d6aecb34b9fdf6c279f948ffa68ff4b3103031d494eef50a603d3bfe27c39a24

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2024, 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e4ced12c59ca31c9918d96b01cd8280N.exe
Size

59KB
MD5

4e4ced12c59ca31c9918d96b01cd8280
SHA1

f4da9f1131329101b3efe6dd2e9f8747ba87bc03
SHA256

d6aecb34b9fdf6c279f948ffa68ff4b3103031d494eef50a603d3bfe27c39a24
SHA512

5d49e453fdc66c86d75318ad94d80d02f72d124beba6bc23d2397d98ee6bc1cc9b5971c0d015f2978f2b88aefecf3799c1a3960a2f87ac2dd0901b7d962d8ae2
SSDEEP

1536:wc27fIFapQkXmMgKHO5UsOFMaBE7X8xMGE2L2LuO:gzDpQkXmMVHjsiE7LXuO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlanpfkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4e4ced12c59ca31c9918d96b01cd8280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ibgmaqfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jehfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijmhkchl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kehojiej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe

Executes dropped EXE 44 IoCs

pid	Process
4668	Ieqpbm32.exe
4744	Ijmhkchl.exe
452	Iagqgn32.exe
1912	Ihaidhgf.exe
3408	Ibgmaqfl.exe
960	Ihceigec.exe
4384	Ijbbfc32.exe
4484	Jehfcl32.exe
3532	Jlanpfkj.exe
4792	Jblflp32.exe
4748	Jdmcdhhe.exe
676	Jjgkab32.exe
4072	Jaqcnl32.exe
1184	Jhkljfok.exe
4944	Jbppgona.exe
3232	Jhmhpfmi.exe
2608	Jogqlpde.exe
2072	Jaemilci.exe
4132	Jhoeef32.exe
2692	Kbeibo32.exe
2224	Kdffjgpj.exe
2056	Kbgfhnhi.exe
4728	Kdhbpf32.exe
1412	Kongmo32.exe
1804	Kehojiej.exe
552	Kdkoef32.exe
4156	Kkegbpca.exe
4868	Kejloi32.exe
4584	Kdmlkfjb.exe
1536	Klddlckd.exe
2596	Kbnlim32.exe
2180	Khkdad32.exe
3440	Lbqinm32.exe
1224	Leoejh32.exe
5096	Llimgb32.exe
3888	Lklnconj.exe
4692	Laffpi32.exe
1648	Lhpnlclc.exe
2128	Lknjhokg.exe
2152	Lahbei32.exe
2712	Ldfoad32.exe
1764	Lkqgno32.exe
4148	Lajokiaa.exe
3940	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cboleq32.dll	Kehojiej.exe
File created	C:\Windows\SysWOW64\Dpjkgoka.dll	Khkdad32.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Lkqgno32.exe	Ldfoad32.exe
File created	C:\Windows\SysWOW64\Jlanpfkj.exe	Jehfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Lbqinm32.exe	Khkdad32.exe
File created	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jblflp32.exe
File created	C:\Windows\SysWOW64\Mfmeel32.dll	Kongmo32.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Hbfhni32.dll	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Kknikplo.dll	Iagqgn32.exe
File created	C:\Windows\SysWOW64\Jaqcnl32.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lajokiaa.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Iagqgn32.exe	Ijmhkchl.exe
File created	C:\Windows\SysWOW64\Ibgmaqfl.exe	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Ckdlidhm.dll	Jehfcl32.exe
File created	C:\Windows\SysWOW64\Aannbg32.dll	Jblflp32.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	Jdmcdhhe.exe
File opened for modification	C:\Windows\SysWOW64\Jaqcnl32.exe	Jjgkab32.exe
File opened for modification	C:\Windows\SysWOW64\Kbnlim32.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Ieqpbm32.exe	4e4ced12c59ca31c9918d96b01cd8280N.exe
File created	C:\Windows\SysWOW64\Qbddhbhn.dll	Ihceigec.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jbppgona.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Ldfoad32.exe
File created	C:\Windows\SysWOW64\Qfqbll32.dll	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Kejloi32.exe	Kkegbpca.exe
File opened for modification	C:\Windows\SysWOW64\Jhkljfok.exe	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Jbppgona.exe	Jhkljfok.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jhoeef32.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Gqpbcn32.dll	Jlanpfkj.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jblflp32.exe
File created	C:\Windows\SysWOW64\Jhoeef32.exe	Jaemilci.exe
File created	C:\Windows\SysWOW64\Lbqinm32.exe	Khkdad32.exe
File opened for modification	C:\Windows\SysWOW64\Ihaidhgf.exe	Iagqgn32.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Kjejmalo.dll	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Leoejh32.exe	Lbqinm32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jaemilci.exe
File opened for modification	C:\Windows\SysWOW64\Kdffjgpj.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Qekjhmdj.dll	Kkegbpca.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Oojnjjli.dll	Kbeibo32.exe
File opened for modification	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Jhkljfok.exe	Jaqcnl32.exe
File created	C:\Windows\SysWOW64\Kdmlkfjb.exe	Kejloi32.exe
File opened for modification	C:\Windows\SysWOW64\Khkdad32.exe	Kbnlim32.exe
File opened for modification	C:\Windows\SysWOW64\Lajokiaa.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Iagqgn32.exe	Ijmhkchl.exe
File opened for modification	C:\Windows\SysWOW64\Ibgmaqfl.exe	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Kongimkh.dll	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Kongmo32.exe	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Kdkoef32.exe	Kehojiej.exe
File created	C:\Windows\SysWOW64\Idhdlmdd.dll	Laffpi32.exe
File created	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File opened for modification	C:\Windows\SysWOW64\Jblflp32.exe	Jlanpfkj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2436	3940	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieqpbm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jblflp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4e4ced12c59ca31c9918d96b01cd8280N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijmhkchl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlanpfkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khkdad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaqcnl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iagqgn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibgmaqfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jehfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgglf32.dll"	Ijmhkchl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlanpfkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbngnmk.dll"	Jaqcnl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichnpf32.dll"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jehfcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejmalo.dll"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4e4ced12c59ca31c9918d96b01cd8280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll"	Kehojiej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4e4ced12c59ca31c9918d96b01cd8280N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijmhkchl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpjkgoka.dll"	Khkdad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ihceigec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongimkh.dll"	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll"	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kejloi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laffpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iagqgn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiocnbpm.dll"	Ibgmaqfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfqbll32.dll"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjhmdj.dll"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaqcnl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlgpeb.dll"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmeel32.dll"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdmlkfjb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 4668	1588	4e4ced12c59ca31c9918d96b01cd8280N.exe	91
PID 1588 wrote to memory of 4668	1588	4e4ced12c59ca31c9918d96b01cd8280N.exe	91
PID 1588 wrote to memory of 4668	1588	4e4ced12c59ca31c9918d96b01cd8280N.exe	91
PID 4668 wrote to memory of 4744	4668	Ieqpbm32.exe	92
PID 4668 wrote to memory of 4744	4668	Ieqpbm32.exe	92
PID 4668 wrote to memory of 4744	4668	Ieqpbm32.exe	92
PID 4744 wrote to memory of 452	4744	Ijmhkchl.exe	93
PID 4744 wrote to memory of 452	4744	Ijmhkchl.exe	93
PID 4744 wrote to memory of 452	4744	Ijmhkchl.exe	93
PID 452 wrote to memory of 1912	452	Iagqgn32.exe	94
PID 452 wrote to memory of 1912	452	Iagqgn32.exe	94
PID 452 wrote to memory of 1912	452	Iagqgn32.exe	94
PID 1912 wrote to memory of 3408	1912	Ihaidhgf.exe	95
PID 1912 wrote to memory of 3408	1912	Ihaidhgf.exe	95
PID 1912 wrote to memory of 3408	1912	Ihaidhgf.exe	95
PID 3408 wrote to memory of 960	3408	Ibgmaqfl.exe	96
PID 3408 wrote to memory of 960	3408	Ibgmaqfl.exe	96
PID 3408 wrote to memory of 960	3408	Ibgmaqfl.exe	96
PID 960 wrote to memory of 4384	960	Ihceigec.exe	97
PID 960 wrote to memory of 4384	960	Ihceigec.exe	97
PID 960 wrote to memory of 4384	960	Ihceigec.exe	97
PID 4384 wrote to memory of 4484	4384	Ijbbfc32.exe	98
PID 4384 wrote to memory of 4484	4384	Ijbbfc32.exe	98
PID 4384 wrote to memory of 4484	4384	Ijbbfc32.exe	98
PID 4484 wrote to memory of 3532	4484	Jehfcl32.exe	99
PID 4484 wrote to memory of 3532	4484	Jehfcl32.exe	99
PID 4484 wrote to memory of 3532	4484	Jehfcl32.exe	99
PID 3532 wrote to memory of 4792	3532	Jlanpfkj.exe	100
PID 3532 wrote to memory of 4792	3532	Jlanpfkj.exe	100
PID 3532 wrote to memory of 4792	3532	Jlanpfkj.exe	100
PID 4792 wrote to memory of 4748	4792	Jblflp32.exe	101
PID 4792 wrote to memory of 4748	4792	Jblflp32.exe	101
PID 4792 wrote to memory of 4748	4792	Jblflp32.exe	101
PID 4748 wrote to memory of 676	4748	Jdmcdhhe.exe	102
PID 4748 wrote to memory of 676	4748	Jdmcdhhe.exe	102
PID 4748 wrote to memory of 676	4748	Jdmcdhhe.exe	102
PID 676 wrote to memory of 4072	676	Jjgkab32.exe	103
PID 676 wrote to memory of 4072	676	Jjgkab32.exe	103
PID 676 wrote to memory of 4072	676	Jjgkab32.exe	103
PID 4072 wrote to memory of 1184	4072	Jaqcnl32.exe	105
PID 4072 wrote to memory of 1184	4072	Jaqcnl32.exe	105
PID 4072 wrote to memory of 1184	4072	Jaqcnl32.exe	105
PID 1184 wrote to memory of 4944	1184	Jhkljfok.exe	106
PID 1184 wrote to memory of 4944	1184	Jhkljfok.exe	106
PID 1184 wrote to memory of 4944	1184	Jhkljfok.exe	106
PID 4944 wrote to memory of 3232	4944	Jbppgona.exe	108
PID 4944 wrote to memory of 3232	4944	Jbppgona.exe	108
PID 4944 wrote to memory of 3232	4944	Jbppgona.exe	108
PID 3232 wrote to memory of 2608	3232	Jhmhpfmi.exe	109
PID 3232 wrote to memory of 2608	3232	Jhmhpfmi.exe	109
PID 3232 wrote to memory of 2608	3232	Jhmhpfmi.exe	109
PID 2608 wrote to memory of 2072	2608	Jogqlpde.exe	110
PID 2608 wrote to memory of 2072	2608	Jogqlpde.exe	110
PID 2608 wrote to memory of 2072	2608	Jogqlpde.exe	110
PID 2072 wrote to memory of 4132	2072	Jaemilci.exe	111
PID 2072 wrote to memory of 4132	2072	Jaemilci.exe	111
PID 2072 wrote to memory of 4132	2072	Jaemilci.exe	111
PID 4132 wrote to memory of 2692	4132	Jhoeef32.exe	112
PID 4132 wrote to memory of 2692	4132	Jhoeef32.exe	112
PID 4132 wrote to memory of 2692	4132	Jhoeef32.exe	112
PID 2692 wrote to memory of 2224	2692	Kbeibo32.exe	113
PID 2692 wrote to memory of 2224	2692	Kbeibo32.exe	113
PID 2692 wrote to memory of 2224	2692	Kbeibo32.exe	113
PID 2224 wrote to memory of 2056	2224	Kdffjgpj.exe	114

C:\Users\Admin\AppData\Local\Temp\4e4ced12c59ca31c9918d96b01cd8280N.exe
"C:\Users\Admin\AppData\Local\Temp\4e4ced12c59ca31c9918d96b01cd8280N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\SysWOW64\Ieqpbm32.exe
  C:\Windows\system32\Ieqpbm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Windows\SysWOW64\Ijmhkchl.exe
    C:\Windows\system32\Ijmhkchl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\SysWOW64\Iagqgn32.exe
      C:\Windows\system32\Iagqgn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\Ibgmaqfl.exe
        
        C:\Windows\system32\Ibgmaqfl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\SysWOW64\Ijbbfc32.exe
        
        C:\Windows\system32\Ijbbfc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Jehfcl32.exe
        
        C:\Windows\system32\Jehfcl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Jlanpfkj.exe
        
        C:\Windows\system32\Jlanpfkj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Jaqcnl32.exe
        
        C:\Windows\system32\Jaqcnl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2072
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3888
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3940 -s 400
        46⤵
        Program crash
        
        PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3940 -ip 3940
1⤵
PID:3168

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 044139fe558cdd2750f3ef3eef76f10c fxQa44VOSkOg0+yfD6U53g.0.1.0.0.0
1⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4344,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iagqgn32.exe

Filesize
59KB

MD5
bbae6189d3792eb7cdc1fd5297e55f53

SHA1
de958565c5260ff7038ce2d6f5c9e03ffbcd653b

SHA256
06c07969cd516a97b5e1260e81a24b0699bb87e9a52d18fd5d35aa3a517ce8e8

SHA512
0f975e472fe86260d73c6f39d3d1276f3517d98b74e2d73c3320f4427d0f68f64cdd4c5aa168a3c961f4c2cc25e3cb828814972273d35c97bc411e48e9002418

Download Submit
C:\Windows\SysWOW64\Ibgmaqfl.exe

Filesize
59KB

MD5
d59a1be0036954d84c75e663fc7e6e67

SHA1
cedbc04099519b37d7a515b78da22786769c82d4

SHA256
ac66a60a5cb59faff4877cf4aeb5b7d9b034437303beaa2c60b8dda0b1f906e2

SHA512
b82aefd7136eeed94b75613bad363d5941f2e11cb261dfa517b35972c39ffec6260daa8c19222941ee2abb82684136b103ac951c0b32c43daae98694b5814f3c

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
59KB

MD5
689422a01c94dafe48cb00e4e00c1203

SHA1
d793d7b159df115c2c855a3f92ef16099e1bb307

SHA256
8b9793e4c04b80064d49d6e5e4956d2379064533bab6c502f3f25953f1eac622

SHA512
1ea02ea324db4824045518a96693e923e17e72adc4127371de68a8451e898f96038cd8fc629ec3c523445ae27bc250ae3fb22e4a5cfcac8a37eb4f7264597d2c

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
59KB

MD5
62e997a90a05f2faf2b6218d32844fa6

SHA1
121c3a3560fe910c99a7da75f7aa6ab52d89705e

SHA256
9f88cf50f2dc699cf3a8d3a9fd8317ace941491d18f0b9ac90bb66f0c18f12ed

SHA512
45dd3ae79f5ef042559956b49f6cc2789aaae6c6c5212c62f4f10d4a743a41a969e4807935d008d0d199449a6d7bc732e8c670d974f5c57ce61aedb03a520e34

Download Submit
C:\Windows\SysWOW64\Ihceigec.exe

Filesize
59KB

MD5
b30ea6dd53e84affc27e30a5c5810e0c

SHA1
25d6c77ae4b24d6a9783e67d6274d4cc1fc9a664

SHA256
400a704e499d46c15857dbfaca3c9025b82ff727793a6cf4149fa0821209b154

SHA512
5969f8c7f377b2bfad835d1802cc8aa3f371d49cebd59e038be7439d224d4c33042abac681a6c495234391f4f2582440c0c7668e0b2f3d1e5f6ab765aab52770

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
59KB

MD5
31f184445b54138691f9de72afd946d6

SHA1
cd45156f935d42ea592be771c7d0d48d34d80695

SHA256
0b88ade562de96004ba38b00fb2a58d67d707cc25338840569d123ed1fbab7a0

SHA512
cc4d7b7056ccd1b2d64896ba4a003cc097ae9c76706ff3dda5244c0c35da077f54cd838605fc9cd0d2c401f78935f44d336d7974e6603779a24a52752ca827f2

Download Submit
C:\Windows\SysWOW64\Ijmhkchl.exe

Filesize
59KB

MD5
0eebb64a530a73965c4f56f10ff04afa

SHA1
ae06759a203930b27ad76b0449c052b8ffd1d6fe

SHA256
a1619ab98bb9d2b74ccbbb1ca220971f988b9f93939105e2e9194ff66ab44ea3

SHA512
2993acb9a06eff8abd9963a1798e52004f319f50b11a3ac1e5b1b871a4245db34621edd38d8289952c6feeebdba88cd2d22a9677a1b8485ac2db1c1093e0516c

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
59KB

MD5
a5639c628a0d7bc9f6bad7149318507e

SHA1
9d25bfa673b39e53df3535ad7a7e46443d9211b8

SHA256
6eb6b79a6c8d3ac131d43246def9cf1674b80296cc06a117209baf6956305c3c

SHA512
9e38a250d4e000cba23ab1e7747f0696a0d471654defefc24b982f77c10de1cd93914b20f567e15981f56399e0187d8a99a23d2c99832697aa6cbca861457d39

Download Submit
C:\Windows\SysWOW64\Jaqcnl32.exe

Filesize
59KB

MD5
1846717870554be4641965b0c6278d39

SHA1
b5a6ad931d20ed3021a8e80913c881a3ad0bc27c

SHA256
04301736dba68cd912e146aed906e28175b873470fdcbd7deb223233a31eaca9

SHA512
4d7e959933a664a2c33880fb03d332e1e1933855548fafddadaf290e60cc23e2ad5294895b139c2184df2aa8e15f45dfd48972d9596fe695625b85e4a3546a0e

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
59KB

MD5
b1bae8eadc366d36cc62081e64b9fd52

SHA1
e14f14f3c1d5eb3262f274c439b3e1974fb70815

SHA256
050fde7af7e7887daca1487cd8b218bdab0ba5a03dfd2f834ee780c2e24f18a2

SHA512
2e32176e5674f5f20382c0e743daa12268178e8f9d14c5bf5857da733501fd3ca974c920c4691a7b142543a746b51cbc89de0bc9b6e2908dfd34396cd340f7e0

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
59KB

MD5
77b89f74484981e6a7e96675196107c5

SHA1
31784ba180468f3dad17ee6d3b095194fe4a1a88

SHA256
d30b28e8a657b65eca1726738f21764e130ccffc05a6cf4bb6c25777a72d679e

SHA512
0ad98e49bb1127f4add8e5036b79ea27eeaaa62fbd5955f1b1802ba1e0143866c1dbfe53c2ceb138f833a5e664d54363afabb89e370eca6b169c779871e6e339

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
59KB

MD5
30dbf6ec7c462a527b25572fd2f467f8

SHA1
f1dee98a7c2a772a545ddcf3cb4772796ff27403

SHA256
6694c4385732dae94807ffefe5ae2bf3620a21f2f261145f548a52eeefc83a52

SHA512
ee95306278bbbea7f9c92517346b5dd903ffee14684f4e523a7453d285b36da263c088dcfbb4a15fb7743b6357a45dba01e76a86c8fd476d72773f5d5213dcce

Download Submit
C:\Windows\SysWOW64\Jehfcl32.exe

Filesize
59KB

MD5
0320aaef81b57d9697b18ff8b53cac07

SHA1
22c9154472376a59af09324bd0cc3f49e888679f

SHA256
a9c67041ea7e4892d28768ed135521cf8bd9984460197e293f01b58d7e9af956

SHA512
c5391734717062723e03e11a65f54977cc295f5c79d1b9fcd79eb276ea61a9c5043b776b08f7338d9541dc2eb9e20a84e1e423d4f6614b475378d37b271d1a29

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
59KB

MD5
da1701b8928d8ad3c60ad094dd4ccf67

SHA1
fe1abd8afff87bb8ca461e0e5aac99701c049edb

SHA256
fe1487ee87f4654753599c1f6b53d99561e569418c03e0db88d1108e2cf5e6a1

SHA512
6e6f809f80f3e81bfd20769eceedde113f002d0ca26b014099f510ce928e651f54d1bd1e932a88babed5f6daf3e9a534f246d33f5fbfac3a02c4193fc9f80ae0

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
59KB

MD5
a07cdd7c8a9fdbd6836d7f57b1361101

SHA1
a08fa3d6bfdbef41f3e63b5d90ec67ec67dec283

SHA256
f67fd6fd808924db802fc1708c8cf78c9718e445f5a48f991d85c40bb51842e9

SHA512
8aee46765c9b58ae5b7bea875c5629b7055793b52631673168a673ff143b673aa61c04d2c5501e954b6ebf78c8eb959bcc971ba680950f9b2aed4ae850b26142

Download Submit
C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
59KB

MD5
2845f020d69fa824a66eecacd524358b

SHA1
6d47b726c069c9a0959391ef0cbe56fb2d195fd2

SHA256
4deb87e521695af06ba0e0430c300f0ac6b5d3fa4f65dc93916feb760b3828e2

SHA512
0519de35a0d201f1239e1a4871418d62a66ec2128a254b1a74c24acb1d3576ecbd455a735cef24c116198d83d19f9652f149133f6a6016602ec7ac2f0da8083a

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
59KB

MD5
b9c6c124250fd36319c53e6e89a6d668

SHA1
5e743cc60679a5ff9a920bc11e70fc6e684fbb31

SHA256
66038b601da4e23bcbbeb6a5b1f056c0898578ba2cd7ab43a98423f881f94e85

SHA512
fd4d06466471c750e35762b29b2cbbacdc39345017467bbf181888b48c805fa51a6a2828500330630b3e3894c7c10e9739448bebc279993bf10dece37f411989

Download Submit
C:\Windows\SysWOW64\Jlanpfkj.exe

Filesize
59KB

MD5
e9cbcc0fd989b16269522575d9313347

SHA1
c6c4b55142ddf50296c40aa9bc39688ef73d3a88

SHA256
393e18441083069d16bf729cf54bb5543362f1e675ef717eeed4faeed52c6c4a

SHA512
b466756ea59d9617e01ff6b011f872a83449a02fbbb124f4c2a9e3b907ca8cb9c943061f4d1b0cd800cdb0e5ad2c047107066f120fa3374e2c30c9b07020c1a2

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
59KB

MD5
f75776e1eb5641abf3c1f789aee11718

SHA1
3742974e4ed165f349a740500b10906d47c24e06

SHA256
4a3e8c99dda71cadd8efee2899381390d8f03ca9aaf139d313a0d3b99faef951

SHA512
1f466c6e6687a2e8bd743662a5ab8cb00c6bd376de459fe667575b4cb46c9d18c791bc100aa5cbc1b9262c499e676e5653f3e1b5ace307ec5115f4648e9e4753

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
59KB

MD5
2af6e7bef7d5f04f9a41c0f231c950be

SHA1
10a291e368cfbaf180028ec59809f01288ecd236

SHA256
e077353559de1596cf705fd988e1a4da00eedc99b756e838191ceaec068ab143

SHA512
09187d439700f3a664309ce3bc468d6f17395d59580350e51ad1c11e8ab5cd7d23dc1f886943977e4a9e4db538bb15bf9c9728e38154887ea29cec67d528bdca

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
59KB

MD5
736b84d1901fd2cabde9eb9d93973bb2

SHA1
2a7d9b7734ef12c23c2a429c532eb7d4e2dddb7e

SHA256
131ddf700aecf972c5dee7aacc1ce80ea262efd8d97ce276d875d97f2f06447b

SHA512
108b3e701ba8aa9c5d58033096f114df4c0ddf85080d9de08d95e174dc40536e3c0b724190f148a5c03b92a2a24127e2a2c44838a5c70782a8ebff47c0dcfef3

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
59KB

MD5
d152b7976e3cddbcb052b089b61128ae

SHA1
a8787f505a439304c3f3ebb2137ccfe6f13150a0

SHA256
3f0ae620fb2f54bdcecf71337540c540fdd9bd7f2ec02a3f0834b2bb4dbac905

SHA512
be9170f3ce482c525ebcc7669dd58d1ff93f6b4ebe91e84e71a4351c6420c8d386fb34fea6c52822592333e45ce48037877168396d3a461dc95e5ff1e562ac47

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
59KB

MD5
9985649c5ba2562e1447283ed14c50ef

SHA1
c9d9a99ffe4078b9e69226548771b7a593229470

SHA256
18040923733d1fa0afa28c9348a3aa72614e6d18f3567b69adcc7def178f01b7

SHA512
b6143b60e8dd44828a14f639fc8c12a5bd313e0f6a1c64b935bc26d7684f1ef79678593d326773c0e613c163722e91dc1c9ac2c3bca7774d5829a7b764b06f91

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
59KB

MD5
e90f6b1d8245445de8e142f3e7b4fe62

SHA1
1a6c57c9d185958eef903163ea77c91e58398118

SHA256
42ca816d70f4fa444bfe78b7e0267f16d26b68db41b7c0e462e93037cd006618

SHA512
b11a32a3e2fe7c52b6baa1651e1f2e827bcb51dce268ba9c73e1d187e838df63cdd1d31fcb364a2bb42b3793ba267b777f71257ae84a0651f47c49049fe7c7f6

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
59KB

MD5
815d5ffcb8a61d2d7f6a4391f96fbaaf

SHA1
b6ebbd74e365f8eb3852c79b69d576651b37262f

SHA256
0fb8882acf0ec7957e306ee307dfabdeb98d19e231e29adf5b920aa8f421ac19

SHA512
9b89f0727c02056f649acf59c104b2f4f31612394496d9d6a41f120fbef51aeaf56b6b917e39d41a480034cc35ece06c40d0a4c0f149fa2240081f9dda687e48

Download Submit
C:\Windows\SysWOW64\Kdmlkfjb.exe

Filesize
59KB

MD5
7496bf2c04035bbef73ef3b2c116dd24

SHA1
3487417b4e1cdb5c7965db94116459d2ef537d92

SHA256
5165b611a657d3a5ceed8913305b299c314790020969a6a224575ad80d066271

SHA512
cd8eecbda6f642261ec3c6d4efd392329c93786c380431d7e61287a627f42e58a2fc1d250025a4643ce57bc8b2b77cb987712e96dbdd1a1fc6e5bd863e0dbb52

Download Submit
C:\Windows\SysWOW64\Kehojiej.exe

Filesize
59KB

MD5
f43d4bf90d3f57c65c7c4de96b692ac2

SHA1
e0b919b27e8622610f502e2c273419a77324685c

SHA256
094a0a7c66c82db35c3dc7b18a61d116aa75f5d67d15afb1f4f2112fee65eddd

SHA512
6aaebbdfa2d26c6c40ef45041d7782d28e06bbf1e65f9f538dd9109357ec36f7541b5e6b26031c07bd5b3d7cca06aeb039b3b65d542c55c021c213fdda50a54a

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
59KB

MD5
1574bc118bfee63465d35e1d90edabbd

SHA1
9dc81418914940408455de8bf6909a103be8014c

SHA256
917be1fc4777ebd420e7e2b87593f8879bfa61d2ead988aacaedb34444f3c98c

SHA512
8972709b436a5c6fd18721523f082ac36cfec63bee1ea1a0fd3af1aef2ac872acbe0f49f5c150b1d6f92d0669911152a9a89d9b1f7c615d892e2cf42f775484b

Download Submit
C:\Windows\SysWOW64\Khkdad32.exe

Filesize
59KB

MD5
805b25c90f0b2eb10ee604943ee944bf

SHA1
9959f858c880b4eed68f073f1835dfca71a9d3a6

SHA256
f932ff05a272168df4a984e96830304601a28054ac278fb831627378450793a1

SHA512
9161e80998ffb48ad1df8487765079fbe4113769b9ebe931b6e9522675abf4c84e9dfa215b07e852e659fbd3a1e6b0fbe901eb6658a75c84c5df64d4cbd83502

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
59KB

MD5
12df91b16de9eb2e59cdb6b5aad86084

SHA1
0c2131aa065198eb8c295be612fa207d430fcd63

SHA256
caa598fe7c9d726f381695b51c33fad38b883507fad7138a8e246b2dec59ec27

SHA512
98b510e5b0ba040f968700850afc12c24281ab744ffe2476867ff8cf30560d8255aa226c5a1a86dd2a34f6e9ae0bdaf836943055779edbaee74ca3a5ee8c861f

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
59KB

MD5
230f1de7b2770990ae97fcdc28c1ded4

SHA1
c38ed9d36dde3b936b24ec5606d17b936bec4e37

SHA256
0bf9e42667261a1c9a18aed80d8624a843cc6c05ca34f5fe335309e7d86162d3

SHA512
246b570a8a8cc04bdcc707ed33900869007c8c542cf9512a06df1b018a3bfd25702b07f14f8f35f2ca52b98a1ee7cbe172fb89105a8d78a34d97dddfc3b30d80

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
59KB

MD5
4ec520bfe811cefa9882dc12dec16829

SHA1
9ab1bb44dd1aa9e00e0f9a1a5aa7aa46fc46b315

SHA256
3462d865f6ba65420f253be125b54b3925a2b4073dc56433a1aa07f601380572

SHA512
55ec0804681fb6106b66a36cfc40d05bdf25e34fa3b6813624e4979fd41829362a01e154d7615e136927003f9d0c170ad727bdb1246f0e89fb04ae8317806d69

Download Submit
C:\Windows\SysWOW64\Lajokiaa.exe

Filesize
59KB

MD5
e77d7599958c69778ff61b5d4a1c6c33

SHA1
c6177ac8d52df03b28997d0df8df55238c0eabbc

SHA256
9239908cdcac4a867eeef4097fd441c4485ae939a1d7124f48430449c40ce546

SHA512
63260486591b5540a1dcf6ee75b7b5ab4a7c68a1f236e0562b81f4916f4112ba90ace458d346223b61896be7d20f9197416ce039ce9bf5597915b3e4afb901be

Download Submit
memory/452-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/552-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/676-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/960-49-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/960-405-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1224-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-240-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1536-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1588-1-0x0000000000433000-0x0000000000434000-memory.dmp

Filesize
4KB

Download
memory/1648-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1648-342-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1764-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1804-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-145-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2072-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2224-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2692-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2712-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3232-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3532-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3940-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-105-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4132-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4148-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4384-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4584-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4668-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4692-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4728-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4748-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4792-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads