49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2

Analysis

max time kernel
131s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
Size

92KB
MD5

6c090c44419e6d668c64a3b71e890069
SHA1

f9965b4535c8d7a01f785f5884cdac6b1aecb4fc
SHA256

49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2
SHA512

006d15d95959803f975d3182801a079a5d681e4e00761da81674cf4bf380adb6677aa815ce2acc7f87a5956568f878db14ae4ef50f05a7992cec53cca0af74b3
SSDEEP

1536:SloEaD/PexC4+NSTPF8DMIg0bqjXq+66DFUABABOVLefE3:9D/rSTPiD/Lqj6+JB8M3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khihld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijpepcfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijbbfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idhiii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llimgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkmqed.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddble32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lojfin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffjgpj.exe

Executes dropped EXE 34 IoCs

pid	Process
964	Ijpepcfj.exe
3440	Idhiii32.exe
2108	Ijbbfc32.exe
1364	Jbijgp32.exe
4164	Jaljbmkd.exe
3684	Janghmia.exe
2692	Jldkeeig.exe
2568	Jelonkph.exe
1604	Jjihfbno.exe
3256	Jeolckne.exe
5072	Jjkdlall.exe
5100	Jaemilci.exe
4088	Jlkafdco.exe
792	Kdffjgpj.exe
3212	Kkpnga32.exe
4976	Kbgfhnhi.exe
3772	Kkbkmqed.exe
2228	Kehojiej.exe
652	Klbgfc32.exe
4924	Kaopoj32.exe
5000	Khihld32.exe
1020	Kkgdhp32.exe
3992	Kdpiqehp.exe
3616	Loemnnhe.exe
1920	Lacijjgi.exe
4812	Llimgb32.exe
464	Logicn32.exe
2324	Lddble32.exe
4704	Lojfin32.exe
1112	Ledoegkm.exe
3872	Lhbkac32.exe
3052	Lkqgno32.exe
2180	Lajokiaa.exe
2908	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aaqcco32.dll	Jelonkph.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jeolckne.exe
File created	C:\Windows\SysWOW64\Jlkafdco.exe	Jaemilci.exe
File opened for modification	C:\Windows\SysWOW64\Kdffjgpj.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Janghmia.exe	Jaljbmkd.exe
File opened for modification	C:\Windows\SysWOW64\Kbgfhnhi.exe	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkmqed.exe	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Aomqdipk.dll	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Lajokiaa.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Jaljbmkd.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Klbgfc32.exe
File created	C:\Windows\SysWOW64\Ojglddfj.dll	Janghmia.exe
File opened for modification	C:\Windows\SysWOW64\Kkgdhp32.exe	Khihld32.exe
File created	C:\Windows\SysWOW64\Cjbdmo32.dll	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Idhiii32.exe	Ijpepcfj.exe
File opened for modification	C:\Windows\SysWOW64\Ijbbfc32.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Mnpkiqbe.dll	Jaljbmkd.exe
File created	C:\Windows\SysWOW64\Bkclkjqn.dll	Logicn32.exe
File opened for modification	C:\Windows\SysWOW64\Jeolckne.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Kkpnga32.exe	Kdffjgpj.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Jjihfbno.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Dcmnee32.dll	Jaemilci.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Icajjnkn.dll	Ijpepcfj.exe
File created	C:\Windows\SysWOW64\Jdiphhpk.dll	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	Jlkafdco.exe
File opened for modification	C:\Windows\SysWOW64\Ledoegkm.exe	Lojfin32.exe
File opened for modification	C:\Windows\SysWOW64\Idhiii32.exe	Ijpepcfj.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Ijbbfc32.exe
File created	C:\Windows\SysWOW64\Kdpiqehp.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Llimgb32.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Llimgb32.exe
File created	C:\Windows\SysWOW64\Mghekd32.dll	Lddble32.exe
File created	C:\Windows\SysWOW64\Jelonkph.exe	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Kkgdhp32.exe	Khihld32.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lojfin32.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jelonkph.exe
File opened for modification	C:\Windows\SysWOW64\Lacijjgi.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Oojnjjli.dll	Jlkafdco.exe
File created	C:\Windows\SysWOW64\Ijpepcfj.exe	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
File created	C:\Windows\SysWOW64\Gjmheb32.dll	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
File created	C:\Windows\SysWOW64\Pakfglam.dll	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Khihld32.exe	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Ijbbfc32.exe	Idhiii32.exe
File created	C:\Windows\SysWOW64\Bibokqno.dll	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Jjmannfj.dll	Jeolckne.exe
File created	C:\Windows\SysWOW64\Ijaaij32.dll	Jjkdlall.exe
File created	C:\Windows\SysWOW64\Ebpmamlm.dll	Khihld32.exe
File created	C:\Windows\SysWOW64\Kdlmhj32.dll	Ledoegkm.exe
File opened for modification	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Anjkcakk.dll	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Kehojiej.exe	Kkbkmqed.exe
File opened for modification	C:\Windows\SysWOW64\Kehojiej.exe	Kkbkmqed.exe
File created	C:\Windows\SysWOW64\Lddble32.exe	Logicn32.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Ehilac32.dll	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Loemnnhe.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Jjkdlall.exe	Jeolckne.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4440	2908	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkbkmqed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkgdhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojfin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaemilci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeolckne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kehojiej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lddble32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijpepcfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkpnga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klbgfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Idhiii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ijbbfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jaljbmkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibokqno.dll"	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lojfin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icajjnkn.dll"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakfglam.dll"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lajokiaa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaljbmkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijaaij32.dll"	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idhiii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lojfin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmnee32.dll"	Jaemilci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkmqed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghekd32.dll"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfhni32.dll"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjkdlall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjkcakk.dll"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbdmo32.dll"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jaljbmkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jldkeeig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddble32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijpepcfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmannfj.dll"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaemilci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Klbgfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqcco32.dll"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddble32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ijbbfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kehojiej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkclkjqn.dll"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klbgfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kaopoj32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 964	1576	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe	90
PID 1576 wrote to memory of 964	1576	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe	90
PID 1576 wrote to memory of 964	1576	49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe	90
PID 964 wrote to memory of 3440	964	Ijpepcfj.exe	91
PID 964 wrote to memory of 3440	964	Ijpepcfj.exe	91
PID 964 wrote to memory of 3440	964	Ijpepcfj.exe	91
PID 3440 wrote to memory of 2108	3440	Idhiii32.exe	92
PID 3440 wrote to memory of 2108	3440	Idhiii32.exe	92
PID 3440 wrote to memory of 2108	3440	Idhiii32.exe	92
PID 2108 wrote to memory of 1364	2108	Ijbbfc32.exe	93
PID 2108 wrote to memory of 1364	2108	Ijbbfc32.exe	93
PID 2108 wrote to memory of 1364	2108	Ijbbfc32.exe	93
PID 1364 wrote to memory of 4164	1364	Jbijgp32.exe	94
PID 1364 wrote to memory of 4164	1364	Jbijgp32.exe	94
PID 1364 wrote to memory of 4164	1364	Jbijgp32.exe	94
PID 4164 wrote to memory of 3684	4164	Jaljbmkd.exe	96
PID 4164 wrote to memory of 3684	4164	Jaljbmkd.exe	96
PID 4164 wrote to memory of 3684	4164	Jaljbmkd.exe	96
PID 3684 wrote to memory of 2692	3684	Janghmia.exe	98
PID 3684 wrote to memory of 2692	3684	Janghmia.exe	98
PID 3684 wrote to memory of 2692	3684	Janghmia.exe	98
PID 2692 wrote to memory of 2568	2692	Jldkeeig.exe	99
PID 2692 wrote to memory of 2568	2692	Jldkeeig.exe	99
PID 2692 wrote to memory of 2568	2692	Jldkeeig.exe	99
PID 2568 wrote to memory of 1604	2568	Jelonkph.exe	100
PID 2568 wrote to memory of 1604	2568	Jelonkph.exe	100
PID 2568 wrote to memory of 1604	2568	Jelonkph.exe	100
PID 1604 wrote to memory of 3256	1604	Jjihfbno.exe	101
PID 1604 wrote to memory of 3256	1604	Jjihfbno.exe	101
PID 1604 wrote to memory of 3256	1604	Jjihfbno.exe	101
PID 3256 wrote to memory of 5072	3256	Jeolckne.exe	102
PID 3256 wrote to memory of 5072	3256	Jeolckne.exe	102
PID 3256 wrote to memory of 5072	3256	Jeolckne.exe	102
PID 5072 wrote to memory of 5100	5072	Jjkdlall.exe	104
PID 5072 wrote to memory of 5100	5072	Jjkdlall.exe	104
PID 5072 wrote to memory of 5100	5072	Jjkdlall.exe	104
PID 5100 wrote to memory of 4088	5100	Jaemilci.exe	105
PID 5100 wrote to memory of 4088	5100	Jaemilci.exe	105
PID 5100 wrote to memory of 4088	5100	Jaemilci.exe	105
PID 4088 wrote to memory of 792	4088	Jlkafdco.exe	106
PID 4088 wrote to memory of 792	4088	Jlkafdco.exe	106
PID 4088 wrote to memory of 792	4088	Jlkafdco.exe	106
PID 792 wrote to memory of 3212	792	Kdffjgpj.exe	107
PID 792 wrote to memory of 3212	792	Kdffjgpj.exe	107
PID 792 wrote to memory of 3212	792	Kdffjgpj.exe	107
PID 3212 wrote to memory of 4976	3212	Kkpnga32.exe	108
PID 3212 wrote to memory of 4976	3212	Kkpnga32.exe	108
PID 3212 wrote to memory of 4976	3212	Kkpnga32.exe	108
PID 4976 wrote to memory of 3772	4976	Kbgfhnhi.exe	109
PID 4976 wrote to memory of 3772	4976	Kbgfhnhi.exe	109
PID 4976 wrote to memory of 3772	4976	Kbgfhnhi.exe	109
PID 3772 wrote to memory of 2228	3772	Kkbkmqed.exe	110
PID 3772 wrote to memory of 2228	3772	Kkbkmqed.exe	110
PID 3772 wrote to memory of 2228	3772	Kkbkmqed.exe	110
PID 2228 wrote to memory of 652	2228	Kehojiej.exe	111
PID 2228 wrote to memory of 652	2228	Kehojiej.exe	111
PID 2228 wrote to memory of 652	2228	Kehojiej.exe	111
PID 652 wrote to memory of 4924	652	Klbgfc32.exe	112
PID 652 wrote to memory of 4924	652	Klbgfc32.exe	112
PID 652 wrote to memory of 4924	652	Klbgfc32.exe	112
PID 4924 wrote to memory of 5000	4924	Kaopoj32.exe	113
PID 4924 wrote to memory of 5000	4924	Kaopoj32.exe	113
PID 4924 wrote to memory of 5000	4924	Kaopoj32.exe	113
PID 5000 wrote to memory of 1020	5000	Khihld32.exe	114

C:\Users\Admin\AppData\Local\Temp\49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe
"C:\Users\Admin\AppData\Local\Temp\49fda4e68f279005762f78a827c021b24a495b79a311bf8364a9ce94e4106eb2.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\SysWOW64\Ijpepcfj.exe
  C:\Windows\system32\Ijpepcfj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SysWOW64\Idhiii32.exe
    C:\Windows\system32\Idhiii32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\SysWOW64\Ijbbfc32.exe
      C:\Windows\system32\Ijbbfc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\Jbijgp32.exe
        
        C:\Windows\system32\Jbijgp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1364
      - C:\Windows\SysWOW64\Jaljbmkd.exe
        
        C:\Windows\system32\Jaljbmkd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Jaemilci.exe
        
        C:\Windows\system32\Jaemilci.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Kdffjgpj.exe
        
        C:\Windows\system32\Kdffjgpj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Kbgfhnhi.exe
        
        C:\Windows\system32\Kbgfhnhi.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Kkbkmqed.exe
        
        C:\Windows\system32\Kkbkmqed.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Kehojiej.exe
        
        C:\Windows\system32\Kehojiej.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Klbgfc32.exe
        
        C:\Windows\system32\Klbgfc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Lddble32.exe
        
        C:\Windows\system32\Lddble32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Lojfin32.exe
        
        C:\Windows\system32\Lojfin32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 400
        36⤵
        Program crash
        
        PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2908 -ip 2908
1⤵
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4512,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:8
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Idhiii32.exe

Filesize
92KB

MD5
7f623c99e18af88534bc8fc0d07af106

SHA1
82aa7b6f30c20ee8aa3653d1146dd00584ae8170

SHA256
1cad2f1e25c84e2383c490ab382600dd9d48ee4029622fc10e5707e27492e20b

SHA512
10b7d11762747fbb65a176a270a363eaef64bcd82ae9dd93ac010b8896925d7e41656bdf37cbda5df09efde7ba79ce4812a537878a9257893e411ad2bf84c568

Download Submit
C:\Windows\SysWOW64\Ijbbfc32.exe

Filesize
92KB

MD5
4258c590592fcaf7f125ae48a7acdfdf

SHA1
ef3ee900d6614c41ae92f9951640d66e15aca700

SHA256
6b5bf9ab2693d2fb49229cc1166f2752dec8cfac5674066e2fd7bee5eb7a6490

SHA512
9737808e4377208071e693d43fff8972614195498bb24e8f8efe89814cdb738974a783bd7a3c4c197485d3b4bcd61cb07ae087108fe751faa78b418a3c1e2307

Download Submit
C:\Windows\SysWOW64\Ijpepcfj.exe

Filesize
92KB

MD5
3055ee9398b03d02483d5a0f7c55640c

SHA1
96aaafbc2e2017c07dbf2c4647b8dc9826a7033d

SHA256
f0510a37ccc30d75b8a9e9f8967677bb665572658ce83695d9c0fa352eb2003e

SHA512
85625cefef458d459f086d0ef5a55a2bab738006f915c3b7e5696e040b395f242118f6b76189b9b64f538896274b3e43c1f45d9829f01eef89143334380af068

Download Submit
C:\Windows\SysWOW64\Jaemilci.exe

Filesize
92KB

MD5
4c42aa44fc3ad6f84fede60eaf3b167c

SHA1
275ac5e09dcf1d70c9d4cc8a946aa9ed6d596efa

SHA256
80018395c1e4e974ceb48ebdceb217e1da0b2015d9b166f9f6d93bce941ef5ab

SHA512
c0ca089678363a3ad4ee2c8ec8269e8b0c857d7ecc242306e34d0d25cb8feaa8b01c640a72c4f06e088cbe6ed3cb0060bbcece64fa00388e8b1329c2242bd46e

Download Submit
C:\Windows\SysWOW64\Jaljbmkd.exe

Filesize
92KB

MD5
a6cda5ac203138c8f3d2fd8cf25e1adf

SHA1
7fa5caa796336bb964a002d98caaa047182a6832

SHA256
210c31c22d6d01940b50b178f0511b604e9740802239e5bb8be081c75930faeb

SHA512
38371eb5e1994e64792557d26f2ddc8e01c3f0be42109a58771e66f9d2509c8778ccefd6a6958ebddef93e2c512df8ed1a500c953a482db60c08583eede22fba

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
92KB

MD5
aaffb0d87b9cc73da28145e96200610a

SHA1
5c9536c083caf17c4c73eca8dac281ccef08bc72

SHA256
560f3df73ecf6c1fb629a6e6bb3fdd4c7d25c9fd43897eca96914fbaa7c35e34

SHA512
6533b9f2881610d04b959f9997c357ac1482d1521049a2fdecf274aefe6ee426fcf580d07dd93b448004b74b2ef3c073fb152484279a6205470dce0b337c74b7

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
92KB

MD5
f3584f4a4f854030793a90920ee9ae2c

SHA1
908a075217869502b959deca8b0d4cd91775b019

SHA256
18fac2b10d97c11abc378190578e4f3559067914771689bc8945a7a7e5aa4dba

SHA512
ef35b5f55c34ec38926c9d26afc3f87d37a8ec0b2ce3dc45663298c590403336199580e8f2955718a54787528c2fd9e79a8c2bcb282c5b1d1d75377db4fbaffd

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
92KB

MD5
33352f8e934b149e73fc4a9de1e8e08b

SHA1
f1baf01aec594753a3502607b026c529fa312a12

SHA256
0d57663229b74ca9b50dbbe63fba367d633b67359106f387ec28d4f477423fb5

SHA512
dbd7bcec5f4cf4a5a5b59668addb860535d089865e5262421257c0c5b907ec2e9245d9d5747dd460848960f5cf6dc7d36f52df80359fea394101b84272343949

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
92KB

MD5
9df85d9742a65b3f24597d567ab49b2f

SHA1
1670bc857e4f04e01aaf54524c2c0c80fb4ed043

SHA256
1fbd8cb86745ed6791d7f5fbf95b680f69664f1509c6d0a2aa82fc553ca71356

SHA512
bcdec94cff25ab5c1cbe65ca03aad929e823ea61955fe1041214b0e621c1ba8a47724744b4ac0fdd55189cb3d05e34dfcc6d747d15350e9294c3fabcd58a2523

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
92KB

MD5
020be9cd5b3868e73354fd8248a5c56b

SHA1
2755c4ced0a22ad68d0f770e13d9e321bf79a5f4

SHA256
8f8adf692af977deaf6b2be90adb361a6529b9c5aa7d51b03d32a2828ac3e768

SHA512
79cfb6499240aa9f692f28b03d77001f16b3609fe88211262fe7024a9e4f2629960dae2e1cf1ed4925364a9691c55b4c8138b715426411968fb1624d9ad24675

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
92KB

MD5
8a12af6287eaddff27488840d085f782

SHA1
5b0bd6a7e482acab398ed42aacc335a72311b532

SHA256
1571fada645f8d85bf9f6fb30a758c323d8e402224049bc750db436e89946432

SHA512
4f76675297ee558a636e328b4cef76d3846d999c1e51263c15813cdb3510c8e9b2808a1fe64e2abe01e75bce1553737438c016b533eb3bfbd7f11477fc5aff9e

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
92KB

MD5
682a058b4291177ca54ec8746560dd1d

SHA1
f278da9048d592becf63a8ccd423711bb32e85c2

SHA256
3af2c4a41eea2a6256a1cf28b49a6cebce6bdfe86ff5dcb3dd3cbafded1fd399

SHA512
18745244b68df989133ee980047ffe3d5917140e97bf54ec76fb1cae3b4184c2ddc0430154f7403f7f475ff5db20eb59423d66bcbb130bb6ad2d8ceefa0c0077

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
92KB

MD5
2e83539e549f866234ef9ba2260cc52a

SHA1
f9c76f2a9f3e62594732667ed9611b734b865912

SHA256
bd88ffa09d91f0ccf1a4b08a3ebc6264703437a638910ea076b72d0174aa1379

SHA512
23c8185d75f19d8cdc062bbbfb0e21224ae3df2f1ebc9b4101fe58d38c94220ef75d5bce6e672e7de46c14b676fc3aac7b2f3fc3645838ea7f573c833538fb99

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
92KB

MD5
c519d309df644e31a94c9c98bd03d737

SHA1
b3aed5e1647062b68a5bef71916d8987a6f42d8c

SHA256
187a0edd54bed984ed4a8db937b19e128c2fcfde4759d01f68df45795d05ce6f

SHA512
1e65ea1a06a355ea83a4823c5edc7cfa85d57f2a0f38b3c94aeee8acb8924e82ca76a2c4c6b6e4fbff45fe04d14c9440699a61f0a1fb0e96e13c1122cc1c4acb

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
92KB

MD5
d9962993e613569851fa6c7f7c56087a

SHA1
cc571df402d035cbcecb3c6630a4b6d9da87ce53

SHA256
9ad63d0f6d27de5f42cada4c7075a046f68dcb119eae7a0a7ad909ac5b5f78ff

SHA512
6cd17efdd13c392973cae9ddf5fe45cc6080629e552bbbc8610a8e099cb742e1f622b88c02617b7d5ac2df29eb3a2e07dc2bb7150fc2390288da63542969c48c

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
92KB

MD5
6a997efc5435516ee42928d6ce53ca1f

SHA1
9980f39e8328ea26cedcca5ed61ea37772a21400

SHA256
71ee15d83fea4ad4609089c9cd24aa70afbda85c5481f8bf8bdc6f690505872d

SHA512
e3b3e415bedc7b3825d1f9c1496ca5274dfaaad0aa6f5ed769587599fb0e8cfc64aeb78feb6f082046550edd77d0410346b1c17484c9324d05494fb903fa7589

Download Submit
C:\Windows\SysWOW64\Kdpiqehp.exe

Filesize
92KB

MD5
3b51e515526765949c05d23f84660309

SHA1
fdc5d9719c50638041f604930a5129de501c6b64

SHA256
348120100f4c0db43f1338f2b457146c7ee5d0514067ee2a039cbbcd6dc1e02b

SHA512
d9af565bda34300083c1c5bbfb42435cb803a76383514b46dd1f110d67cda2de0fe889eb7d6fc95daca3fce45f665f632ceaa4de9ae52406a94a65d336609d76

Download Submit
C:\Windows\SysWOW64\Kehojiej.exe

Filesize
92KB

MD5
bbd9f45e657d6ddab0f82ce358ef366a

SHA1
eaa00c2837889ebdfc5af125515b54f0ae83055c

SHA256
5513c055cae60d7461b7811503c0565f4c3ed04632548e9c50b728de9f4bd1ec

SHA512
4da758aff9647ad5b3023bf74cdd3dc273f62b0377f1b024758d76ca71898935ba3b059890b18df6b3e082e8263f60eba2777ab4d7063a4f5b62d5ec8a13d161

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
92KB

MD5
9d47a223f0ae317f399fdca67901959b

SHA1
1549613254e9bf5b684e9ea871d49fa273498cb3

SHA256
6a49663134edeeae1fe7ea81d489b88973a7beca5043c0b03640417702726c01

SHA512
f25f9b6e2c8dae37c89c531d52e55b7df5d23889427dc1d6f8cf4ad128e8a76c3943a00cc93c46f7cfb994f460bcc9c3d261a09795844d5534a12416112cb5df

Download Submit
C:\Windows\SysWOW64\Kkbkmqed.exe

Filesize
92KB

MD5
153c392c152361e7253ec9eeb5c86c84

SHA1
8d37e425e8fc137404a38e82b06b9e9b94ded7bf

SHA256
b16c7350c8a0ef9a38e9ba32287b73000f31bae6d615f3bfa9d4b9c035bc4d70

SHA512
dc4160c98bc74a56c9a99bb0573011f6622cbb1b265a3558f809294721dc732d1c2b97628a0c75a8fa01b0df48550416e5f30b89ca944378463cd6f841250545

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
92KB

MD5
e840ebf8431ac145d3b818ee83fb6da7

SHA1
a214093b912e73fbbefe1c625b7747cefd8f3567

SHA256
5b74b4a1dfb9d85eb11794ac0fdb9a2239185580246eda3fdacd62cc7fc306c3

SHA512
5f24982be52bd10c159ee7360a6fb992e2503255de1650314fe77133534a1e50cd48075f702a1606ac8ea766387dd5c3d8da3cf79401ce5204b9a7837e52d092

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
92KB

MD5
872da8955f0b2f69808299c504889140

SHA1
50383ef0d46c59e08104a9d0c84de126b0c95749

SHA256
28eaa62dad473573daf68de4921c3c30928c727a7e931f01fdf885c4f28bc5fd

SHA512
ab7ac18961fa3476b06f2e2247a3d89436fdb5a519b959c130bf7c34fa56d41477bc0feb53c8d1aed3738710acb5928ee6cd215713a6ecaa6e63f229ecff7dcf

Download Submit
C:\Windows\SysWOW64\Klbgfc32.exe

Filesize
92KB

MD5
31918ade9730fd6d9a3d9d4d43945014

SHA1
1e4d3683b2b5358e9d945423e3348a29e80fd7c5

SHA256
95f93195b296825d95aec8e6d506f4e0f8be5f298f81a7f70e6c29f18a657545

SHA512
2194ecca093c3a1e3064a83241196a3a261aeafa6292fdb376aa48375c845b6fe92ba5e839a4ce475e03a8d90ab9ead6344d2a69525e0e112afc209070c98bca

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
92KB

MD5
2612b92ee6e03c4d04760a10644cbebd

SHA1
3a05e1954f589f921fa8d9b792ff9ac752fb4575

SHA256
00170c4c7ee3e7e0f1b567e387cfc871d0c9817f19518a966e37820ad4c5dad0

SHA512
4f120a823f7649514ef2cb5ed9385f11fc550245488c548e58e1a396bbd5ca4a6eda6533ad09a458da757f5b81ede76b80665ee4dde8ffec491c0094a4f8f1be

Download Submit
C:\Windows\SysWOW64\Lddble32.exe

Filesize
92KB

MD5
aff67dca36b75db83a733615dc345abe

SHA1
0e9857a500479b9dd7bbdb16a2b9475f877fb756

SHA256
cb1f0a1484474732455e304270cc5373308ebfcf7271bd1f39a8683778702c83

SHA512
d193ffdaad61958890f9102969add7bcef1b0f9d45af30f1895dacfab2f4c837c65be2c8e3898b3d57a932412aa3d6d63694f7100ac1babefedba264a3ef07d9

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
92KB

MD5
e35b7700fbcba8398330c9b088f67a89

SHA1
b599ed72fd862271a44f9be38bdd883f1caa4fc6

SHA256
d6dae0549a47fa2e2d2f2cc3058c5a790f8985be0abbc42d7f9e1df09b09f457

SHA512
c2a35a066bf1d2062d8613bb7ad4a6e47f9a18df73d0821ddd283bcfdacbbb05c7d9f92bc00e80391b20bf4e68311bd08181ff9fe3022669f4ab06ed4ffde07e

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
92KB

MD5
b891d0796524052fbc18104dd148ce50

SHA1
d89f0cae96b6beac0cfb729d5df2f80203a65877

SHA256
94b99a8c9641c0e49aca8809b0d9820d7c031f460c87718bd3637e3172aa03fa

SHA512
ec5cfe9b376933a629ab92c56646fd88375ffe172be4dd0d606e9c7f3cd58f1811f5ffa42af10015be9c76a51c9ec8aaba9c6dd29ba0c9a8c39314dde8d09f4d

Download Submit
C:\Windows\SysWOW64\Lkqgno32.exe

Filesize
92KB

MD5
fd99741c7077653d1b0b45ef7a3140c4

SHA1
166bcd14f643ae529274e08af855ac7804f43fdb

SHA256
033da55eb8f3ce62f7a199b82c256f835e3b7bef32ae708aa77982d7c932e550

SHA512
539f04e039aac7fa61ad13f1019ad74be03312e594ac1ed170821cd3b693b05bff533cda0143d749f99d3b06800d7eb59163806a2d0e28eea658ab6b495a71f5

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
92KB

MD5
769e59b5b601188d2b535775156d67a7

SHA1
777ff27a82aaa2631b4f281fd1e0e4ae891c857f

SHA256
e7aa8ce817a51f272578939ad3e20380ed932fb85e34b11e3b7502933353fafb

SHA512
42f684878d246133fcfa734f0f6f02c3bfbd89a736d307776df9764360aebef59ac452a2e84636715f1219407441628f132c38adc6032b33616f65e36166f6d5

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
92KB

MD5
843dbee43b82992273169851231dca9f

SHA1
bb2386d34ed68072b6803f0ac8f30e68f38a6b5e

SHA256
e45f47d344ebf00a62da83cc45abec6c152759692eb8390ed51900d2ab39129a

SHA512
e169311a340a90e5a0a0587622c40cf64e9bc9297c233f4a94c483b0113b0d589656a16e6adfd3bb19d4b69150a86530d10619221e17d8d1191a01f45dbeaa64

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
92KB

MD5
09a2746a96739666ba6845b593738da7

SHA1
2c279f5fa9a03ad5ebe3f6082b3757532df60966

SHA256
10d3373a2e01fc9bfd2ed0ef5a738e1aabfdc725248bb54c694c19ffc039fabb

SHA512
14dd77ed17f800eb73c58594420504fe9ce35fa47747a732f290a4131517c21029c32dfe2f599cc742daaed3fa81068f0aed1530d19888db449d1f6434bfd597

Download Submit
C:\Windows\SysWOW64\Lojfin32.exe

Filesize
92KB

MD5
dc089f60a3b24d85233cf16fd8b742ae

SHA1
5d4d92f4f0f2dac1439c118ec0557de708f1f1b2

SHA256
ccc4a153b2e86dab671db5b297e30b71ed9bce7a882b3a3c0245f705303bbf1a

SHA512
4c2ff9c2ea5bc7c7bcac366c1d0954e9f5d5e9f894ea3ba4e5b16f6f2073dcb11bdf65f60db5ae9bd1946749ea9ac9ad8afc20bfea5c80b96574fe5cf2a19b12

Download Submit
memory/464-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/464-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/652-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/652-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/792-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/792-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/964-295-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/964-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1020-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1020-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1112-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1364-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1576-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1576-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1576-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1604-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1920-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2108-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2180-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2228-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2324-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-290-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-291-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2908-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3212-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3212-283-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-294-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3440-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3616-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3684-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3684-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3772-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3772-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3872-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3992-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-293-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4164-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4704-238-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4812-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-297-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4976-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4976-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5000-173-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5072-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5072-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5100-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads