bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Size

443KB
MD5

bfcd8b6886e20c1180de613273c0fa40
SHA1

9ffb744119754796b0f4b1a8687cc2cd0f698f33
SHA256

bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311
SHA512

f4172e810f01eb22899662ef78b579bfc1308e3337b5a3c88fe0d2eec2836172e1b2257dc430c3575f15b474585ab813d03905a776062c4189414a744180a983
SSDEEP

6144:oaVNY04sW7zeXmRL13n4GAI13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwszeXmOs:oY74Z1J1HJ1Uj+HiPj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libjncnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hclfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibacbcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iebldo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ladebd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lofifi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibacbcgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjfnnajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kidjdpie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lofifi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kidjdpie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lidgcclp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kablnadm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ladebd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hclfag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hqnjek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe

Executes dropped EXE 33 IoCs

pid	Process
2724	Hifbdnbi.exe
2820	Hqnjek32.exe
2948	Hclfag32.exe
2756	Hjfnnajl.exe
2628	Ikgkei32.exe
1356	Ibacbcgg.exe
1928	Imggplgm.exe
2972	Iebldo32.exe
1936	Igqhpj32.exe
1472	Jikhnaao.exe
760	Jcqlkjae.exe
1840	Jfohgepi.exe
1344	Jmipdo32.exe
1040	Jllqplnp.exe
2404	Kbjbge32.exe
1364	Kidjdpie.exe
924	Kmfpmc32.exe
1804	Kablnadm.exe
1544	Kkjpggkn.exe
1992	Kmimcbja.exe
808	Kpgionie.exe
2992	Kipmhc32.exe
1780	Kpieengb.exe
2252	Kbhbai32.exe
2824	Libjncnc.exe
2624	Lidgcclp.exe
2788	Lpnopm32.exe
1720	Lcmklh32.exe
2028	Lhiddoph.exe
644	Loclai32.exe
2716	Lofifi32.exe
2636	Ladebd32.exe
2056	Lepaccmo.exe

Loads dropped DLL 64 IoCs

pid	Process
2256	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
2256	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
2724	Hifbdnbi.exe
2724	Hifbdnbi.exe
2820	Hqnjek32.exe
2820	Hqnjek32.exe
2948	Hclfag32.exe
2948	Hclfag32.exe
2756	Hjfnnajl.exe
2756	Hjfnnajl.exe
2628	Ikgkei32.exe
2628	Ikgkei32.exe
1356	Ibacbcgg.exe
1356	Ibacbcgg.exe
1928	Imggplgm.exe
1928	Imggplgm.exe
2972	Iebldo32.exe
2972	Iebldo32.exe
1936	Igqhpj32.exe
1936	Igqhpj32.exe
1472	Jikhnaao.exe
1472	Jikhnaao.exe
760	Jcqlkjae.exe
760	Jcqlkjae.exe
1840	Jfohgepi.exe
1840	Jfohgepi.exe
1344	Jmipdo32.exe
1344	Jmipdo32.exe
1040	Jllqplnp.exe
1040	Jllqplnp.exe
2404	Kbjbge32.exe
2404	Kbjbge32.exe
1364	Kidjdpie.exe
1364	Kidjdpie.exe
924	Kmfpmc32.exe
924	Kmfpmc32.exe
1804	Kablnadm.exe
1804	Kablnadm.exe
1544	Kkjpggkn.exe
1544	Kkjpggkn.exe
1992	Kmimcbja.exe
1992	Kmimcbja.exe
808	Kpgionie.exe
808	Kpgionie.exe
2992	Kipmhc32.exe
2992	Kipmhc32.exe
1780	Kpieengb.exe
1780	Kpieengb.exe
2252	Kbhbai32.exe
2252	Kbhbai32.exe
2824	Libjncnc.exe
2824	Libjncnc.exe
2624	Lidgcclp.exe
2624	Lidgcclp.exe
2788	Lpnopm32.exe
2788	Lpnopm32.exe
1720	Lcmklh32.exe
1720	Lcmklh32.exe
2028	Lhiddoph.exe
2028	Lhiddoph.exe
644	Loclai32.exe
644	Loclai32.exe
2716	Lofifi32.exe
2716	Lofifi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kpgionie.exe
File created	C:\Windows\SysWOW64\Bndneq32.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Lpnopm32.exe
File created	C:\Windows\SysWOW64\Loclai32.exe	Lhiddoph.exe
File opened for modification	C:\Windows\SysWOW64\Hifbdnbi.exe	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
File created	C:\Windows\SysWOW64\Ogbogkjn.dll	Iebldo32.exe
File created	C:\Windows\SysWOW64\Qmeedp32.dll	Igqhpj32.exe
File created	C:\Windows\SysWOW64\Oopqjabc.dll	Loclai32.exe
File created	C:\Windows\SysWOW64\Hbppfnao.dll	Lofifi32.exe
File created	C:\Windows\SysWOW64\Ffbpca32.dll	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Kjpndcho.dll	Kmfpmc32.exe
File created	C:\Windows\SysWOW64\Kkjpggkn.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Libjncnc.exe	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File created	C:\Windows\SysWOW64\Hjfnnajl.exe	Hclfag32.exe
File opened for modification	C:\Windows\SysWOW64\Igqhpj32.exe	Iebldo32.exe
File created	C:\Windows\SysWOW64\Kmimcbja.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Kpgionie.exe	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Jbdhhp32.dll	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Lidgcclp.exe	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Lhiddoph.exe	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Ladebd32.exe
File opened for modification	C:\Windows\SysWOW64\Jfohgepi.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Jfohgepi.exe
File created	C:\Windows\SysWOW64\Kidjdpie.exe	Kbjbge32.exe
File created	C:\Windows\SysWOW64\Iebldo32.exe	Imggplgm.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jllqplnp.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Ghcmae32.dll	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
File created	C:\Windows\SysWOW64\Ibacbcgg.exe	Ikgkei32.exe
File opened for modification	C:\Windows\SysWOW64\Imggplgm.exe	Ibacbcgg.exe
File created	C:\Windows\SysWOW64\Agpqch32.dll	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Ikgkei32.exe	Hjfnnajl.exe
File opened for modification	C:\Windows\SysWOW64\Jcqlkjae.exe	Jikhnaao.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Kidjdpie.exe
File opened for modification	C:\Windows\SysWOW64\Lpnopm32.exe	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Kkjpggkn.exe	Kablnadm.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Dneoankp.dll	Libjncnc.exe
File opened for modification	C:\Windows\SysWOW64\Kmimcbja.exe	Kkjpggkn.exe
File created	C:\Windows\SysWOW64\Ipbkjl32.dll	Kbhbai32.exe
File created	C:\Windows\SysWOW64\Dllqqh32.dll	Lidgcclp.exe
File opened for modification	C:\Windows\SysWOW64\Ladebd32.exe	Lofifi32.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Ladebd32.exe
File created	C:\Windows\SysWOW64\Pncadjah.dll	Hqnjek32.exe
File opened for modification	C:\Windows\SysWOW64\Ibacbcgg.exe	Ikgkei32.exe
File created	C:\Windows\SysWOW64\Aiomcb32.dll	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Jmipdo32.exe	Jfohgepi.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Dnhanebc.dll	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File opened for modification	C:\Windows\SysWOW64\Lofifi32.exe	Loclai32.exe
File created	C:\Windows\SysWOW64\Hqnjek32.exe	Hifbdnbi.exe
File created	C:\Windows\SysWOW64\Chpmbe32.dll	Hclfag32.exe
File created	C:\Windows\SysWOW64\Jfohgepi.exe	Jcqlkjae.exe
File created	C:\Windows\SysWOW64\Ladebd32.exe	Lofifi32.exe
File created	C:\Windows\SysWOW64\Kmkoadgf.dll	Ibacbcgg.exe
File opened for modification	C:\Windows\SysWOW64\Kablnadm.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhbai32.exe	Kpieengb.exe
File opened for modification	C:\Windows\SysWOW64\Loclai32.exe	Lhiddoph.exe
File created	C:\Windows\SysWOW64\Hifbdnbi.exe	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
File created	C:\Windows\SysWOW64\Dllmckbg.dll	Hifbdnbi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2032	2056	WerFault.exe	63

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikgkei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibacbcgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jikhnaao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hqnjek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcqlkjae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lofifi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imggplgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kablnadm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ladebd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hifbdnbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjfnnajl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfohgepi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loclai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkjpggkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbhbai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lidgcclp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhiddoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hclfag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iebldo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libjncnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Igqhpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kidjdpie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpgionie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll"	Jfohgepi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbhbai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopqjabc.dll"	Loclai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmiflpof.dll"	Hjfnnajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll"	Jikhnaao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcqlkjae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhiddoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Ladebd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hifbdnbi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hqnjek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Igqhpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcqlkjae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll"	Kkjpggkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbhbai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dneoankp.dll"	Libjncnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpqch32.dll"	Lhiddoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lofifi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpmbe32.dll"	Hclfag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbpca32.dll"	Ikgkei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imggplgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiomcb32.dll"	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkoadgf.dll"	Ibacbcgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll"	Kmfpmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkjpggkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnde32.dll"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmdeem32.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcmae32.dll"	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllmckbg.dll"	Hifbdnbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjfnnajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imggplgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jikhnaao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libjncnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loclai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ladebd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjfnnajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfohgepi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpgionie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbppfnao.dll"	Lofifi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2724	2256	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe	31
PID 2256 wrote to memory of 2724	2256	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe	31
PID 2256 wrote to memory of 2724	2256	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe	31
PID 2256 wrote to memory of 2724	2256	bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe	31
PID 2724 wrote to memory of 2820	2724	Hifbdnbi.exe	32
PID 2724 wrote to memory of 2820	2724	Hifbdnbi.exe	32
PID 2724 wrote to memory of 2820	2724	Hifbdnbi.exe	32
PID 2724 wrote to memory of 2820	2724	Hifbdnbi.exe	32
PID 2820 wrote to memory of 2948	2820	Hqnjek32.exe	33
PID 2820 wrote to memory of 2948	2820	Hqnjek32.exe	33
PID 2820 wrote to memory of 2948	2820	Hqnjek32.exe	33
PID 2820 wrote to memory of 2948	2820	Hqnjek32.exe	33
PID 2948 wrote to memory of 2756	2948	Hclfag32.exe	34
PID 2948 wrote to memory of 2756	2948	Hclfag32.exe	34
PID 2948 wrote to memory of 2756	2948	Hclfag32.exe	34
PID 2948 wrote to memory of 2756	2948	Hclfag32.exe	34
PID 2756 wrote to memory of 2628	2756	Hjfnnajl.exe	35
PID 2756 wrote to memory of 2628	2756	Hjfnnajl.exe	35
PID 2756 wrote to memory of 2628	2756	Hjfnnajl.exe	35
PID 2756 wrote to memory of 2628	2756	Hjfnnajl.exe	35
PID 2628 wrote to memory of 1356	2628	Ikgkei32.exe	36
PID 2628 wrote to memory of 1356	2628	Ikgkei32.exe	36
PID 2628 wrote to memory of 1356	2628	Ikgkei32.exe	36
PID 2628 wrote to memory of 1356	2628	Ikgkei32.exe	36
PID 1356 wrote to memory of 1928	1356	Ibacbcgg.exe	37
PID 1356 wrote to memory of 1928	1356	Ibacbcgg.exe	37
PID 1356 wrote to memory of 1928	1356	Ibacbcgg.exe	37
PID 1356 wrote to memory of 1928	1356	Ibacbcgg.exe	37
PID 1928 wrote to memory of 2972	1928	Imggplgm.exe	38
PID 1928 wrote to memory of 2972	1928	Imggplgm.exe	38
PID 1928 wrote to memory of 2972	1928	Imggplgm.exe	38
PID 1928 wrote to memory of 2972	1928	Imggplgm.exe	38
PID 2972 wrote to memory of 1936	2972	Iebldo32.exe	39
PID 2972 wrote to memory of 1936	2972	Iebldo32.exe	39
PID 2972 wrote to memory of 1936	2972	Iebldo32.exe	39
PID 2972 wrote to memory of 1936	2972	Iebldo32.exe	39
PID 1936 wrote to memory of 1472	1936	Igqhpj32.exe	40
PID 1936 wrote to memory of 1472	1936	Igqhpj32.exe	40
PID 1936 wrote to memory of 1472	1936	Igqhpj32.exe	40
PID 1936 wrote to memory of 1472	1936	Igqhpj32.exe	40
PID 1472 wrote to memory of 760	1472	Jikhnaao.exe	41
PID 1472 wrote to memory of 760	1472	Jikhnaao.exe	41
PID 1472 wrote to memory of 760	1472	Jikhnaao.exe	41
PID 1472 wrote to memory of 760	1472	Jikhnaao.exe	41
PID 760 wrote to memory of 1840	760	Jcqlkjae.exe	42
PID 760 wrote to memory of 1840	760	Jcqlkjae.exe	42
PID 760 wrote to memory of 1840	760	Jcqlkjae.exe	42
PID 760 wrote to memory of 1840	760	Jcqlkjae.exe	42
PID 1840 wrote to memory of 1344	1840	Jfohgepi.exe	43
PID 1840 wrote to memory of 1344	1840	Jfohgepi.exe	43
PID 1840 wrote to memory of 1344	1840	Jfohgepi.exe	43
PID 1840 wrote to memory of 1344	1840	Jfohgepi.exe	43
PID 1344 wrote to memory of 1040	1344	Jmipdo32.exe	44
PID 1344 wrote to memory of 1040	1344	Jmipdo32.exe	44
PID 1344 wrote to memory of 1040	1344	Jmipdo32.exe	44
PID 1344 wrote to memory of 1040	1344	Jmipdo32.exe	44
PID 1040 wrote to memory of 2404	1040	Jllqplnp.exe	45
PID 1040 wrote to memory of 2404	1040	Jllqplnp.exe	45
PID 1040 wrote to memory of 2404	1040	Jllqplnp.exe	45
PID 1040 wrote to memory of 2404	1040	Jllqplnp.exe	45
PID 2404 wrote to memory of 1364	2404	Kbjbge32.exe	46
PID 2404 wrote to memory of 1364	2404	Kbjbge32.exe	46
PID 2404 wrote to memory of 1364	2404	Kbjbge32.exe	46
PID 2404 wrote to memory of 1364	2404	Kbjbge32.exe	46

C:\Users\Admin\AppData\Local\Temp\bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe
"C:\Users\Admin\AppData\Local\Temp\bc2df7a827cfc920d5a44e1318172461498b24d2a430d24bdbc5c5cbc20d7311N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\Hifbdnbi.exe
  C:\Windows\system32\Hifbdnbi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\Hqnjek32.exe
    C:\Windows\system32\Hqnjek32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\Hclfag32.exe
      C:\Windows\system32\Hclfag32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\SysWOW64\Hjfnnajl.exe
        
        C:\Windows\system32\Hjfnnajl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Ikgkei32.exe
        
        C:\Windows\system32\Ikgkei32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Ibacbcgg.exe
        
        C:\Windows\system32\Ibacbcgg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Imggplgm.exe
        
        C:\Windows\system32\Imggplgm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Iebldo32.exe
        
        C:\Windows\system32\Iebldo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Igqhpj32.exe
        
        C:\Windows\system32\Igqhpj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Jikhnaao.exe
        
        C:\Windows\system32\Jikhnaao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Jcqlkjae.exe
        
        C:\Windows\system32\Jcqlkjae.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Jfohgepi.exe
        
        C:\Windows\system32\Jfohgepi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Kidjdpie.exe
        
        C:\Windows\system32\Kidjdpie.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\Kablnadm.exe
        
        C:\Windows\system32\Kablnadm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\Kkjpggkn.exe
        
        C:\Windows\system32\Kkjpggkn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Kmimcbja.exe
        
        C:\Windows\system32\Kmimcbja.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Kpgionie.exe
        
        C:\Windows\system32\Kpgionie.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Kbhbai32.exe
        
        C:\Windows\system32\Kbhbai32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Libjncnc.exe
        
        C:\Windows\system32\Libjncnc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Lidgcclp.exe
        
        C:\Windows\system32\Lidgcclp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\Lpnopm32.exe
        
        C:\Windows\system32\Lpnopm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2788
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Lhiddoph.exe
        
        C:\Windows\system32\Lhiddoph.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Loclai32.exe
        
        C:\Windows\system32\Loclai32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:644
        
        C:\Windows\SysWOW64\Lofifi32.exe
        
        C:\Windows\system32\Lofifi32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Ladebd32.exe
        
        C:\Windows\system32\Ladebd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 140
        35⤵
        Program crash
        
        PID:2032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hjfnnajl.exe

Filesize
443KB

MD5
29b2122e0c0cac02efcf327ce4316a72

SHA1
c5bc03b4d31cd5c53067fffbaafb02ece7209969

SHA256
ada41f9d921c396c81f4eb2cf6046de7a5d18b345c11c84dc8946cba43b533f4

SHA512
ebeef26cd9fe4be87d65810e0a2354d4742a24eb9c825cd900631bd8cc539b86550677983cc9aa7e23148f7ec6436c7efa90d5bd48d878e7be77a046d5bdd59a

Download Submit
C:\Windows\SysWOW64\Hqnjek32.exe

Filesize
443KB

MD5
369879e0c05cccb5a28b1659b1663e69

SHA1
57dba01fd9745128625125888ea4471fbfa223aa

SHA256
eee62d41d4038548d24c3dcfe4959a7a9cf3f9b01d2ba241aa8b34de59a458de

SHA512
a343c4f8e0763522735d7c72cf739d7c15c3c2892e081c52604562b7a0c198e017dbe6a4733e82146ef8aa2061c342e4a62a2d3d09e4b4a267899aa21a84709c

Download Submit
C:\Windows\SysWOW64\Ibacbcgg.exe

Filesize
443KB

MD5
d47c6ac438e7a57fd2fc52bd4c9536dd

SHA1
74ab676bc65f6ff4c57c8b5417b13adf975b01bd

SHA256
304d022364714dc49e50a1cf834195162ff079b0a4f75c57cc73f353a8095c48

SHA512
54920cc34f2d8f9e9009d927729868a0303c24e10c53b6b62dcfd05f23c6c75be664698278d3d7d5b5cb92ece54dd76738ae05a6ec11cf2ba0537b5b3ba100c8

Download Submit
C:\Windows\SysWOW64\Iebldo32.exe

Filesize
443KB

MD5
939e559e632fbf9e3113f6fb0694a309

SHA1
8224b2fa3934b45013083bbe843b13a336ade8fd

SHA256
f8d1b3eee10f35e4a3bda0c5eb8e0a45263a816bc6d0accd6a5c9a41182dd93d

SHA512
5796938c6249dea761cdcab0ad678232359fa35cad0b55df4015781988b6453c9e2fc9574aabf03a89cdb8d5a5b13f2a63718b6c66d37a2e83c753ffa6989126

Download Submit
C:\Windows\SysWOW64\Igqhpj32.exe

Filesize
443KB

MD5
4e1d32df694880c16b559c79a298953b

SHA1
749ad686d5a5072de9cde49670068638ab239152

SHA256
12ae053e245459b9e4ded1839a68fe3635c58c20adc1a5eeae801cc662ae4aeb

SHA512
eec95a7a411aae378709b5d10c3219cbb3fa719655109164b9f27ad6e32b0fbaa0a62fdc564ea08915d57e772e4e190e89dce82c86c279437f99e5b9edf95e26

Download Submit
C:\Windows\SysWOW64\Ikgkei32.exe

Filesize
443KB

MD5
f5432f504e19f66a30ece2d2de8d77b1

SHA1
46df53a528a12020755506b3a8a02fbc25792b36

SHA256
b22667752fe3881dd9061b5583cd8f895f9d9fe682ca09c83f2688e9025a1f80

SHA512
9b0e90ce069d762bbb4d7e6c179962392df77349642dc0fd39f59bfcdb4efad5f8061a3ca1f1032ffd9db8a242534b9cf4bbbd5a9b78ed6504244abbf2f2d1cf

Download Submit
C:\Windows\SysWOW64\Imggplgm.exe

Filesize
443KB

MD5
03fe85fb7fe01dac5788041539fe71da

SHA1
09d9b2220185f8b21f28bee82f1a89e64c5bdf26

SHA256
7a6d6aba7e5364d87f958d0dc25449a991c695043f0d1e516bcac8148ecab166

SHA512
67edfd1c3c5f5dd1e03292f4a979458e850e72867a121a32ec9f57883830aca3dd3fba62c2e8d5b2061eb9ec9f254803b7a1c69b7bcf064f18571691f412998c

Download Submit
C:\Windows\SysWOW64\Jcqlkjae.exe

Filesize
443KB

MD5
f2ee8577d72e6b141cc967121d1a4b81

SHA1
ea0e44e20e411fd01ff82b513861fd53afe39721

SHA256
754b5d370844f13098947a1ecddf252a6acca2f8bff3daee433bca8a402d691e

SHA512
11b3f95e537deb96f3026eda8261cedeb5f9643663041b8b6827f79950149de9a9a6be95b9c55f3ac7f3a48de5c47e60980bbb37caed2a16396b018b324d2d62

Download Submit
C:\Windows\SysWOW64\Jfohgepi.exe

Filesize
443KB

MD5
d068fcdcc5dabde56083f135bf78a949

SHA1
0d7c464baecf8c805e04d97b5260c437b6e72248

SHA256
63d5b46039569272c2d5afd6113a53d7f401154f5d23874de48b182ccfe00ead

SHA512
6f81ad1dfb320540e2895eb390c8eac95c7f0a8642754f269c7d7998634870f471f3ff07f6d8fc710cee48de7d5a9c4b2723e38d5372567b920ad9b0884e40cb

Download Submit
C:\Windows\SysWOW64\Jikhnaao.exe

Filesize
443KB

MD5
07f9ed7846744f985ac457567d3526ea

SHA1
18e73aca2d6a38e03b8e381b2c63583ffbdc1eaf

SHA256
8ab090240a94628b43c51c654df987063e3b15d6159af536206a43ca9546477e

SHA512
098c5b3a4b7728f893d6de1967ee61542bc59e8dc9f046616601ce84b9bda1165ac576f339d29fe7d7b6c2286b8e91056120b2fcbe91eebc933f0d9806cc4797

Download Submit
C:\Windows\SysWOW64\Jllqplnp.exe

Filesize
443KB

MD5
beceaf5b86f53cdea6814e3d69b1a78d

SHA1
b8fbf8ea176ef8f59f14f72b60a984b8a6343c24

SHA256
283ba6b4e4568a3117b3ee93748fe2193f81c8caf812861f2fdc4901dbed3f60

SHA512
ac7c03842b5d16ae1197fba1a9afaea6567987f2a4b4b326dac3fcca33f63facb0c05049edbdaf7aa7895c884850a35b50f00204763a943b7d947b6491b5ad14

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
443KB

MD5
10adbc11fb0daa03dda2e0f35e2f0aea

SHA1
a27ff01e3004abd600f779ef3d4f1b2f45c5431f

SHA256
c465a217eb9621d50b4ae68322fddb19ad481122a647d6d210ce92910af7506c

SHA512
8e5cfbbedba25fd14ff057753e8e97e51449affc08c60499425e186ff8c0335c7db8042414071492d067723ac9448809d94a87eb1bbe8a6598f30e80e18aeb54

Download Submit
C:\Windows\SysWOW64\Kablnadm.exe

Filesize
443KB

MD5
e7efacea6e455a6376e96ba7c47d1c3e

SHA1
12d6611fa5099176540cae23499abb5155e63efe

SHA256
c0b01d2c842afc225e85096e33670249b802c66eb3135b02c01e80666ec77b9b

SHA512
137260c598e6f20f3df9722eadf37b92b0225a9d6ae0dce6de27637559a8a59b07db09364154b43f5d6ed4c6554ebac4e47c087eb1c1207c2c9f5e755bbfb608

Download Submit
C:\Windows\SysWOW64\Kbhbai32.exe

Filesize
443KB

MD5
93c6ffdb8f2249b394c63d92d6cca0f2

SHA1
42d588b921c259673e8ea3bf7a384181f771d36e

SHA256
e0ce206c139693bc76cb54132ed4702b845861e8651e358ce51b333231b9c7ce

SHA512
c63dc2e5be04c5beb3ff7e546ece7224a16bf4b8b3d2afc0561ff2bccc0ad6860f5412ef03bbc30f5467533b388178e63198412441f2d09cd24528a7f1929664

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
443KB

MD5
7571c3df31c0069db24283b4fea36508

SHA1
7115834d801bb2808a4ea71f9c4b9f76569adb06

SHA256
8d9ad8425316895639a74a62949e9c48bcf10b341d39da029d0db7d43ce678a3

SHA512
8a2cc91b6e2dda3018bf18663742e8261d5157bd0723a2618f9bda459cdea13b9710f7d68afdca8025106805ec2a4686b5121c57598f5f57dba14fc04e734c1b

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
443KB

MD5
91be6f54c4014ed9d198c88914caeec9

SHA1
e1d097c047c299bf489057a90c7d64e3aebd3f84

SHA256
ffa2f7d12c8359a0f5def2c16984e2c1f928148592e061b3c66ab1322dea21ba

SHA512
a8e9e6eada23dfff954b6c4c0fe2ae3bfc99a59bad17d453d6738cbc76d5ba84a156670775e91e510fe73f213084b75cee0ba239b82ceb99e4d44490258d89b9

Download Submit
C:\Windows\SysWOW64\Kkjpggkn.exe

Filesize
443KB

MD5
a5ab9cb126b12798a2256b511417d5db

SHA1
cc2f8eaac94d0c66f37c3698161c0e97a9e94af8

SHA256
81bf3fe2c1b3a47a7944e7872180d96c6a336d4e0842eb2bd4ed4d569ab87e28

SHA512
d0b48a45c03cd17bb2fc27d8194907fa80124d78fac3c5425e5ccc1028ba3d5793ebde6213001ae5095b9ebb8554f6988fe4cfd0bf984bb057800b9f099d9c40

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
443KB

MD5
ad1e877eb26a4be012034fc5ec3b7f86

SHA1
ee5fdc0083c2a3e17f5ec2b515ebf51b3b27e06c

SHA256
b65110e1463b80c0491113821b12611042d2c01b321df2daac6e32210c75e684

SHA512
dedf27b54bc0f05ffb89d01cd3cbd23aaa03bf859af9239f38ff06f622947d65e2845154ca393cf1600c5ce519b45db8a123f05b9a4c998fc88246cd1c8cd05e

Download Submit
C:\Windows\SysWOW64\Kmimcbja.exe

Filesize
443KB

MD5
91c685b5013fa6b7e29ddb6da5906d22

SHA1
d2acd20edd77a9037d70e9a3aa7d5dcc291ef55c

SHA256
ef31caa213d2d3f9c4f20c656c47169b9f09a4904011b08008787c5b3a98cbe1

SHA512
7c0e0f4979e985ec81aba93d62dc2d172805da1441efaf7994bc55baae82f04a13f9a55a3690c4f8ed0331f791bd6d70e418fc9795949482ab5b16866011c539

Download Submit
C:\Windows\SysWOW64\Kpgionie.exe

Filesize
443KB

MD5
eb9ae1913d6e284ad83f9a459e17a366

SHA1
9f4e286d4f588462f0b150107a7b8b40793308ba

SHA256
a41269870fd7c17caeec861b74d6b76ac3137a067e0cb1f0361d4aad6271b1de

SHA512
3ae5a97446719bdd44f22caeacc0d46cbbee541217e060deca76441e7b966bd4dbb3dc12ef2c1e56792a3ccc6c27217aae9f9cecbbd457b404e24cb7e0b04fa1

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
443KB

MD5
45b87ed48a4a27a5195d9042283cda94

SHA1
5427eef0665030afc1ab21e4f7faaa371f2df0a6

SHA256
1a9224d02e5266d901c066651d1f0ee6dce8b978a3c77c7fa7256ea3e1757736

SHA512
5b1d8923920658a55e2b321873506171169ad721296b9565934ac8b4fba80b851a6b1e3a6d6779c1ac795ef558f9a0185e9c36eb74b972a496ade9634c3b4d7c

Download Submit
C:\Windows\SysWOW64\Ladebd32.exe

Filesize
443KB

MD5
fb2070cfedd8f2d46e059d5f647c7c79

SHA1
c2e3a569ec302bbf34dc88136997bc17573f6e80

SHA256
508a5c59007f2077865aa39909ac150c6bb1a941e44f54f0c42750b21c73e8f5

SHA512
b43eed9635deb283573dc3985391c87b59cb9a3a5bea246685bc5d9b97624b59867973ebb53ec0331b248b2a18ed943c60ea3f9e9951df8b69a4ff49dd162eca

Download Submit
C:\Windows\SysWOW64\Lcmklh32.exe

Filesize
443KB

MD5
a80d27d7802efec6d42c04fb900a8c7a

SHA1
2ba713b5dd0499be14dcf89bd6cddb152233256b

SHA256
5d453abc6fc1c045309ba228dbed6036e302cccebcdb03dc1b23d7bfb2337a8f

SHA512
b0fdce0aa4ae646f6254cf9048736ace02f9e8a8a09bf7870474d75cdd20283a02c38c143500a999f01bb3226bd745584fbf23c80870822c932c3b453950caa9

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
443KB

MD5
7fbcf16f935e784d091b1e13fbaaf358

SHA1
3cfc4303de7b71f7ba38f3c2ee9f7968909d3745

SHA256
22d3e90f8c124160633e86ae3881d76beb2f26d9072d5dd040ae47b070725903

SHA512
452ed054107dab122ff0d1a8b09f2901dbb79fbacfdc98b502d25816b27cee215e743ba56be2bd48c7a6f499f3153bfba71175b7edc31c1f6f82bae0bee55420

Download Submit
C:\Windows\SysWOW64\Lhiddoph.exe

Filesize
443KB

MD5
a452a53cf6e37d5a6508590726bc9c38

SHA1
1f765b31512d2ce3832c96f2770d60e4b3d42e16

SHA256
624a1ed8346b5e8896ba374509e2a1a49f6ebc162ee36165fb04fc407fa7b410

SHA512
e8659cdc253ed3d1bf15f41ac458320742164267ca0874a8f7ee3285e7b26b0820ec09bc52a35dd0c915907f444c4d735cb42167fccc57fbfa9ac0bc07c0d7c9

Download Submit
C:\Windows\SysWOW64\Libjncnc.exe

Filesize
443KB

MD5
a95d62085a7ce6e93dd5810a57d556c1

SHA1
5be7d2f67462292b73a8d87f7a5a05e649404da9

SHA256
2e58d34886ebc452b0c1b508c512100134cde9e2fbfb0698505cb6492ff97f89

SHA512
882702872e19c569ce28a09fd92425dde1ab689796015be5333d05f3ab9fd9a3f4c7f7038e346aefbc209c22869fbf5800d0f0867620c1ded7ec1abdfc10ed7c

Download Submit
C:\Windows\SysWOW64\Lidgcclp.exe

Filesize
443KB

MD5
86d5fc2545242f6715ec7d3293e7cbdd

SHA1
07f6bcb3d015395f391373d5bc8e0ff98f8f13fe

SHA256
6fbffed45c0a02358be73da45130b1bc98a7a90cf63fb371d575b421200fc138

SHA512
5ef5e8895f75b733bcdd21e79fbf94223e4f26f103925405075e943dc8106c3c5547d4d08aa98f137a583c681513170441e455aea80d685fd3fe6bb677ae2e06

Download Submit
C:\Windows\SysWOW64\Loclai32.exe

Filesize
443KB

MD5
425c875662709b95dc57688b901f49b1

SHA1
8c076b81ecda455a98eb2d6ec542ae87c632ca20

SHA256
691e73c5fd95c4a6cbb07d94e4c4819ec4581405a642876e97dd16f2574019c7

SHA512
edd7388240d6e3251a5a8d45479ab4e70be575e8b44b75c8894add4fee2d8570967f3b9aefd5b25f4c1af04c70631ce1336ed89a56b305c1faad26c3ab6beb2a

Download Submit
C:\Windows\SysWOW64\Lofifi32.exe

Filesize
443KB

MD5
fa35a636721748dbbc7da1e111e6864c

SHA1
7a4afd8644dd6586b6e439b0121e740ded5f628d

SHA256
4c1b79081a0297c12b1d59ee7465db403a1370c496657bb6afb6e80a6bc1a179

SHA512
35fc004476f30db3d9a1f495b4cc321866ee550648c9c2af43ee7b5b91cdad8bf5a71ecdfe5dd56868d0abed695ae06a5bcde70ed776c0ab4889d338f7b3284f

Download Submit
C:\Windows\SysWOW64\Lpnopm32.exe

Filesize
443KB

MD5
287a3250695830292daaaefa8f43ba58

SHA1
58645a3f35186eeac75a05750954cac044a9eb37

SHA256
30e3155c429e1d9b8e1fc5de85fcc55dc260926f050490b29ba94b305394bd49

SHA512
04b4301e98b6f454ab2afbe24af97012238b6024b7d78fd6365013c6f04a1a730be51d9aca01034820491c378025cb6c87e5de4b13093894634edb607cf389cc

Download Submit
\Windows\SysWOW64\Hclfag32.exe

Filesize
443KB

MD5
1be48aad853a46b5aea6c8aeb2cac766

SHA1
ee50f0f5d1e9e1e8246f566a9bbeb7591477d195

SHA256
604bf9e147ef1383da43aba500f4398c6f245650b64ce2b1c80ebaa6f610f92a

SHA512
6df1308feef001a61c928260c3dfb8db33dfffcde073501155c049916596e6425ab1ad2dcbb8e2229dbb5947673e8763f1dcc4e8cb5bdaf3da5c018d6927d8b1

Download Submit
\Windows\SysWOW64\Hifbdnbi.exe

Filesize
443KB

MD5
c3ce6dc88b9457417aaa92a51b54eaa6

SHA1
129b932f10ed23bab4a91a1e8f5c4c96263da9ad

SHA256
90050efd17073e8485a802672268144610d9e62e7a9b5c9871a99b7a8715de8f

SHA512
ecd2bd08f5f50c4120a7d10ecc1e3e134931eb70a487f60f7d3158514399d4bdf18b41ae9aac8ed6d251eeb1e44519f663414a330da920973cecdecb2de8fc7b

Download Submit
\Windows\SysWOW64\Kidjdpie.exe

Filesize
443KB

MD5
6833e81ef9ae88c9d64b6954dce2729d

SHA1
f708d3e9468f0d8f31b906083802819331b58385

SHA256
862ed6bcb6b8d4521ec3c13db98cd2c767785cf1ef80fd1ca41495931d3bed45

SHA512
f80eb584a56edf05b626e60465da988f55eb30ffdc8dff67a0ab20781a161c3998e33f1a0cdfc190d63c7884669fc94927185226d49b585d7ee1101157ec1ffd

Download Submit
memory/644-413-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/644-380-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/760-168-0x0000000000480000-0x00000000004F1000-memory.dmp

Filesize
452KB

Download
memory/760-153-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/760-166-0x0000000000480000-0x00000000004F1000-memory.dmp

Filesize
452KB

Download
memory/808-288-0x00000000002E0000-0x0000000000351000-memory.dmp

Filesize
452KB

Download
memory/808-283-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/808-293-0x00000000002E0000-0x0000000000351000-memory.dmp

Filesize
452KB

Download
memory/924-434-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/924-239-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/924-250-0x0000000000280000-0x00000000002F1000-memory.dmp

Filesize
452KB

Download
memory/924-248-0x0000000000280000-0x00000000002F1000-memory.dmp

Filesize
452KB

Download
memory/1040-198-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1040-206-0x0000000001FE0000-0x0000000002051000-memory.dmp

Filesize
452KB

Download
memory/1040-212-0x0000000001FE0000-0x0000000002051000-memory.dmp

Filesize
452KB

Download
memory/1344-195-0x0000000001FE0000-0x0000000002051000-memory.dmp

Filesize
452KB

Download
memory/1344-196-0x0000000001FE0000-0x0000000002051000-memory.dmp

Filesize
452KB

Download
memory/1344-184-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1356-82-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1356-90-0x00000000002F0000-0x0000000000361000-memory.dmp

Filesize
452KB

Download
memory/1364-227-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1364-234-0x0000000000300000-0x0000000000371000-memory.dmp

Filesize
452KB

Download
memory/1364-238-0x0000000000300000-0x0000000000371000-memory.dmp

Filesize
452KB

Download
memory/1364-436-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1472-138-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1472-151-0x0000000000300000-0x0000000000371000-memory.dmp

Filesize
452KB

Download
memory/1472-146-0x0000000000300000-0x0000000000371000-memory.dmp

Filesize
452KB

Download
memory/1544-435-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1544-261-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1544-271-0x0000000000320000-0x0000000000391000-memory.dmp

Filesize
452KB

Download
memory/1544-270-0x0000000000320000-0x0000000000391000-memory.dmp

Filesize
452KB

Download
memory/1720-360-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1720-417-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1780-305-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1780-314-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/1780-315-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/1804-260-0x00000000002D0000-0x0000000000341000-memory.dmp

Filesize
452KB

Download
memory/1804-256-0x00000000002D0000-0x0000000000341000-memory.dmp

Filesize
452KB

Download
memory/1804-249-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1804-438-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1840-176-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/1840-181-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/1840-167-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1928-107-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/1936-127-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1936-131-0x0000000000380000-0x00000000003F1000-memory.dmp

Filesize
452KB

Download
memory/1936-136-0x0000000000380000-0x00000000003F1000-memory.dmp

Filesize
452KB

Download
memory/1992-430-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1992-282-0x0000000000480000-0x00000000004F1000-memory.dmp

Filesize
452KB

Download
memory/1992-277-0x0000000000480000-0x00000000004F1000-memory.dmp

Filesize
452KB

Download
memory/1992-272-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-373-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2028-379-0x0000000001FC0000-0x0000000002031000-memory.dmp

Filesize
452KB

Download
memory/2028-378-0x0000000001FC0000-0x0000000002031000-memory.dmp

Filesize
452KB

Download
memory/2028-414-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2056-409-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2252-325-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/2252-316-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2252-326-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/2256-12-0x0000000001FF0000-0x0000000002061000-memory.dmp

Filesize
452KB

Download
memory/2256-358-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2256-0-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2256-359-0x0000000001FF0000-0x0000000002061000-memory.dmp

Filesize
452KB

Download
memory/2256-7-0x0000000001FF0000-0x0000000002061000-memory.dmp

Filesize
452KB

Download
memory/2404-440-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2404-213-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2404-221-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/2624-421-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2624-347-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/2624-337-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2624-343-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/2628-68-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2628-80-0x0000000000300000-0x0000000000371000-memory.dmp

Filesize
452KB

Download
memory/2636-399-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2636-408-0x00000000002D0000-0x0000000000341000-memory.dmp

Filesize
452KB

Download
memory/2716-416-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2716-398-0x0000000001FE0000-0x0000000002051000-memory.dmp

Filesize
452KB

Download
memory/2716-393-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2724-19-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2756-54-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2756-62-0x00000000002F0000-0x0000000000361000-memory.dmp

Filesize
452KB

Download
memory/2788-420-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2788-348-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2788-357-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/2820-35-0x0000000000480000-0x00000000004F1000-memory.dmp

Filesize
452KB

Download
memory/2820-27-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2824-331-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2824-425-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2824-336-0x0000000000290000-0x0000000000301000-memory.dmp

Filesize
452KB

Download
memory/2948-465-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2948-41-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2972-117-0x0000000000280000-0x00000000002F1000-memory.dmp

Filesize
452KB

Download
memory/2972-109-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2992-426-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2992-294-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/2992-304-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download
memory/2992-300-0x0000000000250000-0x00000000002C1000-memory.dmp

Filesize
452KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads