7b8b00df87d6b532f27e5c4074ee51caeb8108ad6384f3b755a44c3a22dddaea

Analysis

max time kernel
115s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f339185b0e014bc08501da24dd026f0N.exe
Size

96KB
MD5

3f339185b0e014bc08501da24dd026f0
SHA1

dee97942107ec68507c4af5efe252137e495e623
SHA256

7b8b00df87d6b532f27e5c4074ee51caeb8108ad6384f3b755a44c3a22dddaea
SHA512

bf0e2abfe5ff3ed20b5bf542e041c70a63679141ead5eb5380737e9f9f3e51934f98d52f22c866f2c43c08290457b877cf0e775a31ca1384d0f53ad471b4a120
SSDEEP

1536:RInbMsqAASN9lXqI/9PLaml2g0vyjC/UrshrUQVoMdUT+irF:8MsqA9blVgqprshr1Rhk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdalog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Logicn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ieeimlep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kahinkaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llkjmb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaedanal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jelonkph.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhfbog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjkdlall.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kahinkaf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldbefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihceigec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnbgaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f339185b0e014bc08501da24dd026f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihceigec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iecmhlhb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khabke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjkdlall.exe

Executes dropped EXE 44 IoCs

pid	Process
4800	Iaedanal.exe
4044	Iholohii.exe
4292	Iecmhlhb.exe
1032	Ihaidhgf.exe
4788	Inkaqb32.exe
4380	Ieeimlep.exe
3796	Ihceigec.exe
2228	Jnnnfalp.exe
1020	Jhfbog32.exe
2976	Jnpjlajn.exe
2612	Janghmia.exe
3524	Jhhodg32.exe
4428	Jnbgaa32.exe
1648	Jelonkph.exe
2052	Jjihfbno.exe
1696	Jacpcl32.exe
3404	Jdalog32.exe
3052	Jjkdlall.exe
4820	Jeaiij32.exe
4596	Jlkafdco.exe
4832	Kahinkaf.exe
4344	Khabke32.exe
1116	Koljgppp.exe
732	Kefbdjgm.exe
1668	Klpjad32.exe
1140	Kbjbnnfg.exe
2796	Kdkoef32.exe
4272	Kkegbpca.exe
3872	Kaopoj32.exe
4492	Khihld32.exe
3576	Kocphojh.exe
3492	Kaaldjil.exe
3156	Kdpiqehp.exe
2328	Lkiamp32.exe
3376	Lacijjgi.exe
2460	Ldbefe32.exe
4552	Llimgb32.exe
2320	Logicn32.exe
4572	Llkjmb32.exe
916	Lahbei32.exe
4752	Ldfoad32.exe
4608	Llngbabj.exe
2548	Lbhool32.exe
3516	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Jhfbog32.exe	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Lndkebgi.dll	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Ihaidhgf.exe	Iecmhlhb.exe
File opened for modification	C:\Windows\SysWOW64\Jnpjlajn.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Jjihfbno.exe	Jelonkph.exe
File created	C:\Windows\SysWOW64\Hiocnbpm.dll	Ieeimlep.exe
File opened for modification	C:\Windows\SysWOW64\Khabke32.exe	Kahinkaf.exe
File opened for modification	C:\Windows\SysWOW64\Kefbdjgm.exe	Koljgppp.exe
File created	C:\Windows\SysWOW64\Jacpcl32.exe	Jjihfbno.exe
File opened for modification	C:\Windows\SysWOW64\Jjkdlall.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Jeaiij32.exe	Jjkdlall.exe
File opened for modification	C:\Windows\SysWOW64\Iecmhlhb.exe	Iholohii.exe
File created	C:\Windows\SysWOW64\Inkaqb32.exe	Ihaidhgf.exe
File created	C:\Windows\SysWOW64\Dfaadk32.dll	Inkaqb32.exe
File opened for modification	C:\Windows\SysWOW64\Janghmia.exe	Jnpjlajn.exe
File created	C:\Windows\SysWOW64\Lkiamp32.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Pkbpfi32.dll	Iaedanal.exe
File created	C:\Windows\SysWOW64\Bochcckb.dll	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Jlkafdco.exe	Jeaiij32.exe
File created	C:\Windows\SysWOW64\Dcmnee32.dll	Jeaiij32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Hlnecf32.dll	3f339185b0e014bc08501da24dd026f0N.exe
File created	C:\Windows\SysWOW64\Mnpkiqbe.dll	Jnpjlajn.exe
File opened for modification	C:\Windows\SysWOW64\Jnbgaa32.exe	Jhhodg32.exe
File created	C:\Windows\SysWOW64\Kaaldjil.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Llkjmb32.exe
File opened for modification	C:\Windows\SysWOW64\Jnnnfalp.exe	Ihceigec.exe
File created	C:\Windows\SysWOW64\Mkojhm32.dll	Ihceigec.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Llngbabj.exe	Ldfoad32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Kefbdjgm.exe	Koljgppp.exe
File opened for modification	C:\Windows\SysWOW64\Kaopoj32.exe	Kkegbpca.exe
File opened for modification	C:\Windows\SysWOW64\Ldbefe32.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Jjkdlall.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Cboleq32.dll	Kbjbnnfg.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Llimgb32.exe
File created	C:\Windows\SysWOW64\Ihceigec.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Mapchaef.dll	Jnnnfalp.exe
File created	C:\Windows\SysWOW64\Jdalog32.exe	Jacpcl32.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Khihld32.exe
File created	C:\Windows\SysWOW64\Hmfchehg.dll	Ldfoad32.exe
File opened for modification	C:\Windows\SysWOW64\Llkjmb32.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Jnbgaa32.exe	Jhhodg32.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kdkoef32.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Elmoqj32.dll	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Jhmimi32.dll	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Llimgb32.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Llkjmb32.exe	Leabphmp.exe
File opened for modification	C:\Windows\SysWOW64\Iaedanal.exe	3f339185b0e014bc08501da24dd026f0N.exe
File created	C:\Windows\SysWOW64\Kknikplo.dll	Iecmhlhb.exe
File opened for modification	C:\Windows\SysWOW64\Ihceigec.exe	Ieeimlep.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Ihaidhgf.exe	Iecmhlhb.exe
File created	C:\Windows\SysWOW64\Oacmli32.dll	Khabke32.exe
File created	C:\Windows\SysWOW64\Epqblnhh.dll	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Jmjdlb32.dll	Lkiamp32.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4440	3516	WerFault.exe	137

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iaedanal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnnnfalp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdpiqehp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iholohii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Koljgppp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klpjad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihaidhgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ihceigec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lahbei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lacijjgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Janghmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhhodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnbgaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jelonkph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khabke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldfoad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f339185b0e014bc08501da24dd026f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ieeimlep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjihfbno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llkjmb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iecmhlhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnpjlajn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jeaiij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kahinkaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbnnfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inkaqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjkdlall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlkafdco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llngbabj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibokqno.dll"	Jnbgaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmannfj.dll"	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3f339185b0e014bc08501da24dd026f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbpfi32.dll"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jelonkph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnakk32.dll"	Jlkafdco.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjcam32.dll"	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lahbei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdalog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leabphmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3f339185b0e014bc08501da24dd026f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihaidhgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnpjlajn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jlkafdco.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f339185b0e014bc08501da24dd026f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldfoad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jeaiij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cboleq32.dll"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll"	Ldfoad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3f339185b0e014bc08501da24dd026f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Janghmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Koljgppp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llimgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bochcckb.dll"	Jhhodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kahinkaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elmoqj32.dll"	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inkaqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f339185b0e014bc08501da24dd026f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iholohii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapchaef.dll"	Jnnnfalp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknikplo.dll"	Iecmhlhb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 4800	1592	3f339185b0e014bc08501da24dd026f0N.exe	90
PID 1592 wrote to memory of 4800	1592	3f339185b0e014bc08501da24dd026f0N.exe	90
PID 1592 wrote to memory of 4800	1592	3f339185b0e014bc08501da24dd026f0N.exe	90
PID 4800 wrote to memory of 4044	4800	Iaedanal.exe	91
PID 4800 wrote to memory of 4044	4800	Iaedanal.exe	91
PID 4800 wrote to memory of 4044	4800	Iaedanal.exe	91
PID 4044 wrote to memory of 4292	4044	Iholohii.exe	92
PID 4044 wrote to memory of 4292	4044	Iholohii.exe	92
PID 4044 wrote to memory of 4292	4044	Iholohii.exe	92
PID 4292 wrote to memory of 1032	4292	Iecmhlhb.exe	93
PID 4292 wrote to memory of 1032	4292	Iecmhlhb.exe	93
PID 4292 wrote to memory of 1032	4292	Iecmhlhb.exe	93
PID 1032 wrote to memory of 4788	1032	Ihaidhgf.exe	94
PID 1032 wrote to memory of 4788	1032	Ihaidhgf.exe	94
PID 1032 wrote to memory of 4788	1032	Ihaidhgf.exe	94
PID 4788 wrote to memory of 4380	4788	Inkaqb32.exe	95
PID 4788 wrote to memory of 4380	4788	Inkaqb32.exe	95
PID 4788 wrote to memory of 4380	4788	Inkaqb32.exe	95
PID 4380 wrote to memory of 3796	4380	Ieeimlep.exe	96
PID 4380 wrote to memory of 3796	4380	Ieeimlep.exe	96
PID 4380 wrote to memory of 3796	4380	Ieeimlep.exe	96
PID 3796 wrote to memory of 2228	3796	Ihceigec.exe	98
PID 3796 wrote to memory of 2228	3796	Ihceigec.exe	98
PID 3796 wrote to memory of 2228	3796	Ihceigec.exe	98
PID 2228 wrote to memory of 1020	2228	Jnnnfalp.exe	99
PID 2228 wrote to memory of 1020	2228	Jnnnfalp.exe	99
PID 2228 wrote to memory of 1020	2228	Jnnnfalp.exe	99
PID 1020 wrote to memory of 2976	1020	Jhfbog32.exe	101
PID 1020 wrote to memory of 2976	1020	Jhfbog32.exe	101
PID 1020 wrote to memory of 2976	1020	Jhfbog32.exe	101
PID 2976 wrote to memory of 2612	2976	Jnpjlajn.exe	102
PID 2976 wrote to memory of 2612	2976	Jnpjlajn.exe	102
PID 2976 wrote to memory of 2612	2976	Jnpjlajn.exe	102
PID 2612 wrote to memory of 3524	2612	Janghmia.exe	103
PID 2612 wrote to memory of 3524	2612	Janghmia.exe	103
PID 2612 wrote to memory of 3524	2612	Janghmia.exe	103
PID 3524 wrote to memory of 4428	3524	Jhhodg32.exe	104
PID 3524 wrote to memory of 4428	3524	Jhhodg32.exe	104
PID 3524 wrote to memory of 4428	3524	Jhhodg32.exe	104
PID 4428 wrote to memory of 1648	4428	Jnbgaa32.exe	105
PID 4428 wrote to memory of 1648	4428	Jnbgaa32.exe	105
PID 4428 wrote to memory of 1648	4428	Jnbgaa32.exe	105
PID 1648 wrote to memory of 2052	1648	Jelonkph.exe	106
PID 1648 wrote to memory of 2052	1648	Jelonkph.exe	106
PID 1648 wrote to memory of 2052	1648	Jelonkph.exe	106
PID 2052 wrote to memory of 1696	2052	Jjihfbno.exe	108
PID 2052 wrote to memory of 1696	2052	Jjihfbno.exe	108
PID 2052 wrote to memory of 1696	2052	Jjihfbno.exe	108
PID 1696 wrote to memory of 3404	1696	Jacpcl32.exe	109
PID 1696 wrote to memory of 3404	1696	Jacpcl32.exe	109
PID 1696 wrote to memory of 3404	1696	Jacpcl32.exe	109
PID 3404 wrote to memory of 3052	3404	Jdalog32.exe	110
PID 3404 wrote to memory of 3052	3404	Jdalog32.exe	110
PID 3404 wrote to memory of 3052	3404	Jdalog32.exe	110
PID 3052 wrote to memory of 4820	3052	Jjkdlall.exe	111
PID 3052 wrote to memory of 4820	3052	Jjkdlall.exe	111
PID 3052 wrote to memory of 4820	3052	Jjkdlall.exe	111
PID 4820 wrote to memory of 4596	4820	Jeaiij32.exe	112
PID 4820 wrote to memory of 4596	4820	Jeaiij32.exe	112
PID 4820 wrote to memory of 4596	4820	Jeaiij32.exe	112
PID 4596 wrote to memory of 4832	4596	Jlkafdco.exe	113
PID 4596 wrote to memory of 4832	4596	Jlkafdco.exe	113
PID 4596 wrote to memory of 4832	4596	Jlkafdco.exe	113
PID 4832 wrote to memory of 4344	4832	Kahinkaf.exe	114

C:\Users\Admin\AppData\Local\Temp\3f339185b0e014bc08501da24dd026f0N.exe
"C:\Users\Admin\AppData\Local\Temp\3f339185b0e014bc08501da24dd026f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\Iaedanal.exe
  C:\Windows\system32\Iaedanal.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\Iholohii.exe
    C:\Windows\system32\Iholohii.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4044
  - - C:\Windows\SysWOW64\Iecmhlhb.exe
      C:\Windows\system32\Iecmhlhb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4292
    - - C:\Windows\SysWOW64\Ihaidhgf.exe
        
        C:\Windows\system32\Ihaidhgf.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Windows\SysWOW64\Inkaqb32.exe
        
        C:\Windows\system32\Inkaqb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Ieeimlep.exe
        
        C:\Windows\system32\Ieeimlep.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ihceigec.exe
        
        C:\Windows\system32\Ihceigec.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Jnnnfalp.exe
        
        C:\Windows\system32\Jnnnfalp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Jnpjlajn.exe
        
        C:\Windows\system32\Jnpjlajn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Janghmia.exe
        
        C:\Windows\system32\Janghmia.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Jhhodg32.exe
        
        C:\Windows\system32\Jhhodg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\SysWOW64\Jnbgaa32.exe
        
        C:\Windows\system32\Jnbgaa32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\SysWOW64\Jelonkph.exe
        
        C:\Windows\system32\Jelonkph.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\SysWOW64\Jjkdlall.exe
        
        C:\Windows\system32\Jjkdlall.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Jeaiij32.exe
        
        C:\Windows\system32\Jeaiij32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Jlkafdco.exe
        
        C:\Windows\system32\Jlkafdco.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Kahinkaf.exe
        
        C:\Windows\system32\Kahinkaf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Khabke32.exe
        
        C:\Windows\system32\Khabke32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\Koljgppp.exe
        
        C:\Windows\system32\Koljgppp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1116
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Llkjmb32.exe
        
        C:\Windows\system32\Llkjmb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Ldfoad32.exe
        
        C:\Windows\system32\Ldfoad32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4608
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 412
        47⤵
        Program crash
        
        PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3516 -ip 3516
1⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3036 /prefetch:8
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iaedanal.exe

Filesize
96KB

MD5
474497a0ba1f95930ab2169f4efa346b

SHA1
5fe42a6163ab2609091946838ad37e7864d39028

SHA256
00710f7353c6008cbd0243321a82b7b18cf07272a5f2413a6e386f875efdb710

SHA512
8ae656685c62ae3b98b0a39f37bedc0f2fb4c76003d346287707dc02e0bdf03db15fed0263fb61103b840a00c5a0f4331fd6c223725bbf633a13f3364084852d

Download Submit
C:\Windows\SysWOW64\Iecmhlhb.exe

Filesize
96KB

MD5
c842b96340133fc39e1d7623ac1635f0

SHA1
826ed4a912289fcd085a71a7da4c75b42cf1dab3

SHA256
2b813796344d58285fe1b9233e95c36ea3dc49aaf48d9a5d786703eee1fcf713

SHA512
f500a214f401ba3ba49e89415a980d201a1b9d459a73104991e09421d428fd118eb38200745b84e45e9790a1cbf23839e382acf84c717511dc55e6fe04b67623

Download Submit
C:\Windows\SysWOW64\Ieeimlep.exe

Filesize
96KB

MD5
909314abe53b94d46022558014392f10

SHA1
aaccbcdb46b04fc185147a10ea09e74d6752f56b

SHA256
f8320e186a21dfe8b6a7fbc0f26879b64ac736407d29482dc75503bd3fb8a493

SHA512
dc25f19b52704c4ce85c31e562ea4927db7ba6b68acf8946e3c7d321a3f73569cb60a40105ee041bb8e586eb2a2765c91dbaaee9ad9862bab72b583eef296442

Download Submit
C:\Windows\SysWOW64\Ihaidhgf.exe

Filesize
96KB

MD5
e403fe452537d3e48a36cedfc94a5f77

SHA1
95db6b2f89c2bbebe110ede364214ab76efb87ef

SHA256
23d90b8c79aafa9a1107c891852d36217d1c28408db8ccfdd8f415f0f6632df6

SHA512
db6dcf145fe22fb4dc0ebb84597d31760d3f5a69adb027d14e80079eb05f527223b9dd26e9078bf7f893d17925b561af9f275eb20203f7727e6d85c08ab531aa

Download Submit
C:\Windows\SysWOW64\Ihceigec.exe

Filesize
96KB

MD5
77ab953b59116061b6a7f125345f84d0

SHA1
cb50f62fa375b6e45c9ec1f1e9708d581358fd84

SHA256
cf3b10f85b105b612ec7f7d167bef1474978a23113fcf3ef9888976a49d8456d

SHA512
c05f719ebb8a92147c47aded12678914356fb90d9341b645a7782955f93826019772281f583a34d6137d772da8c5b7b0bc51500607c5508e307422ab612b0292

Download Submit
C:\Windows\SysWOW64\Iholohii.exe

Filesize
96KB

MD5
d17ef2b49a124868c48d176ea8c9a8d6

SHA1
df3e68f64ccc174f74f4f1da7ea011e57b6845fb

SHA256
16931708a1b5ae1cd5990b4be4c3979817843c35a84587b7dd5198563bf55e23

SHA512
4959a1121083c3cff7ca5e965cc0cb33e9a72755dfee4ff79fb7ac63ad8f3b557952cdcd598791ba4f10e2fe6d613a975f18b7e76da4cc7a519e8f417208aef0

Download Submit
C:\Windows\SysWOW64\Inkaqb32.exe

Filesize
96KB

MD5
ed8dc31c7c8654ae26e64251ba6206aa

SHA1
efd1454f025c96e01b4ed2902c4060ebdd8b333d

SHA256
5a61d17235cc87e9809cb99f24685f33bf6f5be23db4dcfa8a007b84317c1dee

SHA512
e9ef27a84c0ae121eaa0d7ba5ce9e82839fcf4665443e0b7451bef4323d1d0d193f0736637af68d3293fd69ffc57d4a7e0c2a076dec4836e4d498d4bdaf417cb

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
96KB

MD5
792e318bb12c96c106af9316d3f5ea37

SHA1
73bbe4a1fb222af249977d66ef89789804cc548a

SHA256
b8656c94b8f73cee5eac00b4ad03ff20cbbb14f95d3a4ba2eb3b96053cf29c12

SHA512
8495de5b5197e12dac2ed81cda0976481dceae54fbb6d09db667b6ee06ce1e0647f15c87b3a60ecef9bcbf0a473e8f4c10886b8bec32ab78df5415e0f6df1792

Download Submit
C:\Windows\SysWOW64\Janghmia.exe

Filesize
96KB

MD5
0489ce17c7b091e5d5c9ddd2ba52c2fe

SHA1
cb7a2e14af4a307d1ba6d6d0ab8e135d05772b60

SHA256
c71f87735d264153fa6b0e813cac8e02bf79313077075bb3f90756572373ffbb

SHA512
353f175b7cb2d0eaeba9abc2b53e74efc5b67208a2f44d042ab383419580ef318f3b5cb9b2bb8654cb29e9e0a31df8d01afba6e7f6c305d8e5605eff0d9024a6

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
96KB

MD5
722433d4fa2ed5f17d46b6dcff11840e

SHA1
c5ccd5cdff2476c91aeeeadabea00a730c49a21a

SHA256
4f4e6eac6aa297a0de876b6fbdd1a70900dfda024d302fa79c39c91c63be2557

SHA512
28d6a7650d9dbdca20d179091282ea692ca071d24333ab3b6e1cc9aa9935524da86903aab8097ddbc289a9a2f68cd0e10712bc1f0a95ac07214e41bb785fe012

Download Submit
C:\Windows\SysWOW64\Jeaiij32.exe

Filesize
96KB

MD5
5ae0ffd7e94f1206aeba670cb4b8d647

SHA1
0222f2b6c0034c0af05a9b728230dca5adb2df83

SHA256
a33f5f632583fa79b42815fe54bbd26cb10405b8906c10a72929903736e4ab90

SHA512
1b51436cace562db90bfe0e27d4e14a61922f1ed03663d20fb5e9e79dde96f46816c1e433082d3b60927eb336ad7f4d2ad4382b175df9cabc7e69962859b88c6

Download Submit
C:\Windows\SysWOW64\Jelonkph.exe

Filesize
96KB

MD5
7059ff16ebbb4c1420810c76e8de9107

SHA1
fccda963dc403fc264be8b30f34163d46b46fa6e

SHA256
e4a0044bffad5ecafc540fc9c925c51e50bc5277e34365380c9ce7389175a2de

SHA512
3cbf518efe377c9c3127da73837d346b8c658ba861ac28c357187ae8760b016742afcfe9b7e7b8237991ee87cc99b9d4ace30a30390b55f23f4a848c982a3b56

Download Submit
C:\Windows\SysWOW64\Jhfbog32.exe

Filesize
96KB

MD5
9e0c6a97cd979be5bad04a7f6b5f8313

SHA1
c8cc13ff1d81112b7dd364954b0e36739dca6e06

SHA256
9d21305e171055c161818d5626e793114767fc46bf605193a350e3b687a47d58

SHA512
60b78d7f53a0fa6a7525d2301a7c27b5ec60a3eb280e94b3ddb242d7a5d404d2434c88ede245defe2eed1b44cdb5ea543bba986f5bb93f85298b0dcd2df16f8a

Download Submit
C:\Windows\SysWOW64\Jhhodg32.exe

Filesize
96KB

MD5
36a2a4a53abd24f55e2714f2a74d4ced

SHA1
d6693833bc8e7571fbdbc6aadfa6f151160ac683

SHA256
50aea36cc0e924318f009e0ff6d4d9e281a21043e04100305afbd3eaf82512a4

SHA512
a95f70e2711aee70eb7a717f8d546bc73b86304b6820fb472eed2093194e74f5632ead2f045ec2105b6aee298485c1d99867d43ef612032dbec18b47cd089240

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
96KB

MD5
51d91e3afffebf1da58d95ba7155c8db

SHA1
8e811846fdd1e2262141e15ca765957b864be498

SHA256
fbe5d6914675e3b32b6a9f7605a0be3917e1d9ec675c9bb717ce48796c443874

SHA512
85fc68acced2b6453859dea448fe3ea3e2cae349a832a6cf2906441cf5b57e131ba1a75c45a1390507ceb8ab8b284bbdc6168264fe7471e70d911ab7572db2ca

Download Submit
C:\Windows\SysWOW64\Jjkdlall.exe

Filesize
96KB

MD5
abf15b8cf382b530b344a31f9768da23

SHA1
dd6611bf8961a0b888c65a5ae80cdf0aaa9c574f

SHA256
d69619ccbafa24580b1fb571ebf2a53ee9aa8774698696d6b28cd9621be836e8

SHA512
0100558cc66330ed25919dbc341eebee1197b1f377d2dadf026e984820074c1d0c5a35512e90aeaa26e13a9439056c62f45795783da13284cf02ac555dd3d2f3

Download Submit
C:\Windows\SysWOW64\Jlkafdco.exe

Filesize
96KB

MD5
4b4835902463940b3bcdcdd8bfb828a7

SHA1
be75b2c3e48bc1a50a7ebe6cedea9d9575bba2cf

SHA256
124b8e74e5152a9494b15b338ebf1bede6851c0e6e3ccc1c94d7d34703e212e4

SHA512
e7bb318d71aa9bf5e5504bd6c40a09eb0717dc110289770f5606f59cb12bbccecd9f0ba7c4011b0719fe07b09036a933602b8592f4e9421344bb2b533553c45e

Download Submit
C:\Windows\SysWOW64\Jnbgaa32.exe

Filesize
96KB

MD5
3f98d269b64043a1884efd1ed8ec8f43

SHA1
d2881a5f01a7176393b23bdbf37c9aea017fd8d0

SHA256
d182624a05352a616da6b33b299f4886a2c87db7ba1af7fcd727350194c6227a

SHA512
3b6b3965849eda3da99986c2473a51cd394e0cb39c610aaae75bc90d358e1df9cb88a5e8b9c0d1ef8f367ae986b62d96f2e4790fef2e4d1977e6189d335745d9

Download Submit
C:\Windows\SysWOW64\Jnnnfalp.exe

Filesize
96KB

MD5
4c0e9aa7651b58baf404dff19dda6ff5

SHA1
bb3ded0db42052cdcbe890aedf0394bfe32f0ea9

SHA256
24ed1ca2f245a54ee9a66b626aa7e6eb71a7f2543fec6a2ebbff196cf636bcd4

SHA512
7d024c935291f048d468560e65d72d07722dd44e6d759d41366712ba1d3f956f4a14986c63f206efca6c095612684591560103a16852eb4ea7c049fec40619e5

Download Submit
C:\Windows\SysWOW64\Jnpjlajn.exe

Filesize
96KB

MD5
19a397c6d4ec32a280329d44b36b2c3f

SHA1
9dd08122918505dc0c260c200101b6f2c52d651b

SHA256
d806d00df3dd84bdb346735527073911bb6b161266d42078ac5b13a5a6802a4e

SHA512
c7aba4836e3dbd7c6f80b2ce68babe43212b3591594517a3089670fce48da9cd79382dc8d29bd0b3adfad4ad5d2b49522a4b8a2ebbd693276e2fed48303818ac

Download Submit
C:\Windows\SysWOW64\Kaaldjil.exe

Filesize
96KB

MD5
6b10e6a6031a1de9d5250e8fd0a7c004

SHA1
21e44fc1d4e7973d448398be3c70e409dffebe93

SHA256
2e72b1243de5538143662280c4ca60ce509a3d48e54b277236b293821c4bcb53

SHA512
d9fe33047c11903040c00f9db546e9ad766d4768b0acf51615f0bebdbdfba2d81998fc95ef7c23d926ae8ee2a75b9df5698a8ce413c87be2421c5b80c4a387b1

Download Submit
C:\Windows\SysWOW64\Kahinkaf.exe

Filesize
96KB

MD5
91c98d7a9b82d2e0d6f0f1eb016964e2

SHA1
58eb1c3484eb9aa80d0092faf8bde22c61d949d3

SHA256
eaed0fc25e6b03e47e487c47dfc4cc23ccdc6f18203a177156b95d0355ef5408

SHA512
4fc0a1b61a586f0c7aedefc232bcda079fd0864f3eae2775ddc5a9b442e03ae8dfcc72da180e584d511ddfd355685793603d650c06179beab09276e8b62a864e

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
96KB

MD5
7bbb1e7c9ea910db54cc00dafe85d94a

SHA1
dc8cb1ab91861eae71c90b43970582684b98d5be

SHA256
e87327007b794caee18aab67574e12320eb0f7e1a65e79294facd801a63ff634

SHA512
6629bd56f0f7cc6951955c6af5db61abe73bd52bc72e1938be89bf46d03690ca4bf556093bc1daf4d5e481b0488a443e7f9d6d3353a969c41f651f6a0cca073c

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
96KB

MD5
63fe3dd6c923b908cf1dd9b23b0c726a

SHA1
80deefdf76007f1f3cd96b0a3d4a29c05fc5cd1d

SHA256
96a627c682c5f7ca0d1b292d30912bd93ae3fff4f3d704d4e2a9433033a70738

SHA512
dae03155b2dd827a5363bc397e7f39542cb8bb7a5be60011d4bf201d6bf80dccd2b8c89b42cec944a75880a4762f353ff0552a4f1d35cf66fe6ebeb9de611415

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
96KB

MD5
d43625d53cb484d312e310af36b460e5

SHA1
819999966c22fa84bf7b97943123ccfe1d30327e

SHA256
117da2c23fd6192f45dfec3dfdb11f9a47fadef61e274162973e4ed4d5b49098

SHA512
21e28554cf3c1319c082f04f8a3185bfa2b22a213653235959140c7e190db1a98dcd2e3a3591029106394b6b2496e612c8134f52bf25ca0989b3dd6720930158

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
96KB

MD5
79e0d2f0e4731915b4598eca1e01bee8

SHA1
0eb3d182b46532568adfff31021343fd889698cb

SHA256
05c04981c9122f00a4194b5c1836d5f15712a2ede01f957b83a4c1b3914eeef8

SHA512
dc49e7c8e59dcb3e451292f37cb29990710f8c5b8cdab1fcd5295ae081d63727214ccfcf8cfd4f09d794e44b572c58b19ab234879f55157d106216dfdcc70eef

Download Submit
C:\Windows\SysWOW64\Khabke32.exe

Filesize
96KB

MD5
c6df233e8d911f1cf7d4f1c3d82ed5d4

SHA1
055c726de221a8e3f8777cf5fee91ed1f7bf7af5

SHA256
21984314109270b7e1cf28695f86d430709589473ea295315f691cf96f5aebf3

SHA512
031a57464337c0dd32a2422fe23fff203631854ff8c8e19f277ba65639e2eb06430772bd03840ff6df05f03b360ca7146a76f943bcbc46ef17447986955acf6a

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
96KB

MD5
c55d10467a30edd2f9f86c61706b4446

SHA1
24310152ce9bf46fde6d391c105de0647284eca2

SHA256
5e7c2e00913c92d5b9bc53fca395118b10aa93d1c743a44348a34016db32f35f

SHA512
959de25d74aa82622ec7f0cb49e2b5e3ce397c0ffadef32bf847117d0042021e697a85f5de01bbe6ed4fc9c37ddd916f20a4f93a37d2968e4186eaae0028bba4

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
96KB

MD5
a96d4b59d1d4ea863fc15907cb8c0b8b

SHA1
24cf9776a8f3aaa803e86c4c2f3f952f4fa905f7

SHA256
a28f9fbf7ce9d16dfc971f60fa3741c589b1d2092b5aadd70cbf812400d4f473

SHA512
6fc7cf0f0135f20f63ef0e2e98a2225db9addca3fbb260b2dff758dd78e813ddd90e133a5f87c88f07c3d661032bea10b80d3b94f4a25535bea699bee850ea48

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
96KB

MD5
eb8f6e762770287929a3795e31498635

SHA1
aef37069a3c0f65ed29430bb0b7487a1e51f26e8

SHA256
5a7bf75f460ec9085108381cad851abb2be9075856179cc3fffb6457e9caf6d0

SHA512
301d38a1387375652481b96a86b7133c7bb1ded00a8e27aca8df3ac0d4f7e24644018ae2d7d21f4a330c7d358b84c94736a4a1da98bbb8176a5cadb621d5aaf4

Download Submit
C:\Windows\SysWOW64\Kocphojh.exe

Filesize
96KB

MD5
92986a3582cc1cd6818a0a264f2158c8

SHA1
2449d7686b90f7cdf92a2525adf5c7f48ac45090

SHA256
555c20fd848152123554f39050d8e9332d1517930219e2e3fb037d17b39b63ed

SHA512
9f6b808e67455be7691e2c9e80d22a595e62318f6f7904dbcedaab1d252bf09dc02089abcb4363bdca1d280243abe85372500aa76b638b677baa26560cc8f44e

Download Submit
C:\Windows\SysWOW64\Koljgppp.exe

Filesize
96KB

MD5
4aec24d8cd4a80c93536a7d34ea44636

SHA1
a42c8d436ea86e7b821cbc1ae8d2af31b3c0e218

SHA256
b1013bee5f5a68d40256851892deb5bdd06fbdac21877090435c9878b8f6171b

SHA512
19e1f60df2dd998eb6b5c59f8a363293eaa0e2aa49f30f9a61876c642d54350ccefcd1dd94f7b878c81640c5187f72b032b3ab6574ee1833ab47481b290642de

Download Submit
C:\Windows\SysWOW64\Ncapfeoc.dll

Filesize
7KB

MD5
078c927f39107327d244db3d61de3d1d

SHA1
73cf9d5d9451836308fc58f49c8a29ad3fa745c9

SHA256
8fa08c6ebfa3d4fd0b64d9979c733c1fcb5a5a355c50abda82ff724ff3ff63b9

SHA512
a05aeb2061f4174b63f4ac2985b655e9a644f717d0b546b65615e96e94053f411845b7a31c303e9b1f27de4f1e1f83078eb8d93156e05b958ecda012f1c229f7

Download Submit
memory/732-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/732-350-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/916-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1020-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1020-365-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-370-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1032-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1116-351-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1116-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-374-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-360-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1648-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1668-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1696-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2052-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-366-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2228-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2460-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2548-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-363-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2612-87-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-215-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-364-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2976-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-356-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3156-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3156-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3404-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3404-357-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3492-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3524-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3796-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3796-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3872-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4044-372-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4344-352-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-368-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4380-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-361-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4428-103-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4552-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4552-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4596-354-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4752-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4788-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-373-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4800-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4820-355-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4832-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads