c7aedd0e3e942c61b825ce99c0890c41c7c8572555f4a8a81f5ed7d694395202

Analysis

max time kernel
114s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Size

95KB
MD5

bcf92fd8ae3ab3daf2b0843a9ac796a0
SHA1

a1c891f41afb7b76576fbb3c3bab8c986d740adf
SHA256

c7aedd0e3e942c61b825ce99c0890c41c7c8572555f4a8a81f5ed7d694395202
SHA512

b265f7d837394c92a52cb42fcf9fd77138b1a2cbdfed42ed6f3b409ec0bfa325edc9d4fcc42ed42260127b08688333552fc9df0e425f23dc76973361e49362d6
SSDEEP

1536:Ws5eM3AdS9FLm0rJI8sxGwTPKuUOGsw7bRQr8MRVRoRch1dROrwpOudRirVtFsrS:WsnCEm0KvjTJUOGsw7bepTWM1dQrTOwJ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kongmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kalcik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbppgona.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnnnfalp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jlfhke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjgkab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jejbhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjnaaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kongmo32.exe

Executes dropped EXE 29 IoCs

pid	Process
3944	Jnnnfalp.exe
4232	Jdjfohjg.exe
1148	Jnpjlajn.exe
436	Jejbhk32.exe
4404	Jjgkab32.exe
1648	Jelonkph.exe
816	Jlfhke32.exe
4208	Jbppgona.exe
4156	Jdalog32.exe
4564	Jjkdlall.exe
4288	Jeaiij32.exe
2316	Jjnaaa32.exe
5084	Kdffjgpj.exe
3336	Kbgfhnhi.exe
4520	Kdhbpf32.exe
3724	Kongmo32.exe
3940	Kalcik32.exe
4576	Khfkfedn.exe
4116	Klddlckd.exe
4352	Kemhei32.exe
4948	Lkiamp32.exe
4984	Ldbefe32.exe
3456	Logicn32.exe
3624	Leabphmp.exe
744	Lddble32.exe
3532	Lahbei32.exe
1760	Ldfoad32.exe
4728	Lbhool32.exe
2920	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lndkebgi.dll	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Pceijm32.dll	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Ldbefe32.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Jhmimi32.dll	Lkiamp32.exe
File opened for modification	C:\Windows\SysWOW64\Jjgkab32.exe	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Jkfood32.dll	Jbppgona.exe
File opened for modification	C:\Windows\SysWOW64\Jjnaaa32.exe	Jeaiij32.exe
File opened for modification	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Qagfppeh.dll	Logicn32.exe
File created	C:\Windows\SysWOW64\Mobpnd32.dll	Kalcik32.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Jnnnfalp.exe	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
File created	C:\Windows\SysWOW64\Bibokqno.dll	Jjgkab32.exe
File opened for modification	C:\Windows\SysWOW64\Jdalog32.exe	Jbppgona.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jdalog32.exe
File opened for modification	C:\Windows\SysWOW64\Kongmo32.exe	Kdhbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Kalcik32.exe	Kongmo32.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Mhfdfbqe.dll	Kdhbpf32.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Ldfoad32.exe
File opened for modification	C:\Windows\SysWOW64\Jnpjlajn.exe	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Jjgkab32.exe	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Efhbch32.dll	Jejbhk32.exe
File created	C:\Windows\SysWOW64\Jelonkph.exe	Jjgkab32.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Kdhbpf32.exe	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Logicn32.exe
File created	C:\Windows\SysWOW64\Ldnemdgd.dll	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Kongmo32.exe
File opened for modification	C:\Windows\SysWOW64\Klddlckd.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Lkiamp32.exe	Kemhei32.exe
File opened for modification	C:\Windows\SysWOW64\Leabphmp.exe	Logicn32.exe
File opened for modification	C:\Windows\SysWOW64\Jnnnfalp.exe	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
File created	C:\Windows\SysWOW64\Jdjfohjg.exe	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Jnpjlajn.exe	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Ipmgkhgl.dll	Jeaiij32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbpf32.exe	Kbgfhnhi.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Khfkfedn.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Bkclkjqn.dll	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Jejbhk32.exe	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Jlfhke32.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Jbppgona.exe	Jlfhke32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffjgpj.exe	Jjnaaa32.exe
File created	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Mkojhm32.dll	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfohjg.exe	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Afgfhaab.dll	Jelonkph.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lbhool32.exe
File created	C:\Windows\SysWOW64\Bfdkqcmb.dll	Klddlckd.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Lddble32.exe
File created	C:\Windows\SysWOW64\Okahhpqj.dll	Lahbei32.exe
File opened for modification	C:\Windows\SysWOW64\Jlfhke32.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Ndnoffic.dll	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Kongmo32.exe	Kdhbpf32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiamp32.exe	Kemhei32.exe
File created	C:\Windows\SysWOW64\Logicn32.exe	Ldbefe32.exe
File opened for modification	C:\Windows\SysWOW64\Ldfoad32.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lddble32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2456	2920	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khfkfedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjnaaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kongmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjgkab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdhbpf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlfhke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jejbhk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbppgona.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdjfohjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkclkjqn.dll"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndkebgi.dll"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pceijm32.dll"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfdfbqe.dll"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldnemdgd.dll"	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okahhpqj.dll"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jlfhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmannfj.dll"	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkojhm32.dll"	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibokqno.dll"	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kdhbpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnpjlajn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jdalog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndnoffic.dll"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kongmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Jjnaaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjgkab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jdalog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jejbhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgfhaab.dll"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobpnd32.dll"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbppgona.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kdhbpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomfkgml.dll"	Jlfhke32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 3944	3372	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe	90
PID 3372 wrote to memory of 3944	3372	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe	90
PID 3372 wrote to memory of 3944	3372	bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe	90
PID 3944 wrote to memory of 4232	3944	Jnnnfalp.exe	91
PID 3944 wrote to memory of 4232	3944	Jnnnfalp.exe	91
PID 3944 wrote to memory of 4232	3944	Jnnnfalp.exe	91
PID 4232 wrote to memory of 1148	4232	Jdjfohjg.exe	92
PID 4232 wrote to memory of 1148	4232	Jdjfohjg.exe	92
PID 4232 wrote to memory of 1148	4232	Jdjfohjg.exe	92
PID 1148 wrote to memory of 436	1148	Jnpjlajn.exe	93
PID 1148 wrote to memory of 436	1148	Jnpjlajn.exe	93
PID 1148 wrote to memory of 436	1148	Jnpjlajn.exe	93
PID 436 wrote to memory of 4404	436	Jejbhk32.exe	95
PID 436 wrote to memory of 4404	436	Jejbhk32.exe	95
PID 436 wrote to memory of 4404	436	Jejbhk32.exe	95
PID 4404 wrote to memory of 1648	4404	Jjgkab32.exe	96
PID 4404 wrote to memory of 1648	4404	Jjgkab32.exe	96
PID 4404 wrote to memory of 1648	4404	Jjgkab32.exe	96
PID 1648 wrote to memory of 816	1648	Jelonkph.exe	97
PID 1648 wrote to memory of 816	1648	Jelonkph.exe	97
PID 1648 wrote to memory of 816	1648	Jelonkph.exe	97
PID 816 wrote to memory of 4208	816	Jlfhke32.exe	99
PID 816 wrote to memory of 4208	816	Jlfhke32.exe	99
PID 816 wrote to memory of 4208	816	Jlfhke32.exe	99
PID 4208 wrote to memory of 4156	4208	Jbppgona.exe	100
PID 4208 wrote to memory of 4156	4208	Jbppgona.exe	100
PID 4208 wrote to memory of 4156	4208	Jbppgona.exe	100
PID 4156 wrote to memory of 4564	4156	Jdalog32.exe	101
PID 4156 wrote to memory of 4564	4156	Jdalog32.exe	101
PID 4156 wrote to memory of 4564	4156	Jdalog32.exe	101
PID 4564 wrote to memory of 4288	4564	Jjkdlall.exe	102
PID 4564 wrote to memory of 4288	4564	Jjkdlall.exe	102
PID 4564 wrote to memory of 4288	4564	Jjkdlall.exe	102
PID 4288 wrote to memory of 2316	4288	Jeaiij32.exe	103
PID 4288 wrote to memory of 2316	4288	Jeaiij32.exe	103
PID 4288 wrote to memory of 2316	4288	Jeaiij32.exe	103
PID 2316 wrote to memory of 5084	2316	Jjnaaa32.exe	105
PID 2316 wrote to memory of 5084	2316	Jjnaaa32.exe	105
PID 2316 wrote to memory of 5084	2316	Jjnaaa32.exe	105
PID 5084 wrote to memory of 3336	5084	Kdffjgpj.exe	106
PID 5084 wrote to memory of 3336	5084	Kdffjgpj.exe	106
PID 5084 wrote to memory of 3336	5084	Kdffjgpj.exe	106
PID 3336 wrote to memory of 4520	3336	Kbgfhnhi.exe	107
PID 3336 wrote to memory of 4520	3336	Kbgfhnhi.exe	107
PID 3336 wrote to memory of 4520	3336	Kbgfhnhi.exe	107
PID 4520 wrote to memory of 3724	4520	Kdhbpf32.exe	108
PID 4520 wrote to memory of 3724	4520	Kdhbpf32.exe	108
PID 4520 wrote to memory of 3724	4520	Kdhbpf32.exe	108
PID 3724 wrote to memory of 3940	3724	Kongmo32.exe	109
PID 3724 wrote to memory of 3940	3724	Kongmo32.exe	109
PID 3724 wrote to memory of 3940	3724	Kongmo32.exe	109
PID 3940 wrote to memory of 4576	3940	Kalcik32.exe	110
PID 3940 wrote to memory of 4576	3940	Kalcik32.exe	110
PID 3940 wrote to memory of 4576	3940	Kalcik32.exe	110
PID 4576 wrote to memory of 4116	4576	Khfkfedn.exe	111
PID 4576 wrote to memory of 4116	4576	Khfkfedn.exe	111
PID 4576 wrote to memory of 4116	4576	Khfkfedn.exe	111
PID 4116 wrote to memory of 4352	4116	Klddlckd.exe	112
PID 4116 wrote to memory of 4352	4116	Klddlckd.exe	112
PID 4116 wrote to memory of 4352	4116	Klddlckd.exe	112
PID 4352 wrote to memory of 4948	4352	Kemhei32.exe	113
PID 4352 wrote to memory of 4948	4352	Kemhei32.exe	113
PID 4352 wrote to memory of 4948	4352	Kemhei32.exe	113
PID 4948 wrote to memory of 4984	4948	Lkiamp32.exe	114

C:\Users\Admin\AppData\Local\Temp\bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe
"C:\Users\Admin\AppData\Local\Temp\bcf92fd8ae3ab3daf2b0843a9ac796a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Windows\SysWOW64\Jnnnfalp.exe
  C:\Windows\system32\Jnnnfalp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\Jdjfohjg.exe
    C:\Windows\system32\Jdjfohjg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\SysWOW64\Jnpjlajn.exe
      C:\Windows\system32\Jnpjlajn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Windows\SysWOW64\Jejbhk32.exe
        
        C:\Windows\system32\Jejbhk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
      - C:\Windows\SysWOW64\Jjgkab32.exe
        
        C:\Windows\system32\Jjgkab32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Jlfhke32.exe
        
        C:\Windows\system32\Jlfhke32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Jbppgona.exe
        
        C:\Windows\system32\Jbppgona.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4208
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\SysWOW64\Jjnaaa32.exe
        
        C:\Windows\system32\Jjnaaa32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Kdhbpf32.exe
        
        C:\Windows\system32\Kdhbpf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Kongmo32.exe
        
        C:\Windows\system32\Kongmo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 412
        31⤵
        Program crash
        
        PID:2456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2920 -ip 2920
1⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4164 /prefetch:8
1⤵
PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Efhbch32.dll

Filesize
7KB

MD5
a664c713046dc44a6d3470863a62bc62

SHA1
5dc1926ebcf52c0616430f9a907e3c7723afec86

SHA256
89e2e0cf5e211cd730df2052bd6fe95a7ef884af63909c50935521ee09bf2486

SHA512
ffe11a38a2b43548d3ec3683660d2840b0b6459cb672bc310303d2ff1d6a47c1f1a0bb5f090791bbd39ae00b8419eb6b87dad760da447e68a8f9524ac288b4cd

Download Submit
C:\Windows\SysWOW64\Jbppgona.exe

Filesize
95KB

MD5
33cd3602ce27080e2a3fb5d0a78581fb

SHA1
4ced63c504e7f0a2d19f46016659294b32d5700e

SHA256
2103a94d89369101cfda1a26342b53f25e5fe7534af140ba3112429da88b5c8d

SHA512
bed4612da03ebf305f012c090c3cd322754e310514e20798caa8b75d7315ea3384121e20d51da375e6a64a28fdc8d8d29cc3e438f6793b53d1c1c2cdb719c210

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
95KB

MD5
6536d740f0d7e2da38ed95dca1f45b93

SHA1
6f2de5226c0049be7ff4b3950511f507c285baa3

SHA256
057cbb79a26f73fbcb4c52bd17695b5c7637b70d405ca451448082119d50c67c

SHA512
4e33cd5dbc96f26d65991ab6939beda0006f28668bb8d1a33e36925f8f705e1d9f486799f2a07d6ce583a95ab579ed9b055729a46f5237a06ae13633cf8afe83

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
95KB

MD5
824f46f6ad11305c2e79987596231966

SHA1
1d4962e19f659f74bb64040269fb5a3cd9abc4f1

SHA256
3102efed39b006250b87afdee05ff57c61fdcb520dc516217ede97439e3a29d0

SHA512
e2c70e43c4e42fbd243bceaac3dc7c211a146f0e22eb82170e84572fa0e0861ac97de1398500bd2244d412118e28a25347d319a352d1f2af33bda060647630b6

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
95KB

MD5
465963574be6b7c629055d3043d45c79

SHA1
4e192ddb9a6994668bd76ecd5f73fff5ad2b764b

SHA256
e4a94ec4420113e771d8954cf19179f3128ac031357ea726caafabef7c59c327

SHA512
28a1dffbcd0671639e35a2e0048502f9a786b0556c704aab31f7f56c8927e346b3731135e136c6c1d63058a3844c14a94b4418e9bb2fcdc17658d0ed8255ad0b

Download Submit
C:\Windows\SysWOW64\Jejbhk32.exe

Filesize
95KB

MD5
8c33acf2db6560e5b490750027ec01f7

SHA1
33b246c35c6c26263f70bff5e2c7c7593738781e

SHA256
1dced802d010d666cbeb20ef182ddfe47c5ff265b96687df8c683feed589d4d0

SHA512
2b30a39de635281bd770d766b6ab5e402f1b15ae12e906b4b4cbb1d63c0e5421abb50fa37d0b574aebf15570b10f6da6f84f8d6fc86a23320f4416912c2c431f

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
95KB

MD5
5b7b7412ccbce7f613dec704f1509bbf

SHA1
6e8f595902f2841fdb8fde1ed959cf9199c7e888

SHA256
54c59290085bfdce05af404c37f1acac97f46c71064ea47105deb57694659276

SHA512
dd2178573be050417c57b628d8013a5d056a7daaff8886358a94c14563756898637d7d8584aaffc82e323f7a986dfbfe10fc4eb9e5ebf130af8f7c73f1bdb9a6

Download Submit
C:\Windows\SysWOW64\Jjgkab32.exe

Filesize
95KB

MD5
11b6228550572917baa31b3954bdd459

SHA1
954dc4f5838a37384ec0edb556fc1138b1b15525

SHA256
2e083fef5cd438f9911ee8dc13fabb1fa152c3901b9007969a4e80b63f66a3fb

SHA512
16d139167d716af781a37824f37861c8cebfb361fcb58eba75e23c9e1e918a1d54890a0793d5d285ae5fc60ce6452019d0bd292a5ca8c303aae8451c91cdb4cd

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
95KB

MD5
6eec1d52f0ef438f743eb9d196346acc

SHA1
10c741fddceca03c1902ec96423f7c7aea18aaf7

SHA256
e78d5d3128669c0af5a4395d0d758f6ed396a809f5f08e7c6a6203aaad4f6d6b

SHA512
6c8770fac4e8aa84d174ddc35efeb789685a1ae426034762550ba85e581cad480f65beab201f7dc97cb3e7a437bc1241ca8bd2c2053b8dd975d6a212c0407389

Download Submit
C:\Windows\SysWOW64\Jjnaaa32.exe

Filesize
95KB

MD5
3256c93e925a18e0f5f6b778f7b27219

SHA1
09680df5c006a5a55cb323bafb09ec886715a9a5

SHA256
151377874fe98fce9ace6f0ee5390eab038c44156651a1ba1dfa7ca74c6213b3

SHA512
588834252af541bd263cc77c31e41d4e92709b7a6d31154db5544ebcfc6615cde027958ed526e3aa7ecd90dee82449b3f62166dc53086220f1a8fa0b3d5991fc

Download Submit
C:\Windows\SysWOW64\Jlfhke32.exe

Filesize
95KB

MD5
91e588b848c78eca7570dc3a9965c32a

SHA1
b30fe65cc6103b70dfec89f781c19ab466f5ab3d

SHA256
e9f1bfedeb21a152fc7740c9b632405a3d8b766deff4f6d8080d0acb590e2ac6

SHA512
5ed16b53a8dabdd57f1ef753542689f751876b31acfa10ea5d42705ae8a8e43ec36e6a8ae126e5865858e434dc389db4b7a34763445444245146db59bd368658

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
95KB

MD5
2b11185808c053a65f0f468e0156de3f

SHA1
20e3390098db95dc7d0769cb3c294112d5de4649

SHA256
03d1b35f8a67814c21ae2ad4b63b70eb919a7a0620dc1f6fbe77891ebcb4fee8

SHA512
33b477740a289898e5dc44435fa648b887e3e886456e920541f2b5516426c2d2025f5e9c12d7e67b7f13e73bc5dcd16491839c74b8fc0400c2f188845ebef09b

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
95KB

MD5
212482a1d564c0af00b637a4da1454c1

SHA1
e98f6449df921939a2bef15a3c2476006eaaa9e2

SHA256
2a796c604c85225ec0164c5b0d4f6169d625389079792bcc903ce074d47c6776

SHA512
0a5bf9fe5a4a936521b29010b7098ec008f7cc69c926c316b4c1cd3d143a433bfe7bc9cc0da2146325d307e1da94d20a5c60382578d4e171c260862ec6e4fcb9

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
95KB

MD5
617634949e7819cbdc115d44094d22e5

SHA1
573d7afdb446093132a598abbe7d59949edbafbd

SHA256
d6acf408665c687705fd1968eb953c115b3f6e44126e3df7b97e52ba3107b23a

SHA512
478f11432d127b0e2a5abfbb740bc29d62384e53c7d4bc58a467ac0b6737f80d0230696a328ec3bc873894fe19b1353a102196e18b87200b12062e7abe67f74b

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
95KB

MD5
11cc32ddf70b46d7696f1809ab89d071

SHA1
69a74e23619dd6e1c3f45527be68f6fe0d957be4

SHA256
a33fac5b1ebe57a8cc9aa1888e20c278679e3001207565a67eb6ed0abdffe387

SHA512
fa31db210497a4fbe210c2d29bcdd79ee49352723fdc6c27cf2c06e56896c81b18bed162f6db0da34edbfc8d9936b3ef88a6ea5d0d1dbe5562a5b5c1ac32b3ae

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
95KB

MD5
e97cdc8437ae5aac29293b28c68e5be1

SHA1
385d3bd8b889a55d8896c3f4347999d4fd435c7a

SHA256
6e68c422ed21097e568894776dfe67d425a83c52c89fca7f19877c8181c92aaf

SHA512
1dd9e7a063662c360cfde606416a3c3c207bea61c7e6595887f67b853031402a9a9a52e3a512d2817a34874bf93cf154521a9ce219ce52968ca8ce97a6c55013

Download Submit
C:\Windows\SysWOW64\Kdhbpf32.exe

Filesize
95KB

MD5
9ce257e67b6ba73a2a973bc2f20a5b4f

SHA1
7a457cd4bfea1a2b6c86f9d8ba06ae3bb7ff3395

SHA256
d510a910d8bef01abda0600ef9d3dc6fb1db458f69117f972ed9563d549dce9e

SHA512
30130ce342e329dd0f4806dadbbf71847f1b7ffe82a65dea3d08f999e867fab0ebcd8c67abcb3b310c1c63fdd2b3e2625d99fadec94d329fda33414b55c2bcb9

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
95KB

MD5
a958f13a69c77485b7b6219718b9068d

SHA1
920de917b1e30b8a62d13fc38f72d7d265a0a474

SHA256
5fc3b470683e5260dac56123b39e61da36c3ce051f297007070f34a719798a41

SHA512
0c6b8d97fc891542289b5440382ac42af2a56d378100aa80289040862f9b718bd01df8ac09dc470a7dff3f89bbde319a2ab78b491e86013ef369d3096f6dc502

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
95KB

MD5
4868395e29cd186f11fae006e0023e35

SHA1
c5c9361f9cf82bdce6fb75bccf885889bf00d9af

SHA256
aa3d4d403762e83aeb203796104179f8f10ac220239517eae99b29e37afb5585

SHA512
af566ba5a60a55339d8ac567ce9780292e185a402098649b5e1080d5cdfda6102aec209d39e7841c121d867fe02b151d63448257430949bf1f116058367ee85a

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
95KB

MD5
8c8ecb5474706ca858555a2bc3977d6b

SHA1
e3e22d051fa9f6743dce48e9b04d319e8f50e191

SHA256
dadd94ebaa6690de1a3576bf3c2e9906a9df8788deb0533c1eb45cb6d0b8ebab

SHA512
a10d1db15557f50d04c021a8daf2a34c5ffdf2dabbfde78c001e339fc9bfc6a5d1da6163ae597e9548ec311f813523403769e786870a961112bbf25405ee0741

Download Submit
C:\Windows\SysWOW64\Kongmo32.exe

Filesize
95KB

MD5
3c66b1cf132128375ee1ec2f391ca0d3

SHA1
6f00b155bf787f49b6be249eb6ac66cb914e82c8

SHA256
4a8546972eb751168ba93cff9e4cad34dfd18eb33451041ac0d043b093016db2

SHA512
22cdcd745fb83bac04f76c0075da517c32feb79a1cc1ca78984f2ec47bb21f4b7a51f829e25911df10d7c559fc381ac12673ab7ef8772c3efc97058a023a3073

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
95KB

MD5
4b38123b124d5580e8cd343e010ecb23

SHA1
544ac39f7c63839507833e40c91f5d3d8d272c55

SHA256
2fa51e81efdf91a033097103cb911bc0fc3143a1a551036d4aaec95c7cfdeb9d

SHA512
b16f263448628113f428747220b93ec736568e48bb1bd95056f165e784d4cc0a246e807295ba1cb40b2d25c959d5c00a34d872cb991fa0734257311e7f11d57a

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
95KB

MD5
306ab9ee1be68b00c865ab2b2ba4eb79

SHA1
42dcf437976d0c2f62b53f6a008800628afa0694

SHA256
ca0ca8886537c1930c0bea213c55beaab7d25fc7fd9fe4945b6d0df4852beb9a

SHA512
f8cb5028c22042bc642f417494c0da8f8e9df44b2140e62d576951ddf426a82a3b3d779a2feeb98e09cf0538efc5e8d0a11792b2669e82cf20a25773113140fa

Download Submit
C:\Windows\SysWOW64\Ldbefe32.exe

Filesize
95KB

MD5
6a2c76f099491ad1303d3784a4e93cb2

SHA1
d19267123cb456505b0ee944cf7273f96480e29b

SHA256
b47d8e82ec537844367da6be2ca588246989e0db70d768d869510f5dc640b70c

SHA512
70eb2d97e9f4baa7ae4a28ce20e22b8c5db95615c846de51963145c6d4238aed15f9d3e0129ce005be5271a81c6d5ac70dda57aa0fffa4481b393f359186e9b8

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
95KB

MD5
d4484a72c64d103b860f3aa4fea5ef65

SHA1
b12d7558a9c41fc9ef9e38ee3e2c78a89f23f28d

SHA256
e3f649f778e4c1e6eb5ee6a87add0b9de0057ce0d32d254e2ad7cb64833ddf11

SHA512
8097e9ee8a920eefdb6ddd1b25ae51e9dba3caa7021f74f4aa6cd566a89c03a784f2d04d2089b1a5471fb0172cd480d076f2c30ada22d585f92b50ba1b377a36

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
95KB

MD5
3344ff19aada5df1def510f33e672ceb

SHA1
6644ba5bd1d8f391821978ddbc6b385452029296

SHA256
8123540ce353c8b6c922346a88d97fd18abdf6475a6c889c39158e77759e3c68

SHA512
43b5197a400c793882e7a1cfb905f75533b677168afa23dc8a315cdbd21cc2ea37176f1a4a38ec515aac622f318af06f76946717c36bdc51f1b70bc2ad7cf9fe

Download Submit
C:\Windows\SysWOW64\Ldfoad32.exe

Filesize
95KB

MD5
71146ed2c03b8a426de4b99f2843cfd8

SHA1
6e40874a2e28ec0b52a683ee80caea0817a637c3

SHA256
1efbc82ad0cf0afee5196b98f890d24d80605efd18f58fd599ad9f7c2632fb22

SHA512
bc22ccffc82016a5bb765a464a728a8104ade24bee618d48711e087430adb9035f551773ffff63a089cdf4f23c7e73e94b8aaee5542d76a3d1ef7a55af8763b0

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
95KB

MD5
bad5ce93fd02f0eefa6b48d2ab3e8122

SHA1
3c3bf88fcfcc02b9dfabc38e29a776a17edef621

SHA256
e694f6291dd4fa2dda535db0b144d19ab7d66ef0acc9daaec8912cdeb58cc7e0

SHA512
23f4814b76ba0493ca37dbeb0791acc40d3424f6c1c8e8131abbcf3de77ca16e570ef3afa26d8fda81de2a66b805e7d69465737c44ffd5f1dc423318d9ead7d5

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
95KB

MD5
629b43cc6196c47d612bc815dc1a6dd9

SHA1
5ac437d9bf8b23e6ac765c331410908938164203

SHA256
df0d49f226a1ac40ad57a4e5ffcec0fe0b379357e81f72be54f761b7906b7ae7

SHA512
d95f8890558dad0a7e5139c63e8585571691e42f0e860a1e6e051f3054bc564866212d6411721300c420ee8933c56fcf9d7cb56d19838b73b508349dccd08444

Download Submit
C:\Windows\SysWOW64\Lkiamp32.exe

Filesize
95KB

MD5
28bdbde22a6b0b98fed29970e016735a

SHA1
dc32f70c9818633f1f090ebe75325f6150158fe5

SHA256
b048dfcf6e200b66c7b90772150b148f134fc6fdc44b6dec72e05822a9e5dab0

SHA512
d002f1cc61c980083963c379372d1c116bf94076edad5b3120a2f87d5e518ed2a7759604e1aa7d996bfc5bab2801643d9c9b8643946c555c8cb9e76c1f1bbc85

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
95KB

MD5
45fd267b0bede21c242f69dd3b1f58d5

SHA1
98cd8c04a2a1b4bf2fba44dee57c14e35f2e1fc9

SHA256
caea374ca792e8487cdff64bd6781c965b88480c4ce1074fd03aaeebabad9ed5

SHA512
e34e719d76c018555978329a39b816260b2313007559f7d9cd1ed89c517505401b47a7f9f5b1115f9431146a203627864eb68cd1f4a195f002a35e3e6a5a6d60

Download Submit
memory/436-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/436-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/744-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-147-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1148-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1148-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1760-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2920-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3336-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3372-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3456-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3532-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3624-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3724-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3724-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-148-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4208-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4288-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-259-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-129-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4404-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4728-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-258-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4948-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4984-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads