c3b7242123

SHA256
b6b96fb6b4bedb32491ee4bc50ce98e5226954e7c4d8f06696beed2ab6542d00

SHA512
469c1037c1f07e55faa3287b5963ebf4ccbde871d01b84eacc4c4ca2ed3346330d7f1cc8d3e7519f84bfd11313a59b6bd4beb43248d4ddcd15aa5da49218c1df

Download Submit
C:\Windows\SysWOW64\Iebldo32.exe

Filesize
64KB

MD5
0bf08191fdd9d6101be282af9d24375a

SHA1
86d3a00850d9bab1b4757e0a58904f907d7d1d92

SHA256
c9a30b1363cc5da0d89118c8d4ba938b4ada70e6085b8f4294bb9f637d5bd6d7

SHA512
61626391386560dadc50b3e00702663a9d9d0e2f0a7e9beead1be62f4f3eaa9a186b43e06a514a5a58153973540469ee555afb24c2cb76158013655584acee93

Download Submit
C:\Windows\SysWOW64\Igceej32.exe

Filesize
64KB

MD5
15cceeba643cf084e637f5c181a4ef58

SHA1
bc261da06e39d5bb61bcf0350cdfff9ec59cd151

SHA256
47f06a6c4df561ac85298e21932fc84b36324e5a604d654e5e4ec076d76839df

SHA512
9b868f8aa44e65d79940ae07da31843b2f330858c301df7ba1365761b4b7820164afd64327ecfecf1fb7c2a01352bc7902fa1a4007c9841066702166efe668dd

Download Submit
C:\Windows\SysWOW64\Iipejmko.exe

Filesize
64KB

MD5
0a08a0a0f001f53d822a8b15d997ee25

SHA1
63731a68e4bb2c31c7d11ccf3089f223fed6e5fb

SHA256
1708ee29230ed9784b31ad0aec7f7ed2e62ec562c978b2b021fb28adcbc16034

SHA512
faf46023b3ea8282b7e5dadf389863df9bba297bcb1980ba5470238f576e1d05e9986bf4072d172e8a7656d32fe6db41c5521dcdb991e9275eaec8a4114aee69

Download Submit
C:\Windows\SysWOW64\Inojhc32.exe

Filesize
64KB

MD5
ee59eef71cbab216238dbed93ed50ca9

SHA1
8dac45b3d5c72f8121133568645cc7ac190b7e6b

SHA256
821deafa8cb096a6a657b76901d5f84f62b38125c5e7c9f3f4936f0b9f46bdd8

SHA512
1c50a482f54262d1f42cf768814d2eb771701a45363ed74ce753c886bb10ebc004232c6bb5e4c3edade0b983ab9b04ed6539705e00149b830cf491ae77935644

Download Submit
C:\Windows\SysWOW64\Iogpag32.exe

Filesize
64KB

MD5
cf5c20d2949a7a2f64d55d08337180a8

SHA1
2afc3ed1bd121cd523b080c9969a55291ace7407

SHA256
ef90426036fce3c88eac6e2d52fe7971693bf2022e2de7739be3dfea24d6364e

SHA512
331d2f86d85c05a5c83c0095119633b05372fb8134662c35aeeb396fe6760f4778d8ab18ba16aa776a46bb57533b48de5b9426a9707d7958a08a4f2bdba07eb9

Download Submit
C:\Windows\SysWOW64\Japciodd.exe

Filesize
64KB

MD5
ec7ded33992abe7f732d6ad8ef4c6137

SHA1
bd9d139b4ceb84bc7885fa580525288ff1caaefe

SHA256
b77d674f8e9355a3bd3e7a4882ffab9bd09a2ce7637a6e530e50095eb3e9c49b

SHA512
f9a2ae987977df6be1c2f6474c05ca1bbda18eb22686e43b3efb8e122f40251733bc4a03bad512554ac872bfe10fa5ff30b70b47386c9816dc11ead853363078

Download Submit
C:\Windows\SysWOW64\Jbhebfck.exe

Filesize
64KB

MD5
81eac6c64a446779242e6edbdd5a1493

SHA1
d7e774ba2821020ee49e873506c784680f2ffdf6

SHA256
05db9a11440801bcf6cf49b568336d68feedd5a8850683a3ea8817588356ea83

SHA512
ca653387db6911593fa0c5ba55bbebc1fd7272569366230d29e9170ca17ffb47bf34f2a34ced26db8d0673db86679e7dc3d5a366cd46da28786d3a5106183244

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
64KB

MD5
aa1ed7b76d5b80146794da18fe2e6d8d

SHA1
6b913ad0bc4434303f8bd559964f80c438b2fce8

SHA256
af29112ced285908044f2d9146b7003418013367bf16818584e764f82572834c

SHA512
3f8430171627a3c1176c8b4f91e998bfeeb5828e5015aaf15c580f83e67f1aa79518ecf591ec8892b12ef3b31d98cc165f8e731d01fd993799eed3205dbf9153

Download Submit
C:\Windows\SysWOW64\Jfjolf32.exe

Filesize
64KB

MD5
28c2da6abecc2db20042790223e254da

SHA1
ae6bac7577325a1b07c4c85e6da967247e227f71

SHA256
fdf611261d583d2e017688bf34c17ecafe1ab33faeaef080b77dc295c243c008

SHA512
d6e4f63f913f4d0ff285aeb96c71867c8e8a41181664179a8df2a86e76472993d8b26f8c6c8a20897538ec3b6d5368cac7f5a323e2236cc494e0d952cdfaf1a7

Download Submit
C:\Windows\SysWOW64\Jgjkfi32.exe

Filesize
64KB

MD5
4463fe4462ee45d39efa0db13fe01cb2

SHA1
0229cae0de3500ebca4c17ef17fa8d361a16d137

SHA256
faa7f50d172be159f458b34313b5a1a1c091b93ff8d0c46e5dbea2f665dba7b9

SHA512
c8910f25069707fd0e13eaa7f15f1e9f39e4e4132c06e48095cdaefb3f43befd9e9ff1cc9d7b8c368e3e4bb782b87214ad53b6e741b1dd3cd82e96764252e246

Download Submit
C:\Windows\SysWOW64\Jibnop32.exe

Filesize
64KB

MD5
5b8a821af2e525b2bed7592102e75ae1

SHA1
41120c750b0dcd8fedd291a1b45d1f7fca3cef2f

SHA256
8e886d333ef38510bb28496b351f56840cb7422424214c8316995ce4f9bb3d36

SHA512
a27f1b3b244eb588365fd2b0ad14fda9a24b48f37ccec117d062bd7677408bc0d57e3d033d9fb9a869bdbf111d38e7a91c3d009ee1d0028d49fc500dc33621a1

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
64KB

MD5
49b0e0449f22a006b27a922f64a58480

SHA1
9bda680454b2764080ce806e8405465d43fe776b

SHA256
e3c42ae93ed5e58d010cf7a56832b854238ff39e2d2062aee54faa4340d78ef1

SHA512
612908310ef0d5ed6f596466d968d7a43e62dc8ca3c39e2acf46fac7e1ac488c957d6fc9dc09c6f07ac00fc61b4afbc91dd891ad5f7f750c26fbca2f39f7c402

Download Submit
C:\Windows\SysWOW64\Jipaip32.exe

Filesize
64KB

MD5
9207edad2f78735c7424625eff1c2b8e

SHA1
6d6c0e9b9ee5a9ea1fad9af112324489e4525d96

SHA256
555dd860f5b29c86261dc3aaca383a3d9d05b685a8697b25e43f138a21b93a59

SHA512
552119737627da1e0a8e3794663bca07cbae957d89fc9189b7507c98dcfb0ef7829688fc7ee509f787099275873212488f21219a6f157965d338faedf727cb14

Download Submit
C:\Windows\SysWOW64\Jmkmjoec.exe

Filesize
64KB

MD5
427c0d6edbb05e240831b117600b1bd1

SHA1
088a8372fe95f5dee4c113e52ec159862d5ec6cf

SHA256
502751d15acfc7dc32c77a22dc3d5edab01b0ac59ce437a62120870bde156384

SHA512
c078ad51de5c1d28e1713bc4f29dbf41f424eb939dc90ce4eec8a0c0bfa9e5b3d5dbaf70b04fc74301ef9c4b80bb746c8cde934a973aa07b2c0f430707ecd149

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
64KB

MD5
ba96b0c3697aa12420cadd1f054526e8

SHA1
844b350a6302980701df9e4e4e89735619ef2305

SHA256
7231956f317220105da7624830cbf170b85956f7eb3ab1bcacb94961f1f4ffdf

SHA512
0b9a8503bde91c4073f79eaa707e8a149fca4e89ace985ce4d5cbc08a3509e9f0fba73f97c80d5cb0ad9d083a2756b778459af8f43d105c2fbf71b26b24cde6b

Download Submit
C:\Windows\SysWOW64\Jplfkjbd.exe

Filesize
64KB

MD5
021e0a4e7c7aad584d24b90f5d8de9e0

SHA1
8a379fb0bbbff89085bec2d8198f8f0779f01786

SHA256
7a6a2e433ad08e83b4f86f9c225034ada5ce2da3d8f6ea9c704b76ff9df2effc

SHA512
288e5953e87a3e9921a3b5881762b58dc163bd25b4867a63fec9af74e525474d755e8c1788bdd8dbdbff58fbd2f2cd017b375afe103e631cc44081b502c4559e

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
64KB

MD5
b354de864a6758b1a961f50f7027c816

SHA1
64f6c937d1cdd232d8677cf2d3aacddc3fdf38f5

SHA256
31f7db6a43c6ef73f6a1152ce707c940fded7f4e9710f4bed2a0519d3c2dc882

SHA512
b839be9b6ec25187c7e5d6dd0f5be6187fd107bd5b1c18a6dc4498c4648d080cd562d690ccecbf3c3f9694f220ad01e94a0044b4cd9626b03aae591119d80153

Download Submit
C:\Windows\SysWOW64\Kadica32.exe

Filesize
64KB

MD5
18ff4eb1ee3b9139413d5ea5da285a0d

SHA1
8ba9199659ac0a2a4f1483610feff4be271e4be2

SHA256
3197624b561663371daab45759693044b47329e459166f1e96080b37ba8f9d84

SHA512
c926ae857af2d35d297ba695a03ec3d72a3cae76901cf42fa5f96bd1a024f6584a41ce4ecae47daf48a74fbccff50c1b75fdb075756fb4c23b5b67d2a6cb54a2

Download Submit
C:\Windows\SysWOW64\Kapohbfp.exe

Filesize
64KB

MD5
86dd66ffbdbb1efe1525f0540995903d

SHA1
cf01d4ff262f830db98ef1e8c733a579a745dfa3

SHA256
8bd236eeb0fde7d89076455240360ce3ca96556f42a1b2f83e8d163d958771d3

SHA512
3e6f47371b89883d6314884a7cbc4f3bd72a28e20bb663132d41a577a41cc56c7875637a8474954069bbe8ecc85787c65a98389b459b6df389c22a9d048cb6a3

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
64KB

MD5
0459b0efe02db7ec3f91157e2719d771

SHA1
cf17eb07c650440d5883b1073c02de5da6f91ac8

SHA256
27df989d112163184e131799d88c48dcd93acd755a1b3481394e3baf1eee7471

SHA512
7639a20a2e16f6b69ec50fa250581bbf8c338936a23e2af7a27406722801a98cedb50d0c70d3eb7500f539c0232686add85faaadc0b73483945e94be7b136f98

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
64KB

MD5
5d807423c8a7c9e1ba9c29bd86aa4559

SHA1
c1e59b64188cfdabb9abb1fe9525e632e43510f7

SHA256
7a3d338d6a6440a9810e616fa03615a7e3013ee06d89913a97367d261fd3f687

SHA512
df6059629cc1cb49d2602248bd255d616851c2aa475bd989d88d86fbea4018e7c082449000180bf26b8f0568d5adb251c39a72553694293e25510eedd5f3c18c

Download Submit
C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
64KB

MD5
1a6915411aa3b40112c65ce7b3043e23

SHA1
269cfb50b34673a4525ff9b5cb9ae5a4fc71501a

SHA256
1c8eeea9e735e88d6d1b08d0a35046d8e7fb0b687c5516794e54f93024421dbc

SHA512
5d879991e1e98184fd67da7db8dccef4a38000678ed6f8558bb33e01d092da1e85268e00b3ad62183cd01245734a3cb391fa6ec81440f16b39430c025d676006

Download Submit
C:\Windows\SysWOW64\Kdnkdmec.exe

Filesize
64KB

MD5
681193c232544b60332135e86d4485a4

SHA1
bad6402b03455a8919b68230435a3973fe47e2b5

SHA256
6f49b78ae415842ff49dfd2533632230d75b93ca9a8e6ad23631789986424cf9

SHA512
00c57610f0e812e5a04cff6ef91ef0227fa05b9c9c9e484208a192a63615119a45e065bcadd005b7e5a8cb32fdedb37fdc8d6fdaf72c8bee87a5c7b5f930f09a

Download Submit
C:\Windows\SysWOW64\Kdphjm32.exe

Filesize
64KB

MD5
a70dc6ebb3b46cebc85b1f60395e04ed

SHA1
441d537e0bf17c23a118e5890597923890f9f52f

SHA256
c604dc3513b105a71b5ace02a786f8d173a525b4a1cf7844599fc79d1804dbc9

SHA512
b9c388c4d0e467067915ef4d3e9c30991a004f948a675add4be2c368934c6b7365a6a80213488621bfaa6e8f5cb417254ede72a0e41bc366d14b8cbe0b20a2ae

Download Submit
C:\Windows\SysWOW64\Kfaalh32.exe

Filesize
64KB

MD5
779aefa91e1bcfb7305c1313248769c3

SHA1
61edc74b19eb14e0603d75c8edcbcd634b4f7034

SHA256
f2e6ab66b3de6c0006700dc47a1f0d769a135061576a8973273c1cb90bf63154

SHA512
cdad7840fbdf1760ac251eda511d9b481de96952e255253cf1bfb1a03dc86feb6c0a07e453f64716c2f40caec4be686608d874cdfe2607e1430f052697b5e89b

Download Submit
C:\Windows\SysWOW64\Khgkpl32.exe

Filesize
64KB

MD5
50cc3dae80fc116fb34397fb999092f7

SHA1
a3ef22e4585611305e6b710c843d5c862a76523a

SHA256
c6f585ebc0d971ff4e4ba34f2c2e2adefbee8e79cc1126f647f06b969c935e23

SHA512
7d2fceba919195c228691b0fa5b4b81bc7714a1f7a75594bce3f920bb5c75f41f87926ecf9e5648aab2b757c8a236c31290873ac8c2f4b9534038d5fab857aaf

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
64KB

MD5
131abd3a76b17e9e5ca013e10abb0826

SHA1
76ba2ddf2676618136fef1d2cea1d7cf6b9409ac

SHA256
c9ce284500254be8a3f5001f6b8813882d9c8244461acc2cd1b36d2b3e59c329

SHA512
4353e03a5a7e772a325cef0ea00f771785a6ba3df83837b3e3568be1145ee61f529d92d833aac10f6e94f21d6f75d092ad71092bbee19f8904ce7718447610a4

Download Submit
C:\Windows\SysWOW64\Kkojbf32.exe

Filesize
64KB

MD5
6b4ccb36fc9b651ce022ebf2c6ff8da8

SHA1
7fc1e497af7cc7f91672db0fc52bcf08b863b62c

SHA256
12f3e726ec186adc96fcf13c18999444ab7f179374b55ad73803c609b9b91d7b

SHA512
5b01bf78007557536dd074b1c639ece8b5e6062a31d8487a22412c7806c4743fbba5a52ff798ba0f160a09549e8ced8ebcf5f7ad3511de0f5715dabbb4a9f434

Download Submit
C:\Windows\SysWOW64\Klecfkff.exe

Filesize
64KB

MD5
07463a3c06af1b22349a050b6e8998e5

SHA1
4c2eff93091959f4558ac768f1b92d9bd209f659

SHA256
8616e4a83a574539b836e35942744684422cd8812c8ce1ca2c1dc37dc8956a10

SHA512
640105d491767024789d842391d6290ec383a52298d34930528f76dd4cee280bb7f8525c5226c0c7c9838f2605e048cb7b4327da7c2227dce914bb45cfc3babe

Download Submit
C:\Windows\SysWOW64\Kmimcbja.exe

Filesize
64KB

MD5
3f1e8a8638b56ee692eab92bebe752f9

SHA1
e28d2ffc1947603755dae15a6b19ddab4929c5f1

SHA256
ae9f5b5fe6477d4ad6875cdc7dcc2053df268ec89dde11cf991e2958407eded6

SHA512
3e311400c85cf91c3959a2e99da09775b682f7a66440d48a4cd1389f84b87dc71826cde1d7aad5a0a696313e97106e070c041b12b708fb8f8b3be361de6b3924

Download Submit
C:\Windows\SysWOW64\Kmkihbho.exe

Filesize
64KB

MD5
772e49c2c1499836989093392efad61d

SHA1
6a563a0f14acc9b4d0eda281ded87d3abea1bada

SHA256
0e2f0187ec50d6a2c94094690d2e272ceac63f8f9cd1c816568da5fc8a092b9b

SHA512
e4551f3838e1b0fa918e57398ca64ae1abfafd39fe55712037d32411a1f4ecd86ebdf752ffd50f28532c32b39de99b137209ae0e7202b5d85a9142581ec92ed1

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
64KB

MD5
d38079e5040b13b8744dc83e1c7477ec

SHA1
7d89157fadb5613fb13393d203be6d7fd3367971

SHA256
077c6c90e30c84e0787aefe6f0ab8d987f4896df3ffa16e659128228c158fce5

SHA512
a5c6d6134ad14b3966f19cbefe804957a2797439e01206de7cc6abe3d0364c04b1d8959fb983e356d30ab5ecc11adfeed70db5c6265c1420bb00af818581a007

Download Submit
C:\Windows\SysWOW64\Lbjofi32.exe

Filesize
64KB

MD5
45466a436c1c7186be34049582f116ef

SHA1
cd1f36198eb9a1d87ad3aebf67d61f00d03958ba

SHA256
221a961a1e947857c71e0f84ca7b27001a1c05a8c5ebef6cb61f5899c5daa3c6

SHA512
9a3b56e89b71a0885cf953f8739effca4153d116ebdc6408355df1d26082f0058a30aeb38d45c32a5a682de4e1289b4ccb3ac370074c9998ee5799c101292dcd

Download Submit
C:\Windows\SysWOW64\Ldgnklmi.exe

Filesize
64KB

MD5
b753ca0d90a6b2ff2c4246d50ccb7e40

SHA1
ab5e65a7b9f1b7d81bf29aa4e01982f58ccb6d15

SHA256
b835d363134c95bcfc4762bd91d38e37171e7887c268c978649782767758c22e

SHA512
080b1a1a11da01535fa467e20b4fce84247d8ab54c0f0f92b50175eee794666071cace126e7353da7e279f58f5a153e3cdb2f83d616b7bda74fce8ba4ace2408

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
64KB

MD5
9e9e739f1aac4ce9d251e8c00e3cc89e

SHA1
f2a5fd4dddb586415c5de670552fa50bc09efbdd

SHA256
80b0c6d573676f628ce9b0aeb1330a112c0a4910b3e93936f14d4d4f235bb15a

SHA512
8077ed82fbbfc387437f72b8260bb0c091a3696cf42fb0d0452815f40153876600d0bb7640bbed4252a6a48a6a57a680f311170351f698c797f7bb6190141d55

Download Submit
C:\Windows\SysWOW64\Llpfjomf.exe

Filesize
64KB

MD5
86d84680c686a3552ab8ecba34b21d91

SHA1
2ae2d113957ad9196c54625f49516ac63d0bb183

SHA256
2705348d77a405c1a5166b1ca2295669bd9fd2e38f083b5ff94bfaaff17a8c24

SHA512
69edf51b6d381887d7533c4b091f1f4330cf032b6018737b9816994b79a15904ff5a2afda520d935c952148b30562fbcb1802a9d3b1e4995567fd8356dc62a33

Download Submit
C:\Windows\SysWOW64\Lmmfnb32.exe

Filesize
64KB

MD5
fb34a5413dbf8d7ffd1414f692f0ac40

SHA1
0688ac77dc9fd9d7d114b013857debd7f24cac17

SHA256
94043cefc4835327751239f92b580b9769b6227b161ee27790df042528aaf6c0

SHA512
e26a665ba5f0c40aca4bcc2ed5293e28cf54187c666e50f662c89bc14a1d7f183bba1cf818eadeabe2acd152c1c82aaed63000b04e31eff06f0b38c1a3335d04

Download Submit
\Windows\SysWOW64\Hbofmcij.exe

Filesize
64KB

MD5
75c2ad1430d7a5f146c8d6f372d0d453

SHA1
e1780bf60e860abe7747866cfbd5cb51655db83c

SHA256
feb22a906ce62e012a8d9b46b3155d298f42265dbe64205bd0a46c2d974039ca

SHA512
df9700498ba42f5a0c8400370371cd00865409a1328402f94035fb9c3ebb1a6546add628052859c27ea54430f56436b3354e16b4ccdf1ead4e500fb48b868410

Download Submit
\Windows\SysWOW64\Hclfag32.exe

Filesize
64KB

MD5
472067ca7896b5f6580c63c1c8d44fc3

SHA1
6a3eb09edf33c94d3df32640fbb2d8d53e9fdf9a

SHA256
2334c7b0e7971668ae2ba62ad7ecf580a976369666e892b2b8ed563536858dab

SHA512
04e95b8fed8ab43487fab4070cbea95f55e7464793640de93f09549bd0c4f247650b70120dfe363f03a72a645db2b234e520627904f03c9173c0f9a65c5a4a6f

Download Submit
\Windows\SysWOW64\Hgeelf32.exe

Filesize
64KB

MD5
3abf1a0b45eef88300764d1b5017448e

SHA1
377197b2138822c81c1aa330c8ac1853e211f671

SHA256
6e04a31758ef277e31ce47ff0cc3656911110a740d4b06fe233196afadc8564d

SHA512
2bba8bb48d92ef43fc4300ff5a0cf10f9cebe03ee4afd2346f4d348d22c873c91aa7177304e36cc172ecaa6bae5512e64a08252d6eef16a6ab91aa8f6101fce0

Download Submit
\Windows\SysWOW64\Hmmdin32.exe

Filesize
64KB

MD5
b8834ed91f496b9683b616f069a51d4f

SHA1
c0fab5c1b36ccdd597169a41ecdf7a360ff48041

SHA256
1327e7bb33d010c6e73a847bc11fde90f537d0f2a20a1bf7f2d205e0c7d93eb8

SHA512
e5eb8e4b8d5963f760554e3966ea817424872d1f5023bbca98f1d6184f60c997f2ed590116f090c1667a05afbc12ad4e1b80febb53904206f7fbe082c49a4ab5

Download Submit
\Windows\SysWOW64\Hqkmplen.exe

Filesize
64KB

MD5
4b05d817f5a890829b240f5ba0b9581a

SHA1
9d8c36d83b98d9b7ddbfa3e8bb6a62d8b6efe60b

SHA256
6b82bba1e6f33e3610b7cd29b1e27aad6d1f24bdb6de80942ffad9f487101c20

SHA512
f9ec52afdfc6ae8e9b2d5b2501d8626b4faf4b28308ecf96df5a2f7bf42fa15eb73d4b5edfa8ed684773a9fe1b219c5d897c1d4803b12ae9da14090eade4459b

Download Submit
\Windows\SysWOW64\Hqnjek32.exe

Filesize
64KB

MD5
2967b14e154bbc8a026d1de6b8ec534f

SHA1
a0ae1fb6d5a4544d2dd4688eb6b9c4dbd54b5cce

SHA256
72cb6444fab43772b2902775d6b878600f8dd799d89f1d0ff11d1e131905d536

SHA512
307bb03fe2298e0cea23257bd25a1586a901bfad2a46402d61feed51e180187c892cb611df31af7b67d436a176ab8a2bc43f3b4d873d48862d35f473ce0daf5e

Download Submit
\Windows\SysWOW64\Ifmocb32.exe

Filesize
64KB

MD5
9988d9ab16f73e10f9ed77f78ab4fe33

SHA1
258a4c7b2073fabada1d7a115233f742bccd21ed

SHA256
033a1ba94a47b0ece70036d353eae45089a4467c55cb1f12d529b95b627c9a98

SHA512
21c9b0c0eb862ccee9700fcfbd0f142f7ce6ccece6703d6f612db15862538eceaf25874d6933329f26d1a13e6bcd309a896956a823f9e52c58d517e99694cdea

Download Submit
\Windows\SysWOW64\Iikkon32.exe

Filesize
64KB

MD5
19c5eb64bef0f0915d764569dd6af76b

SHA1
55e5944ef838bcf5ef05dd88ed7a63ce2071cb67

SHA256
975bd5bc5bc5be99cc4edd903042ee30c99fdf6d1dee4780daf22d1c04a28a19

SHA512
04fb75a7f61cf79862070d0b0ecb8c3bf4464476e4087225067eb33425424aa28364b726db22322c681eb32e4122392ba750794ac9c060b6292d9f90376325e5

Download Submit
\Windows\SysWOW64\Inhdgdmk.exe

Filesize
64KB

MD5
e2458320708624c4cd847e7ab7eeccd8

SHA1
6bb2a2b8006ab866799fda26c4284c353f6f48dc

SHA256
34c7f3515f6c626de1bac670bced2f5ea07074b324dffd7e447085065681c8e2

SHA512
735410d41429ee0b0d5fd584a629d3250abf2eaaa491fd461c1cb3cca412f4f50ce23e94fd878c3bcaf8360aa3d72de9522b8550be1501a28a8cb3988d45f625

Download Submit
memory/444-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/444-447-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/484-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/484-467-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/556-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/556-283-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/556-279-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/620-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/620-221-0x0000000000300000-0x0000000000335000-memory.dmp

Filesize
212KB

Download
memory/684-348-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/684-11-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/684-12-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/684-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/684-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/716-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/716-243-0x00000000002D0000-0x0000000000305000-memory.dmp

Filesize
212KB

Download
memory/776-433-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/776-434-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/776-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-497-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1036-165-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1036-488-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1112-515-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1112-500-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1144-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1292-456-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1360-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1404-423-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/1404-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-520-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/1556-516-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1628-225-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-393-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1820-249-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/1932-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-126-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2020-478-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2020-487-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2052-495-0x00000000005D0000-0x0000000000605000-memory.dmp

Filesize
212KB

Download
memory/2052-489-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-468-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-473-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2072-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2072-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-381-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2120-107-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2120-99-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2120-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-356-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2144-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2220-444-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2220-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2316-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-466-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-203-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2360-509-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2360-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2400-292-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2504-380-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-346-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2552-68-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2552-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2552-392-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-390-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2568-379-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2568-40-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2640-325-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2640-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-324-0x0000000000290000-0x00000000002C5000-memory.dmp

Filesize
212KB

Download
memory/2680-309-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2680-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2680-314-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2720-272-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2720-271-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2720-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-34-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2732-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-159-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2856-258-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/2872-335-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2872-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-336-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2912-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2912-86-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2944-370-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2944-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2952-298-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download
memory/2952-303-0x0000000000250000-0x0000000000285000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads