fc9701041db51abd38c25bdd3e34fe24aa92cfb25d824ea1106f143e3c8df730

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 08:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be12e96fccf5bc692a51a1c6fdfb2b30N.exe
Size

576KB
MD5

be12e96fccf5bc692a51a1c6fdfb2b30
SHA1

0cd3a276782e1c191026ab07de1c55bb2bd502ca
SHA256

fc9701041db51abd38c25bdd3e34fe24aa92cfb25d824ea1106f143e3c8df730
SHA512

9a032129247ef48ab936c22b6b914dbc1a9bd689d0122f19020341c1b0c047d37beb32d6fa4cc70f3a1d538d02e842cb08f5e9cc817c8c1390c043fc84e8b535
SSDEEP

12288:2TL5qbTGyXu1jGG1wsGeBgRTGAzciETdqvZNemWrsiLk6mqgSgRDO:8L5qbTGyXsGG1wsLUT3IipX6

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khihld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jldkeeig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ibdplaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhfbog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiamp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laffpi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jdalog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolcnman.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbqinm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leabphmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iajmmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkegbpca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ledoegkm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jacpcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kemhei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	be12e96fccf5bc692a51a1c6fdfb2b30N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leoejh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jldkeeig.exe

Executes dropped EXE 36 IoCs

pid	Process
836	Ibdplaho.exe
3440	Iajmmm32.exe
2700	Jbijgp32.exe
3272	Jhfbog32.exe
5020	Jldkeeig.exe
464	Jacpcl32.exe
2568	Jdalog32.exe
3348	Jhoeef32.exe
416	Kajfdk32.exe
1004	Kefbdjgm.exe
2180	Kdkoef32.exe
4908	Kkegbpca.exe
4316	Kaopoj32.exe
2572	Khihld32.exe
2056	Kocphojh.exe
2220	Kaaldjil.exe
4016	Kemhei32.exe
112	Khkdad32.exe
1932	Lkiamp32.exe
1160	Loemnnhe.exe
2796	Lbqinm32.exe
4980	Leoejh32.exe
4788	Lhmafcnf.exe
688	Llimgb32.exe
4216	Logicn32.exe
440	Laffpi32.exe
4828	Leabphmp.exe
3388	Lhpnlclc.exe
4308	Lknjhokg.exe
4900	Lbebilli.exe
5076	Ledoegkm.exe
2156	Lhbkac32.exe
3868	Lkqgno32.exe
3396	Lolcnman.exe
3544	Lajokiaa.exe
3888	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Iajmmm32.exe	Ibdplaho.exe
File opened for modification	C:\Windows\SysWOW64\Jldkeeig.exe	Jhfbog32.exe
File opened for modification	C:\Windows\SysWOW64\Kkegbpca.exe	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Bkjbah32.dll	Khihld32.exe
File created	C:\Windows\SysWOW64\Lkiamp32.exe	Khkdad32.exe
File created	C:\Windows\SysWOW64\Leabphmp.exe	Laffpi32.exe
File created	C:\Windows\SysWOW64\Hopaik32.dll	Lbebilli.exe
File created	C:\Windows\SysWOW64\Jacpcl32.exe	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Loemnnhe.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Fbbojb32.dll	Kdkoef32.exe
File created	C:\Windows\SysWOW64\Laffpi32.exe	Logicn32.exe
File opened for modification	C:\Windows\SysWOW64\Khihld32.exe	Kaopoj32.exe
File created	C:\Windows\SysWOW64\Kocphojh.exe	Khihld32.exe
File created	C:\Windows\SysWOW64\Kaaldjil.exe	Kocphojh.exe
File created	C:\Windows\SysWOW64\Lbqinm32.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Llimgb32.exe	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Oofial32.dll	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Lhmafcnf.exe	Leoejh32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Kdlmhj32.dll	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Mapchaef.dll	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Lajokiaa.exe	Lolcnman.exe
File opened for modification	C:\Windows\SysWOW64\Jacpcl32.exe	Jldkeeig.exe
File created	C:\Windows\SysWOW64\Jbijgp32.exe	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Kaopoj32.exe	Kkegbpca.exe
File created	C:\Windows\SysWOW64\Khihld32.exe	Kaopoj32.exe
File opened for modification	C:\Windows\SysWOW64\Kemhei32.exe	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Bfdkqcmb.dll	Kaaldjil.exe
File created	C:\Windows\SysWOW64\Fcnhog32.dll	Khkdad32.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	Lknjhokg.exe
File opened for modification	C:\Windows\SysWOW64\Lkqgno32.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Loemnnhe.exe	Lkiamp32.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lajokiaa.exe
File created	C:\Windows\SysWOW64\Cboleq32.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Kemhei32.exe	Kaaldjil.exe
File opened for modification	C:\Windows\SysWOW64\Lhmafcnf.exe	Leoejh32.exe
File opened for modification	C:\Windows\SysWOW64\Logicn32.exe	Llimgb32.exe
File created	C:\Windows\SysWOW64\Ledoegkm.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Kajfdk32.exe	Jhoeef32.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Leabphmp.exe
File created	C:\Windows\SysWOW64\Lolcnman.exe	Lkqgno32.exe
File created	C:\Windows\SysWOW64\Jldkeeig.exe	Jhfbog32.exe
File created	C:\Windows\SysWOW64\Cjbdmo32.dll	Lhmafcnf.exe
File created	C:\Windows\SysWOW64\Jhoeef32.exe	Jdalog32.exe
File created	C:\Windows\SysWOW64\Kefbdjgm.exe	Kajfdk32.exe
File opened for modification	C:\Windows\SysWOW64\Lbqinm32.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Ledoegkm.exe
File created	C:\Windows\SysWOW64\Hbfhni32.dll	Lolcnman.exe
File created	C:\Windows\SysWOW64\Jdiphhpk.dll	Iajmmm32.exe
File created	C:\Windows\SysWOW64\Eloeba32.dll	Jdalog32.exe
File created	C:\Windows\SysWOW64\Kjejmalo.dll	Kemhei32.exe
File created	C:\Windows\SysWOW64\Ieaqqigc.dll	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Elmoqj32.dll	Jldkeeig.exe
File opened for modification	C:\Windows\SysWOW64\Kefbdjgm.exe	Kajfdk32.exe
File created	C:\Windows\SysWOW64\Fooqlnoa.dll	Llimgb32.exe
File created	C:\Windows\SysWOW64\Jgcnomaa.dll	Logicn32.exe
File created	C:\Windows\SysWOW64\Ibdplaho.exe	be12e96fccf5bc692a51a1c6fdfb2b30N.exe
File opened for modification	C:\Windows\SysWOW64\Jdalog32.exe	Jacpcl32.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jdalog32.exe
File opened for modification	C:\Windows\SysWOW64\Lkiamp32.exe	Khkdad32.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Lknjhokg.exe

Program crash 1 IoCs

pid	pid_target	Process
976	3888	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkqgno32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iajmmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kajfdk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logicn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jdalog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkiamp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laffpi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be12e96fccf5bc692a51a1c6fdfb2b30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jacpcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdkoef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leabphmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhpnlclc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jldkeeig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhoeef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaopoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kocphojh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbqinm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhmafcnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolcnman.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ibdplaho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbijgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkegbpca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khihld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaaldjil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llimgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jhfbog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khkdad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lajokiaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kemhei32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leoejh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ledoegkm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jdalog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	be12e96fccf5bc692a51a1c6fdfb2b30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedkhf32.dll"	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kajfdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhmafcnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	be12e96fccf5bc692a51a1c6fdfb2b30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll"	Kajfdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaaldjil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ibdplaho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdkoef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehilac32.dll"	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jdalog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjbah32.dll"	Khihld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khkdad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lajokiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomqdipk.dll"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll"	Lkiamp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laffpi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaopoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejmalo.dll"	Kemhei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojglddfj.dll"	Jhfbog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kocphojh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Logicn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leabphmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfood32.dll"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ledoegkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkqgno32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaopoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll"	Kocphojh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khihld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaqqigc.dll"	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	be12e96fccf5bc692a51a1c6fdfb2b30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbdmo32.dll"	Lhmafcnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofial32.dll"	Lkqgno32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lolcnman.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaaldjil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbqinm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Llimgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapchaef.dll"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbojb32.dll"	Kdkoef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jacpcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkegbpca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopaik32.dll"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcnhog32.dll"	Khkdad32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 836	1720	be12e96fccf5bc692a51a1c6fdfb2b30N.exe	90
PID 1720 wrote to memory of 836	1720	be12e96fccf5bc692a51a1c6fdfb2b30N.exe	90
PID 1720 wrote to memory of 836	1720	be12e96fccf5bc692a51a1c6fdfb2b30N.exe	90
PID 836 wrote to memory of 3440	836	Ibdplaho.exe	91
PID 836 wrote to memory of 3440	836	Ibdplaho.exe	91
PID 836 wrote to memory of 3440	836	Ibdplaho.exe	91
PID 3440 wrote to memory of 2700	3440	Iajmmm32.exe	93
PID 3440 wrote to memory of 2700	3440	Iajmmm32.exe	93
PID 3440 wrote to memory of 2700	3440	Iajmmm32.exe	93
PID 2700 wrote to memory of 3272	2700	Jbijgp32.exe	95
PID 2700 wrote to memory of 3272	2700	Jbijgp32.exe	95
PID 2700 wrote to memory of 3272	2700	Jbijgp32.exe	95
PID 3272 wrote to memory of 5020	3272	Jhfbog32.exe	96
PID 3272 wrote to memory of 5020	3272	Jhfbog32.exe	96
PID 3272 wrote to memory of 5020	3272	Jhfbog32.exe	96
PID 5020 wrote to memory of 464	5020	Jldkeeig.exe	98
PID 5020 wrote to memory of 464	5020	Jldkeeig.exe	98
PID 5020 wrote to memory of 464	5020	Jldkeeig.exe	98
PID 464 wrote to memory of 2568	464	Jacpcl32.exe	99
PID 464 wrote to memory of 2568	464	Jacpcl32.exe	99
PID 464 wrote to memory of 2568	464	Jacpcl32.exe	99
PID 2568 wrote to memory of 3348	2568	Jdalog32.exe	100
PID 2568 wrote to memory of 3348	2568	Jdalog32.exe	100
PID 2568 wrote to memory of 3348	2568	Jdalog32.exe	100
PID 3348 wrote to memory of 416	3348	Jhoeef32.exe	101
PID 3348 wrote to memory of 416	3348	Jhoeef32.exe	101
PID 3348 wrote to memory of 416	3348	Jhoeef32.exe	101
PID 416 wrote to memory of 1004	416	Kajfdk32.exe	102
PID 416 wrote to memory of 1004	416	Kajfdk32.exe	102
PID 416 wrote to memory of 1004	416	Kajfdk32.exe	102
PID 1004 wrote to memory of 2180	1004	Kefbdjgm.exe	103
PID 1004 wrote to memory of 2180	1004	Kefbdjgm.exe	103
PID 1004 wrote to memory of 2180	1004	Kefbdjgm.exe	103
PID 2180 wrote to memory of 4908	2180	Kdkoef32.exe	104
PID 2180 wrote to memory of 4908	2180	Kdkoef32.exe	104
PID 2180 wrote to memory of 4908	2180	Kdkoef32.exe	104
PID 4908 wrote to memory of 4316	4908	Kkegbpca.exe	105
PID 4908 wrote to memory of 4316	4908	Kkegbpca.exe	105
PID 4908 wrote to memory of 4316	4908	Kkegbpca.exe	105
PID 4316 wrote to memory of 2572	4316	Kaopoj32.exe	106
PID 4316 wrote to memory of 2572	4316	Kaopoj32.exe	106
PID 4316 wrote to memory of 2572	4316	Kaopoj32.exe	106
PID 2572 wrote to memory of 2056	2572	Khihld32.exe	107
PID 2572 wrote to memory of 2056	2572	Khihld32.exe	107
PID 2572 wrote to memory of 2056	2572	Khihld32.exe	107
PID 2056 wrote to memory of 2220	2056	Kocphojh.exe	108
PID 2056 wrote to memory of 2220	2056	Kocphojh.exe	108
PID 2056 wrote to memory of 2220	2056	Kocphojh.exe	108
PID 2220 wrote to memory of 4016	2220	Kaaldjil.exe	109
PID 2220 wrote to memory of 4016	2220	Kaaldjil.exe	109
PID 2220 wrote to memory of 4016	2220	Kaaldjil.exe	109
PID 4016 wrote to memory of 112	4016	Kemhei32.exe	110
PID 4016 wrote to memory of 112	4016	Kemhei32.exe	110
PID 4016 wrote to memory of 112	4016	Kemhei32.exe	110
PID 112 wrote to memory of 1932	112	Khkdad32.exe	111
PID 112 wrote to memory of 1932	112	Khkdad32.exe	111
PID 112 wrote to memory of 1932	112	Khkdad32.exe	111
PID 1932 wrote to memory of 1160	1932	Lkiamp32.exe	112
PID 1932 wrote to memory of 1160	1932	Lkiamp32.exe	112
PID 1932 wrote to memory of 1160	1932	Lkiamp32.exe	112
PID 1160 wrote to memory of 2796	1160	Loemnnhe.exe	113
PID 1160 wrote to memory of 2796	1160	Loemnnhe.exe	113
PID 1160 wrote to memory of 2796	1160	Loemnnhe.exe	113
PID 2796 wrote to memory of 4980	2796	Lbqinm32.exe	114

C:\Users\Admin\AppData\Local\Temp\be12e96fccf5bc692a51a1c6fdfb2b30N.exe
"C:\Users\Admin\AppData\Local\Temp\be12e96fccf5bc692a51a1c6fdfb2b30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\Ibdplaho.exe
  C:\Windows\system32\Ibdplaho.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\SysWOW64\Iajmmm32.exe
    C:\Windows\system32\Iajmmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\SysWOW64\Jbijgp32.exe
      C:\Windows\system32\Jbijgp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Jhfbog32.exe
        
        C:\Windows\system32\Jhfbog32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
      - C:\Windows\SysWOW64\Jldkeeig.exe
        
        C:\Windows\system32\Jldkeeig.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Jacpcl32.exe
        
        C:\Windows\system32\Jacpcl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Jdalog32.exe
        
        C:\Windows\system32\Jdalog32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Kajfdk32.exe
        
        C:\Windows\system32\Kajfdk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Kdkoef32.exe
        
        C:\Windows\system32\Kdkoef32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Kkegbpca.exe
        
        C:\Windows\system32\Kkegbpca.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Kaopoj32.exe
        
        C:\Windows\system32\Kaopoj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\SysWOW64\Khihld32.exe
        
        C:\Windows\system32\Khihld32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\SysWOW64\Kocphojh.exe
        
        C:\Windows\system32\Kocphojh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Kaaldjil.exe
        
        C:\Windows\system32\Kaaldjil.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\SysWOW64\Kemhei32.exe
        
        C:\Windows\system32\Kemhei32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Lkiamp32.exe
        
        C:\Windows\system32\Lkiamp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\SysWOW64\Lbqinm32.exe
        
        C:\Windows\system32\Lbqinm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Leoejh32.exe
        
        C:\Windows\system32\Leoejh32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Lhmafcnf.exe
        
        C:\Windows\system32\Lhmafcnf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Llimgb32.exe
        
        C:\Windows\system32\Llimgb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\Logicn32.exe
        
        C:\Windows\system32\Logicn32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\Laffpi32.exe
        
        C:\Windows\system32\Laffpi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Leabphmp.exe
        
        C:\Windows\system32\Leabphmp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Ledoegkm.exe
        
        C:\Windows\system32\Ledoegkm.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Lkqgno32.exe
        
        C:\Windows\system32\Lkqgno32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Lolcnman.exe
        
        C:\Windows\system32\Lolcnman.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Lajokiaa.exe
        
        C:\Windows\system32\Lajokiaa.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 412
        38⤵
        Program crash
        
        PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3888 -ip 3888
1⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4224,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8
1⤵
PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Iajmmm32.exe

Filesize
576KB

MD5
be422d073225bba33f18f4977838392f

SHA1
810911d8e3bf71359410a18ac16f9258dbfb37a3

SHA256
d50d5ff2a8f4107c417c5fdf2e212ad1602105f401aa1126db39b69bf2d59bd3

SHA512
8340c42f173eb2ca984d2749622f1cc17e5c5cb970ab6e65ac1c499317ed44c2608492d4310b812b62ad735d14667a7869cfadd947b89dfdd3ee7bcb4b8761dc

Download Submit
C:\Windows\SysWOW64\Ibdplaho.exe

Filesize
576KB

MD5
278581c283486adbdddab07c5aa5209a

SHA1
c95ed351e1a2d3ebd90e801cb89779d871d82db8

SHA256
eb31b5c557c98a7d8cada4bfff26badfca0d7fd5b7304b1e4c02cec313ebcaed

SHA512
2e6391536fffa96a047e12b9fb2003a80e973e0779167f028791188e508fa12aa375731146eeb1dd501be8e83475e448f5444345e633d9ebb91250f7b217ea7b

Download Submit
C:\Windows\SysWOW64\Jacpcl32.exe

Filesize
576KB

MD5
b79a70acaf6d36fbb34580bbb3e78c46

SHA1
e0f284e0d6aed6d3b73f9e0a99541aed45a6b161

SHA256
8ca5d2a7237bb58fa0f39325768008d2a8876c038931e52f86a280753b4c97b7

SHA512
b342ea1ebb743593b25f0a8e46b2193e76cc2cfa7858876e0e65c910d0177a14432e9453a95176f0959b05af196c4e055fa3f5623612ed2fda0e682f4627041f

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
576KB

MD5
7ff819da45f515aa176fb58a034649e7

SHA1
8a982582084268c3e63fdd3452176b472194a8c7

SHA256
e362bcdfe5eec125904f3e4aa5289cb87e7b0e46d3753bc44ecd4db941e2c0d4

SHA512
273f337a4cb1592f4d7e96fae028f0df57ffe5f403f0c96a65137fc46654de5855d05e5ed5a0b5d2ffbf2c949998f58420a06f6340c018bf9881c1650dd46aac

Download Submit
C:\Windows\SysWOW64\Jdalog32.exe

Filesize
576KB

MD5
39f675287d3e5f092ccd381415eae730

SHA1
3c7bb6bde227f6456645b35d6ff25e01028f5719

SHA256
3ba009858a56f0d5c05d2805e7f35d4eab44c5321ee174a8a43f22bc64dc7ecb

SHA512
e090bb076c0f23b3218754f4e4eb9661d4525c6d80ef099acf64c567bb0583ddecbb068d13f607f9f4577888dc02380372a46e9d32efd03d8d9f3bf8ff10e85e

Download Submit
C:\Windows\SysWOW64\Jhfbog32.exe

Filesize
576KB

MD5
4700ec7074b0517da174fa6bebcbe17e

SHA1
5ba03c093666b15b05e607bac68b70d44ac227e1

SHA256
69994c3590743fd9945285207595cc71af6859397b013c8e7da75c57516443e9

SHA512
6c1ddeac19b108b820b66a25c880e8fdc093ac158ad144dc0d5a510d6137b115dc87ce9a078c6fca8b0805c388e7ab991d9ff32998a4179ef04ac4e36a4f1450

Download Submit
C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
576KB

MD5
94e367c9e2d153d00e79121ea0dab54c

SHA1
b95e25d89f00b024783df78002fb539624c86e97

SHA256
a3c963dab11baa00fa448dec3c5a7bb0951dd4ba2bd7d12a90eac5f65231cddd

SHA512
13af1da639f5dd45f8744096fb435d61c91bed6bd6ed51c34b77a83d448b0c6c0e6f058423be48d1d7ec6e4ad962a322eb8e2ff9c962585207176403c9279a02

Download Submit
C:\Windows\SysWOW64\Jldkeeig.exe

Filesize
576KB

MD5
e55a08e3c710e9bfd8fb6278071be997

SHA1
fe5bd081852350c1816d8bc9763f078d414cfda9

SHA256
8657bc2966bd6bef2bf72c820834315c7ea3abb57c7068c327d6cb68bee1577c

SHA512
f6dd0feaeb67419de751799e1b3273b1ad99f486d7595c2a2ccd26257e3b74342e2098d468538978c4bb706f6790ec06e0900b218818ef7135a1c67dbefe4e70

Download Submit
C:\Windows\SysWOW64\Kaaldjil.exe

Filesize
576KB

MD5
e7691c174bfa195770e003fc8081b3ff

SHA1
081ee0b88c3fc730bee754ed83839bab7e3cc947

SHA256
6a9d9b41b26809f147af4955464cad45ae40a0d9759d11a88726dc7763c0806e

SHA512
9a3e792d6b412585e66ce5f8d4366ad85444a36393979517979d06ab16ffe33eff7138ac23cdab393d65af3be33aa8b635fc8166ce0b6b8c2cefe749c233f9df

Download Submit
C:\Windows\SysWOW64\Kajfdk32.exe

Filesize
576KB

MD5
969755b616702af1e1dffcb29f054246

SHA1
5c56209f4282b300383fb054b1135c33bba78a60

SHA256
12f63b4bcbae720cfdcaf682679c42db0908b5ef239e1d5dbfd0cd2fd88792ff

SHA512
c9aca99f15d5e1f4008f804f1ba9ceab2158f516d59eb4261e6a80c60d45984d15c86e79c25d04a2f4084e708a475f99781cc45e78eedc18dca68ba536d27d69

Download Submit
C:\Windows\SysWOW64\Kaopoj32.exe

Filesize
576KB

MD5
ef281e48765e801b7b25762cf7d68e87

SHA1
2f18d41d3ebd89a272cc976a638c2badd669ec89

SHA256
45d031877ca4095996e991a3fcfd7df8448584f6ab6704cc7867749b066352b9

SHA512
797a5b3a3eb6445c209f387c926cc55ccf407c6af7d67928a048442368e026e44ee516d389417cb9f18be135b299af05031342e09696f699f4db3cd0478c4aee

Download Submit
C:\Windows\SysWOW64\Kdkoef32.exe

Filesize
576KB

MD5
60442b72df09395bb837baedf031c4ee

SHA1
a4211c26a8262d40ef2308a467ebdf1a16db0256

SHA256
cb55461d8ac260183f2565c1bcedde7a8e1546bb6a359eb7c4c243f179b06f83

SHA512
76fa9f0f60eb0e69655b47175b398a78556ed2a30ea6625d32e30da3561ad00c07c103b374c88b66f861c5286f54f9c15f0c7ed1135c51cb689093dfbdef30c4

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
576KB

MD5
ae758085f2a70b461d38a341f4cbfc5e

SHA1
b5f4a6ee1270926017019d24dbcca40310fccf23

SHA256
dde3cf6fbc2b068760b0084ddc72d7625d6760f30c06e14a82e296b0cbbeadc8

SHA512
c0feb55957323ab872dc805ed1da2a97fd373651ddef7fcd7c70ff2c2328d5265bae85efc6d319fc3180cf10986c4fc9190eaed202155b7cf62e4c90f97cc07d

Download Submit
C:\Windows\SysWOW64\Kemhei32.exe

Filesize
576KB

MD5
e89c340d741cd9636d0374e618128c46

SHA1
b58b463126ad258cc2afd675ce995c447d086df6

SHA256
8bef1a55eb8eef02d71c6dfd72b23f121b2d6110dbe071ae741303857e13fb93

SHA512
d4070392cb9ce26f5fa004e5fd23c7842a9948dca04e75e56d4a6fd29b83854d2c5b77aef7e3051da31ea9f32b3e64ec187a0bf441e63a7d25f00bda96172f0d

Download Submit
C:\Windows\SysWOW64\Khihld32.exe

Filesize
576KB

MD5
3e48392869758ef817a373dfd1514277

SHA1
bc7111f883b114720b8641d698abb35b4c1e1c00

SHA256
da9af4da53f16ca46a3c66108e16cd77a2f519ec59160a1c6013abbccdb3daa7

SHA512
9afdd0484b8c2a1aa773fc0acd025ecdc06d308426a8700836ca0bf6284b5dd8ee21c95610bbcc429441e696505332dbafffc096e2d3c80d6c3ba971bc3ae75f

Download Submit
C:\Windows\SysWOW64\Khkdad32.exe

Filesize
576KB

MD5
09dd3ba0b8486bea91cfb4f2e006e092

SHA1
93cb58059cfdcf4616adb081f4a10143f46905c0

SHA256
045274615840549a8bc7b59d081ee48a19ab7b1c7265b87526807f035ef0c4f1

SHA512
f4994e05e5021a27ba218f68eae41212e87361a005bd76d246d7e72b4849c991e2d13599485a9e0ced6a89853499f6784cb4e54e526ec300982fd7065d63dc48

Download Submit
C:\Windows\SysWOW64\Kkegbpca.exe

Filesize
576KB

MD5
5962d68dd360bdff79b82b03b0682550

SHA1
901ed6d14f6471de565a561dbc767cb50601f775

SHA256
5fbfd3090a89e6f7dc6116cbd08885fc3d11672ec9a0d207fdce37be29e46ea5

SHA512
81e944e8d66e1e326eb9bd7634dfc2b66d2054a22c19853e1ed7659ec3375ec1c3b2491b86beedcce6297afdfd7e29ea46809a78d4cffee9534a173fbff6e204

Download Submit
C:\Windows\SysWOW64\Kocphojh.exe

Filesize
576KB

MD5
65d7dbc38530a46b7c57b2456428349e

SHA1
2f0669afec2ebe99545677c35c694a9ef6dc32a0

SHA256
0e2093e10a9de0909c3d061241186fb4c409b71e3ae9f3e7e8d84606089e03b9

SHA512
956e6506925286499ecfa41c59b54d662ffc4f6267cfc5cce0b7674e1a8dd21054adf1837d977c4268112eb1e917cad46ed4a9a32ab72cf93640b99bccf04b82

Download Submit
C:\Windows\SysWOW64\Laffpi32.exe

Filesize
576KB

MD5
32e131910791ae5ca086f0f7671797d4

SHA1
84618ea51570feda97df2d30de97fbdd1c55bd8a

SHA256
0388f97fc487ba41165864bc675b26bc8df276b73344329457ba7d142e7be687

SHA512
191cff3dcec55eaba11f1a7cd6f4a727c39ea3608878d1cb96a09aaddbeb00b3328e426cf064dafb60935b5693ba6b7f58d1cc0770de52209577d3a731e466fc

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
576KB

MD5
988a6a0be4b825faa56ad1814ccb9812

SHA1
e23f19b79bf807f1522bbd0aa4caa47432738181

SHA256
edb1fbf5ec52700dc6db12e88212577960afbc6e0e0c6857d7547f037f5bd5e6

SHA512
d91eb2a5a45a5202f6e399992709edf353dba71bc55874f9d719ca072bfb728e9a6b522244c52c8b199b010f69d3c09bde2b9167a3404aec6d96a40bfbbb7966

Download Submit
C:\Windows\SysWOW64\Lbqinm32.exe

Filesize
576KB

MD5
382fc72e5c5e39a7ab3180083ec0ca18

SHA1
c3a9f99f40644788a55e2689aba1bc835f68e149

SHA256
641aabf98aae77294a6e1765c1f8481de6ceaf6f78381fae5aea2ee058497e7b

SHA512
e6358cae1ee898934b6122d129727546a49498a45688428d31d96363ab2c58178d20d23604a65acd1dfc02c2e299ddf1b49686eb96c2a0a7a3252bc038b47bd9

Download Submit
C:\Windows\SysWOW64\Leabphmp.exe

Filesize
576KB

MD5
28013e8e1705fe669857bc9f5cd104a4

SHA1
b3d0a5e646f2ec34d55babb1db6e4207212a6f00

SHA256
d1db0fddbdca8dbc70dde06846c4c41e2373de18620140b24a025bbd9d7ae24b

SHA512
151874fb974b640827528981f67283c6933ce89a0a25f7b5785bd1489cd1acb046862ca3d9863b19e373ddb38016d436fd1efb5590913c4bf2ebe47eee82b419

Download Submit
C:\Windows\SysWOW64\Ledoegkm.exe

Filesize
576KB

MD5
f932d710156d34ddb067c18508c08044

SHA1
0d443f0d9ba7203c034da5bd37151b2938cd2fe5

SHA256
62c711f50d320c46fad018105b78f9a42c10f2bcc70455de83f51275fd49d6d7

SHA512
cfde3cf538209215e254f888f84618a6e78d375a07caed4fb530a8d51ede209706a43e8a0bf55ab241499ad68553869c37271015adf374686feb41fc2f924645

Download Submit
C:\Windows\SysWOW64\Leoejh32.exe

Filesize
576KB

MD5
a3bd9f1d94c5c495c7dc50b3e8303403

SHA1
04bb523076a77be82898779c0b48aa16100c0239

SHA256
f7b6d7dd331a4c6ca9478da831b97c82bda891ac8869aba9378bcc0e1dc211c2

SHA512
f423e39a7b9aab68b6cd78b463720a959b8c4687eaf0474111d7155197c008d921ac621d3541e1ed62d4bb6e6c92cb19d01f6998a3f2f25e2e8eb36846dabc93

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
576KB

MD5
0ebad51f6f40ad15a3a639d39a6d087f

SHA1
26f512227f50e7adb2f9ba4e567ad225bd67118c

SHA256
0c4246c4188d0ff9cb1eb338eaac79fd86a868a0be42d572835b7917be6a5076

SHA512
c8b866a134c75bd959bf19ac893649e60694b43390adbaa7bb33820e11e34c77ada44f8b310fe71fd4e949065fd7b886f5c799d9bae649a26cbb52d36d032130

Download Submit
C:\Windows\SysWOW64\Lhmafcnf.exe

Filesize
576KB

MD5
41767167c863022f18a3984516f7c2c5

SHA1
516dfb83a3106f4e5af5280d71636b054c07d0f0

SHA256
9c25fe3e03af5ff0d6bd3011ff9bf7894c101bff5a40735b05a600df0bb043ff

SHA512
a504000c702175c6da05355e177b2c88c2746860151bd5a657277380f04daf0748b54af1c9ce79b9dbd2743e5fdab5048b3478e6292d8c862f2d2f5e4c112749

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
576KB

MD5
704a2fdcaec09dfde92a822e9ca9326c

SHA1
ebfb8ca48f235ac99c5fe897c9cb7652451c8434

SHA256
b3fd2ab43ef6bdec8ea820804efb315e681db91aafc04ac4ea43aa8f91f77430

SHA512
9b75ec04cbff6ab9d111017960e9cd224edf2fe0e6a1d9b7de99f1d8520284f4a71c630a5595a935b442273d49b88fc76a1b23e9be95a8adc37702cc4f65727d

Download Submit
C:\Windows\SysWOW64\Lkiamp32.exe

Filesize
576KB

MD5
b5af7858c3d9321a7de211e3020d3035

SHA1
13e159d8154971bfce47e8fecf607c586f29c936

SHA256
361baaf0815490f878a901877e1dde1cf157db38bf907e67959d90543d2c4015

SHA512
067aa90d14f581eff29b49b34daa96611117193b329de46d5cd7f42f945086decf74ea021eda4c38dd97e870a92feffd78edb18183e8689f14132838c2593090

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
576KB

MD5
ad742bde67c9ce8c89bda0973366c05f

SHA1
d64f017790da1c37199066646c5bad69cc13087a

SHA256
11de09913481bcd31b5d1f0dcff7d47a014d6cac0b594ccc674d4d0462576531

SHA512
1ddaf7e5de630fbfda36bee90007fd39bc65860ddb8016d730879419e179d710599a6e4b18872dcec3b7a72dd757c9cce35b157f88d6d893701a913dc1cb7229

Download Submit
C:\Windows\SysWOW64\Llimgb32.exe

Filesize
576KB

MD5
865141d5c549f1c54cd108d5f73db72c

SHA1
2ca6688705e0045f52e18d01c37017055cbf5d3f

SHA256
8e93e8b6c7227d203f066de196bda8a8d131a73165066ab7708ca409944ee58f

SHA512
97344bda3d19d93b317f19dc2271d71c76b3b9a8b330b370bceb80c68caf009b9ddb512d3a590c238aa6f596aaec7977d8d95db5d57df2a8e4b99626ec3c3960

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
576KB

MD5
b6cd10db71becfbc87508809ec5e89bf

SHA1
f3a35026fa68a1fe7d7cb220b24b6c3b9f67ab8a

SHA256
f9cdfeb821206f33aae7dcbcec9932dde3fe3b0d8c1b2c11d0b43bc35dfd14ed

SHA512
001fd53b0c09ae53e3aa42cf4cec73dd7caba582d5e3b137ce648670fef165f49255b67fb0b9c9e5563fae36c3a4d3693a4017735041c65a4370c02deb4a58dc

Download Submit
C:\Windows\SysWOW64\Logicn32.exe

Filesize
576KB

MD5
dd2d91b9e861fc50f72b71308bde8a0a

SHA1
ac8ba7ca72a0bb316cf4d91b857c5e519223c557

SHA256
7b6ec4ab7c41a006e64afcf9fa21414f7722acdd7a14eb4853dd7fd2c2544798

SHA512
f18aeb657e4f10dd31a894204124839eed48eff6f1c12da98075a00fd0dedc198160e62fbdefb89011bdc1da769365618669b9aceb851d4e65dbf7f3e1518159

Download Submit
C:\Windows\SysWOW64\Ojglddfj.dll

Filesize
7KB

MD5
9b1bec8dbe75d860a78bf4644993f352

SHA1
5b13966b5a9b14b9e8fef4ef877903526da12317

SHA256
e85f0d413bd242dd003b8067f3371484ae6e34878a6e3bec1a33664f97319144

SHA512
d94692c7d6527a715d02d702b20c9a8468290f0121df5173b4f4df36542b88295e464fc402630bd48b21614433b53d667d13e37efdd2efd70cb27aab8b368d9f

Download Submit
memory/112-149-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/416-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/416-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/464-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/688-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/836-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1004-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-164-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1932-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2056-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2220-132-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-315-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2572-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2796-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3272-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3348-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3388-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3396-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3544-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3868-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3888-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4016-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4216-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4316-108-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4900-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4980-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5020-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads