df9b56e0d1e99bd3d59606b4ebe7a77b0d3f2fdc020e96fe2940824893f596f9

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddca3db8deab743d856ad9fe47934e50N.exe
Size

363KB
MD5

ddca3db8deab743d856ad9fe47934e50
SHA1

d2e9a660c2ef3a93d35a78a85f43b14fef596ef4
SHA256

df9b56e0d1e99bd3d59606b4ebe7a77b0d3f2fdc020e96fe2940824893f596f9
SHA512

dfdfea897b2cda09f4d3048abc8d03789ae651dfbd29a7ef8a90d5db4f2453ad982196d8c0612edeb5641e783331942876c639d439da31d633c5773244e53329
SSDEEP

6144:S0XTtrH5tTDUZNSN58VU5tTt50NoYnX5tTDUZNSN58VU5tT:SYTt75t6NSN6G5tb0fX5t6NSN6G5t

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inkaqb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iecmhlhb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Koljgppp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ddca3db8deab743d856ad9fe47934e50N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lefkkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kejloi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ddca3db8deab743d856ad9fe47934e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkljfok.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jnnnfalp.exe

Executes dropped EXE 37 IoCs

pid	Process
3344	Ilkhog32.exe
1032	Iecmhlhb.exe
3032	Inkaqb32.exe
4872	Jnnnfalp.exe
3336	Jaljbmkd.exe
2796	Jdmcdhhe.exe
1644	Jbncbpqd.exe
4024	Jhkljfok.exe
1492	Jnedgq32.exe
1888	Jbppgona.exe
2996	Kbeibo32.exe
1128	Klmnkdal.exe
1008	Koljgppp.exe
1516	Kbjbnnfg.exe
2460	Kopcbo32.exe
1052	Kejloi32.exe
4880	Khihld32.exe
1384	Kbnlim32.exe
4420	Klgqabib.exe
3324	Lacijjgi.exe
2912	Ldbefe32.exe
1856	Lhmafcnf.exe
2480	Lklnconj.exe
1164	Logicn32.exe
1612	Laffpi32.exe
2576	Leabphmp.exe
2704	Lhpnlclc.exe
4940	Llkjmb32.exe
4588	Lojfin32.exe
1944	Lbebilli.exe
2356	Ledoegkm.exe
4552	Lhbkac32.exe
4360	Llngbabj.exe
3060	Lolcnman.exe
2756	Lbhool32.exe
4156	Lefkkg32.exe
1736	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kejloi32.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Lolcnman.exe
File created	C:\Windows\SysWOW64\Jaljbmkd.exe	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Koljgppp.exe
File created	C:\Windows\SysWOW64\Japjfm32.dll	Koljgppp.exe
File created	C:\Windows\SysWOW64\Kejloi32.exe	Kopcbo32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Lojfin32.exe
File opened for modification	C:\Windows\SysWOW64\Llngbabj.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Fncnpk32.dll	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Logicn32.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Jnnnfalp.exe	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Jbppgona.exe	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Jmjdlb32.dll	Klgqabib.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Inkaqb32.exe	Iecmhlhb.exe
File created	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jaljbmkd.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File opened for modification	C:\Windows\SysWOW64\Koljgppp.exe	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Klgqabib.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Koljgppp.exe	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Lojfin32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Jhmimi32.dll	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Lojfin32.exe	Llkjmb32.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Llngbabj.exe
File created	C:\Windows\SysWOW64\Ncapfeoc.dll	Iecmhlhb.exe
File created	C:\Windows\SysWOW64\Jbncbpqd.exe	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Jhkljfok.exe	Jbncbpqd.exe
File opened for modification	C:\Windows\SysWOW64\Klmnkdal.exe	Kbeibo32.exe
File created	C:\Windows\SysWOW64\Oapijm32.dll	ddca3db8deab743d856ad9fe47934e50N.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Ohnncn32.dll	Jdmcdhhe.exe
File created	C:\Windows\SysWOW64\Kbeibo32.exe	Jbppgona.exe
File opened for modification	C:\Windows\SysWOW64\Kopcbo32.exe	Kbjbnnfg.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Idjcam32.dll	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Lojfin32.exe
File created	C:\Windows\SysWOW64\Hmfchehg.dll	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jdmcdhhe.exe	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Jlbngnmk.dll	Jbncbpqd.exe
File created	C:\Windows\SysWOW64\Pomfkgml.dll	Jnedgq32.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Hfamlaff.dll	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Inkaqb32.exe	Iecmhlhb.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kbnlim32.exe
File opened for modification	C:\Windows\SysWOW64\Lolcnman.exe	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Kejloi32.exe	Kopcbo32.exe
File created	C:\Windows\SysWOW64\Acibndof.dll	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Lklnconj.exe
File opened for modification	C:\Windows\SysWOW64\Jnnnfalp.exe	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Mkojhm32.dll	Inkaqb32.exe
File created	C:\Windows\SysWOW64\Jnedgq32.exe	Jhkljfok.exe
File created	C:\Windows\SysWOW64\Qhomgchl.dll	Jhkljfok.exe
File created	C:\Windows\SysWOW64\Iecmhlhb.exe	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Idhdlmdd.dll	Leabphmp.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lbebilli.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Iecmhlhb.exe	Ilkhog32.exe
File created	C:\Windows\SysWOW64\Hmijcp32.dll	Jbppgona.exe

Program crash 1 IoCs

pid	pid_target	Process
2060	1736	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lefkkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnedgq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbeibo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddca3db8deab743d856ad9fe47934e50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhkljfok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdmcdhhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilkhog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kopcbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kejloi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lklnconj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ddca3db8deab743d856ad9fe47934e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbppgona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kopcbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncapfeoc.dll"	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llngbabj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ddca3db8deab743d856ad9fe47934e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Lolcnman.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbppgona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jnedgq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcnomaa.dll"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kopcbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakfglam.dll"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olkpol32.dll"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhomdeb.dll"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fooqlnoa.dll"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll"	Llkjmb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdmcdhhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomfkgml.dll"	Jnedgq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laffpi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ddca3db8deab743d856ad9fe47934e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilkhog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Kbeibo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkojhm32.dll"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnncn32.dll"	Jdmcdhhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfppeh.dll"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhkljfok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmijcp32.dll"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbeibo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aannbg32.dll"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbngnmk.dll"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llfgke32.dll"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhpnlclc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 3344	3476	ddca3db8deab743d856ad9fe47934e50N.exe	91
PID 3476 wrote to memory of 3344	3476	ddca3db8deab743d856ad9fe47934e50N.exe	91
PID 3476 wrote to memory of 3344	3476	ddca3db8deab743d856ad9fe47934e50N.exe	91
PID 3344 wrote to memory of 1032	3344	Ilkhog32.exe	92
PID 3344 wrote to memory of 1032	3344	Ilkhog32.exe	92
PID 3344 wrote to memory of 1032	3344	Ilkhog32.exe	92
PID 1032 wrote to memory of 3032	1032	Iecmhlhb.exe	93
PID 1032 wrote to memory of 3032	1032	Iecmhlhb.exe	93
PID 1032 wrote to memory of 3032	1032	Iecmhlhb.exe	93
PID 3032 wrote to memory of 4872	3032	Inkaqb32.exe	94
PID 3032 wrote to memory of 4872	3032	Inkaqb32.exe	94
PID 3032 wrote to memory of 4872	3032	Inkaqb32.exe	94
PID 4872 wrote to memory of 3336	4872	Jnnnfalp.exe	95
PID 4872 wrote to memory of 3336	4872	Jnnnfalp.exe	95
PID 4872 wrote to memory of 3336	4872	Jnnnfalp.exe	95
PID 3336 wrote to memory of 2796	3336	Jaljbmkd.exe	96
PID 3336 wrote to memory of 2796	3336	Jaljbmkd.exe	96
PID 3336 wrote to memory of 2796	3336	Jaljbmkd.exe	96
PID 2796 wrote to memory of 1644	2796	Jdmcdhhe.exe	97
PID 2796 wrote to memory of 1644	2796	Jdmcdhhe.exe	97
PID 2796 wrote to memory of 1644	2796	Jdmcdhhe.exe	97
PID 1644 wrote to memory of 4024	1644	Jbncbpqd.exe	98
PID 1644 wrote to memory of 4024	1644	Jbncbpqd.exe	98
PID 1644 wrote to memory of 4024	1644	Jbncbpqd.exe	98
PID 4024 wrote to memory of 1492	4024	Jhkljfok.exe	99
PID 4024 wrote to memory of 1492	4024	Jhkljfok.exe	99
PID 4024 wrote to memory of 1492	4024	Jhkljfok.exe	99
PID 1492 wrote to memory of 1888	1492	Jnedgq32.exe	102
PID 1492 wrote to memory of 1888	1492	Jnedgq32.exe	102
PID 1492 wrote to memory of 1888	1492	Jnedgq32.exe	102
PID 1888 wrote to memory of 2996	1888	Jbppgona.exe	103
PID 1888 wrote to memory of 2996	1888	Jbppgona.exe	103
PID 1888 wrote to memory of 2996	1888	Jbppgona.exe	103
PID 2996 wrote to memory of 1128	2996	Kbeibo32.exe	105
PID 2996 wrote to memory of 1128	2996	Kbeibo32.exe	105
PID 2996 wrote to memory of 1128	2996	Kbeibo32.exe	105
PID 1128 wrote to memory of 1008	1128	Klmnkdal.exe	106
PID 1128 wrote to memory of 1008	1128	Klmnkdal.exe	106
PID 1128 wrote to memory of 1008	1128	Klmnkdal.exe	106
PID 1008 wrote to memory of 1516	1008	Koljgppp.exe	107
PID 1008 wrote to memory of 1516	1008	Koljgppp.exe	107
PID 1008 wrote to memory of 1516	1008	Koljgppp.exe	107
PID 1516 wrote to memory of 2460	1516	Kbjbnnfg.exe	108
PID 1516 wrote to memory of 2460	1516	Kbjbnnfg.exe	108
PID 1516 wrote to memory of 2460	1516	Kbjbnnfg.exe	108
PID 2460 wrote to memory of 1052	2460	Kopcbo32.exe	109
PID 2460 wrote to memory of 1052	2460	Kopcbo32.exe	109
PID 2460 wrote to memory of 1052	2460	Kopcbo32.exe	109
PID 1052 wrote to memory of 4880	1052	Kejloi32.exe	110
PID 1052 wrote to memory of 4880	1052	Kejloi32.exe	110
PID 1052 wrote to memory of 4880	1052	Kejloi32.exe	110
PID 4880 wrote to memory of 1384	4880	Khihld32.exe	111
PID 4880 wrote to memory of 1384	4880	Khihld32.exe	111
PID 4880 wrote to memory of 1384	4880	Khihld32.exe	111
PID 1384 wrote to memory of 4420	1384	Kbnlim32.exe	112
PID 1384 wrote to memory of 4420	1384	Kbnlim32.exe	112
PID 1384 wrote to memory of 4420	1384	Kbnlim32.exe	112
PID 4420 wrote to memory of 3324	4420	Klgqabib.exe	113
PID 4420 wrote to memory of 3324	4420	Klgqabib.exe	113
PID 4420 wrote to memory of 3324	4420	Klgqabib.exe	113
PID 3324 wrote to memory of 2912	3324	Lacijjgi.exe	114
PID 3324 wrote to memory of 2912	3324	Lacijjgi.exe	114
PID 3324 wrote to memory of 2912	3324	Lacijjgi.exe	114
PID 2912 wrote to memory of 1856	2912	Ldbefe32.exe	115

C:\Users\Admin\AppData\Local\Temp\ddca3db8deab743d856ad9fe47934e50N.exe
"C:\Users\Admin\AppData\Local\Temp\ddca3db8deab743d856ad9fe47934e50N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Windows\SysWOW64\Ilkhog32.exe
  C:\Windows\system32\Ilkhog32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Windows\SysWOW64\Iecmhlhb.exe
    C:\Windows\system32\Iecmhlhb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1032
  - - C:\Windows\SysWOW64\Inkaqb32.exe
      C:\Windows\system32\Inkaqb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
      - C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Jdmcdhhe.exe
        
        C:\Windows\system32\Jdmcdhhe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Jbncbpqd.exe
        
        C:\Windows\system32\Jbncbpqd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\Jhkljfok.exe
        
        C:\Windows\system32\Jhkljfok.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Jnedgq32.exe
        
        C:\Windows\system32\Jnedgq32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Kbeibo32.exe
        
        C:\Windows\system32\Kbeibo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Kopcbo32.exe
        
        C:\Windows\system32\Kopcbo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kejloi32.exe
        
        C:\Windows\system32\Kejloi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3324
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Lefkkg32.exe
        
        C:\Windows\system32\Lefkkg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 400
        39⤵
        Program crash
        
        PID:2060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1736 -ip 1736
1⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=4400 /prefetch:8
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
363KB

MD5
d98370a7807d57130c4fe5e12c5c3f6b

SHA1
0282008217df12c9b772d072cee1bbec758ccf54

SHA256
8ce629f8a147eefb1fad5655d380979c4dc32b914cfd32c9c026087a27afcde7

SHA512
7599f3753183fa9fc96721585143c6bba3fea223e5c5a5a006e832b7a556d4aa29609dbf8d204c2719ddff57758d5aef64eb491537b677b3978bc0bad949b845

Download Submit
C:\Windows\SysWOW64\Ilkhog32.exe

Filesize
363KB

MD5
b4b263b88749655a8c37d722d717dbef

SHA1
054eb0df28d43b170eea803742af4b4afb886e7c

SHA256
f4cbcc9560e4a7003a41845e6a55e6d034e2a6a60cee65eeaf87ee5bd83ab983

SHA512
70ac87e213280c8fb6f824d011693d401a620941e44d919deb8933dc70f1152029dcf6b99aec97a7bb88ec21140a1a66eb7671d4cf423d8f2dc63dc8ec3da6d5

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
363KB

MD5
27913c5c5444a998790015382f92465b

SHA1
6ef53da85cf745017c66d61e6a99b84eef594bec

SHA256
05b32c5777e4c0544e007ccd047230efd84504765cc912e67bcc00d67dd72e2c

SHA512
f3a51a488efae9c0941cb613e3a9544276d27dd5bb9293cd4f109b0adb9957160d22bc28c3d49d9ffef1cb2ae7cbf1d54adb0a30a8eeda9f2fa4cadcde0f7500

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
363KB

MD5
0512e30df609c9d5be915f51a52557ca

SHA1
149cd0c96a5e32e3001d38ec7ca9a36b88755c48

SHA256
d8e724801740b519f87eecc3704c30fa0f25ddb5daf17123080b5eea567502b5

SHA512
eabefaf3c5f05715497a56c5015bf468d2818f47514214930ae853294d247514dcbc898c14e8d1613b797bbebeee09908dac1760837bdb5df8d99a6d58a69179

Download Submit
C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
363KB

MD5
c57ca9a66f2079365f3ad5e98a3eb804

SHA1
62b498c836c35653fd58c87d04b65b69ab4033d6

SHA256
e14b62273d989431120c300431c84b02c9ebbb85c734d64c98aaf95c1eab7b63

SHA512
62568e2716005bc2630779907704161a253328cdc77310c2a1d8d6c2a0c4e23e9efc9d0e601bab1b085bcd77ffc08d5c2695ff8d013f5cb525c2f7f6bc3ace06

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
363KB

MD5
1fd3170136cc7f4f4a484a956f19192f

SHA1
790c7039d936654bd4a2078ab49b77bf4d617253

SHA256
8e0e0c1be0ab08b0eca975f7255f9e834a34a37fc3beab1ac147d0a4bb96a2c5

SHA512
f427d8590d6fa4db5f463d1f0898110ce581467a2b7a34de521e226580bc07b80b4011acd638265acb12d5abd22d8125103d5067f5273bdf70ad5a4f6e7e92b4

Download Submit
C:\Windows\SysWOW64\Jdmcdhhe.exe

Filesize
363KB

MD5
aa96429301b33cb89a75080cda487727

SHA1
097de13a1f9acd0577b6de1d6e5aecc97fb8d39a

SHA256
59a1c3d7f7466bea29d2295eeea685631c490b2f570907f6b8ea30c9d942a281

SHA512
69a96b54a1aea029c5d9b33ddfb385b9c8b7879a34569f221358f590f2e25001072b82357de9b38efc955630185eb8e538b9775a4871768d7e9dc671fea2ab2e

Download Submit
C:\Windows\SysWOW64\Jhkljfok.exe

Filesize
363KB

MD5
ae9c3ee66c0ce428bba499c11c2e86fb

SHA1
f7798d0645907ea9df6a0772d2b3de4e780ebab8

SHA256
a0eaaa430682b5a6c8f49ed8ec82d9685df696a219abd0617ebb25619b64d4b6

SHA512
823c8e00f66e0fd92257d66c47344ebd0310a4b156a10c503c6dbf350550a80ebf1bdb83f6c03628f8173b50014ae018a9fb7d1c718607c18b4738028103b6b9

Download Submit
C:\Windows\SysWOW64\Jnedgq32.exe

Filesize
363KB

MD5
dcf76d58c7b8db647c7c0d4ec7c0c643

SHA1
be7c6184a33d68842bf8ebe8f854445f09e4a198

SHA256
521f354a7fb3d01b80c7e5af74cc95f39dd21aa327661ad9d7c9955064808b1a

SHA512
89a1c056bea0a7ed47ca3e8e9dcc1e64cb29c89463c568a487bfeff2c194d4f3c5aa3e832a9d755c1cbd0a3f3bff359fa2aceaf6fd02bdd947c64ae225afc68b

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
363KB

MD5
0f747db78bd81c448758b523390a8c05

SHA1
192268968e6987418701b63a53e8971b0a39adf9

SHA256
6c80a23bcbe40ee4240a109e3379fbf736df45605ebeb7180f303b54091c373c

SHA512
956ee19d9116d6526754b6d2ba4ab1b4c57d6b23b9e3b6c1227400c6fc7d88bf8fe6111206508764257bb8eb39e549654d13312c73fe7c999bea870761d6a504

Download Submit
C:\Windows\SysWOW64\Kbeibo32.exe

Filesize
363KB

MD5
33b3fd956632dc8fd0dc0ff4c5071ca8

SHA1
4d7eb7dbe35845a759996d71d5f3c3f4c7116b66

SHA256
c8753852d8edef92db97af3874cbd604ae531db753a7bdaa95fa07347166aaa5

SHA512
3674c03948c7a2ee0b641b8255b99c224dbbdb2d59025ba04840c5747b4dc89cc8c0e8b903777c6b3bedb8e8077c231b836dc3812a93ce180f6b7ea710a9fa07

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
363KB

MD5
73a4897dd7cbaca8423063422549dd61

SHA1
fedec6f840f7f3e04cd3998ee62a1283eca51850

SHA256
883c5fbe9a7214c9d6f17a82cc6f3fb1a11dee992a0df66bfe63a5b67acf545d

SHA512
5ba712b175e1298bac84d5e1bf9a8e993256dbb8b11d84b3c7b3c2632d4e2b9991620c797a78dc324104e06eea550f8f1fc88545a396c9359900ded6220c4169

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
363KB

MD5
dc5fe9a4f4fdc640dd5141febe5feb2b

SHA1
2477a0449ab18b768d6e54cff7ff916808342282

SHA256
374ea837f7b25bcf9d787320e92edcc8898801aa3b58c981b4e0e931f49701ed

SHA512
bc1a95cf9a3e330925cc69116146977be7d285c91094ce6939a3e35df6626a3df51dcced07b1ad65c782b4ca359a9dc5005d4be639d109350f0499ced009eb81

Download Submit
C:\Windows\SysWOW64\Kejloi32.exe

Filesize
363KB

MD5
0018a806b2b5550486dacaa2204bcf64

SHA1
09dfe7b6b8bd395195c8d499daefe466059e802f

SHA256
bcc915c743c6fec024bf2364cc0222e13305e3f478d8a24a6114eb9686f08358

SHA512
4302858b4906d98041387dc760a12b896525d8aee6d29fb435b85f0f7629419e049bd7e3a17e1f96b69e22714f06c481192c219d879260fe67a2d4e1c3dcb220

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
363KB

MD5
096124595675d0db6506ba71b9cbc443

SHA1
883bd547c8fc7765dcde21bfd5b7d88fefe3141b

SHA256
be100fa57c48a123f33b2d72df3d88da199fa791e778a46a175175407244936f

SHA512
986784daf1b67bba9a132925ee65c7d59379df20dbfe60d1d961ce85b446165bf05f678edb97e9b66a7183e99c8ec8b5a454f0f3a73198d43f4a4e622c513886

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
363KB

MD5
a16c43e6f5393a8cc340ff34982be7a0

SHA1
25cc41fe5fe7df48c035eb0fedf60130979704f1

SHA256
d779c39d4abcc780221892fb5022efbc14d36e9d79108bf19fcbd797ea62fd3c

SHA512
3544e0664ebfeb0f030feb8ad4f204773df3d7cf6b4a5d2324972629ce0a0f53c7cc80c9f05b007709a3a828911a1efe56a144b44f4c08537ffeb39cd73307e5

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
363KB

MD5
0f6336eb2bdcee6855b1e86c5d845cd6

SHA1
0d821346497f2d1b7f4dc07738d73785c0fd252e

SHA256
3e9e71ca89271bd967263061d20185ceb6b4da13a39a0295d0943ffdf6021d2f

SHA512
e90a8d3655ea5879feaf51942b5c34722b3e5790b8464fdf18b4d96704b8e8abbbf4c5edc8794728041a4d13ac606f49fe55481286173fb07c0bb0372eef963c

Download Submit
C:\Windows\SysWOW64\Koljgppp.exe

Filesize
363KB

MD5
b7cae06de2e64bc27d9bf1652584bc09

SHA1
7bd029ba60a4a68f34767d584629f4d5e7c8ea23

SHA256
206411d23ca6ed23f754274add4b3283e013692cc8143670b8e32b05744df15b

SHA512
ddfd3306b0d9503e6491ebce94112fd362f60b39e54f9acadc22dd93af45051eeef16eb35f4bae984c27bc1b2eda0a7084293cb4dabfcf56728b47c55ce8a608

Download Submit
C:\Windows\SysWOW64\Kopcbo32.exe

Filesize
363KB

MD5
95cb10fcdc6b3e75ab5e5081408c0bf6

SHA1
d80457f36b86721c94853f95e677f1a085fa1f56

SHA256
a12edf0c61bb3e921cc91b26384ad1a3fc7e1b654029accb84f5c4e1990406c8

SHA512
f732c9a60eed653e5c552cd17c370d2b4f7d51c3c820a4655b198877bf627aafba8b7463112c825b073ed758f2102514bb927482fd2fdbf7a1e19323e535d3a8

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
363KB

MD5
2910d72620ebb6599af0d6a1cf877303

SHA1
979adba6e801719f0154e2399eb9360b47af557f

SHA256
cf20e5fb84fc5af448702339a42aa8e93c9d4ea7426818f98cb720b5bc5c376e

SHA512
652f8aeb74159e94b6fc1be8a5cf27b568e945a32f5b08390133bb1176bda2b3fc8955796aebd23f90fdb161a7db9c2c2e65dc9ce70884c6a9c4cdc3dbcfb391

Download Submit
C:\Windows\SysWOW64\Laffpi32.exe

Filesize
363KB

MD5
f5aaaaf9cc7a23282011e7e1f86c1628

SHA1
530ef71fd6141e93823b4604322a9d11f43ab2ff

SHA256
0686958125d77a17acb7b402f23d360f8e021c695f9dbf05cfa5b0cd45f46f4c

SHA512
244961a9412c7c276b6eb4e948cd9d1ad7e73973660874368c76207882558f4aec6cca55548490b0b9036c56afecdcbcee007ecd47cda4df1490de37dc4cabaa

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
363KB

MD5
47394437c2fd8788b2350bc8f25676dd

SHA1
26097e7914074d5d302118f49cf1aace3a002e5e

SHA256
32f5de0a3f643673e0119d5238a059b82b82e13b738a9f78755790df2b4c2fc6

SHA512
7f7f86d4967c22ae1480050c087a56e74c925511e1d9ab8de862dc3bb11dc086d81194ead177342d6b8cc035ee563c7d395f419f3c8e624e370eb1f79274fb05

Download Submit
C:\Windows\SysWOW64\Ldbefe32.exe

Filesize
363KB

MD5
79a8952047d2f2396628d2d0b893bf2e

SHA1
b57ecf52810c7dd8f0eff043a9b432ba2634915e

SHA256
e67a34aaf3a718861718b02e77aef9f7c20efa882d8538fbc9f817ba11c0861d

SHA512
78a47bcb8cb3c7866a88cd36bddaeb7d22ceb2bd4e95f3d270feef02db9a7fdcfd2b168b6ec665f2ffdc853f7072440bb40983b67b8f7d06916449b70216efbd

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
363KB

MD5
ab3c201ead7e9a622f762b0ffc679a24

SHA1
d3d43c244b7cf84613e67bdc13f16df8b734abca

SHA256
110593e4026db72c0c3298e9807fb6a4f68b74912bb0b0bb11ae83e8fd5dcf7a

SHA512
976aa7dfcbfd9da9247dae9da984580d1e3472b528380d255fa44bbc6507b77723b125e7474077da6aa98f6bdfbc79f3f42ef824b0520313708ae9a74138d0c6

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
363KB

MD5
d3c7a4b6bca17e3ff042183b936fc96f

SHA1
eca6ca83e11ecfa2114b69e10de881ecef47f4b4

SHA256
70cde6bcb4281d6fc13ab3f75c3e3e88e1ff8a437131d778344a59c60e938009

SHA512
11ddad1efae87924a3f1aa606c91a523cb2018725053f6992076c845583409623ac08158c8eba0f234d78081031696a033a23451445a2817298af3cabab75871

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
363KB

MD5
aecb6c19ed7ba48959a04df06c6d5c47

SHA1
c9b6f44bd49ce64e6cac23a573e6eab1972a5356

SHA256
ab7a0d6c2fde9d985c14c07f04cd847bbfe95cb4411a14f27a123a286fbc4e4e

SHA512
5fb4ff33c528eaa5bd5c457f121df98871cb0290a478fc295d162c24a8c0085f3a682ad354466d71979af56d15da7e379af4cf5007d5f425d87d679ce9eafd61

Download Submit
C:\Windows\SysWOW64\Lhmafcnf.exe

Filesize
363KB

MD5
83b5eb02e75d688d60b106911c5e3a86

SHA1
929f32f56d770df4d2e2bff00a76ed2f98ae47c0

SHA256
1eb9f9921d5be51100876df813a9684389029b3e34092e7d263f25293aaee564

SHA512
214d989f2c04335eb96be6ae1481f2dc38c6b76cd99083e2e21982476c602cbf5848dc0af70d695faa6ae826609a2100b66ced6665e5d4ed65cc672f858f766c

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
363KB

MD5
b2116717df1a0515f5425b75b19e8523

SHA1
35ee348b6a7ba404bb0f4629bdb0b05ac6761dbc

SHA256
2e00b804b1f1063027b5afdbfa0ec720398bb47788ff5be2c32ea5059e73841b

SHA512
00c3feb7783369032517fc6f1753069b2d2cc9ed1fb6457942fe526777aee503a0a51bad642d6c30f2b6e14d216a78af5a6d54228690131436dd693ac4921f28

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
363KB

MD5
9694396b4dd48906ee30dfda45669942

SHA1
f26bcb7c3a4ce13b38edf18ab385ab1cc31435be

SHA256
a875cd26d8dc7e4bd52cc58f3829fc7a73163fe29f388d06f2d0683b58a6d6f1

SHA512
766bd05c7255674c97423bd90952a41c6a3dd64d8a696da2e3367fb9a346511087045514c78d8d16d0ab71a92069d845216ef9cd4331faa6aabd1b3fb648b197

Download Submit
C:\Windows\SysWOW64\Llkjmb32.exe

Filesize
363KB

MD5
5f6b93c17cdb27d1a91b856266d67f15

SHA1
3fcec670b4e0a696fa5f51fb6d06f47fb4ee239e

SHA256
3f8d3f8d71a525a856a425a8ee6f05b768b3eb5085215ad6d9b069bd82512afa

SHA512
c3df99440252f8ea8d9676eb3a700f3fd65f73e629420da4faafcda0f9fb01bec00e88f0f445fc6c26f788dbc257f8006bc724f6a461738ce82bee49ce773f18

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
363KB

MD5
a2dec21fd357793066290326adb39f9c

SHA1
f69e9e0ba192c5cf76034d7c8a5dd0d73dbc2256

SHA256
a83885baba10c561dceee86b940e5ab03979ede7385340ba2b10d251a10b2278

SHA512
1b4d33c0922cb6f109161e71e3c4eb60ae628cef6a3dc378bee2773938c2cde07d560f2984ba006232575e8c761c2833dc8e23bc4f8825c47ae3e4942692afe8

Download Submit
C:\Windows\SysWOW64\Lojfin32.exe

Filesize
363KB

MD5
c4a9e7522262ce54d0c58f483276a2df

SHA1
2760d8f36af6d95ca01381bbaeb669c5fd189137

SHA256
604f0bc9c30eb5550d3c512d422d381b38b8d95519aed9d4b003083b421dc17c

SHA512
ade86e8be463a4393eb230d3dc33c973b76f3263759dafd40ff0d8ad07c307a564c05258e2f539d8d31551dd4341eb0de03982973c94f00b393d6cfe1369f3a8

Download Submit
memory/1008-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1008-316-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1032-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1128-319-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1384-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-317-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1612-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1736-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1888-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-244-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-119-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2576-212-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2796-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3032-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3060-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3336-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3344-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3476-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4024-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4156-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4360-267-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4420-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4552-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4588-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4880-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4940-228-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads