3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5

Analysis

max time kernel
143s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Size

62KB
MD5

fe868ee8bdf1e5df843e13468dc68755
SHA1

2d8013f8556d750d1731d32f34384daa59fe24b0
SHA256

3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5
SHA512

c39e7a261347ff1f04a69544a6ffa4230183c370790869dd0bb64dc6c46915d6eade84d7a63790e99b93ce4bb91abe5fd31ffc965be51bc98d65d127674376e6
SSDEEP

1536:fxvWDmWzpTfAG90xYjUuPCJBhyqBj8XNFLcr7Nyqve8Cy:ZuDTAG9eYjPs7oY7Nfve8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbbmmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdmlkfjb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kahinkaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe

Executes dropped EXE 29 IoCs

pid	Process
2896	Jnbgaa32.exe
840	Jelonkph.exe
2936	Jhkljfok.exe
2388	Jbppgona.exe
4452	Jhmhpfmi.exe
3208	Jjkdlall.exe
2740	Jbbmmo32.exe
2768	Jeaiij32.exe
888	Jlkafdco.exe
4416	Koimbpbc.exe
2040	Kahinkaf.exe
1596	Kkpnga32.exe
1020	Kbgfhnhi.exe
4180	Kefbdjgm.exe
4524	Klpjad32.exe
3776	Kbjbnnfg.exe
1040	Klbgfc32.exe
3028	Kejloi32.exe
2268	Kdmlkfjb.exe
4412	Klddlckd.exe
4332	Kocphojh.exe
2036	Kaaldjil.exe
3692	Llimgb32.exe
4592	Laffpi32.exe
532	Lddble32.exe
2172	Lbebilli.exe
3708	Ledoegkm.exe
3112	Lbhool32.exe
3472	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kocphojh.exe	Klddlckd.exe
File opened for modification	C:\Windows\SysWOW64\Jhmhpfmi.exe	Jbppgona.exe
File created	C:\Windows\SysWOW64\Jeaiij32.exe	Jbbmmo32.exe
File opened for modification	C:\Windows\SysWOW64\Kahinkaf.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Kefbdjgm.exe	Kbgfhnhi.exe
File opened for modification	C:\Windows\SysWOW64\Jelonkph.exe	Jnbgaa32.exe
File opened for modification	C:\Windows\SysWOW64\Koimbpbc.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Klddlckd.exe
File created	C:\Windows\SysWOW64\Kahinkaf.exe	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Klpjad32.exe	Kefbdjgm.exe
File opened for modification	C:\Windows\SysWOW64\Kejloi32.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jbppgona.exe
File opened for modification	C:\Windows\SysWOW64\Jbbmmo32.exe	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Jlkafdco.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Koimbpbc.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Lddble32.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Jhkljfok.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Pomfkgml.dll	Jhkljfok.exe
File created	C:\Windows\SysWOW64\Jbbmmo32.exe	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Eqfnqg32.dll	Kocphojh.exe
File created	C:\Windows\SysWOW64\Kdmlkfjb.exe	Kejloi32.exe
File opened for modification	C:\Windows\SysWOW64\Laffpi32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	Lddble32.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
File created	C:\Windows\SysWOW64\Jlbngnmk.dll	Jelonkph.exe
File created	C:\Windows\SysWOW64\Dcmnee32.dll	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Lajbnn32.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Llimgb32.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lbebilli.exe
File created	C:\Windows\SysWOW64\Jhmhpfmi.exe	Jbppgona.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Kefbdjgm.exe	Kbgfhnhi.exe
File opened for modification	C:\Windows\SysWOW64\Kocphojh.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Lddble32.exe
File opened for modification	C:\Windows\SysWOW64\Jeaiij32.exe	Jbbmmo32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkafdco.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Ifkqol32.dll	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Pceijm32.dll	Jbbmmo32.exe
File created	C:\Windows\SysWOW64\Laffpi32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Bkclkjqn.dll	Laffpi32.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Lddble32.exe	Laffpi32.exe
File opened for modification	C:\Windows\SysWOW64\Jbppgona.exe	Jhkljfok.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Klbgfc32.exe	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Kdmlkfjb.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Jnbgaa32.exe	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Klpjad32.exe
File opened for modification	C:\Windows\SysWOW64\Llimgb32.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Bibokqno.dll	Jnbgaa32.exe
File opened for modification	C:\Windows\SysWOW64\Jjkdlall.exe	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jhmhpfmi.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Fbkcnp32.dll	Kejloi32.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Kdmlkfjb.exe
File created	C:\Windows\SysWOW64\Cjbdmo32.dll	Kaaldjil.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jhmhpfmi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2232	3472	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbbmmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdmlkfjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbppgona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpejnp32.dll"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bochcckb.dll"	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Kdmlkfjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbdmo32.dll"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kejloi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkclkjqn.dll"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll"	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jbbmmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbngnmk.dll"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomfkgml.dll"	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnakk32.dll"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qekjhmdj.dll"	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 2896	4988	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe	91
PID 4988 wrote to memory of 2896	4988	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe	91
PID 4988 wrote to memory of 2896	4988	3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe	91
PID 2896 wrote to memory of 840	2896	Jnbgaa32.exe	92
PID 2896 wrote to memory of 840	2896	Jnbgaa32.exe	92
PID 2896 wrote to memory of 840	2896	Jnbgaa32.exe	92
PID 840 wrote to memory of 2936	840	Jelonkph.exe	93
PID 840 wrote to memory of 2936	840	Jelonkph.exe	93
PID 840 wrote to memory of 2936	840	Jelonkph.exe	93
PID 2936 wrote to memory of 2388	2936	Jhkljfok.exe	94
PID 2936 wrote to memory of 2388	2936	Jhkljfok.exe	94
PID 2936 wrote to memory of 2388	2936	Jhkljfok.exe	94
PID 2388 wrote to memory of 4452	2388	Jbppgona.exe	95
PID 2388 wrote to memory of 4452	2388	Jbppgona.exe	95
PID 2388 wrote to memory of 4452	2388	Jbppgona.exe	95
PID 4452 wrote to memory of 3208	4452	Jhmhpfmi.exe	96
PID 4452 wrote to memory of 3208	4452	Jhmhpfmi.exe	96
PID 4452 wrote to memory of 3208	4452	Jhmhpfmi.exe	96
PID 3208 wrote to memory of 2740	3208	Jjkdlall.exe	97
PID 3208 wrote to memory of 2740	3208	Jjkdlall.exe	97
PID 3208 wrote to memory of 2740	3208	Jjkdlall.exe	97
PID 2740 wrote to memory of 2768	2740	Jbbmmo32.exe	98
PID 2740 wrote to memory of 2768	2740	Jbbmmo32.exe	98
PID 2740 wrote to memory of 2768	2740	Jbbmmo32.exe	98
PID 2768 wrote to memory of 888	2768	Jeaiij32.exe	99
PID 2768 wrote to memory of 888	2768	Jeaiij32.exe	99
PID 2768 wrote to memory of 888	2768	Jeaiij32.exe	99
PID 888 wrote to memory of 4416	888	Jlkafdco.exe	100
PID 888 wrote to memory of 4416	888	Jlkafdco.exe	100
PID 888 wrote to memory of 4416	888	Jlkafdco.exe	100
PID 4416 wrote to memory of 2040	4416	Koimbpbc.exe	101
PID 4416 wrote to memory of 2040	4416	Koimbpbc.exe	101
PID 4416 wrote to memory of 2040	4416	Koimbpbc.exe	101
PID 2040 wrote to memory of 1596	2040	Kahinkaf.exe	102
PID 2040 wrote to memory of 1596	2040	Kahinkaf.exe	102
PID 2040 wrote to memory of 1596	2040	Kahinkaf.exe	102
PID 1596 wrote to memory of 1020	1596	Kkpnga32.exe	103
PID 1596 wrote to memory of 1020	1596	Kkpnga32.exe	103
PID 1596 wrote to memory of 1020	1596	Kkpnga32.exe	103
PID 1020 wrote to memory of 4180	1020	Kbgfhnhi.exe	104
PID 1020 wrote to memory of 4180	1020	Kbgfhnhi.exe	104
PID 1020 wrote to memory of 4180	1020	Kbgfhnhi.exe	104
PID 4180 wrote to memory of 4524	4180	Kefbdjgm.exe	105
PID 4180 wrote to memory of 4524	4180	Kefbdjgm.exe	105
PID 4180 wrote to memory of 4524	4180	Kefbdjgm.exe	105
PID 4524 wrote to memory of 3776	4524	Klpjad32.exe	107
PID 4524 wrote to memory of 3776	4524	Klpjad32.exe	107
PID 4524 wrote to memory of 3776	4524	Klpjad32.exe	107
PID 3776 wrote to memory of 1040	3776	Kbjbnnfg.exe	108
PID 3776 wrote to memory of 1040	3776	Kbjbnnfg.exe	108
PID 3776 wrote to memory of 1040	3776	Kbjbnnfg.exe	108
PID 1040 wrote to memory of 3028	1040	Klbgfc32.exe	110
PID 1040 wrote to memory of 3028	1040	Klbgfc32.exe	110
PID 1040 wrote to memory of 3028	1040	Klbgfc32.exe	110
PID 3028 wrote to memory of 2268	3028	Kejloi32.exe	111
PID 3028 wrote to memory of 2268	3028	Kejloi32.exe	111
PID 3028 wrote to memory of 2268	3028	Kejloi32.exe	111
PID 2268 wrote to memory of 4412	2268	Kdmlkfjb.exe	112
PID 2268 wrote to memory of 4412	2268	Kdmlkfjb.exe	112
PID 2268 wrote to memory of 4412	2268	Kdmlkfjb.exe	112
PID 4412 wrote to memory of 4332	4412	Klddlckd.exe	113
PID 4412 wrote to memory of 4332	4412	Klddlckd.exe	113
PID 4412 wrote to memory of 4332	4412	Klddlckd.exe	113
PID 4332 wrote to memory of 2036	4332	Kocphojh.exe	114

C:\Users\Admin\AppData\Local\Temp\3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe
"C:\Users\Admin\AppData\Local\Temp\3c10c5e1f99868be11d43e46530da5adffd176dea89471793519578a9ec89bb5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\Jnbgaa32.exe
  C:\Windows\system32\Jnbgaa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\Jelonkph.exe
    C:\Windows\system32\Jelonkph.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\Jhkljfok.exe
      C:\Windows\system32\Jhkljfok.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Jbbmmo32.exe
        
        C:\Windows\system32\Jbbmmo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Kdmlkfjb.exe
        
        C:\Windows\system32\Kdmlkfjb.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3692
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:532
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 400
        31⤵
        Program crash
        
        PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3472 -ip 3472
1⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4108,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4020 /prefetch:8
1⤵
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbbmmo32.exe

Filesize
62KB

MD5
0f5a5edff252ac92a9c4f68382edc742

SHA1
d69fa1c169f174687604d9f22539b9a96e35d6ab

SHA256
3b5ec5c660e55f97255d55b212c5acdcea0172337298df04eb2a6d2ad9297481

SHA512
5c0d5c0932c29c706aa1c441d385811ac543ffd49414db3872602bbab28b6b0c431dd0b6735edf69722bcc8fda4fc79732818dea62673b18937572b6b34415a7

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
62KB

MD5
d4d1cf3afc86aef9f9e91bbc30086af6

SHA1
e6b30df3e366d23a1afb6f210d33827d3177d107

SHA256
b4c43dc4ab95b72f1fb8a8de5f8b958c4d9b7d164ddfa24ee54b116229e14d6d

SHA512
e24d26f03cb4ff0b9ee35780eda853a2ab4794cd3e560f2d6e285f0c7e0c733924e7a2587eb2429958861e920840228bd0c9e49119516caa45036aa20da53968

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
62KB

MD5
0eb655cbb5989e8af3fb77e3c9e8be61

SHA1
8f7e304cddda7754891019c044bf9615dea4660b

SHA256
3c0498dfad738833ce4275b2eb159993e2422000f3167c1ad0f88bfcabe21472

SHA512
8b730aee175c0c3ff344d2ab6e25f2a419163bf7d0c0fb3ed372d3472f19f1670d2283240755bae5980c20a32ca5e19c56ac32726e19b99e6157f45019b9588a

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
62KB

MD5
1edc5b0949a52a3ea6272338943eed8a

SHA1
8e23dd21db3c5cd16320aff9e75ace68ef024e75

SHA256
d215604112661f6c70669ed9de26ac4fa9a199b69634049991d6f0aaf44a40ef

SHA512
721c5ef4fc4fa0cb4e76770f33cf5ace081a63494b0646442cd56bc24d1f28b97722ed96eb73d5f834dfc71f9e89181baa47e388a4e7c08dbf74711fc39c91d9

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
62KB

MD5
62c6809de2784f0ea798c6eed1a94e83

SHA1
1394a1b6c34a860f234d03c8a5915dd03accbe79

SHA256
2c84bab12044529d38b5b5ef17a21f09f41bfc27afb4b1f0827078bb204ad678

SHA512
0140f77af2359f8d1b4ec47c2c850ddb1b3d39c7ae87dae695972032b433b8d5f0a09df022a7634584c58e9e16642170fc5599fd11a4257540dab87e7be15bf3

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
62KB

MD5
57b00dbc82892df9f02ce7d4198cdac0

SHA1
a8b7abc803e1064880e407491a164211e76c740a

SHA256
729d7f7b0001fba34408ff751a6e6997954a68920efba2da4926c2a21db6e6ea

SHA512
43050b0e59ba3b4ab6f9ce4d0887ff718ab48e2abe36f099b8be0141f55b02d8a4d71a3080c67a5c87b2bad5b400a7559a394052b475172a010c336f91a15291

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
62KB

MD5
532a3ef1b0589bebc62298211a6cb5ec

SHA1
a82d7a59fdfcc7d199d02c859d15d01472e7f20b

SHA256
bef77cc700234009797faa8a7d93fe316ba9d71e927f240f457157fcf01568d4

SHA512
22edc1789a90f67755f72278913b448f34d5620227e3c777e30165b021d3eb2d1e34b0fc8c454e2f72e7d09a823bd2b3b8f431e484b64222b1ac709b4e797360

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
62KB

MD5
0a2f9a6f06dce2c5e5b38d648c4e5a43

SHA1
61fccbb5fd53003b730e532fee6db57d915c5d08

SHA256
4a76c50539ba38e8499aad28a061a720b032b84d34e5d0cd843fb78a75adda95

SHA512
9e0f73a9ab80d33aaae997d13c3cb05ebc8eb1cc32bf62e652e161768ef9f53031dca865418e75148a10bb37246d0d40897a81abb220790f1c341da419f02a8b

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
62KB

MD5
1b8a71f817d795fd9878ad5e2a420d65

SHA1
20b4299c1206c48fa3bb9f5d695d0b2d71682743

SHA256
c7b260258aeecc60beb0b7fd0a11249fabbfa32d4a3a57adcc18cad97a6f5dc3

SHA512
1f68a8ee3c9f8f3527b0cb7a3c554464f9de5f2ee0d1b8d7bf46e0ca6bb4ef3781d3f58a0a831417530fe3a9a15a3b77b895d156efa8e60eed0a831ae54688cc

Download Submit
C:\Windows\SysWOW64\Kaaldjil.exe

Filesize
62KB

MD5
847ebc379b7be0a4cef94e30bddf97d3

SHA1
56223aacd77cdd0e22a5bb595c154b0a8a1901c9

SHA256
2db23895667a0eb506bcd60f4a4c58e2a8522f1c5c1dae688361ce0810e6d7c4

SHA512
17195b9cac048008ea4952468b9eac782eb584d6c77b6d2d4f0395637eb295b1abe94eaa0d775160f513c0a152ea65a248c00c7edf37edbe02583be8b5fedbcd

Download Submit
C:\Windows\SysWOW64\Kahinkaf.exe

Filesize
62KB

MD5
3fd08ce24cdfac552af109a978104eb5

SHA1
dff37f1ca8ae4e456bc6e39b4a777d1e8e711140

SHA256
d15f9bc429e6255a597e5e006022537c793da90e359f9bc1e3a2ffad09716b0e

SHA512
488d5ff01214988ffc9b7bae420781ced22b02ad20cbd1779515d98f0b01bc914ed2ac089279b1379b2a3dc55cadc53b20be255bd84dc0b74b584f70439948e7

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
62KB

MD5
505ac427c6943ed97d55ea4d9ad459fe

SHA1
dea79ea413e4d6b3fa9d97757bf29a51853a8f2d

SHA256
94efe84ed8e4d1e15ff8684256a4ae0600dcd5bcd280338c2223a7021d351259

SHA512
ca21749c3f13aa84e200c0c0c53a593ea80f1694760cf83bebfd4eef3de1dbc53904b99d2aab1850ffcc5f47e66e12cd84228baf014b32b74cf0ac51b7a285e6

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
62KB

MD5
dcddf81f38dc67fc3d8d40d23922db9c

SHA1
ba8d952a76fbecb7a285ef309bbe776b676195fd

SHA256
0e62a40ad60240658ed62365e17fb4d7804f747a8dfe3b5a237f10d02f83fc31

SHA512
074a3dfeaf07c8ba8e232fb35a7f9421f08efaa9e2b8ed87d53c77e238ae2d2b2f82ce6a671c4217d369124957e98a44e686cd051ff1f79ec041bd6bc805bcfe

Download Submit
C:\Windows\SysWOW64\Kdmlkfjb.exe

Filesize
62KB

MD5
0760b5eed97157b167a0dfd79568ef16

SHA1
ea45dbc64423b743ded67c78bc9b4e4299caa2d6

SHA256
103e494fcbc340adea74b20999a69b91af02daafd281b5bb1f6537b39a7dceba

SHA512
0edd10b5ed8f1abe0256989f67171913d4b4cce2fc0d15d5d703c4eb6d7a3b3819cc6f1a6ef87d61d24f88be61f575f590092f135d4172d033fb1b514caa1aec

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
62KB

MD5
ad3e41adefe64dcf7f832f81b98e2779

SHA1
78f68b44c283b1eaeb253645ba92f2a395230035

SHA256
09da474551ca7ac2d006c88535fdb8bff9cdaf09749c64f0ccd0544b086c07eb

SHA512
0189ff6789ea04ddedcc3e1419e74141033c722734172a2a3a7f8128f674ca42e570b4a86c4daa69f6d572c6cd805ebf9c91d80c73dda9b19181007103651f7c

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
62KB

MD5
8b4103eb041f569e432b258c59a37784

SHA1
0fe10eb74afa143f7cb9f1cff2a0d22b3b01c774

SHA256
d30c8b109a740129405dce56b41054c9d1c8b97a583bdfada5860e6d6f3553ac

SHA512
a002be86d2d4ad83283fd2f95a170ff26b5a08cd09f928dd5281a6c44acc5476a59476c38791735bae6d2d153008d2b7e47026e4bd6569417344b1602357c183

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
62KB

MD5
24c4bf6f1f4688e0469a6458fe856943

SHA1
d1086f7346e38f1b47c305bfd47aa7ad39080398

SHA256
43c4d8f90b2ebcb9d1e825fd8c48105c1f2484780a7a87396c89a72ab3455dec

SHA512
a4d1a01a09719e4bb2484b9c9c4444bf1cfdf7b5a80365a9709c002dee1013c85b33862d6d3f20f285a6e1bffb4ba584fdb5d23c83087ca2105b73d4ddb66068

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
62KB

MD5
da9f2c126aa380a9047ff97e04b40270

SHA1
6746551ec10d722f46c9d2c7c38e9ac53d79afe7

SHA256
57b87c8c602b2d709d79134e8c5c11372af7aad02ff92a4f4fd0160bc913b6ea

SHA512
88cbd4d125496bcce5af99e49137ba59546445300db9d66f2bf23a8adfc22c5afc2823a1115d2191ef73082505c4a4d61416b3f28e4b4b2a95983bd25d1badb8

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
62KB

MD5
4c6c3c6998f09611dd1b2ce51e42d4a4

SHA1
eb62ad9c8ac441cdb99fa0c0e9de6d83e78aec6b

SHA256
777024bd6413afb5413262ec4ba8fd808890b12e9e377c4762c6376e808c6c1e

SHA512
c0a9e7b0217be2399a10be633a0ad4b657b6a1d4656a5f7d74276b28de4cc316d2b5461841b3b93365f5e25de854dfcfc2f603e3429c856166cbcd84a660e334

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
62KB

MD5
2c9977d132518482f4f0643106d27228

SHA1
40627e146d72e632554dcf365d2c39acd2adda71

SHA256
9b37d400c767e11ec846251dd0e4ce7102780933d391fac9a2d05afe74598831

SHA512
53ee6e6b1382934a37e83039c2b44a611692b479cc2a05a72b8c77ce4476d7a4b68bbe07fce2fb06746a28f41a213d2f66674982b2f91b3a95201b30c951864c

Download Submit
C:\Windows\SysWOW64\Kocphojh.exe

Filesize
62KB

MD5
62ff676d2207da7bf05a6f07440feaa7

SHA1
9e14737297a60b8a228f075e77afd28e5bb86d9a

SHA256
05ede2852f2fb389696515b517e2c78ec1409ab349a160f3c2b6ad29f1ba79af

SHA512
75e6a1d0d55f5cd9a121642ff306ca10700a9c41a3594ea58fd8f07b10bd8bdff9916772a9c399d7e965c10ed506b9bfc6f4cf688b7733846d929369b90f1e04

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
62KB

MD5
8cdf541735d33a63ddb9fd8ff9e88a09

SHA1
26a54b6f9c6baf4da862cdc10306a472d0821bff

SHA256
4fda95d38da0e6647988f1d6fb5634e415492c3244f4a97b8f5e06db1bcbee63

SHA512
47215dcf6c486f980c1c6e655e88515fea5bbbcfae916b98ba46ad8b6ee2e83c196b3d9d85a0f39df1d0fa1f116c1887afe305748de6547c64a5060545f4d9dc

Download Submit
C:\Windows\SysWOW64\Laffpi32.exe

Filesize
62KB

MD5
a6571f1582c6271174090e280a9a829d

SHA1
c13198f3ce8e9e3cc2ceeb40c997b4751ce76f03

SHA256
28ab412c6fe1b310a45cc95e08d13eb920d5bcf06f7cb3a21e152c458c0d7a7f

SHA512
b28aff689fcd8c24014d530aa638c6d1e9a9364b0636cccf5dd450815c70cbda00c19fbee848c4fb9345aa08f9f448d4e3532da98322cf175d0b762401efb818

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
62KB

MD5
14f684fc81a9bfa3735dfe5f174da28d

SHA1
da1fef271106dc7adf3715dc35369f52275b2765

SHA256
f4984eafc55c4c2f95ef90b74a1afb663cfdd53527923340f7bc086e2dc9ca95

SHA512
1f5fb2181e3132d0f062ab847ce0756dcda9ec27fda422e014a30e30c64e4d3ef637821650ae194313e14fa77c950f2fd00f4c4d5a373f9d94fd6fbc6fa9217b

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
62KB

MD5
99d440725b48345d30f3bd989c9b6555

SHA1
35ba65547c5872b1dc387c8c3d39adc0c2f810c3

SHA256
4db45fdb11ebd175429bd30fe309b2a99f8fa70000cefce73d4ae210872631be

SHA512
575a56eeeab5e834ef218a41417900ed5f82952770a7aac15d569963faa472b4d56a55cf0f77d913af6fb141b0a403f13d52d75a1759f5330bddeaf649d58fb9

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
62KB

MD5
bb953d25a55a05aaadce8543abd52bb1

SHA1
4e6a80dcad5bbf6263323499839ec0b12fc9bed0

SHA256
686fb54dd862285f5aa80cc2fe05c5a8e6bc71e54dba6ca3c192e105a9f249e4

SHA512
57464615550c5bc3640e8f893223232302269e8565c98219697258dcc9fd7ae4ca287c7d46a52b3a88baef40d5825688c5177236168fcd0190b40f9ad76fc779

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
62KB

MD5
ae223d184717bab024edc7e59456f205

SHA1
04c8fe275a098bb82c97f72f0dd50bb2174b1e1b

SHA256
ec9f3c0e3aefb4bd6616f12a03f4d4d5e7e2ef69bd620613f7b434228d8e7902

SHA512
7c2396cc75976f163c2a45fc488237266b472a8bc89b1d47e24754f7bde756f08e72a9183cd4d2c7df17a4b8e0f0cbe9a1a6239d6840e2dfc82197a52f5e4dfa

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
62KB

MD5
3e8b005b9a6001fc6e34962fb923b29d

SHA1
e26c95b8f7b170e003ae32154e703af1049bbdca

SHA256
3ab5ad0d7f0d67b21ef6c464bb0c8a90f01a42a229b9dd14d12dfdb3a467577c

SHA512
4d4f3496d4daae6a530147ae9b62eaf1033e7e763f89e40ef78748bf17f53fa5b49fbdcb831602a53461324ddddc441198f78dff818085077825614c53ef3830

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
62KB

MD5
ddcd09c00f5f777d2b70d2c40779c889

SHA1
ba21245424a8d2930ee6a4704b9ae8c6a24db63e

SHA256
b79f090ae0c46ecccdb2da4d08196b9c840d83857b2afb1e1321b1c629e07ddc

SHA512
119a94ff4a71794d91a0f9089bffeaf64b837c0f3c58b5a6bfc6636cae7ff8c163fc305ce7bd1eba1f603083537f4d56640ad34d16f3404ac846b529fc9f378d

Download Submit
memory/532-215-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/532-257-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/840-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/840-21-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/888-73-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/888-162-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1020-113-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1040-232-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1040-144-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1596-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1596-189-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-260-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-90-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2040-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-256-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2268-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2268-163-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2388-116-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2388-33-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-143-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2740-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2768-64-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-89-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2896-9-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-24-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2936-108-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3028-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3028-233-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3112-243-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3112-254-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3208-135-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3208-48-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3472-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3472-253-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3692-259-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3692-197-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3708-234-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3708-255-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3776-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3776-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4180-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4180-117-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4332-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4412-176-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4416-175-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4416-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4452-126-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4452-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4524-127-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4524-214-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4592-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4592-258-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4988-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads