b5b30715a161dabeb20ff55cf3e3134ded59e009a1596491469fba2eb61f19e4

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 02:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57ef1c40391295e31291ef8f543266a0N.exe
Size

71KB
MD5

57ef1c40391295e31291ef8f543266a0
SHA1

1f7ed8f0368592685268649dd4afd2f0a0011957
SHA256

b5b30715a161dabeb20ff55cf3e3134ded59e009a1596491469fba2eb61f19e4
SHA512

f7d542f0325a5ba5b6e907ebb33ddd14ab1c13128eb179efc3653e113144c62080769f6ca99cc179feee6a631581c2a3ebe89e2df630ccb1513952a6e506242e
SSDEEP

1536:AYdo8Ek9G7nL0eo5QblzvTlgNRRQ2DbEyRCRRRoR4Rk:bd9FYkeo0zLlqReIEy032ya

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	57ef1c40391295e31291ef8f543266a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jeaiij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhhodg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	57ef1c40391295e31291ef8f543266a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbncbpqd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klmnkdal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcedmnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jogqlpde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbppgona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klgqabib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe

Executes dropped EXE 33 IoCs

pid	Process
4388	Jhhodg32.exe
4560	Jjgkab32.exe
668	Jbncbpqd.exe
1544	Jjihfbno.exe
4452	Jbppgona.exe
3220	Jhmhpfmi.exe
3152	Jogqlpde.exe
4704	Jeaiij32.exe
3088	Jlkafdco.exe
4920	Koimbpbc.exe
1792	Kdffjgpj.exe
1596	Klmnkdal.exe
4456	Kajfdk32.exe
4624	Khdoqefq.exe
4524	Kongmo32.exe
456	Kdkoef32.exe
1056	Kkegbpca.exe
4944	Kaopoj32.exe
2216	Klddlckd.exe
4860	Kocphojh.exe
2940	Kaaldjil.exe
4724	Kemhei32.exe
1200	Klgqabib.exe
2388	Lacijjgi.exe
3588	Lhmafcnf.exe
4340	Lbcedmnl.exe
4200	Leabphmp.exe
3952	Lhpnlclc.exe
3656	Lahbei32.exe
3712	Ldfoad32.exe
5060	Lhbkac32.exe
2156	Lbhool32.exe
2504	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oojnjjli.dll	Koimbpbc.exe
File opened for modification	C:\Windows\SysWOW64\Kongmo32.exe	Khdoqefq.exe
File opened for modification	C:\Windows\SysWOW64\Kdkoef32.exe	Kongmo32.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Lhmafcnf.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File opened for modification	C:\Windows\SysWOW64\Klgqabib.exe	Kemhei32.exe
File created	C:\Windows\SysWOW64\Lhmafcnf.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Kocphojh.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Okahhpqj.dll	Lahbei32.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Ldfoad32.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jbncbpqd.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Klgqabib.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Jmjdlb32.dll	Klgqabib.exe
File opened for modification	C:\Windows\SysWOW64\Jlkafdco.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Qagfppeh.dll	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Kdffjgpj.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Hnggccfl.dll	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Balfdi32.dll	57ef1c40391295e31291ef8f543266a0N.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Kongmo32.exe	Khdoqefq.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Ohnncn32.dll	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Pomfkgml.dll	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Kdkoef32.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Jeaiij32.exe	Jogqlpde.exe
File opened for modification	C:\Windows\SysWOW64\Jeaiij32.exe	Jogqlpde.exe
File created	C:\Windows\SysWOW64\Koimbpbc.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Klddlckd.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Bfdkqcmb.dll	Kaaldjil.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfdk32.exe	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jbppgona.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Gdqeooaa.dll	Jbppgona.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lbhool32.exe
File created	C:\Windows\SysWOW64\Gqhomdeb.dll	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Jhhodg32.exe	57ef1c40391295e31291ef8f543266a0N.exe
File created	C:\Windows\SysWOW64\Dcmnee32.dll	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Gedkhf32.dll	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Klgqabib.exe	Kemhei32.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Ifkqol32.dll	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Khdoqefq.exe	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Qfqbll32.dll	Jhmhpfmi.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Jjihfbno.exe	Jbncbpqd.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kkegbpca.exe
File opened for modification	C:\Windows\SysWOW64\Lbcedmnl.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Jhmhpfmi.exe	Jbppgona.exe
File created	C:\Windows\SysWOW64\Jogqlpde.exe	Jhmhpfmi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4892	2504	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhmhpfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koimbpbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jogqlpde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	57ef1c40391295e31291ef8f543266a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khdoqefq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klgqabib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbncbpqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	57ef1c40391295e31291ef8f543266a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqcco32.dll"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbncbpqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjlhjjnc.dll"	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll"	Kongmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	57ef1c40391295e31291ef8f543266a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kemhei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhbch32.dll"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Khdoqefq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomfkgml.dll"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kocphojh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedkhf32.dll"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Klgqabib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jhmhpfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfqbll32.dll"	Jhmhpfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll"	Jbppgona.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohnncn32.dll"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jogqlpde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Khdoqefq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klgqabib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlmhj32.dll"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldfoad32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4388	4528	57ef1c40391295e31291ef8f543266a0N.exe	91
PID 4528 wrote to memory of 4388	4528	57ef1c40391295e31291ef8f543266a0N.exe	91
PID 4528 wrote to memory of 4388	4528	57ef1c40391295e31291ef8f543266a0N.exe	91
PID 4388 wrote to memory of 4560	4388	Jhhodg32.exe	92
PID 4388 wrote to memory of 4560	4388	Jhhodg32.exe	92
PID 4388 wrote to memory of 4560	4388	Jhhodg32.exe	92
PID 4560 wrote to memory of 668	4560	Jjgkab32.exe	93
PID 4560 wrote to memory of 668	4560	Jjgkab32.exe	93
PID 4560 wrote to memory of 668	4560	Jjgkab32.exe	93
PID 668 wrote to memory of 1544	668	Jbncbpqd.exe	94
PID 668 wrote to memory of 1544	668	Jbncbpqd.exe	94
PID 668 wrote to memory of 1544	668	Jbncbpqd.exe	94
PID 1544 wrote to memory of 4452	1544	Jjihfbno.exe	95
PID 1544 wrote to memory of 4452	1544	Jjihfbno.exe	95
PID 1544 wrote to memory of 4452	1544	Jjihfbno.exe	95
PID 4452 wrote to memory of 3220	4452	Jbppgona.exe	96
PID 4452 wrote to memory of 3220	4452	Jbppgona.exe	96
PID 4452 wrote to memory of 3220	4452	Jbppgona.exe	96
PID 3220 wrote to memory of 3152	3220	Jhmhpfmi.exe	97
PID 3220 wrote to memory of 3152	3220	Jhmhpfmi.exe	97
PID 3220 wrote to memory of 3152	3220	Jhmhpfmi.exe	97
PID 3152 wrote to memory of 4704	3152	Jogqlpde.exe	98
PID 3152 wrote to memory of 4704	3152	Jogqlpde.exe	98
PID 3152 wrote to memory of 4704	3152	Jogqlpde.exe	98
PID 4704 wrote to memory of 3088	4704	Jeaiij32.exe	99
PID 4704 wrote to memory of 3088	4704	Jeaiij32.exe	99
PID 4704 wrote to memory of 3088	4704	Jeaiij32.exe	99
PID 3088 wrote to memory of 4920	3088	Jlkafdco.exe	100
PID 3088 wrote to memory of 4920	3088	Jlkafdco.exe	100
PID 3088 wrote to memory of 4920	3088	Jlkafdco.exe	100
PID 4920 wrote to memory of 1792	4920	Koimbpbc.exe	101
PID 4920 wrote to memory of 1792	4920	Koimbpbc.exe	101
PID 4920 wrote to memory of 1792	4920	Koimbpbc.exe	101
PID 1792 wrote to memory of 1596	1792	Kdffjgpj.exe	102
PID 1792 wrote to memory of 1596	1792	Kdffjgpj.exe	102
PID 1792 wrote to memory of 1596	1792	Kdffjgpj.exe	102
PID 1596 wrote to memory of 4456	1596	Klmnkdal.exe	103
PID 1596 wrote to memory of 4456	1596	Klmnkdal.exe	103
PID 1596 wrote to memory of 4456	1596	Klmnkdal.exe	103
PID 4456 wrote to memory of 4624	4456	Kajfdk32.exe	104
PID 4456 wrote to memory of 4624	4456	Kajfdk32.exe	104
PID 4456 wrote to memory of 4624	4456	Kajfdk32.exe	104
PID 4624 wrote to memory of 4524	4624	Khdoqefq.exe	105
PID 4624 wrote to memory of 4524	4624	Khdoqefq.exe	105
PID 4624 wrote to memory of 4524	4624	Khdoqefq.exe	105
PID 4524 wrote to memory of 456	4524	Kongmo32.exe	107
PID 4524 wrote to memory of 456	4524	Kongmo32.exe	107
PID 4524 wrote to memory of 456	4524	Kongmo32.exe	107
PID 456 wrote to memory of 1056	456	Kdkoef32.exe	108
PID 456 wrote to memory of 1056	456	Kdkoef32.exe	108
PID 456 wrote to memory of 1056	456	Kdkoef32.exe	108
PID 1056 wrote to memory of 4944	1056	Kkegbpca.exe	109
PID 1056 wrote to memory of 4944	1056	Kkegbpca.exe	109
PID 1056 wrote to memory of 4944	1056	Kkegbpca.exe	109
PID 4944 wrote to memory of 2216	4944	Kaopoj32.exe	110
PID 4944 wrote to memory of 2216	4944	Kaopoj32.exe	110
PID 4944 wrote to memory of 2216	4944	Kaopoj32.exe	110
PID 2216 wrote to memory of 4860	2216	Klddlckd.exe	111
PID 2216 wrote to memory of 4860	2216	Klddlckd.exe	111
PID 2216 wrote to memory of 4860	2216	Klddlckd.exe	111
PID 4860 wrote to memory of 2940	4860	Kocphojh.exe	113
PID 4860 wrote to memory of 2940	4860	Kocphojh.exe	113
PID 4860 wrote to memory of 2940	4860	Kocphojh.exe	113
PID 2940 wrote to memory of 4724	2940	Kaaldjil.exe	114

C:\Users\Admin\AppData\Local\Temp\57ef1c40391295e31291ef8f543266a0N.exe
"C:\Users\Admin\AppData\Local\Temp\57ef1c40391295e31291ef8f543266a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\Jhhodg32.exe
  C:\Windows\system32\Jhhodg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\Jjgkab32.exe
    C:\Windows\system32\Jjgkab32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\Jbncbpqd.exe
      C:\Windows\system32\Jbncbpqd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Jhmhpfmi.exe
        
        C:\Windows\system32\Jhmhpfmi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3220
        
        C:\Windows\SysWOW64\Jogqlpde.exe
        
        C:\Windows\system32\Jogqlpde.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\Klmnkdal.exe
        
        C:\Windows\system32\Klmnkdal.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Khdoqefq.exe
        
        C:\Windows\system32\Khdoqefq.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Klgqabib.exe
        
        C:\Windows\system32\Klgqabib.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3656
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5060
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2504
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 416
        35⤵
        Program crash
        
        PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2504 -ip 2504
1⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4032,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3992 /prefetch:8
1⤵
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jbncbpqd.exe

Filesize
71KB

MD5
5008da9a8c744c7b3858d317b1082ab5

SHA1
ea80976269e98d28e73c37ace3ad590d37d7f6a4

SHA256
8b1933acc64db9814f63b296164de2a2ee59e6dea638dadd5c0756444a125d81

SHA512
3238c6b072856c850ca90e9f1fc1f941cb30a7da9d0314452a710be18c9484a971831b4fc1d1021b09ce68674bab81c802facadc26a03b33a404fd2af8b9c1a8

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
71KB

MD5
16dd0697ee0ad04c5136c6ddfb87fc5e

SHA1
84d38fe7df6a41cacd581e4c7b782e8daf3aa64a

SHA256
4c39be24bd7114caaf2bf542a73adc3f6ea005cc962b2e5f8ec0dacad1eb9cc9

SHA512
5b75587de7655be6f0ed0bae03b98975de7bf5ba92e8441521bdf08397a883ce27b7d6479cd31063d0b9052870b0a1287a377ca42e9406a1a8dbf964079e0dc2

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
71KB

MD5
756c5215445f2000b449c807f9edf9e9

SHA1
b838882ed9a3a63a7c1ffcb279487014650e446e

SHA256
6cb4eef0e5efa8bcb74c44a4f2228a3f391339e26122d1fe296fabae026a5e75

SHA512
6f8e5d543b8dc2eb00da7a57a79280dc864fc8f63d7d0974b03db535e1beab720977746d59a89b5b75394e6840349d38e78f6577c7ce9942ac83ef429de18fe9

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
71KB

MD5
567913618d5d59d177b8a6e1c9575daa

SHA1
7467899754e0f02da4259e783352da2bc5f47e59

SHA256
5224915abedf026d70a0dc193fb6dcb4d8c523f3fb3973f07c321de0ccffc335

SHA512
52b3933ecb5ba5419c84f318252e27f9622b70902ba764f6b642ffcaeb5e1ea73c9f883963715a038a50bc0f376bdf61bfd4b0661a89ade719627727f9efe1cd

Download Submit
C:\Windows\SysWOW64\Jhmhpfmi.exe

Filesize
71KB

MD5
2a741958d0d5d03accb884ba70810d9a

SHA1
dca3378cd7c3e24eaa53967c206884d99cc172ed

SHA256
9f12219d0cd624db97707569b2ba32a85a12c354c1512037a5a5f4bf3643c041

SHA512
ebfebf130ad944a2d4b03b59782d7d739a733149cf111fc2dd12e7e4c2cfd0292a0eb3796d59b00a0cd6326f7c25195757d3b60c79c401e3e2727717058df8d1

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
71KB

MD5
aa25b5716ac1234af5e5561e9e9882cb

SHA1
612ce0e3bea365fc13c510ec8700af39476759d0

SHA256
448a11aab49b93fce2f1cf233fb3947c5d419b2aceef94d69fd730c8bb73ec7f

SHA512
81f04a85db50d004e449a46a07cb6d323438f8fa0838d1bd8cc03cd87a422e042734ee52ecd152c6316bc8036033d4e7fb9197eca097293f1f8537c372a9b10f

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
71KB

MD5
f86aa98c9df030ae5ca6ac8d74a84e39

SHA1
ce2fcbf9c39baccad4e1bc6ae38261fdeede8da9

SHA256
883c50bc786da82095035a46f27c08182a95273e9eeab6e5420682c46ea2f91b

SHA512
e05a8fec240aeddf5e0e19f31da96e7a70029525aa842767f5855466fef50fdecb55a00455888246dc5c10cefac1469b0527d65f0b5e2cd49bcb96339694420f

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
71KB

MD5
2e4f9f42d34dc0360c24c95809b4d27b

SHA1
3b1c1366fcd8f70820ae8b212ae062810263d0da

SHA256
569d39243c338521693695bedf402071b8530c541f4cd6597924657fd2b2c2d1

SHA512
2707044a199aafa45bd56a9622e594f307e563f3b999990f55ff7d98a64c90a5c2ec63b829cd6c59668e4d00a05a3bed3078078a1c7b5441e9489f5e52bb0344

Download Submit
C:\Windows\SysWOW64\Jogqlpde.exe

Filesize
71KB

MD5
0f03fde10a5476b98785c0b70a713426

SHA1
09f1bc734a0df3701d1b12c04412e98389829114

SHA256
78cec54a073473fc36a78aeeecff83870d94572e19d81df7bc357022d250a044

SHA512
0e04e1f6d07734dedd71f6d034343e898a63d7ec5832608dd541e6dc3f641a26922aae524ee88f92af38d14b8b1a0fc07f6c4786e3e63e2425c8adb9e365cd02

Download Submit
C:\Windows\SysWOW64\Kaaldjil.exe

Filesize
71KB

MD5
b77f990322863c70795d836b9d6192fc

SHA1
52f1be594da905d8ad4bb5eb2b0f101749ed0c0b

SHA256
c31261c6819f1cce0472a0c8e76e2c533f3fa664411950c5f8518b14949cf0d9

SHA512
fb190e8ea6aa0997de850eb550d01ce66d4894d0c08bdbb0519e9375d73dff316ae7c0000a3df5b33c3d448f0a19896b89d7fdff8bfb91191b996aa41ae5c1a5

Download Submit
C:\Windows\SysWOW64\Kajfdk32.exe

Filesize
71KB

MD5
9bb710237e6375a2378e20e6bcb54201

SHA1
d6b00de65844c47abaa8618a8ccd22c6ed3018df

SHA256
693c262b607e46c203eff65fa5fa5bfae64e7f222349f02b4af0150ba586a597

SHA512
a8cf3f984a6f0ff2fa353b4ae66653a6103af89acf07e64d917a0617bd5121a517899cc27a67de8aa4fd546cfa6848cc6b55bf9d04cbb4f3469fe4577c9ad33b

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
71KB

MD5
4e65064db9ab37db758c9dcd80710e0b

SHA1
72ae85aba0fd77eab294089a98270300a1346c6b

SHA256
50cf4ef912497b63dfe0a8bf8180d9991b5eb5f9e06ab158d547ec541cf6d3fc

SHA512
056ea6abc3d505b6a594b01e34158700b91b2591edfef7510251a3f8c5f70545d7c9a3fbfa48cafe4c781d0c7ebd88467d4949846bf3b6257bc06f7d5f2b7cb0

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
71KB

MD5
af86e3cfc3ea604cdb739e7bef5371af

SHA1
865e7a2ec1645a92aad2bf803aa56979947f50c8

SHA256
533f3086c29fcea114783e15186ffe289722107575e5ae6aa9372b755de4249b

SHA512
dc0dcffd7b1bba409979967dc6f6b8f088b2fec6ef679a1ad523f8a4d4e59e8969e194f2c0ab96ed5efa326c773cced238ec9b18cba1c58963bd0c55c5c3b69d

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
71KB

MD5
4c641247f744809509f05d56439bd5f3

SHA1
ef959dafecb421c99298e3da596bbbe566a1e550

SHA256
fa691c368832e7d48a293c23a3c8a5ad6a0c23561055048bae6ee20326726f69

SHA512
c9655eb440f02d1cb6de947641df642eed5724df7e27abad4507a6cc92168e65750b8a50c7fb7f3d933c7fb28b72c8a7f3edbe0103f11440a9e6a7b545bb5385

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
71KB

MD5
ec3ea3139533a84712106b5ae3be95db

SHA1
bd7a355510e0d348220983f0e4646b6e6634c6e8

SHA256
93a020ed188734e63f6cca9645d4a902941d6f362f090205b2293230deafec97

SHA512
fb0f05a97f54156f068d17588879dc8cb6cf7c907864141f378dcca2aebe05e308d82c04668610a571b864de64c24240615a0cf70cd24a1a4e29d4e54d7cc5d5

Download Submit
C:\Windows\SysWOW64\Khdoqefq.exe

Filesize
71KB

MD5
40a7de71b8a06182a57a64c0c4d2d9d4

SHA1
278168849d4fe6a1c8b62c4ba8b5dc302dd71b5f

SHA256
b6b5163341cd4c7c9bd4094ad5fa217127eeecaa68caf822c4d95c02aca26fa8

SHA512
ef601ac718692b30f69f24a84ab7f270e95b4f7a70af3b1a7b58ab3c8996d68a0538d7b59bc3a77cecc20ac4160410eaa5020126355b1c830719e9fffa873f66

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
71KB

MD5
4b1dfe3f1dd44a2577542711336548a5

SHA1
7b7f297ad61c7cde9e89cbeb813083d38dce2039

SHA256
2768dcaf36ea4c142154aaa876cccb4cdf11789e5be2bfd4582b23ad0569d43c

SHA512
066b0355a3cbc24f4666e7ab85cbb3c7fea6a7731a43351c16aaaf2fa95e93d5e5ee3c48a777e43a599a6188e5b74316c50ff9fcaef9b1665f85a791275cf06f

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
71KB

MD5
2393a380d6619b38d999e68cfaebc9e6

SHA1
356a2cfe00b87b8b5d7b9190ae785a99cc2ab08a

SHA256
0bfc1185136f50077cd1a15671de5ec38b04253fb49044ccf44be6b912c2c986

SHA512
6db0203eddfef696388b47806d59fbce3ca488a42b0e56ca393191132b54e6aea6b008b56e359600038ba8fadb493b3b78b7dd4eb19c57bcc44f05df0ce3657f

Download Submit
C:\Windows\SysWOW64\Klgqabib.exe

Filesize
71KB

MD5
886c55150c39ff636d60ae6dce6bb946

SHA1
b2bd652fb749cab840a0fbd710014767a15e432d

SHA256
e90e96e5d88bb82188c0deddac3f910ff41340ecc3d8146dc157812ec5cd67b3

SHA512
1737f956d5d4eae116176fb58f08aee10f6c58abb1052ebf5bede2bc6595cfab64e8d36654236ca3514296b81e4d26539e191e7c078cf1cfdc193af8d6c46484

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
71KB

MD5
2ed88bd110375ddb1835560c54b6a86f

SHA1
b33e8f25365bf6806464a535eb1ab0ea4404f51c

SHA256
21835fb7bde834a330afdc2acde687ba8699d117fe96feca096eb9e8808b9d91

SHA512
37befd938823e9422978ebe636d8b3a78189550827ceb1cb266c1584500c0ff700fc5beda5ecfd2413f8f2bd86bc01c104690438827c90ce18d9e036dcc860bc

Download Submit
C:\Windows\SysWOW64\Kocphojh.exe

Filesize
71KB

MD5
17dd2e5b58fdea9eeb50a656e88a9164

SHA1
37ebd2f5634058e46a308c8b2474f21ed9f60a5e

SHA256
fba5fe6666187f330415dc31183de9e9fdd3edaa9370ca5bee307e518464e4d1

SHA512
9324449ab52705a359aa50e8b3c475fa0190870fe6985233a2005eab764fc79942c06682f6a311ea623926972925dd68edd2696e32b89c2523e7040b63e2dd5a

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
71KB

MD5
2475cec9167391340b8171defdc168de

SHA1
b3b9507f18bf471c4aaf2f46a6bdef92516285ac

SHA256
b3dd2184d95885ec8c719d332839198f2dc4ad5fdaa3a6da98ab82638befd85b

SHA512
3dfaaad7e126eb902c8f1011911ee7ce8be2dc98712bdfa187dd1bf57963187b4344c626b2387ac08ddc993d4747a7b0aa264d60decc064a107c963dc8b88791

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
71KB

MD5
5f09be46b1e2c2ce17e9213e1c97154e

SHA1
15c81c04c0f891951c160b70aaee21452c95b80d

SHA256
bbb7424a6c12a0433d0b66a4ab6606e81887f69b2800b142648f4bf78203aac6

SHA512
d5cfb403498f62c253341d49398d1265045ab1574a61704e0ea689a4473410643488a68956b538e66732b79d86b034c16604514b7e8f383a08ae69eff891574a

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
71KB

MD5
adcfa11f16a7fd16d068390a5037a6e8

SHA1
547e063ed2776c3514926c3fd157bd787865a05a

SHA256
dfec7be53b6d9599c8e0c871181503426a979143b707b6097a9d33a2339c444d

SHA512
114d91789954a28934d4f78e809b8d48af5795a03f2841530c0ca99f758319e1ec92f4d269bde3691f2b0be6c01d2312fe44fae3da42ab70ef2a84f4c3e3aed6

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
71KB

MD5
d31a4b62a1c59319785492e9eaa30472

SHA1
51ab58f34a4539402217f8a5cb452e56f11caf9c

SHA256
850882d99e6af41929fd5ba87b1fc7649c333864ff0bf3018ad21b9b1eae4edc

SHA512
9fd430d2df6173d5fc9c6d3498edb7cf15f197d29a5f455e8fce04e9b404732903144aebb97ce6042bfccdfdcfdb28c32e142aa60fdab70ec2bea85d6a4f40c8

Download Submit
C:\Windows\SysWOW64\Lbcedmnl.exe

Filesize
71KB

MD5
55dee206fd52fa63718bc2f136aa0f1e

SHA1
1bfee6dad442d57a6020281762babb7200730350

SHA256
0763dd5f7f24b6658df3cc5d4ac49e2a38c1b1859c84ace13ab97592537ed967

SHA512
0863f4921b6b24fd81b938e6780e8fc2611d16ce2a2de709203c43c2f7a61d43bfa8ee47f367a5847d712efbe4cfebc196597aac2252b4e82d835d91028f06e4

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
71KB

MD5
4c729276e4ac8bd2eb39afa6f7385309

SHA1
9362040f35ec02207b975729ccbd6cb0bb18d9f3

SHA256
0700845b16c1b467f1990706be537a6c4dde13e56be0e167b9a97a1990145cbc

SHA512
801622bcc55627ee949e18603783dbb7a28ef4c3958e60a555aab57b89d576c63d83c6e52d9d543b11d8793b2c190df44b63fafe9542eda76ce04f3b046bd154

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
71KB

MD5
5e5a8e3f35982c43093198e3bbd94b97

SHA1
f3f071ffa5b759790b1158dfb983c46efd2e2138

SHA256
a92f379c8ecd0cb640bb425b5118b7a60da8ac1eba804ade787cd7fa646fea93

SHA512
2064099849cada56e2c58842cd0d8327450c90e75933a98c97cf8e4daef02082ac5194b514c3dfc4cfae80cf8daa5c72f920e84f0aae5ecc3c846e3ef6f73caf

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
71KB

MD5
48c538ce4f014c9fe87f0a4ab338a79d

SHA1
57d2036909eac6ffe343fee99e2f4b7d9af63a92

SHA256
c972eb2b6e7ee5c06f9a8c4be0cb153721ae75466d555e8cbe0b56e73835e3df

SHA512
d77354198dbc62dce5c3d4e74a5f4788ea330bbd1b56cc34b003288753239d4004ed3aaec79079f03b5418da4048b6a0951faab2bb7705168bbe98d831bd0f9d

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
71KB

MD5
f5a6bd7e43dbd9f2dd45962e4eea9d0e

SHA1
d390773f9211efb8777231661f1cf3a1dcb415ce

SHA256
c2c2734cc75fb13cc7ba2c7b85659065c8559d085a0c47b0c116a4a2b3188ddd

SHA512
a644de7a04fb61d58837197c0d878d39e29b13b8c086401711cebf5cf220a207873b6b43a7ac72c34fdd3d01fb693f886f7a52bd005e4d74d52ea00f347bb7f9

Download Submit
C:\Windows\SysWOW64\Lhmafcnf.exe

Filesize
71KB

MD5
2343f3f6e88db6d09a7323201b3da36e

SHA1
a67aa7fd2a0c13979e0ab112a876ea898f514be8

SHA256
b0fe10db0ab10ab148c31f5688153c8c378cda4699689b99b6f84b7d5d1616d1

SHA512
6157b233d37b9f0c0b8528cad23b0b05b5e579d9d3479a6a0b1b0b3e9fe47186e0ad7c8b5042aa8d051bf0e7addc4b5f1fdc83f99dbc348da125112717468c06

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
71KB

MD5
f45fc8fd9a3b209052e7f47c1e0b0e37

SHA1
a6efeb0b9fabddaed87994c05a2069b8196184ec

SHA256
22222c71568c6f8406bafb3219c8d9c1e052eb15f250f1e2f3edd328fd4ce672

SHA512
7925daca9ab35846905cc0e51c2d6a3b11af14df4aa86f07aa7de3d96c2ad7d1ad1047451e3a1fb024def54d467ff65140eb5f5b37fe9c493f38dfd0d4560045

Download Submit
C:\Windows\SysWOW64\Pomfkgml.dll

Filesize
7KB

MD5
a3fac55b4b4e69d87dc65a3326298422

SHA1
77c0742716fffe5ab196a3c78b2094db57242ad7

SHA256
a1f77da92fb7df5217242e85a63c58e5458f2dd5183ea0a89b0f95dbd4a1ccfb

SHA512
6f5a2ee490063a2849b356cd6fe5a28eb792c0241859dbeb34415f9c85224f13188b28297dc9e3727804617cb5df14dfae450166a312bb7ac4752b7c578f2423

Download Submit
memory/456-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/456-279-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/668-292-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/668-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-136-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1056-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1200-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1200-272-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1544-291-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1544-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1596-283-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1792-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1792-284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2156-264-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2156-255-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2216-276-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2216-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2388-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2388-271-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2504-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2504-263-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2940-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-286-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3152-288-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3152-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3220-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3220-289-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3588-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3656-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3656-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3712-244-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3952-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3952-267-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4200-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4200-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4340-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4340-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4388-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4452-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4452-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4456-282-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-280-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4524-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4528-293-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4528-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4560-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-281-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4624-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4704-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4704-287-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-273-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4724-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4860-275-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4860-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4920-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4920-285-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4944-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4944-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5060-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5060-265-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads