a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5

Analysis

max time kernel
114s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Size

320KB
MD5

5de31cca88ba3cfd20076a8148386e80
SHA1

58d751dab92a9366a641ad3ee158d29c88c6f600
SHA256

a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5
SHA512

cec3c86750dae06eb87711e2b9352a4b6e3f245af420afbf1f85923f1882ccdd84e9aae05d0248ad4b0f604e72c807be54d8ee4c05acc922cce6406437de2dde
SSDEEP

6144:Wcxge+29EpsVQ///NR5fLvQ///NREQ///NR5fLYG3eujj:txgMbw/Nq/NZ/NcZq

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqgjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hilbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiiapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiphpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdlefd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiphpf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hilbfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idjlbqmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhedachg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhedachg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcmbco32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpcnmnnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idjlbqmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcmbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqenfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjmbohhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjmbohhl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjdhpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpcnmnnh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieepad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdlefd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelbqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfgedkko.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqgjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjdhpg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipqmgbbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jelbqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khlkba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfiajj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfiajj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqenfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieepad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipqmgbbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiiapg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khlkba32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfgedkko.exe

Executes dropped EXE 19 IoCs

pid	Process
2032	Gqenfc32.exe
2096	Gjmbohhl.exe
2060	Gqgjlb32.exe
2736	Hjdhpg32.exe
2656	Hpcnmnnh.exe
2676	Hilbfc32.exe
2572	Ieepad32.exe
2884	Idjlbqmb.exe
2160	Ipqmgbbf.exe
1740	Iiiapg32.exe
1788	Jiphpf32.exe
564	Jhedachg.exe
2848	Jdlefd32.exe
1420	Jelbqg32.exe
2360	Khlkba32.exe
1296	Kfgedkko.exe
108	Kfiajj32.exe
2448	Kcmbco32.exe
1344	Lfnkejeg.exe

Loads dropped DLL 42 IoCs

pid	Process
1568	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
1568	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
2032	Gqenfc32.exe
2032	Gqenfc32.exe
2096	Gjmbohhl.exe
2096	Gjmbohhl.exe
2060	Gqgjlb32.exe
2060	Gqgjlb32.exe
2736	Hjdhpg32.exe
2736	Hjdhpg32.exe
2656	Hpcnmnnh.exe
2656	Hpcnmnnh.exe
2676	Hilbfc32.exe
2676	Hilbfc32.exe
2572	Ieepad32.exe
2572	Ieepad32.exe
2884	Idjlbqmb.exe
2884	Idjlbqmb.exe
2160	Ipqmgbbf.exe
2160	Ipqmgbbf.exe
1740	Iiiapg32.exe
1740	Iiiapg32.exe
1788	Jiphpf32.exe
1788	Jiphpf32.exe
564	Jhedachg.exe
564	Jhedachg.exe
2848	Jdlefd32.exe
2848	Jdlefd32.exe
1420	Jelbqg32.exe
1420	Jelbqg32.exe
2360	Khlkba32.exe
2360	Khlkba32.exe
1296	Kfgedkko.exe
1296	Kfgedkko.exe
108	Kfiajj32.exe
108	Kfiajj32.exe
2448	Kcmbco32.exe
2448	Kcmbco32.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe
1400	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jiphpf32.exe	Iiiapg32.exe
File created	C:\Windows\SysWOW64\Khlkba32.exe	Jelbqg32.exe
File created	C:\Windows\SysWOW64\Kfgedkko.exe	Khlkba32.exe
File created	C:\Windows\SysWOW64\Kcmbco32.exe	Kfiajj32.exe
File created	C:\Windows\SysWOW64\Bjfiajnd.dll	Jdlefd32.exe
File created	C:\Windows\SysWOW64\Gqenfc32.exe	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
File opened for modification	C:\Windows\SysWOW64\Hpcnmnnh.exe	Hjdhpg32.exe
File opened for modification	C:\Windows\SysWOW64\Idjlbqmb.exe	Ieepad32.exe
File opened for modification	C:\Windows\SysWOW64\Jdlefd32.exe	Jhedachg.exe
File opened for modification	C:\Windows\SysWOW64\Ipqmgbbf.exe	Idjlbqmb.exe
File opened for modification	C:\Windows\SysWOW64\Lfnkejeg.exe	Kcmbco32.exe
File opened for modification	C:\Windows\SysWOW64\Gqgjlb32.exe	Gjmbohhl.exe
File created	C:\Windows\SysWOW64\Iiiapg32.exe	Ipqmgbbf.exe
File opened for modification	C:\Windows\SysWOW64\Kfgedkko.exe	Khlkba32.exe
File created	C:\Windows\SysWOW64\Hoglkk32.dll	Gqenfc32.exe
File created	C:\Windows\SysWOW64\Bffhjdki.dll	Gjmbohhl.exe
File created	C:\Windows\SysWOW64\Ieepad32.exe	Hilbfc32.exe
File created	C:\Windows\SysWOW64\Jdlefd32.exe	Jhedachg.exe
File created	C:\Windows\SysWOW64\Ibfdea32.dll	Idjlbqmb.exe
File created	C:\Windows\SysWOW64\Aloffcdo.dll	Jiphpf32.exe
File created	C:\Windows\SysWOW64\Kfiajj32.exe	Kfgedkko.exe
File created	C:\Windows\SysWOW64\Hdiekq32.dll	Kfiajj32.exe
File created	C:\Windows\SysWOW64\Odeiddnh.dll	Gqgjlb32.exe
File created	C:\Windows\SysWOW64\Pmnfmdnb.dll	Hjdhpg32.exe
File created	C:\Windows\SysWOW64\Ionahd32.dll	Kcmbco32.exe
File created	C:\Windows\SysWOW64\Nmmldbkc.dll	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
File created	C:\Windows\SysWOW64\Anegij32.dll	Hilbfc32.exe
File created	C:\Windows\SysWOW64\Fkgbgine.dll	Iiiapg32.exe
File opened for modification	C:\Windows\SysWOW64\Khlkba32.exe	Jelbqg32.exe
File created	C:\Windows\SysWOW64\Gjmbohhl.exe	Gqenfc32.exe
File created	C:\Windows\SysWOW64\Hjdhpg32.exe	Gqgjlb32.exe
File created	C:\Windows\SysWOW64\Jiphpf32.exe	Iiiapg32.exe
File created	C:\Windows\SysWOW64\Hpcnmnnh.exe	Hjdhpg32.exe
File created	C:\Windows\SysWOW64\Bamnjpji.dll	Jelbqg32.exe
File opened for modification	C:\Windows\SysWOW64\Kfiajj32.exe	Kfgedkko.exe
File created	C:\Windows\SysWOW64\Hilbfc32.exe	Hpcnmnnh.exe
File opened for modification	C:\Windows\SysWOW64\Ieepad32.exe	Hilbfc32.exe
File created	C:\Windows\SysWOW64\Jhedachg.exe	Jiphpf32.exe
File created	C:\Windows\SysWOW64\Mgnbnj32.dll	Kfgedkko.exe
File created	C:\Windows\SysWOW64\Gqgjlb32.exe	Gjmbohhl.exe
File created	C:\Windows\SysWOW64\Bfnaaj32.dll	Ieepad32.exe
File created	C:\Windows\SysWOW64\Hneogj32.dll	Khlkba32.exe
File opened for modification	C:\Windows\SysWOW64\Jhedachg.exe	Jiphpf32.exe
File created	C:\Windows\SysWOW64\Pfbkplni.dll	Jhedachg.exe
File opened for modification	C:\Windows\SysWOW64\Jelbqg32.exe	Jdlefd32.exe
File created	C:\Windows\SysWOW64\Lfnkejeg.exe	Kcmbco32.exe
File opened for modification	C:\Windows\SysWOW64\Gqenfc32.exe	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
File opened for modification	C:\Windows\SysWOW64\Hilbfc32.exe	Hpcnmnnh.exe
File created	C:\Windows\SysWOW64\Jcknnonh.dll	Hpcnmnnh.exe
File created	C:\Windows\SysWOW64\Idjlbqmb.exe	Ieepad32.exe
File opened for modification	C:\Windows\SysWOW64\Hjdhpg32.exe	Gqgjlb32.exe
File opened for modification	C:\Windows\SysWOW64\Kcmbco32.exe	Kfiajj32.exe
File created	C:\Windows\SysWOW64\Jelbqg32.exe	Jdlefd32.exe
File opened for modification	C:\Windows\SysWOW64\Gjmbohhl.exe	Gqenfc32.exe
File created	C:\Windows\SysWOW64\Ipqmgbbf.exe	Idjlbqmb.exe
File opened for modification	C:\Windows\SysWOW64\Iiiapg32.exe	Ipqmgbbf.exe
File created	C:\Windows\SysWOW64\Hcpphd32.dll	Ipqmgbbf.exe

Program crash 1 IoCs

pid	pid_target	Process
1400	1344	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjmbohhl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hilbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhedachg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdlefd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khlkba32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfgedkko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfnkejeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqenfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idjlbqmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqgjlb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjdhpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hpcnmnnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieepad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jiphpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelbqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfiajj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcmbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipqmgbbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iiiapg32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnaaj32.dll"	Ieepad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneogj32.dll"	Khlkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khlkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfiajj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionahd32.dll"	Kcmbco32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipqmgbbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiiapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgbgine.dll"	Iiiapg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aloffcdo.dll"	Jiphpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhedachg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpcnmnnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieepad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieepad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hilbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipqmgbbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqenfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjdhpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnfmdnb.dll"	Hjdhpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqgjlb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpphd32.dll"	Ipqmgbbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdiekq32.dll"	Kfiajj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdlefd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjfiajnd.dll"	Jdlefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcmbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoglkk32.dll"	Gqenfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqgjlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idjlbqmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfbkplni.dll"	Jhedachg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kcmbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfdea32.dll"	Idjlbqmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iiiapg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jelbqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gqenfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jelbqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anegij32.dll"	Hilbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdlefd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khlkba32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmldbkc.dll"	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjmbohhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjmbohhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjdhpg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jiphpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfiajj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiphpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhedachg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfgedkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bffhjdki.dll"	Gjmbohhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idjlbqmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfgedkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnbnj32.dll"	Kfgedkko.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odeiddnh.dll"	Gqgjlb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpcnmnnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcknnonh.dll"	Hpcnmnnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hilbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bamnjpji.dll"	Jelbqg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2032	1568	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe	29
PID 1568 wrote to memory of 2032	1568	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe	29
PID 1568 wrote to memory of 2032	1568	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe	29
PID 1568 wrote to memory of 2032	1568	a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe	29
PID 2032 wrote to memory of 2096	2032	Gqenfc32.exe	30
PID 2032 wrote to memory of 2096	2032	Gqenfc32.exe	30
PID 2032 wrote to memory of 2096	2032	Gqenfc32.exe	30
PID 2032 wrote to memory of 2096	2032	Gqenfc32.exe	30
PID 2096 wrote to memory of 2060	2096	Gjmbohhl.exe	31
PID 2096 wrote to memory of 2060	2096	Gjmbohhl.exe	31
PID 2096 wrote to memory of 2060	2096	Gjmbohhl.exe	31
PID 2096 wrote to memory of 2060	2096	Gjmbohhl.exe	31
PID 2060 wrote to memory of 2736	2060	Gqgjlb32.exe	32
PID 2060 wrote to memory of 2736	2060	Gqgjlb32.exe	32
PID 2060 wrote to memory of 2736	2060	Gqgjlb32.exe	32
PID 2060 wrote to memory of 2736	2060	Gqgjlb32.exe	32
PID 2736 wrote to memory of 2656	2736	Hjdhpg32.exe	33
PID 2736 wrote to memory of 2656	2736	Hjdhpg32.exe	33
PID 2736 wrote to memory of 2656	2736	Hjdhpg32.exe	33
PID 2736 wrote to memory of 2656	2736	Hjdhpg32.exe	33
PID 2656 wrote to memory of 2676	2656	Hpcnmnnh.exe	34
PID 2656 wrote to memory of 2676	2656	Hpcnmnnh.exe	34
PID 2656 wrote to memory of 2676	2656	Hpcnmnnh.exe	34
PID 2656 wrote to memory of 2676	2656	Hpcnmnnh.exe	34
PID 2676 wrote to memory of 2572	2676	Hilbfc32.exe	35
PID 2676 wrote to memory of 2572	2676	Hilbfc32.exe	35
PID 2676 wrote to memory of 2572	2676	Hilbfc32.exe	35
PID 2676 wrote to memory of 2572	2676	Hilbfc32.exe	35
PID 2572 wrote to memory of 2884	2572	Ieepad32.exe	36
PID 2572 wrote to memory of 2884	2572	Ieepad32.exe	36
PID 2572 wrote to memory of 2884	2572	Ieepad32.exe	36
PID 2572 wrote to memory of 2884	2572	Ieepad32.exe	36
PID 2884 wrote to memory of 2160	2884	Idjlbqmb.exe	37
PID 2884 wrote to memory of 2160	2884	Idjlbqmb.exe	37
PID 2884 wrote to memory of 2160	2884	Idjlbqmb.exe	37
PID 2884 wrote to memory of 2160	2884	Idjlbqmb.exe	37
PID 2160 wrote to memory of 1740	2160	Ipqmgbbf.exe	38
PID 2160 wrote to memory of 1740	2160	Ipqmgbbf.exe	38
PID 2160 wrote to memory of 1740	2160	Ipqmgbbf.exe	38
PID 2160 wrote to memory of 1740	2160	Ipqmgbbf.exe	38
PID 1740 wrote to memory of 1788	1740	Iiiapg32.exe	39
PID 1740 wrote to memory of 1788	1740	Iiiapg32.exe	39
PID 1740 wrote to memory of 1788	1740	Iiiapg32.exe	39
PID 1740 wrote to memory of 1788	1740	Iiiapg32.exe	39
PID 1788 wrote to memory of 564	1788	Jiphpf32.exe	40
PID 1788 wrote to memory of 564	1788	Jiphpf32.exe	40
PID 1788 wrote to memory of 564	1788	Jiphpf32.exe	40
PID 1788 wrote to memory of 564	1788	Jiphpf32.exe	40
PID 564 wrote to memory of 2848	564	Jhedachg.exe	41
PID 564 wrote to memory of 2848	564	Jhedachg.exe	41
PID 564 wrote to memory of 2848	564	Jhedachg.exe	41
PID 564 wrote to memory of 2848	564	Jhedachg.exe	41
PID 2848 wrote to memory of 1420	2848	Jdlefd32.exe	42
PID 2848 wrote to memory of 1420	2848	Jdlefd32.exe	42
PID 2848 wrote to memory of 1420	2848	Jdlefd32.exe	42
PID 2848 wrote to memory of 1420	2848	Jdlefd32.exe	42
PID 1420 wrote to memory of 2360	1420	Jelbqg32.exe	43
PID 1420 wrote to memory of 2360	1420	Jelbqg32.exe	43
PID 1420 wrote to memory of 2360	1420	Jelbqg32.exe	43
PID 1420 wrote to memory of 2360	1420	Jelbqg32.exe	43
PID 2360 wrote to memory of 1296	2360	Khlkba32.exe	44
PID 2360 wrote to memory of 1296	2360	Khlkba32.exe	44
PID 2360 wrote to memory of 1296	2360	Khlkba32.exe	44
PID 2360 wrote to memory of 1296	2360	Khlkba32.exe	44

C:\Users\Admin\AppData\Local\Temp\a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe
"C:\Users\Admin\AppData\Local\Temp\a9947f84b60f608b18fbc0b90141eac7af87c5df43cf54b140d02a116594f4e5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\Gqenfc32.exe
  C:\Windows\system32\Gqenfc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\Gjmbohhl.exe
    C:\Windows\system32\Gjmbohhl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\Gqgjlb32.exe
      C:\Windows\system32\Gqgjlb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Windows\SysWOW64\Hjdhpg32.exe
        
        C:\Windows\system32\Hjdhpg32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Hpcnmnnh.exe
        
        C:\Windows\system32\Hpcnmnnh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Hilbfc32.exe
        
        C:\Windows\system32\Hilbfc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Ieepad32.exe
        
        C:\Windows\system32\Ieepad32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Idjlbqmb.exe
        
        C:\Windows\system32\Idjlbqmb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ipqmgbbf.exe
        
        C:\Windows\system32\Ipqmgbbf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Iiiapg32.exe
        
        C:\Windows\system32\Iiiapg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Jiphpf32.exe
        
        C:\Windows\system32\Jiphpf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Jhedachg.exe
        
        C:\Windows\system32\Jhedachg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\Jdlefd32.exe
        
        C:\Windows\system32\Jdlefd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Jelbqg32.exe
        
        C:\Windows\system32\Jelbqg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Khlkba32.exe
        
        C:\Windows\system32\Khlkba32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Kfgedkko.exe
        
        C:\Windows\system32\Kfgedkko.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Kfiajj32.exe
        
        C:\Windows\system32\Kfiajj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:108
        
        C:\Windows\SysWOW64\Kcmbco32.exe
        
        C:\Windows\system32\Kcmbco32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Lfnkejeg.exe
        
        C:\Windows\system32\Lfnkejeg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gqenfc32.exe

Filesize
320KB

MD5
ad5a54de06e634b226a738bb222d1a9e

SHA1
deddb60637f5cd767109c20e2e2d35ca2152cc02

SHA256
3d5c6c724707245995c228ff889d539706e66c2a158d1d3e68795a4d82e94d44

SHA512
cbea00dd74091edcf6c1342ae3040253b42b29421a3ece98d160c19cd87bd8d7b63618f19045c6c96de9d3f21d047ef8e39bc648c4a5de2f4030877429a7559f

Download Submit
C:\Windows\SysWOW64\Gqgjlb32.exe

Filesize
320KB

MD5
af778b5234600d6be4ac2269ec88f304

SHA1
36ce8dbe8ea5c694b9af41e76e650f14d3f9fdfc

SHA256
937df7246630f14e940b1c8c5c9a2a50326c3710edcfc00edc446cbdc4e58fd6

SHA512
29b5c4b5015e00d5bcff9df8a69311749c9c71d1c121ebc765b54af256b2f956d112aaff83eec581203c57f8989ee179081366c84e7be6315e14bdc9b2ee26ec

Download Submit
C:\Windows\SysWOW64\Hilbfc32.exe

Filesize
320KB

MD5
b87e24af5c1a380fe560ec77113898d6

SHA1
99e6d297be1c709a5cebc0bec03a523aca170622

SHA256
66393c72bee08c9f54c91fc70c4f851a021f59b9caf1cf0ed1255c34917af2ff

SHA512
54e6b876924c1910e5c4d72f1bff08799976279f83caf39125f054c9a20a133cb82d442f20b68e2f17fe31f5c651f529c0d11301330563cfdc9edd36d746ba06

Download Submit
C:\Windows\SysWOW64\Idjlbqmb.exe

Filesize
320KB

MD5
64ee8dcbbe8856ae02369a0071e2f689

SHA1
572ee3a02737f6b4dc269f73082c4d36a497b516

SHA256
dc5083a9abbb06bda1146f583058f9298872c9291c8e6a38980f64dffeeb9d67

SHA512
eb2dc815f0e8f974c134ab3dcb82e59f27956f9d624d1b582d4312b5b5b4e38da1b358135f5bd0086ba0d8117262042c0822e0f09f4099dd0db6294bd6cec900

Download Submit
C:\Windows\SysWOW64\Iiiapg32.exe

Filesize
320KB

MD5
56143746a82f55d7e002441c80f2e9ad

SHA1
285bd13a7170d557a76c89ec9f299b4243970829

SHA256
1f7e20afe7b3315fecbce0af913a2efb8093939d27b07d8761478ec25bc22942

SHA512
74037feb469761623a2c690285e601a5841fab7d41f4563d0912072ff2ad1681f144b354f6c5fc7f0fd937b8730b279e27ee803d3ce1eda4db2ab3b0e5e878f9

Download Submit
C:\Windows\SysWOW64\Ipqmgbbf.exe

Filesize
320KB

MD5
e1519611e243be6627a09c78d48d991a

SHA1
32332a2b50aee79ab1775d64aa7223f160c83247

SHA256
aa3a7d8d5243df896b9bde7ca5361be025933200bebce3efe37f4ea3c141ea55

SHA512
b7ad4a90989c0e989529141f7f8d371deb6c7af86278857426ac48ef3d321d1a53f1617d74aed34928407d1d4c46d23c0e6855347c1bfcd7277a2844e4d54fc8

Download Submit
C:\Windows\SysWOW64\Jelbqg32.exe

Filesize
320KB

MD5
1f363d95dfd74d28221b6b5dd35cc408

SHA1
6a1fd959b2e626d5e2cc9518c6f94664079b18f1

SHA256
ae5c00c8f4b11c28c1c79dc31608e9f809a158198916e82a48d43ecb56786bbb

SHA512
e9651232629906083f37e3f98d9c65a5db0c9d7b46bc4d93401023c690003e5d45b8e069f9e0a055be64a5a1f1b898579d0e342b27ef33217a1511755d803914

Download Submit
C:\Windows\SysWOW64\Jhedachg.exe

Filesize
320KB

MD5
daa9445a3cb3d8e2228d532a43676a13

SHA1
69e70609523f5a4801b75d0c29174c45cc4bcde2

SHA256
81d6bf08b675f98818a5930ab8a4ec09eb0694d5bf5e349991b08ebe67f652b9

SHA512
417ff307827b57f69dd4b333ee4a1248add39a9f0e857ae7bd72585a67402097a78ab64a9b80150fcfe26c7dc74a0f97f3e4d48b04eba12de3fdced7220a135d

Download Submit
C:\Windows\SysWOW64\Kcmbco32.exe

Filesize
320KB

MD5
08d2e371c49ff6bf5fd982827fa970dd

SHA1
a848091604944933ceac57cd8eee007749f76f45

SHA256
7f21797e25e1a4c230f53953b6ce84200261b9616439949359b5f74e4a4aa3a3

SHA512
c3223a87276067f250ac0c243fd974743e5c472ce5f763360e776bc46609c9efa8d0466ba8a0e3e9984b3e36a2b6f0059d7cc897894a88705cd884413b503fd6

Download Submit
C:\Windows\SysWOW64\Kfiajj32.exe

Filesize
320KB

MD5
91efc0387b3835c2806870334b250f95

SHA1
366bc806d12e2f7abb05147b7ead568a4a43286f

SHA256
28014fe707620c9666ad5ed03b17d30bfabb3bf0d3f13c0341c1c2ffcc9d13e4

SHA512
dc9d1925b11447246d55fd246f6fe284e070c7214303403c54758b8163456abdc836cc4645a5876bc1c8dd041fed0671b074f2dc34743b60c3520dbd693e2d30

Download Submit
C:\Windows\SysWOW64\Lfnkejeg.exe

Filesize
320KB

MD5
1103423a47bbd4802582ec7feadf774c

SHA1
a1cc2016830e0f397c98cdcda735d90dd0768b41

SHA256
f00f12d78b3964dc05951d595c198fda4acd731c85c7c16831211a576b81d915

SHA512
ff9b3db3e8187a86ddf7a280be38a8f1122326993a8bcd38daeb1d9557f11a7e4e2af054ce159b1adcebae4271f77d1cbb64ff40d8a09afc7fc4d66b2be44365

Download Submit
\Windows\SysWOW64\Gjmbohhl.exe

Filesize
320KB

MD5
d54b602a71c10d79f436cb43d8893f1d

SHA1
1d096387931a19a8f5152911dccda26f480b11b8

SHA256
f969fc3fb82491ea4443116addd0362f13b6628d4c7d05e2499b6eb81b56f79c

SHA512
9b3b6f3c5c0ade6d03530d044dfcf19a5271f45c1f5581d8a73a3882c6a67ec836fc682d0d199f575b8c107d8c0fbf8c2c0fa3b0bac9366fb41d2cf9c84ddd76

Download Submit
\Windows\SysWOW64\Hjdhpg32.exe

Filesize
320KB

MD5
d8b04d45e3508f2078f1862a0a22e5bf

SHA1
983b21165cc9a83382fe63e1cdd7d7fb6cab9408

SHA256
7ae1879015cae8ffccc9c40b1a4d1f0c055110343f8ecef7bc586d16f4944c0f

SHA512
2b3ff7663aa1a2b9c9e11fad6157f177b20eb5b5f6098628fb7edc5c239cf806f34ea47e0235d936b533145753d2411d8a20580d5f4cc39d506fb6a40658e8ca

Download Submit
\Windows\SysWOW64\Hpcnmnnh.exe

Filesize
320KB

MD5
2e94ae565e912ca2ba15ac30191f093a

SHA1
44258a4e4d9818031f25303e3ce388aed65ef107

SHA256
28b96950536a9e3874f4f79bf4311817e74671f80ba23caedd95902566bc022b

SHA512
c069408be480d2577333ec79a9aee281bb159020974da68f997261b7b3d7394095451e57e23b1c22810669eed3ddf8eac922c5a534e0db57ecb72a0196ad9a10

Download Submit
\Windows\SysWOW64\Ieepad32.exe

Filesize
320KB

MD5
4b8e69c035ec650a9eb9999bcacc98fa

SHA1
28844e40c1a2234a60f07948aba3f9b728603ab6

SHA256
e798540b23380123db9b25ca2a2e4fc6a7b8b9b0266268ad765d98fb5dc7e2a3

SHA512
72c4438a612a96d7e6084dd21218584d07789e93b0253654dd575b241bb05bf623fbeb85bec286a826dad89aa55921499b197d8f5c990662e5b574dd22c90d74

Download Submit
\Windows\SysWOW64\Jdlefd32.exe

Filesize
320KB

MD5
fa2328a5b99799d49d9b59f78940a0ef

SHA1
f2d9a76ce23a09ee20c678d91b4bc9a0e1845beb

SHA256
897399e6ec8425d9bf412e3caa996254ceca05cda373485939e239cb02c745a6

SHA512
daddc3cc0a766871a6057dc3184845ad0868243c80d2f7a60f9a1eac41d80af56f3b073d1784ba244da791c43687ff30357583584758f24d48875bbdca88ef2b

Download Submit
\Windows\SysWOW64\Jiphpf32.exe

Filesize
320KB

MD5
af005e4db28c313b4a7fd1f2639f73c8

SHA1
b62f90a7f431e20df2ab5eb2957c15fa5ec68136

SHA256
5658e745795988a77f0dda061b9017b2a5ec395d3a193cd85d2075ac55571966

SHA512
e5727903da61b2f58f6ffe51c32024442d5b7501056450bb145cd161ea4326d02259edee3f9b45f90c0fbf4eda2c6bbef2a6dcbcc3eb3505f19a2851d1f02b21

Download Submit
\Windows\SysWOW64\Kfgedkko.exe

Filesize
320KB

MD5
bb173087196e2c5331cb2572969feabf

SHA1
bb72ba32c45293ac31d54dc355c6c19cf34179fd

SHA256
4b59366c9f297145df2bc77cd8c68a0c13a6ca08d13fbd499d3e6450c8150ef4

SHA512
617585ab9d4df321866006f8e06cf63be71834ad5eb78f9efdb9caf4219436636cdae8cdfe76e12898955615841202b1e7d97bc3fc392c5196da6e1dfdda1e82

Download Submit
\Windows\SysWOW64\Khlkba32.exe

Filesize
320KB

MD5
193edb136501d8eb0b901f4c9dcb591d

SHA1
a6ffa4339f7b553e717de5814d508ac003d4376a

SHA256
2ac171d8438865ea9befb82bb00cb4851818777288440c4a9048858e6a4a6b74

SHA512
9b60a4737fdb1e7b54b1f1cea62c03a6bc9637f11aa9f8d18ced8429b818de21bdb96c96fa5a2993465fc1c79f8eccbbfe6123f0454db7a33ca230f9c1f1bae2

Download Submit
memory/108-245-0x00000000003A0000-0x00000000003FC000-memory.dmp

Filesize
368KB

Download
memory/108-345-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/108-241-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/564-178-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/564-177-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/564-331-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1296-229-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1296-343-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1296-235-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/1296-234-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/1344-256-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1344-354-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1420-339-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1420-203-0x00000000003A0000-0x00000000003FC000-memory.dmp

Filesize
368KB

Download
memory/1420-195-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1420-208-0x00000000003A0000-0x00000000003FC000-memory.dmp

Filesize
368KB

Download
memory/1568-301-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1568-18-0x00000000002D0000-0x000000000032C000-memory.dmp

Filesize
368KB

Download
memory/1568-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1568-298-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1568-17-0x00000000002D0000-0x000000000032C000-memory.dmp

Filesize
368KB

Download
memory/1740-149-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/1740-327-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1740-137-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1788-164-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/1788-160-0x00000000002F0000-0x000000000034C000-memory.dmp

Filesize
368KB

Download
memory/1788-329-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1788-151-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-305-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2032-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2060-309-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2060-53-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2060-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2096-39-0x0000000000230000-0x000000000028C000-memory.dmp

Filesize
368KB

Download
memory/2096-307-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2096-27-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2160-325-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2160-131-0x00000000002C0000-0x000000000031C000-memory.dmp

Filesize
368KB

Download
memory/2360-222-0x00000000004D0000-0x000000000052C000-memory.dmp

Filesize
368KB

Download
memory/2360-210-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2360-341-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2448-252-0x00000000002C0000-0x000000000031C000-memory.dmp

Filesize
368KB

Download
memory/2448-347-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2448-246-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2572-96-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2572-104-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2572-321-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-81-0x00000000002D0000-0x000000000032C000-memory.dmp

Filesize
368KB

Download
memory/2656-68-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2656-313-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2676-94-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2676-315-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2676-82-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2736-311-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2736-66-0x0000000000220000-0x000000000027C000-memory.dmp

Filesize
368KB

Download
memory/2848-333-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-184-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2848-193-0x00000000002C0000-0x000000000031C000-memory.dmp

Filesize
368KB

Download
memory/2848-192-0x00000000002C0000-0x000000000031C000-memory.dmp

Filesize
368KB

Download
memory/2884-323-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2884-122-0x00000000002E0000-0x000000000033C000-memory.dmp

Filesize
368KB

Download
memory/2884-110-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads