82d5db638e5b8a5697746c95a2460fdeb19f1f62d416d7a420d8048359fe84d5

Analysis

max time kernel
114s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e789b4a888989e17920f84e292e2f910N.exe
Size

112KB
MD5

e789b4a888989e17920f84e292e2f910
SHA1

a5313a26d7c83ee632b60686165efe88a4b9809b
SHA256

82d5db638e5b8a5697746c95a2460fdeb19f1f62d416d7a420d8048359fe84d5
SHA512

eb3c6c698dcc278b5b5d65e239eaec413a1be183cf360c8274e92e9d25842b7e04d4c53daf4c76d4e253451a0b7396cabd135961ebaee6b9143cbd27984791df
SSDEEP

1536:BP7ls0KSr0EnbCocw9RN0FmSqZpAxQKMGfyJ+hrUQVoMdUT+irjVVKm1ieuRzKwZ:BD205nQocFhqZTGq+hr1RhAo+ie0TZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjdokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e789b4a888989e17920f84e292e2f910N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlidpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llimgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kalcik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e789b4a888989e17920f84e292e2f910N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kalcik32.exe

Executes dropped EXE 30 IoCs

pid	Process
4836	Jjdokb32.exe
1508	Jejbhk32.exe
1280	Jjgkab32.exe
228	Jelonkph.exe
3172	Jlfhke32.exe
2868	Jacpcl32.exe
2796	Jlidpe32.exe
4584	Jaemilci.exe
1736	Jhoeef32.exe
4560	Kbeibo32.exe
4940	Kdffjgpj.exe
4428	Klmnkdal.exe
3568	Kbgfhnhi.exe
208	Kdhbpf32.exe
1132	Klpjad32.exe
1244	Kalcik32.exe
3376	Klbgfc32.exe
456	Kopcbo32.exe
3532	Kaopoj32.exe
3252	Kkgdhp32.exe
3216	Kemhei32.exe
1388	Klgqabib.exe
4788	Lacijjgi.exe
3336	Llimgb32.exe
512	Laffpi32.exe
316	Llkjmb32.exe
2612	Lojfin32.exe
1596	Ldfoad32.exe
2836	Lolcnman.exe
4328	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Llimgb32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kemhei32.exe
File created	C:\Windows\SysWOW64\Jacpcl32.exe	Jlfhke32.exe
File created	C:\Windows\SysWOW64\Cmkjoj32.dll	Jacpcl32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffjgpj.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Kdhbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Klbgfc32.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Ldnemdgd.dll	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Oojnjjli.dll	Kbeibo32.exe
File opened for modification	C:\Windows\SysWOW64\Kalcik32.exe	Klpjad32.exe
File opened for modification	C:\Windows\SysWOW64\Kbeibo32.exe	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Bibokqno.dll	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Ldfoad32.exe	Lojfin32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Jejbhk32.exe	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Elmoqj32.dll	Jlfhke32.exe
File opened for modification	C:\Windows\SysWOW64\Klmnkdal.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Kbgfhnhi.exe	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Klpjad32.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Ldfoad32.exe
File created	C:\Windows\SysWOW64\Afgfhaab.dll	Jelonkph.exe
File created	C:\Windows\SysWOW64\Kalcik32.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Klpjad32.exe
File created	C:\Windows\SysWOW64\Klbgfc32.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jjdokb32.exe	e789b4a888989e17920f84e292e2f910N.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jaemilci.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbpf32.exe	Kbgfhnhi.exe
File opened for modification	C:\Windows\SysWOW64\Kkgdhp32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Idjcam32.dll	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Lojfin32.exe
File created	C:\Windows\SysWOW64\Jjdokb32.exe	e789b4a888989e17920f84e292e2f910N.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Kopcbo32.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kopcbo32.exe
File created	C:\Windows\SysWOW64\Aomqdipk.dll	Kopcbo32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Cjbdmo32.dll	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Llkjmb32.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Lojfin32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Jejbhk32.exe	Jjdokb32.exe
File created	C:\Windows\SysWOW64\Fncnpk32.dll	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Dhfhohgp.dll	Kalcik32.exe
File created	C:\Windows\SysWOW64\Acibndof.dll	Kemhei32.exe
File created	C:\Windows\SysWOW64\Llimgb32.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Lojfin32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Jlidpe32.exe	Jacpcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jaemilci.exe	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Llfgke32.dll	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Llimgb32.exe	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Jlfhke32.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Jhoeef32.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Hmijcp32.dll	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Kdhbpf32.exe	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Kopcbo32.exe	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kopcbo32.exe	Klbgfc32.exe
File opened for modification	C:\Windows\SysWOW64\Jlidpe32.exe	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Ijaaij32.dll	Jlidpe32.exe
File created	C:\Windows\SysWOW64\Klmnkdal.exe	Kdffjgpj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3260	4328	WerFault.exe	125

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlidpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjdokb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgdhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e789b4a888989e17920f84e292e2f910N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e789b4a888989e17920f84e292e2f910N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jlidpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfhohgp.dll"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e789b4a888989e17920f84e292e2f910N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnemdgd.dll"	Jjdokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll"	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Lojfin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e789b4a888989e17920f84e292e2f910N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjdokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acibndof.dll"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjdokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfdkqcmb.dll"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll"	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll"	Kbgfhnhi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4836	2808	e789b4a888989e17920f84e292e2f910N.exe	93
PID 2808 wrote to memory of 4836	2808	e789b4a888989e17920f84e292e2f910N.exe	93
PID 2808 wrote to memory of 4836	2808	e789b4a888989e17920f84e292e2f910N.exe	93
PID 4836 wrote to memory of 1508	4836	Jjdokb32.exe	94
PID 4836 wrote to memory of 1508	4836	Jjdokb32.exe	94
PID 4836 wrote to memory of 1508	4836	Jjdokb32.exe	94
PID 1508 wrote to memory of 1280	1508	Jejbhk32.exe	95
PID 1508 wrote to memory of 1280	1508	Jejbhk32.exe	95
PID 1508 wrote to memory of 1280	1508	Jejbhk32.exe	95
PID 1280 wrote to memory of 228	1280	Jjgkab32.exe	96
PID 1280 wrote to memory of 228	1280	Jjgkab32.exe	96
PID 1280 wrote to memory of 228	1280	Jjgkab32.exe	96
PID 228 wrote to memory of 3172	228	Jelonkph.exe	97
PID 228 wrote to memory of 3172	228	Jelonkph.exe	97
PID 228 wrote to memory of 3172	228	Jelonkph.exe	97
PID 3172 wrote to memory of 2868	3172	Jlfhke32.exe	98
PID 3172 wrote to memory of 2868	3172	Jlfhke32.exe	98
PID 3172 wrote to memory of 2868	3172	Jlfhke32.exe	98
PID 2868 wrote to memory of 2796	2868	Jacpcl32.exe	99
PID 2868 wrote to memory of 2796	2868	Jacpcl32.exe	99
PID 2868 wrote to memory of 2796	2868	Jacpcl32.exe	99
PID 2796 wrote to memory of 4584	2796	Jlidpe32.exe	100
PID 2796 wrote to memory of 4584	2796	Jlidpe32.exe	100
PID 2796 wrote to memory of 4584	2796	Jlidpe32.exe	100
PID 4584 wrote to memory of 1736	4584	Jaemilci.exe	101
PID 4584 wrote to memory of 1736	4584	Jaemilci.exe	101
PID 4584 wrote to memory of 1736	4584	Jaemilci.exe	101
PID 1736 wrote to memory of 4560	1736	Jhoeef32.exe	102
PID 1736 wrote to memory of 4560	1736	Jhoeef32.exe	102
PID 1736 wrote to memory of 4560	1736	Jhoeef32.exe	102
PID 4560 wrote to memory of 4940	4560	Kbeibo32.exe	103
PID 4560 wrote to memory of 4940	4560	Kbeibo32.exe	103
PID 4560 wrote to memory of 4940	4560	Kbeibo32.exe	103
PID 4940 wrote to memory of 4428	4940	Kdffjgpj.exe	104
PID 4940 wrote to memory of 4428	4940	Kdffjgpj.exe	104
PID 4940 wrote to memory of 4428	4940	Kdffjgpj.exe	104
PID 4428 wrote to memory of 3568	4428	Klmnkdal.exe	105
PID 4428 wrote to memory of 3568	4428	Klmnkdal.exe	105
PID 4428 wrote to memory of 3568	4428	Klmnkdal.exe	105
PID 3568 wrote to memory of 208	3568	Kbgfhnhi.exe	106
PID 3568 wrote to memory of 208	3568	Kbgfhnhi.exe	106
PID 3568 wrote to memory of 208	3568	Kbgfhnhi.exe	106
PID 208 wrote to memory of 1132	208	Kdhbpf32.exe	107
PID 208 wrote to memory of 1132	208	Kdhbpf32.exe	107
PID 208 wrote to memory of 1132	208	Kdhbpf32.exe	107
PID 1132 wrote to memory of 1244	1132	Klpjad32.exe	108
PID 1132 wrote to memory of 1244	1132	Klpjad32.exe	108
PID 1132 wrote to memory of 1244	1132	Klpjad32.exe	108
PID 1244 wrote to memory of 3376	1244	Kalcik32.exe	109
PID 1244 wrote to memory of 3376	1244	Kalcik32.exe	109
PID 1244 wrote to memory of 3376	1244	Kalcik32.exe	109
PID 3376 wrote to memory of 456	3376	Klbgfc32.exe	110
PID 3376 wrote to memory of 456	3376	Klbgfc32.exe	110
PID 3376 wrote to memory of 456	3376	Klbgfc32.exe	110
PID 456 wrote to memory of 3532	456	Kopcbo32.exe	112
PID 456 wrote to memory of 3532	456	Kopcbo32.exe	112
PID 456 wrote to memory of 3532	456	Kopcbo32.exe	112
PID 3532 wrote to memory of 3252	3532	Kaopoj32.exe	113
PID 3532 wrote to memory of 3252	3532	Kaopoj32.exe	113
PID 3532 wrote to memory of 3252	3532	Kaopoj32.exe	113
PID 3252 wrote to memory of 3216	3252	Kkgdhp32.exe	114
PID 3252 wrote to memory of 3216	3252	Kkgdhp32.exe	114
PID 3252 wrote to memory of 3216	3252	Kkgdhp32.exe	114
PID 3216 wrote to memory of 1388	3216	Kemhei32.exe	116

C:\Users\Admin\AppData\Local\Temp\e789b4a888989e17920f84e292e2f910N.exe
"C:\Users\Admin\AppData\Local\Temp\e789b4a888989e17920f84e292e2f910N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\Jjdokb32.exe
  C:\Windows\system32\Jjdokb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\Jejbhk32.exe
    C:\Windows\system32\Jejbhk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - C:\Windows\SysWOW64\Jjgkab32.exe
      C:\Windows\system32\Jjgkab32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1280
    - - C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
      - C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3172
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Jlidpe32.exe
        
        C:\Windows\system32\Jlidpe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:208
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 412
        32⤵
        Program crash
        
        PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4328 -ip 4328
1⤵
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3036,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afgfhaab.dll

Filesize
7KB

MD5
500637b7bb64e4ffb59675e6f22b6933

SHA1
6cff852abf11bfd35e995393fbec1d9bc264ef02

SHA256
4e1e97c021180ec605f9d14ff6297777cce7588baefb014f6cd09865b1dff744

SHA512
2e6db977820efd23b56093d713db6075fe5a9b367afba47b2e1c0a93262c861594ade7190ec93b1471c3b2f6d4b5d50e56066da3b718932435e1b8b3dbd34289

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
112KB

MD5
fc58f6e49fa71f27f41f4bc088d3505f

SHA1
6e034f4d1fd20bd7fa349674d13dd1ff6b1aae6a

SHA256
5d08a64532f8414715547d82b713fccfe326f5c58b307f2a5c82034b174444fb

SHA512
e72a1b53172f6dc79a527c4407cfc07fb062ee7717f271c7dec260461dba4c5c1aee4ade4bb6d71ab8779f4088de9caa11d18916b6141e20cdb49bc6d922b8af

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
112KB

MD5
441fb9762c8d1fd3c988affcf8d9aacd

SHA1
bde498c4b91d222512f6961407041e0ed76b3112

SHA256
d3cba17334d8a6ddbbc07f595f91448b9bbc2d44afcd46489b6e18730caadec8

SHA512
4e5aa5e93fde0da43f932fd448cca9146df687906515e0d4417a460193c9aa0a2022202b5cfe81c4fc7d9f320fec8df2a8113584bc985e0d2ef593c753d32533

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
112KB

MD5
0bccf58de3066ca0091054dacffc3038

SHA1
fa50b09bbd7554c9e0a61428d4cfded2836f0864

SHA256
bf771026c9da248cd56ce584c61da79a9da201dca9aa57a74bebb7b0a41ffa0e

SHA512
f54f002074b6a1df50abf0974ac5eff75b879bd16bdbd2429dcb02f380d1c5fa76dff24991d1065d6ec241e2cadf1f4c9712db885cacf4a3216003659f14de0d

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
112KB

MD5
878ed67151e785e78d2bbbc8908af0bd

SHA1
c2fefb10801aef8fd5620cdf47b87401f7fbfdfe

SHA256
3e38040e26a31a2c0928ccb4bf334ec40d3cb2de6c96c7acb360044565e4285b

SHA512
ae40ff01d9a419f480e4dce0696b3ef9a5ea86136082e08636b4f5219d693829b5a4e44d886fd443403e5bbb597167f35e9f2fb5547ed72a58332a2ca45c7689

Download Submit
C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
112KB

MD5
a0ebe037eea2c4f84a8337b622cc1ac2

SHA1
5d2c2d58fadf67f55b6f5bcc208ba95d7d329d47

SHA256
a8ba2da9aee3e8f31c6e9009dcb2a3f7557b3cc63ae77fb4dd85b1e157c4286b

SHA512
124c2661b9a1cff2f4039f61ea390d5db62939988f087557ae896bc45efe7397af3c024c1af6709ed7dc784b7c0294baec5b8901db0c9b40b73bcd6025824f95

Download Submit
C:\Windows\SysWOW64\Jjdokb32.exe

Filesize
112KB

MD5
237e434cee48d6016e1ebb79592150fa

SHA1
4950e9fbea0cf476547a5a375052da6ff9a80e7b

SHA256
65ae8afe3fe169d2b01d00d18d5721afd790e0a3fb3453d634954afebbc7c2dc

SHA512
cc296e8c6a074ed08bbb07f80ded456851aba0ad6d147ef5dd2ee6148f2f8faf78302a9ded49193bb2f84b14ae30b9c8bdbe7489c66dbaf6565a75aa5485987e

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
112KB

MD5
41029b6fb9524a975ccefa35169e8a2e

SHA1
d7300b6a34aeeb65bf269c73cced8b219f91ff32

SHA256
3b9c9d6ad18c29804a9cd1df3f4716f9de6ca2ec92a50cda13c01cc8e3695175

SHA512
9e4ede41d5464c7bba2935cb7e9ad50fc33484d45ac9149f6e225d96f29c2eb74210156c3ea7ceb9025b8838d35f84a628093b2189fc7c283388e568c957150d

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
112KB

MD5
35e40269536c9a5134e31a45f0f999db

SHA1
d90b3edb0dc081eba8a5769a065c54f0e8629e08

SHA256
afe9633b7d5253885df4d59b0f573db5603e687dd75661441dbeaec98963b4be

SHA512
c03e6216ea0bc7e8f4691cb086b592d4a4a511a19af88be33a4f1f1ca32edbb0b5292b35bf73ba3aad062484a345d50821bba318df5ff92aa9ccf32ae174e7ba

Download Submit
C:\Windows\SysWOW64\Jlidpe32.exe

Filesize
112KB

MD5
24b935cd70ae082ff1f90d4eb4ff8761

SHA1
f4bbcf4b307569cd59a8793cb40ed7b52c2a294b

SHA256
db8219786586804d9b26b6382a548731958b8f7a2764e8609e212226c1ea61f7

SHA512
7f2f526d36f78fbf0790e95ddb6eb22ced27fc8a5fb8e884499e51d54b94c74f0f79a0d2113f7484b495846ee32c9a4174a8a850df4bd793a37065ab52f50be6

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
112KB

MD5
58ff446d80ddaa5f6d6fcf2f341a3ba7

SHA1
917839ed43eee1f48836c89c155b43199dbc09b0

SHA256
5f7080d322039394206054a9fa8735fb77958415fc78d30382959c8b67cd819c

SHA512
2006443a2e926c70662f4651adbb0aac0e5961fa3d77708858a64eecb0ad218ec02bf2751f283f88aa4232bbf58594236620cb4728b84084fd4ba2cd8d2f0d63

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
112KB

MD5
d440bec954122f7b5961703b830a6168

SHA1
d89030b4a4db81553ddaba2140ac5039e1be3afc

SHA256
f014f33831563338789e587549ab1a8b26d9b8847dc76a2c319d6665887ec199

SHA512
2569af0d51dbe13db0acf4f52e455a124e897d2857c02ce69711464085f0a8fa6307f19de09bb7a7d3f6325e325da803fc88215a70986e8e84a0073a4851066e

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
112KB

MD5
8126714afdb89a00fc82a14a2067b909

SHA1
960199bbe1acff10eec62e0e9dc6097c1f266346

SHA256
6f25947bb05eb8eb7b48b772613bc92906a97288cf6051770f1f430d07e7c117

SHA512
45091ad0d2400726a6cebd9ccf5331f4622b337faa21879f85205bde87a5b429b986376a39c1ca891843c1d346ff8addad19d1dadd38b68de7b8ed5124fcc876

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
112KB

MD5
b4bb48129ce716339e0f9fceb12ef707

SHA1
ba9285b2d64de1804305cd8d06351410ab145c35

SHA256
ed19abeb5f5a46d3d773fea60f2fba7fcaa0ee8cc14a22d2de22be5faf86009a

SHA512
4732982ea285a87fc3e2c015789a81e85a42ad1a8fd8711a7d54817e4f6159775452b8b46c2b0374595ffd1d28088501b2de4db6bde6f944a3b263e2cf33650e

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
112KB

MD5
473c55436919fd716bcc0670ac43d7a1

SHA1
53f228ab8c85939de05429b0b2ff4f24f8c6bb1d

SHA256
2065b12ac621620c8959730c6973209cf8880e755d0e675b8d7b6fe1ccde9b46

SHA512
248badc7a5581d3468175a43b1ba8580c47a08f517d3de43c84fff05812306793bdd92469cfc753fb9f9a62e9f0ee38aa83b9d4f4e8d22f4feaf7c68c2080534

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
112KB

MD5
9b125a8d02040489e1ce14f90dbde7f0

SHA1
d96a3dbf9f7480af6160e8535169a9bb1eef94b8

SHA256
3bd4a8a1dc2414618aae5d989be83ca5d136d842979b908c65b7e038f90af124

SHA512
b138e4be2e8611b34e5ff853d65b73d9721f09963df040b14d53b7d0d14fed24cc60fd640f2cbf25791c88ca859b38b926e4dc85a471fc9b6fe0ab7b74fbe499

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
112KB

MD5
7963721ffac64785aaf59b663439cbe0

SHA1
f6beec8b8da5ca9f7e3cf38d5e2443d072318a2f

SHA256
8ec42002d2b8c7c2a0ca6ac8ed01c4ec78fb4c500618165f6e426c330ce89f9f

SHA512
1b27519a8d75ebdf15488b9007e99233513a103ad07ce81547cc063699c0d6bfba60aa38203d437dda8b3b665bddcddf3d685896eeabbe557961dbaeae2904fb

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
112KB

MD5
d26077c52ab4936a1ba3dde4f30981e2

SHA1
52c6f291ca82845ee859feff6668c7ad3cb7e434

SHA256
ccb40371447057cee59514bdd97555c3a3ad68e8aaf6772ec7c08cc0e21aa855

SHA512
9c62ae6b1aee33e714cc1ddbd886940ccb122b878dfd0a4018b7ee4096fd9c1ff07a8b5edd65ff9c569bea3530a45807709fac376694369b20c7c3d6a2475705

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
112KB

MD5
083e85a95031422916bf83a36152797b

SHA1
4c3281bced7a55165d374a9a29b3d0e340b5c025

SHA256
1ac996b6696a6397130ba4b4af647e9850dc759b17970795d1214537b601f685

SHA512
fd340b36504723edb98d6f0618c70f4f60351624ae4087796a45613fd48ef8e7c9b22c82648eb544b0027c91115f7412d73f73a94fd0ed2e4261a6d2bc638109

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
112KB

MD5
10edf569a0c491d4c9bec03b2aa5e597

SHA1
70a452b7cdcff2aa02429807c51b9773892c2c21

SHA256
bda49ece5a972cdabc03f3ce5f836a5a30ee44e81cb6cdada6dd5d6e28c9f683

SHA512
c73848aefbdceb470f0fb68ff2fd37b84a5dfa488552bf122e04f2a763b59585fb365035e4937b30ee35a3646b7f149b9337239dde644699198a3ec027c4c322

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
112KB

MD5
25ab570f6aba9c04d2bd8dd8fd26748b

SHA1
49d54b629d038b244fe2b2ded0adec0ea2747483

SHA256
d51bfdbeb0a26abcea9728cc8cd0d908359f64c3a5a9a9cda4ba725492c54e14

SHA512
abf43df37ae5012bdc463df76d55cdb1e751526578ae3d8a7d36ce8aff1273ca8b90677d4d1e91a9f4bf1e544b5c866e9e277ffcb0037144c3a29a39d37b1bab

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
112KB

MD5
62385f718cce9a6813ab8514a2929408

SHA1
1671e7c2f77d2c14c2296197af768819c505d464

SHA256
edf08610a8ce45483c04d57f87b5f2c4b522cc0c2f447b8e006a2fa47a7fad37

SHA512
8789fecb502c01d13e92c9cd3aded7f1c3daab98808afab1d4b0d028f8789bdf2f812b2696e045911e4c159f384b04b82af6705e23ba47ceb372a26c218fa98f

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
112KB

MD5
0a5d33c5048f7531b77a33d8b1960b1b

SHA1
68ed96d71a70a73e8ea202aaa633a631fc6227bb

SHA256
9732b729a8def0725c34dc7d50dab310ff77e05eb5b0aea9f04c109aeb7d55ed

SHA512
154220e0ac3e299cd88143e5d35e63311663dc7159790c9840194250d1a0a2c92da59e51adcc303466d700565085f20d2a8bbb89b451f82d0e39169f99d69d27

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
112KB

MD5
d63b68558cda7efabb5efe85cc4e139b

SHA1
69d29466dd9118b9c52fe7c53413f68a63d07fbc

SHA256
f86655f4c302e0ad24f627940d18ffe1c6dc58930fd6e8404350d92df22dd06d

SHA512
4d77f1d55c61ae685844ed640506ab70282d033055304a33fec40c500c86271b971ec5b2817d2cc9bfcdb3952bee9aeed844260fcea27a959201f95ea10861de

Download Submit
C:\Windows\SysWOW64\Laffpi32.exe

Filesize
112KB

MD5
5978c11a56fc2350554caf392c1d3d51

SHA1
1688a6dca9ff6e8ad4923b9a408e2d46b6d390da

SHA256
07a7eb9441a0563ca004bbd13af0f011d0d3d3f5a9d4637135ea125f904ab2c7

SHA512
1e08e2bb5bfaa9ce48707ae920674506d4a0ecf4421e72f511975edd591dd979caf4f66b520d22f4c57f3f2b9679a24cc67ad0572e5bcc667c1b0aeb22c9d12d

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
112KB

MD5
a70868785a21238dba80538e3e91530d

SHA1
8b11de0e7e86b2142be17aa1706a132600610e84

SHA256
6a2cba942d1fbddb7a80b868f39c0ac995ed15b6206eb01298fb26e4da7e085c

SHA512
b8c27077a7cf7892ca20594bacc07b7b73a66ce7d9d573d31e30d4a0bcacd8fe015b12b28d9e7ff326ebcded3add2a4f988ee518c6ecb493ed74ac44bb5dcc1c

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
112KB

MD5
4f047185e42fe65cdd81fe3453845b2e

SHA1
65f6982000df0000d45b3dbd401ef2b0e59bc064

SHA256
f26fa1f8c63d5225d63317200f514a98d56c83c42f244e51f6e6b77a7b9881da

SHA512
d35656524d921df31b589a896e2388dc8d4b34cd901b86d4de6842015bfb8127b0529a03fe3d8c4f79dc2538260d0a05ba8af5d9c999441cd3c8de31abded834

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
112KB

MD5
0606772a11f41838a168b1781b118923

SHA1
ecdc8abac071cc6ccdbea7ef238f15c3e9aa8faa

SHA256
ac7df07ec85d2681bf9fafb977cb1d85001f4d43083062b6436f585cc120f3f2

SHA512
8678cca9964533d0d562e8a0a0e99bbd3a5c74440d3d3bfe1118a0741c5c13cbb39bd9608de05b371c5d54e856f1347a9e445bcd620a960c8871befa33e42ad9

Download Submit
C:\Windows\SysWOW64\Llkjmb32.exe

Filesize
112KB

MD5
06d9ed173ad6cceea89559d7746f9aed

SHA1
58ee7a8a8da6775619bca185fddf0cd3657ca0a0

SHA256
3df7c0a0a4e8048d9d128b9a94a0a6429467fdc037ca2f261133fa920d744dea

SHA512
2776435be6a671e32da175f38de3639f615d12c9be847394a0261d35f282752342fad7b7c5e1eea5d2772648343ae34a96157818b162a4629ceb5d5c195eb13e

Download Submit
C:\Windows\SysWOW64\Lojfin32.exe

Filesize
112KB

MD5
035fea67ebe5215e8a66c34ebc5bb74c

SHA1
a66d7c1b8b7f0ae81dd3aaffb948b73e967335a9

SHA256
1e789d2640e8cd140bf6fbef0d4d30c6f76a7a453ac382baf3cb39e1a6599e55

SHA512
39b348bd9112ad52634b3d5c843124dcda9a99471bc84c5fdec1a0296d148ae5939134d016f9d21d32e9ee969078577f30c99ae0df34e8d9d9afe3dba3e87100

Download Submit
C:\Windows\SysWOW64\Lolcnman.exe

Filesize
112KB

MD5
f8d08797a612d6c2ffd4f837d8500b4f

SHA1
8d95f8eee1ea7db36c81ae63547f8a024d87267e

SHA256
02acd7ebad6d8384118d1cca31c45ce748a8c949b77b171fa868a6e6bd189366

SHA512
20a74e51204e2d489e3f8402156501715b9408d201d4603a39ece0984262e51bce06ef2f70b5599a1eb0f9ca63a67bd1093ce3d929a4d811daf7bf4c3560b0c2

Download Submit
memory/208-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/208-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/228-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/228-267-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/456-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/456-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/512-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1132-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1244-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1244-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1280-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1388-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1388-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1508-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1736-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1736-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-264-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2808-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2836-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2868-265-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-266-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3172-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3216-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3252-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3252-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3336-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3532-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3532-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3568-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3568-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4328-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4560-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4584-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4836-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4940-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads