f1cffecd6454c81802dad28c268a201176d394651a8293c268b68b89226a31dc

Analysis

max time kernel
176s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4600e3c90d9bb4805e907eb3a33bef3.exe
Size

45KB
MD5

b4600e3c90d9bb4805e907eb3a33bef3
SHA1

01001b6f8287265b300a151caad7c5b111ee9a65
SHA256

f1cffecd6454c81802dad28c268a201176d394651a8293c268b68b89226a31dc
SHA512

62c981b537f314e4b5fcee7115731f714bbeef086f6aa31a7ba9586a6a9ca65ab84904bc81ecc5966b5103bc7ea33ce24fc36324d56de3d86f661307acb651bc
SSDEEP

768:VtUBkZaY/N7SqiXtudepjZjMa30cywJymx5Ge8CiN/1H5UK:Z3/NOht5hZdEcxGe87

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkgdhp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lahbei32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b4600e3c90d9bb4805e907eb3a33bef3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llngbabj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kalcik32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lahbei32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b4600e3c90d9bb4805e907eb3a33bef3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqpbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdpiqehp.exe

Executes dropped EXE 20 IoCs

pid	Process
2588	Nqcejcha.exe
2604	Njljch32.exe
2592	Ocdnln32.exe
1812	Dgdncplk.exe
4328	Hjolie32.exe
4548	Ieqpbm32.exe
4748	Jdjfohjg.exe
5084	Jjihfbno.exe
3716	Kkpnga32.exe
3316	Klpjad32.exe
3532	Kalcik32.exe
1672	Khfkfedn.exe
2804	Kkgdhp32.exe
1164	Kdpiqehp.exe
112	Lacijjgi.exe
2952	Lklnconj.exe
220	Lhpnlclc.exe
4628	Lahbei32.exe
2384	Llngbabj.exe
2136	Ldikgdpe.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kkpnga32.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Lacijjgi.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Fhkkfnao.dll	Ieqpbm32.exe
File opened for modification	C:\Windows\SysWOW64\Llngbabj.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Fpgkbmbm.dll	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Ieqpbm32.exe	Hjolie32.exe
File created	C:\Windows\SysWOW64\Jjihfbno.exe	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Llngbabj.exe
File opened for modification	C:\Windows\SysWOW64\Ocdnln32.exe	Njljch32.exe
File opened for modification	C:\Windows\SysWOW64\Jdjfohjg.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Hhodke32.dll	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Kdpiqehp.exe	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Idhdlmdd.dll	Lklnconj.exe
File created	C:\Windows\SysWOW64\Hjolie32.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Ofbmdj32.dll	Hjolie32.exe
File created	C:\Windows\SysWOW64\Jdjfohjg.exe	Ieqpbm32.exe
File created	C:\Windows\SysWOW64\Llngbabj.exe	Lahbei32.exe
File created	C:\Windows\SysWOW64\Hmfchehg.dll	Lahbei32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqpbm32.exe	Hjolie32.exe
File created	C:\Windows\SysWOW64\Lajbnn32.dll	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Ocdnln32.exe
File opened for modification	C:\Windows\SysWOW64\Njljch32.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Ocdnln32.exe
File opened for modification	C:\Windows\SysWOW64\Lacijjgi.exe	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Llngbabj.exe
File created	C:\Windows\SysWOW64\Aaqcco32.dll	Jdjfohjg.exe
File created	C:\Windows\SysWOW64\Hpfohk32.dll	b4600e3c90d9bb4805e907eb3a33bef3.exe
File created	C:\Windows\SysWOW64\Jdockf32.dll	Njljch32.exe
File created	C:\Windows\SysWOW64\Kkgdhp32.exe	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Kkgdhp32.exe	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Lahbei32.exe	Lhpnlclc.exe
File created	C:\Windows\SysWOW64\Fljloomi.dll	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Kalcik32.exe	Klpjad32.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Nqcejcha.exe	b4600e3c90d9bb4805e907eb3a33bef3.exe
File created	C:\Windows\SysWOW64\Klpjad32.exe	Kkpnga32.exe
File opened for modification	C:\Windows\SysWOW64\Khfkfedn.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Mobpnd32.dll	Kalcik32.exe
File created	C:\Windows\SysWOW64\Epqblnhh.dll	Kkgdhp32.exe
File created	C:\Windows\SysWOW64\Jmjdlb32.dll	Kdpiqehp.exe
File created	C:\Windows\SysWOW64\Lhpnlclc.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Njljch32.exe	Nqcejcha.exe
File created	C:\Windows\SysWOW64\Lklnconj.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Lfeliqka.dll	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jdjfohjg.exe
File opened for modification	C:\Windows\SysWOW64\Kkpnga32.exe	Jjihfbno.exe
File opened for modification	C:\Windows\SysWOW64\Kalcik32.exe	Klpjad32.exe
File opened for modification	C:\Windows\SysWOW64\Lhpnlclc.exe	Lklnconj.exe
File created	C:\Windows\SysWOW64\Lahbei32.exe	Lhpnlclc.exe
File opened for modification	C:\Windows\SysWOW64\Nqcejcha.exe	b4600e3c90d9bb4805e907eb3a33bef3.exe
File created	C:\Windows\SysWOW64\Ocdnln32.exe	Njljch32.exe
File created	C:\Windows\SysWOW64\Ebpmamlm.dll	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Kdpiqehp.exe	Kkgdhp32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnconj.exe	Lacijjgi.exe
File created	C:\Windows\SysWOW64\Jfdklc32.dll	Lacijjgi.exe
File opened for modification	C:\Windows\SysWOW64\Hjolie32.exe	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Klpjad32.exe	Kkpnga32.exe
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Klpjad32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4844	2136	WerFault.exe	113

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll"	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebpmamlm.dll"	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdockf32.dll"	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljloomi.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b4600e3c90d9bb4805e907eb3a33bef3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llngbabj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b4600e3c90d9bb4805e907eb3a33bef3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkpnga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobpnd32.dll"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofbmdj32.dll"	Hjolie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikfbpdlg.dll"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkkfnao.dll"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpjad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdpiqehp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lacijjgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njljch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqpbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lajbnn32.dll"	Kkpnga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lahbei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b4600e3c90d9bb4805e907eb3a33bef3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jdjfohjg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkgdhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdklc32.dll"	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b4600e3c90d9bb4805e907eb3a33bef3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnconj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeliqka.dll"	Lhpnlclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llngbabj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjolie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqcco32.dll"	Jdjfohjg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klpjad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmjdlb32.dll"	Kdpiqehp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhpnlclc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgkbmbm.dll"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhodke32.dll"	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lacijjgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lahbei32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b4600e3c90d9bb4805e907eb3a33bef3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Llngbabj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdlmdd.dll"	Lklnconj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll"	b4600e3c90d9bb4805e907eb3a33bef3.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2588	1856	b4600e3c90d9bb4805e907eb3a33bef3.exe	91
PID 1856 wrote to memory of 2588	1856	b4600e3c90d9bb4805e907eb3a33bef3.exe	91
PID 1856 wrote to memory of 2588	1856	b4600e3c90d9bb4805e907eb3a33bef3.exe	91
PID 2588 wrote to memory of 2604	2588	Nqcejcha.exe	92
PID 2588 wrote to memory of 2604	2588	Nqcejcha.exe	92
PID 2588 wrote to memory of 2604	2588	Nqcejcha.exe	92
PID 2604 wrote to memory of 2592	2604	Njljch32.exe	94
PID 2604 wrote to memory of 2592	2604	Njljch32.exe	94
PID 2604 wrote to memory of 2592	2604	Njljch32.exe	94
PID 2592 wrote to memory of 1812	2592	Ocdnln32.exe	96
PID 2592 wrote to memory of 1812	2592	Ocdnln32.exe	96
PID 2592 wrote to memory of 1812	2592	Ocdnln32.exe	96
PID 1812 wrote to memory of 4328	1812	Dgdncplk.exe	97
PID 1812 wrote to memory of 4328	1812	Dgdncplk.exe	97
PID 1812 wrote to memory of 4328	1812	Dgdncplk.exe	97
PID 4328 wrote to memory of 4548	4328	Hjolie32.exe	98
PID 4328 wrote to memory of 4548	4328	Hjolie32.exe	98
PID 4328 wrote to memory of 4548	4328	Hjolie32.exe	98
PID 4548 wrote to memory of 4748	4548	Ieqpbm32.exe	99
PID 4548 wrote to memory of 4748	4548	Ieqpbm32.exe	99
PID 4548 wrote to memory of 4748	4548	Ieqpbm32.exe	99
PID 4748 wrote to memory of 5084	4748	Jdjfohjg.exe	100
PID 4748 wrote to memory of 5084	4748	Jdjfohjg.exe	100
PID 4748 wrote to memory of 5084	4748	Jdjfohjg.exe	100
PID 5084 wrote to memory of 3716	5084	Jjihfbno.exe	101
PID 5084 wrote to memory of 3716	5084	Jjihfbno.exe	101
PID 5084 wrote to memory of 3716	5084	Jjihfbno.exe	101
PID 3716 wrote to memory of 3316	3716	Kkpnga32.exe	102
PID 3716 wrote to memory of 3316	3716	Kkpnga32.exe	102
PID 3716 wrote to memory of 3316	3716	Kkpnga32.exe	102
PID 3316 wrote to memory of 3532	3316	Klpjad32.exe	104
PID 3316 wrote to memory of 3532	3316	Klpjad32.exe	104
PID 3316 wrote to memory of 3532	3316	Klpjad32.exe	104
PID 3532 wrote to memory of 1672	3532	Kalcik32.exe	105
PID 3532 wrote to memory of 1672	3532	Kalcik32.exe	105
PID 3532 wrote to memory of 1672	3532	Kalcik32.exe	105
PID 1672 wrote to memory of 2804	1672	Khfkfedn.exe	106
PID 1672 wrote to memory of 2804	1672	Khfkfedn.exe	106
PID 1672 wrote to memory of 2804	1672	Khfkfedn.exe	106
PID 2804 wrote to memory of 1164	2804	Kkgdhp32.exe	107
PID 2804 wrote to memory of 1164	2804	Kkgdhp32.exe	107
PID 2804 wrote to memory of 1164	2804	Kkgdhp32.exe	107
PID 1164 wrote to memory of 112	1164	Kdpiqehp.exe	108
PID 1164 wrote to memory of 112	1164	Kdpiqehp.exe	108
PID 1164 wrote to memory of 112	1164	Kdpiqehp.exe	108
PID 112 wrote to memory of 2952	112	Lacijjgi.exe	109
PID 112 wrote to memory of 2952	112	Lacijjgi.exe	109
PID 112 wrote to memory of 2952	112	Lacijjgi.exe	109
PID 2952 wrote to memory of 220	2952	Lklnconj.exe	110
PID 2952 wrote to memory of 220	2952	Lklnconj.exe	110
PID 2952 wrote to memory of 220	2952	Lklnconj.exe	110
PID 220 wrote to memory of 4628	220	Lhpnlclc.exe	111
PID 220 wrote to memory of 4628	220	Lhpnlclc.exe	111
PID 220 wrote to memory of 4628	220	Lhpnlclc.exe	111
PID 4628 wrote to memory of 2384	4628	Lahbei32.exe	112
PID 4628 wrote to memory of 2384	4628	Lahbei32.exe	112
PID 4628 wrote to memory of 2384	4628	Lahbei32.exe	112
PID 2384 wrote to memory of 2136	2384	Llngbabj.exe	113
PID 2384 wrote to memory of 2136	2384	Llngbabj.exe	113
PID 2384 wrote to memory of 2136	2384	Llngbabj.exe	113

C:\Users\Admin\AppData\Local\Temp\b4600e3c90d9bb4805e907eb3a33bef3.exe
"C:\Users\Admin\AppData\Local\Temp\b4600e3c90d9bb4805e907eb3a33bef3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\SysWOW64\Nqcejcha.exe
  C:\Windows\system32\Nqcejcha.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\Njljch32.exe
    C:\Windows\system32\Njljch32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Ocdnln32.exe
      C:\Windows\system32\Ocdnln32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
      - C:\Windows\SysWOW64\Hjolie32.exe
        
        C:\Windows\system32\Hjolie32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\SysWOW64\Ieqpbm32.exe
        
        C:\Windows\system32\Ieqpbm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Jdjfohjg.exe
        
        C:\Windows\system32\Jdjfohjg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Kkpnga32.exe
        
        C:\Windows\system32\Kkpnga32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Klpjad32.exe
        
        C:\Windows\system32\Klpjad32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Kkgdhp32.exe
        
        C:\Windows\system32\Kkgdhp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Kdpiqehp.exe
        
        C:\Windows\system32\Kdpiqehp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Lacijjgi.exe
        
        C:\Windows\system32\Lacijjgi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\Lklnconj.exe
        
        C:\Windows\system32\Lklnconj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Lhpnlclc.exe
        
        C:\Windows\system32\Lhpnlclc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\Lahbei32.exe
        
        C:\Windows\system32\Lahbei32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Llngbabj.exe
        
        C:\Windows\system32\Llngbabj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        21⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 408
        22⤵
        Program crash
        
        PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4012 --field-trial-handle=2588,i,4353937220825226770,7138584070663735671,262144 --variations-seed-version /prefetch:8
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2136 -ip 2136
1⤵
PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
45KB

MD5
34a15f20700602332d0487a5dd92c8ca

SHA1
ee278a40e29d336c59b1e30eb5c3db6a642b3bd3

SHA256
22226a8c64a48ab23c7a57a553c7327bd3a59cc41b084bee2c536bca0b3160b6

SHA512
eff1e6762c86771751adaa264503bff4387a378849146d26462449cc1f68dc66cd7bbef30b13788fb1f1f5ce85a8a9b313101f51280b5aa5230f2852197666a6

Download Submit
C:\Windows\SysWOW64\Hjolie32.exe

Filesize
45KB

MD5
d34b35bdece33cf34c20d15f261d932a

SHA1
f73f6a081030c98bb88ada3b6b347ca53de55684

SHA256
b5af3611395ef9fb151d3f6fc13746dae62c83719e2eac9e68f5366192c18807

SHA512
ac4ab0bf31fc749fd99cc103f3e450e51628c29350c5685f09fddf2cf86e718c3e8e28fa7e1bd58d2e6b28518a6e51d2eb98a6d27a86ab6adf50372e5b557a0a

Download Submit
C:\Windows\SysWOW64\Ieqpbm32.exe

Filesize
45KB

MD5
efb05f00b9059f2ace73fd7580fefba7

SHA1
915b4781fcfc59230be91a87e0440ace61686e4f

SHA256
864f427ee50b0dec28aa8d1b50ad4ffd06995d427df6d1dbbf23b8f36ac2bc47

SHA512
3ffd0afa6f193f4d710fca21e8a19fc82145a958adb13fdd5e1caaa87f5509d7f2e2a9547534882727cf92ee835bcda266e2001d928f3288ae30c79066284cf3

Download Submit
C:\Windows\SysWOW64\Jdjfohjg.exe

Filesize
45KB

MD5
c0e6e72efb4c6d693ea77e763afa203d

SHA1
6f7db045cbe618bfbfe4c9a127122daf2f09cd10

SHA256
4b824cd440cd7d4288b205ae866d28c151799de2494a04f8361921b1082e1fc2

SHA512
ff8bd0f7cf94dc36760388a7fc4281852f2586e15ccc46c6e4b7326117cdf0ef7c9840d30c8c49d87297db9bf52498c35b0cc7449ce9bad989023482ded50de5

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
45KB

MD5
b7d1125a620e7ec9d88e30a1996f2b50

SHA1
f715a0a126ab8af2b880248c2a70aead5f46adfe

SHA256
55eaedf814eb89d4f83ebe3d2a2cbe98c77e212ec27bcf34aa48521859ff4950

SHA512
e32db712b7e008140166e39207ddb0774fcb515bc13b1ce5d76a665405361999cb7000582582781d90e72cca799edba362fe34105f704991a0103cd8ade6dfa2

Download Submit
C:\Windows\SysWOW64\Kalcik32.exe

Filesize
45KB

MD5
e4ad7a13a9ff02712c93cdd885cb04c5

SHA1
e05094e843a3e09a5d1c624318ade2efaf01aa9d

SHA256
8245a172e33d1f74ade52650c6334e620e038ad6946c079b8780548447aabb52

SHA512
413c3339379dd183cb785d3c8e66ce1af9eb0665d6e5e7068bd1cbe2249e2d1eaf690fffd9066b37bb5c185314d156c3e5c077b11d04162429134260151ee6b6

Download Submit
C:\Windows\SysWOW64\Kdpiqehp.exe

Filesize
45KB

MD5
7679621a4452809263535ff2d66b93aa

SHA1
bf12e8908c8c882390ad31178f81d84d2d4b5cf5

SHA256
829917fd94e3caf11235ea54696a461387c595a8e9a43f3ec0f58d3200d5483e

SHA512
11536a47f26f24eea0fc65cb16c4e3af9bd2ed61f1f6760d2197ec18e0c75ce2a4f2613ba825a931d7e3a8c54dc0ce04ebe5696e60c17a5e2137b5ce3b9f8757

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
45KB

MD5
0a4f5b6bdb151c3104f5390b95315d8d

SHA1
9d14314b980d5e35b3ae0c6d0333d0a1abec5a25

SHA256
4b8ada7f7fd6c2eccc5e99d1a41d7c58736eac6417bbf7064236182666070fef

SHA512
f436bd89cdd1c385b0fdca7b5380fbb62043e96ab584640f47958571adb001dd51f3f31304ff8612ad904c540554aa34b10cb253599bb9e651660f1766660bc0

Download Submit
C:\Windows\SysWOW64\Kkgdhp32.exe

Filesize
45KB

MD5
05e2c1d115d3306cab82b92d460bec76

SHA1
7b0f12184827a98bcca3ea40b942a1e78ffeb2cb

SHA256
bd30e55ef50e027b6ffa45546e078e732a543b9f6ed50ee794e446f923aef49d

SHA512
5fbf2f3ee360cb7b99062abb5a69de28460baf1bb2f569b0986e8078550b1a4267e2cda761836a9c7c513744f18640a13064b387762cfcc438fc5fab6462f293

Download Submit
C:\Windows\SysWOW64\Kkpnga32.exe

Filesize
45KB

MD5
4dce0b2690b8f233871a4b8788bccf85

SHA1
63f588320854589a5cf89870a7b231b967286db9

SHA256
5fedf7fa73f0e27e6692911eb7c28a769a38d69fb7e908cc1faa5f6c1dd45805

SHA512
8a311683302b6e5ffa48950792a9da9103be51a4526b60a9ce9a0c6800e0c49ffea7168fab685fb189b377b34a86a2c98871af59fa4d97c8b484d07eec5fc8cf

Download Submit
C:\Windows\SysWOW64\Klpjad32.exe

Filesize
45KB

MD5
07d5213eacb2e63125c852ef14b3e083

SHA1
358c296ad569da1f5aa9d4f3037d2eeb2cabec65

SHA256
8f3e737233093c50038d589e09a079e37b46ee76a9636069772ea0a519a1cc50

SHA512
3fd041f59c41f9b6183c3454b0e8dc5323b72b902398ba247c0a970beb38f143613eb536546be98b03549de038c0cd4078bc396c5ed2d59e6636a2f39592671b

Download Submit
C:\Windows\SysWOW64\Lacijjgi.exe

Filesize
45KB

MD5
f69347a40f0b941d1c96becc40a767f0

SHA1
93d703f20cbb54bfcfd53aa60ba1f0a99c9207d9

SHA256
2e31043a4ff2c6195c85268ad57574acf995f2d7f96a34ed5044d6b9b972be8c

SHA512
810f9b7c0b12ef92dd4720458abaa4d8dcd244166257ae8fb64a2c96d246a6718062e3bfa06f9be7ef6b66d54d1e1f26b4c2f98e7a7f7e9fe17eee69a4c470e8

Download Submit
C:\Windows\SysWOW64\Lahbei32.exe

Filesize
45KB

MD5
d53ad27e89034584abdbc26d2b163948

SHA1
9d1da948fb663bf93963a39a9e72941f47a351eb

SHA256
1daf082798800dbdf8a26cd4e69738fb0a1c907cd209711c31370e8bbc660108

SHA512
69957b927de0375b027d6585e332c46a56e679223cc861b4feece5cbbd96d3014b1140a683971b36471847ac7bb67faede5639d10becd3311ebc03f9c25d3938

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
45KB

MD5
8e006300fe2533f9cfcecb523e371167

SHA1
b6827b8a8c444b7e46ac298f149456b7e00989ef

SHA256
d7c28bdb06a5bfa497988135bf9acb610d124652785778513539d6fd9ac5ffc7

SHA512
0ed5937a9a4762bdc443565e2b8a03dce961a371792bd4f81fb517a5012971881c1e022c8f1d019cb196086db69afb01fc67daf76e2e622d54c5d2719e285301

Download Submit
C:\Windows\SysWOW64\Lhpnlclc.exe

Filesize
45KB

MD5
e6e468e7fb9968fd70c3e66522f3d0c8

SHA1
363eb25e218405e12360febeec83b0c757c27131

SHA256
338f890480fbf4ce23dd46c6e08c352ee7cf2006665e1513657897b0702c5831

SHA512
d9466f558d2fc1e8db5920396a5cf0169a0bd5c2e7ca8991897528a10719e15f6dabcb56933102803db6f78f9172e3e2d6e7a9ec0687cb56781814cec2fc410c

Download Submit
C:\Windows\SysWOW64\Lklnconj.exe

Filesize
45KB

MD5
b8e524e7b93273d560bdbec2564aeb3b

SHA1
16a5a8419a3dca7545353f1da92714315f4ba2bc

SHA256
5087e7607d6cfc910475a294e6acc3ab61db0ee92a2189693bb3f920771801cd

SHA512
80db79266440f8bfd87edb0993a4b7e8b90fbf9319b693ed185dffd5b9e63884de435f47a495f1c2c3e20966234f4e5f38b47ca7ee7135f2b8a2a06659ded53a

Download Submit
C:\Windows\SysWOW64\Llngbabj.exe

Filesize
45KB

MD5
23dfdbe00bfb12ea0bb9066aa35503fb

SHA1
4142a41186231e58d97919d242c57c504a66aa2d

SHA256
5e54f84519834081f012ae39c646df34ed405c4314d539d591d905bbbd74f158

SHA512
fd7f3eb95dd055c88923a35ee358e8624e8eed5f6a93e8cc6a420059b583fa845773bf5953c39cdfb74624833aae12639522cfba85d97b5d6a72edf23f7f7801

Download Submit
C:\Windows\SysWOW64\Njljch32.exe

Filesize
45KB

MD5
7aff4435c5e9edba6ef63b7c3ba8ad63

SHA1
dac6322a14e56c9956afeb69a9f521df23f94f91

SHA256
4e0b2d97395da46ffd5c59caeea71a5ad1c9c630666634827ca3a8eed59230aa

SHA512
b3dd99fccd534f793f65f5225e1a9e034c3085d91f66a1b91692af04324f59dbfa2447a9c74be6906403438e7a281007f0287880af7b769705d012e223e0a8d9

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
45KB

MD5
dcb3b5616aabd58f814aa82f98b14806

SHA1
7f8c3a187751494301caf39fb34ffafd5e9fdae2

SHA256
afe7c740ae4d60a34ef55935b633a0f9aa4f79cc75cfc11cf8027ab175ee6052

SHA512
04e89fec5ad946d5e71148ee9e916c5de59bc50c2be564ed13f307e7bd16d9fdd255d668202150e15f5b03e8b49c05ea3c3b30c12a08fd79b3b7ae7e08b6eedb

Download Submit
C:\Windows\SysWOW64\Ocdnln32.exe

Filesize
45KB

MD5
1b3bfe2b81f0055cde0c52e2e38d4b47

SHA1
89d7b0d7bc9aeb3c213f630b62d9841e789dc590

SHA256
e438c7dc43d237ed4f287f421d93221bd4a1412a07751eabefecc59e1b4e6c9b

SHA512
0e0d34b40034479778b3c0ebecfa1d88aacd56b17d751ee84f9f4382b3502ad1bba1e84e9e5ff3fa60532f42b9af6af6d9c828f2614c8c5b02ea95c868db352c

Download Submit
memory/112-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/220-167-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/220-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1164-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-172-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-96-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1812-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2136-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2384-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2588-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-181-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2592-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-163-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-104-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2952-168-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-173-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3716-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4328-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4628-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4748-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5084-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads