cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/08/2024, 02:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Size

80KB
MD5

8b4cace44c8173d9b410121ca1fd4117
SHA1

79388cd89908d6229c25f5f198599a2b3385799c
SHA256

cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0
SHA512

a429548bd2cd0c8f5e92edb95d289389b6636be57c7fbcb7a57ac68a79fd231a195fe4e1b508ae54109969bf48f83c40c23561f62a6a6f722b3fa9dde5dadc09
SSDEEP

1536:RVteIar9L58y+y1NLKLDHGlV7L766a2LdES5DUHRbPa9b6i+sIk:RVtV0dXTuLDHGvLJeS5DSCopsIk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcnahoo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgfjggll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Loclai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkmmlgik.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lemdncoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lifcib32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lplbjm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmklh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llepen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkojbf32.exe

Executes dropped EXE 19 IoCs

pid	Process
1084	Kmimcbja.exe
2672	Kdbepm32.exe
2592	Kkmmlgik.exe
1936	Kpieengb.exe
1772	Kgcnahoo.exe
2984	Kkojbf32.exe
2528	Llpfjomf.exe
2808	Lplbjm32.exe
2440	Lgfjggll.exe
2420	Lpnopm32.exe
2560	Lcmklh32.exe
2392	Lifcib32.exe
2656	Llepen32.exe
1756	Loclai32.exe
2332	Lemdncoa.exe
2088	Lhlqjone.exe
2208	Lkjmfjmi.exe
1644	Lcadghnk.exe
688	Lepaccmo.exe

Loads dropped DLL 42 IoCs

pid	Process
3012	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
3012	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
1084	Kmimcbja.exe
1084	Kmimcbja.exe
2672	Kdbepm32.exe
2672	Kdbepm32.exe
2592	Kkmmlgik.exe
2592	Kkmmlgik.exe
1936	Kpieengb.exe
1936	Kpieengb.exe
1772	Kgcnahoo.exe
1772	Kgcnahoo.exe
2984	Kkojbf32.exe
2984	Kkojbf32.exe
2528	Llpfjomf.exe
2528	Llpfjomf.exe
2808	Lplbjm32.exe
2808	Lplbjm32.exe
2440	Lgfjggll.exe
2440	Lgfjggll.exe
2420	Lpnopm32.exe
2420	Lpnopm32.exe
2560	Lcmklh32.exe
2560	Lcmklh32.exe
2392	Lifcib32.exe
2392	Lifcib32.exe
2656	Llepen32.exe
2656	Llepen32.exe
1756	Loclai32.exe
1756	Loclai32.exe
2332	Lemdncoa.exe
2332	Lemdncoa.exe
2088	Lhlqjone.exe
2088	Lhlqjone.exe
2208	Lkjmfjmi.exe
2208	Lkjmfjmi.exe
1644	Lcadghnk.exe
1644	Lcadghnk.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe
2320	WerFault.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kmimcbja.exe	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
File created	C:\Windows\SysWOW64\Llpfjomf.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Bccjfi32.dll	Kkojbf32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmklh32.exe	Lpnopm32.exe
File opened for modification	C:\Windows\SysWOW64\Lemdncoa.exe	Loclai32.exe
File created	C:\Windows\SysWOW64\Kpieengb.exe	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Lplbjm32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Lifcib32.exe	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Kmimcbja.exe	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
File opened for modification	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kkmmlgik.exe
File opened for modification	C:\Windows\SysWOW64\Llpfjomf.exe	Kkojbf32.exe
File created	C:\Windows\SysWOW64\Lkjmfjmi.exe	Lhlqjone.exe
File opened for modification	C:\Windows\SysWOW64\Lplbjm32.exe	Llpfjomf.exe
File created	C:\Windows\SysWOW64\Lioglifg.dll	Loclai32.exe
File created	C:\Windows\SysWOW64\Gffdobll.dll	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Dlcdel32.dll	Llpfjomf.exe
File opened for modification	C:\Windows\SysWOW64\Lgfjggll.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Llepen32.exe	Lifcib32.exe
File created	C:\Windows\SysWOW64\Bodilc32.dll	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
File created	C:\Windows\SysWOW64\Kdbepm32.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Fhdikdfj.dll	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Kkmmlgik.exe	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Kgcnahoo.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Lcmklh32.exe	Lpnopm32.exe
File created	C:\Windows\SysWOW64\Hnanlhmd.dll	Lpnopm32.exe
File created	C:\Windows\SysWOW64\Lemdncoa.exe	Loclai32.exe
File created	C:\Windows\SysWOW64\Pihbeaea.dll	Kkmmlgik.exe
File created	C:\Windows\SysWOW64\Onkckhkp.dll	Lemdncoa.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File created	C:\Windows\SysWOW64\Pgodelnq.dll	Kpieengb.exe
File created	C:\Windows\SysWOW64\Dllqqh32.dll	Lgfjggll.exe
File created	C:\Windows\SysWOW64\Mcbniafn.dll	Lifcib32.exe
File created	C:\Windows\SysWOW64\Onpeobjf.dll	Kdbepm32.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lcadghnk.exe
File opened for modification	C:\Windows\SysWOW64\Lpnopm32.exe	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Loclai32.exe	Llepen32.exe
File created	C:\Windows\SysWOW64\Lhlqjone.exe	Lemdncoa.exe
File opened for modification	C:\Windows\SysWOW64\Lhlqjone.exe	Lemdncoa.exe
File opened for modification	C:\Windows\SysWOW64\Lkjmfjmi.exe	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Lcadghnk.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Lgfjggll.exe	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Lpnopm32.exe	Lgfjggll.exe
File opened for modification	C:\Windows\SysWOW64\Lifcib32.exe	Lcmklh32.exe
File opened for modification	C:\Windows\SysWOW64\Lcadghnk.exe	Lkjmfjmi.exe
File created	C:\Windows\SysWOW64\Hfopbgif.dll	Lplbjm32.exe
File created	C:\Windows\SysWOW64\Alhpic32.dll	Kmimcbja.exe
File created	C:\Windows\SysWOW64\Kgcnahoo.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Kkojbf32.exe	Kgcnahoo.exe
File created	C:\Windows\SysWOW64\Gkeeihpg.dll	Lcmklh32.exe
File created	C:\Windows\SysWOW64\Loclai32.exe	Llepen32.exe
File created	C:\Windows\SysWOW64\Agpqch32.dll	Llepen32.exe
File created	C:\Windows\SysWOW64\Iekhhnol.dll	Lhlqjone.exe
File created	C:\Windows\SysWOW64\Oldhgaef.dll	Lcadghnk.exe
File opened for modification	C:\Windows\SysWOW64\Kdbepm32.exe	Kmimcbja.exe
File opened for modification	C:\Windows\SysWOW64\Llepen32.exe	Lifcib32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2320	688	WerFault.exe	48

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpnopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loclai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhlqjone.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcadghnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lplbjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgfjggll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lifcib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llepen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lemdncoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkjmfjmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkmmlgik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdbepm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kkojbf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llpfjomf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcmklh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmimcbja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcnahoo.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekhhnol.dll"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhlqjone.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhdikdfj.dll"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkmmlgik.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llepen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpeobjf.dll"	Kdbepm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll"	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkjmfjmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkojbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkjmfjmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlcdel32.dll"	Llpfjomf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll"	Lpnopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkckhkp.dll"	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhlqjone.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lioglifg.dll"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gffdobll.dll"	Kgcnahoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lifcib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjfi32.dll"	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llpfjomf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Loclai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcadghnk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhpic32.dll"	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeeihpg.dll"	Lcmklh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lcadghnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmimcbja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lplbjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpqch32.dll"	Llepen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllqqh32.dll"	Lgfjggll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lemdncoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbepm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkojbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpnopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lifcib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llepen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmimcbja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll"	Kkmmlgik.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1084	3012	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe	30
PID 3012 wrote to memory of 1084	3012	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe	30
PID 3012 wrote to memory of 1084	3012	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe	30
PID 3012 wrote to memory of 1084	3012	cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe	30
PID 1084 wrote to memory of 2672	1084	Kmimcbja.exe	31
PID 1084 wrote to memory of 2672	1084	Kmimcbja.exe	31
PID 1084 wrote to memory of 2672	1084	Kmimcbja.exe	31
PID 1084 wrote to memory of 2672	1084	Kmimcbja.exe	31
PID 2672 wrote to memory of 2592	2672	Kdbepm32.exe	32
PID 2672 wrote to memory of 2592	2672	Kdbepm32.exe	32
PID 2672 wrote to memory of 2592	2672	Kdbepm32.exe	32
PID 2672 wrote to memory of 2592	2672	Kdbepm32.exe	32
PID 2592 wrote to memory of 1936	2592	Kkmmlgik.exe	33
PID 2592 wrote to memory of 1936	2592	Kkmmlgik.exe	33
PID 2592 wrote to memory of 1936	2592	Kkmmlgik.exe	33
PID 2592 wrote to memory of 1936	2592	Kkmmlgik.exe	33
PID 1936 wrote to memory of 1772	1936	Kpieengb.exe	34
PID 1936 wrote to memory of 1772	1936	Kpieengb.exe	34
PID 1936 wrote to memory of 1772	1936	Kpieengb.exe	34
PID 1936 wrote to memory of 1772	1936	Kpieengb.exe	34
PID 1772 wrote to memory of 2984	1772	Kgcnahoo.exe	35
PID 1772 wrote to memory of 2984	1772	Kgcnahoo.exe	35
PID 1772 wrote to memory of 2984	1772	Kgcnahoo.exe	35
PID 1772 wrote to memory of 2984	1772	Kgcnahoo.exe	35
PID 2984 wrote to memory of 2528	2984	Kkojbf32.exe	36
PID 2984 wrote to memory of 2528	2984	Kkojbf32.exe	36
PID 2984 wrote to memory of 2528	2984	Kkojbf32.exe	36
PID 2984 wrote to memory of 2528	2984	Kkojbf32.exe	36
PID 2528 wrote to memory of 2808	2528	Llpfjomf.exe	37
PID 2528 wrote to memory of 2808	2528	Llpfjomf.exe	37
PID 2528 wrote to memory of 2808	2528	Llpfjomf.exe	37
PID 2528 wrote to memory of 2808	2528	Llpfjomf.exe	37
PID 2808 wrote to memory of 2440	2808	Lplbjm32.exe	38
PID 2808 wrote to memory of 2440	2808	Lplbjm32.exe	38
PID 2808 wrote to memory of 2440	2808	Lplbjm32.exe	38
PID 2808 wrote to memory of 2440	2808	Lplbjm32.exe	38
PID 2440 wrote to memory of 2420	2440	Lgfjggll.exe	39
PID 2440 wrote to memory of 2420	2440	Lgfjggll.exe	39
PID 2440 wrote to memory of 2420	2440	Lgfjggll.exe	39
PID 2440 wrote to memory of 2420	2440	Lgfjggll.exe	39
PID 2420 wrote to memory of 2560	2420	Lpnopm32.exe	40
PID 2420 wrote to memory of 2560	2420	Lpnopm32.exe	40
PID 2420 wrote to memory of 2560	2420	Lpnopm32.exe	40
PID 2420 wrote to memory of 2560	2420	Lpnopm32.exe	40
PID 2560 wrote to memory of 2392	2560	Lcmklh32.exe	41
PID 2560 wrote to memory of 2392	2560	Lcmklh32.exe	41
PID 2560 wrote to memory of 2392	2560	Lcmklh32.exe	41
PID 2560 wrote to memory of 2392	2560	Lcmklh32.exe	41
PID 2392 wrote to memory of 2656	2392	Lifcib32.exe	42
PID 2392 wrote to memory of 2656	2392	Lifcib32.exe	42
PID 2392 wrote to memory of 2656	2392	Lifcib32.exe	42
PID 2392 wrote to memory of 2656	2392	Lifcib32.exe	42
PID 2656 wrote to memory of 1756	2656	Llepen32.exe	43
PID 2656 wrote to memory of 1756	2656	Llepen32.exe	43
PID 2656 wrote to memory of 1756	2656	Llepen32.exe	43
PID 2656 wrote to memory of 1756	2656	Llepen32.exe	43
PID 1756 wrote to memory of 2332	1756	Loclai32.exe	44
PID 1756 wrote to memory of 2332	1756	Loclai32.exe	44
PID 1756 wrote to memory of 2332	1756	Loclai32.exe	44
PID 1756 wrote to memory of 2332	1756	Loclai32.exe	44
PID 2332 wrote to memory of 2088	2332	Lemdncoa.exe	45
PID 2332 wrote to memory of 2088	2332	Lemdncoa.exe	45
PID 2332 wrote to memory of 2088	2332	Lemdncoa.exe	45
PID 2332 wrote to memory of 2088	2332	Lemdncoa.exe	45

C:\Users\Admin\AppData\Local\Temp\cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe
"C:\Users\Admin\AppData\Local\Temp\cc3e69c06943532341e09c0bd4bdee39e7e013a152c729342b490afa629bd4a0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Kmimcbja.exe
  C:\Windows\system32\Kmimcbja.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\Kdbepm32.exe
    C:\Windows\system32\Kdbepm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\Kkmmlgik.exe
      C:\Windows\system32\Kkmmlgik.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
      - C:\Windows\SysWOW64\Kgcnahoo.exe
        
        C:\Windows\system32\Kgcnahoo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\SysWOW64\Kkojbf32.exe
        
        C:\Windows\system32\Kkojbf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Llpfjomf.exe
        
        C:\Windows\system32\Llpfjomf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Lplbjm32.exe
        
        C:\Windows\system32\Lplbjm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Lgfjggll.exe
        
        C:\Windows\system32\Lgfjggll.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Lpnopm32.exe
        
        C:\Windows\system32\Lpnopm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Lcmklh32.exe
        
        C:\Windows\system32\Lcmklh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Lifcib32.exe
        
        C:\Windows\system32\Lifcib32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Llepen32.exe
        
        C:\Windows\system32\Llepen32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Loclai32.exe
        
        C:\Windows\system32\Loclai32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Lemdncoa.exe
        
        C:\Windows\system32\Lemdncoa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Lhlqjone.exe
        
        C:\Windows\system32\Lhlqjone.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Lkjmfjmi.exe
        
        C:\Windows\system32\Lkjmfjmi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Lcadghnk.exe
        
        C:\Windows\system32\Lcadghnk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:688
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 140
        21⤵
        Loads dropped DLL
        Program crash
        
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdbepm32.exe

Filesize
80KB

MD5
83503eb5ff5cf20524115b0912511df2

SHA1
5efb670ef0bca9a0d65859dde43edbf906418994

SHA256
50239a26b573e05a1929bdb619f1b784764c16175a8a49a517364db4f2be273c

SHA512
1eaaada5f3c28927c570b022ac5f3c2d00b9d57da7e54bfb54986ded10f734a758fb277e986ed346b339e44af53201a65d826c5523b6d678d9b00466e15dfa22

Download Submit
C:\Windows\SysWOW64\Kkmmlgik.exe

Filesize
80KB

MD5
c202dd754f4cea931fc4627809178f4c

SHA1
daef9dfa5c33dbd772e728b84a30c428777ce8af

SHA256
21582b645b2e6df4d1a841f8daf4af9dcb786ae7a1f09623c2b45e35397bfdaa

SHA512
c527faeb2578334a9d00feb2378ede1447af58d89593fdd3206d6020e7cab61abe38bd45bdb129e076984b8680e0d7566658ff46b3c51b108d490e8e5f5ef659

Download Submit
C:\Windows\SysWOW64\Lcadghnk.exe

Filesize
80KB

MD5
b0abd24fae9876b8dbebc73dd8b9bd76

SHA1
7d32f451dfe437eba5506876465ef2febcab785a

SHA256
3eb6f81e0a39556bb59ac51983a40afa3ccc4a8d6e4ae40da926be3c10e18191

SHA512
14a101c0b2c1540c52dad9c909797cd4eed4dda83e220707f0a816653b093bd39efb861272854603d0638889d089ad967e4626317fe7ce48f88f3006283119c2

Download Submit
C:\Windows\SysWOW64\Lemdncoa.exe

Filesize
80KB

MD5
5e72392662f80345b16c93f7a17f4a4c

SHA1
e74235c738ee9c4cf58f1b3bb1b89780544cfccc

SHA256
d8716cdaa6c8216b18d4328dfb779b44e0901a786c4c9ff2d8b6f5e756038cd3

SHA512
9f6c91f9781c0ebd49571301b95988add1d7095460d25763ee75785b36153305fbe82dc0d4547359d581256bcbe7899cde939cea0de33bfe01bb04ec30c6efba

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
80KB

MD5
25fb5042c5c0938dac3266f4d1c911a9

SHA1
7d18c76c5e7abc3aa16aa47d2373caac65df3991

SHA256
ea9b341e6476852905ed58326d91febebd28464c47e3df6eaacf5d401526b991

SHA512
0a0761c5ba142d7d1f116173a05729ca6e7db1cf9b031708ed9173ffa07234583e9aeb3181845640ec7aa7992428cda89fca43aac99c8af59c393ebfddd32181

Download Submit
C:\Windows\SysWOW64\Lgfjggll.exe

Filesize
80KB

MD5
35bd7df6cba129b419c2b984206939c5

SHA1
813a6fb5c4255633a8f807aa28d7dd7856065565

SHA256
18eb7e5b3ae4f46536e1f74b7c8fbe13013a8f23b5b09e89b5fbaa0b58c40dd3

SHA512
f9e322104739d6dc02d3f5733d7826a90e47b6f2886b26baab381be30fc621018b9fd851d5ff3abb57cf4d4642ac5ed05da5853972e255c90e793d89ca20ca1c

Download Submit
C:\Windows\SysWOW64\Lkjmfjmi.exe

Filesize
80KB

MD5
42dec80b21e847052aebad1a4a2142db

SHA1
1b2dcde7bc960788c7bade68985fb532b7d27951

SHA256
f12cb2fab0d4dba0aa147d292b341c27725eeff8a8618befd59ba995f7d0ece0

SHA512
0ba012c9d5085d782c671b777f7b194a9cf2a63c8b97cd3d54ad87b37eae4721ec092bd9adcccaca91580440028861c99c031bb4ac71f666e8b3cdfdd8ce6365

Download Submit
C:\Windows\SysWOW64\Llepen32.exe

Filesize
80KB

MD5
90faa7628149023df7dc08e31c5eeb85

SHA1
77ba0c0c2fbbaab3dbc6d40cb56481bf8a0324f9

SHA256
69c77be59d587d0b50952d0c9fed1455f51b7cf0b7622e1e9aeb162655ef2acd

SHA512
8d0be483c02f078b49582216a3789ba534ad6ce81315c1658f75fc9d41e7b86819b7f71e4703d2bc8f64f4872c91bc87efcae4fa68845e4070f52867d6eb0e80

Download Submit
\Windows\SysWOW64\Kgcnahoo.exe

Filesize
80KB

MD5
5332461c07da74a23449a6abe833cb5e

SHA1
8b55fcd31b0236c216120120ae9fee17ccff675f

SHA256
bdeeeef5dd370c2521a662b8404a948cea2d05b4f5010e0318a8174ba4dc8b53

SHA512
52d3c14b7119d81fb596834455cff4674ec9bb997fe4974512bf0f7217d859a56963da5015174b05cece937738270f51ea5a245863fd834f161bc4bc76fc2a6a

Download Submit
\Windows\SysWOW64\Kkojbf32.exe

Filesize
80KB

MD5
2d4482311292a12342a8cfd577908093

SHA1
e388645ba3d66871e094ef80b3fd3535d14c403e

SHA256
c87fa523c24014ab9ee13361052c164bbf979df7c044e2379dd44d941340c779

SHA512
ec78eeceff016bd899856e101a476124eb2b9d5c0cc5a0f0351ebb91d8611199c45331242e8e234bb9e7c1be9f8db6aab37d8bf826aa2b4693a0025f4763a412

Download Submit
\Windows\SysWOW64\Kmimcbja.exe

Filesize
80KB

MD5
d97cee4c4f3e56b7484e661f7807ecc8

SHA1
ced49023b5b577e0f0f1c2360c5aac2eff3a93b4

SHA256
9b2ed8c1df85cb6a3472aaec3fdd601667907dc2241f685a0787dab4ebfe85bc

SHA512
2efa82c491f4b5b50b79b3d15360bb1d186bde2f6337b915c1b787cbaa52629d1f565a146eb604b8b023c6213e406b26dfdce1f8fe0f15bf0d8d7addc9ebd6e8

Download Submit
\Windows\SysWOW64\Kpieengb.exe

Filesize
80KB

MD5
2ce9422bd8ec070d384520329cf0d023

SHA1
1d7f17c1b0c920f8b95184cb9d46235c34fe0bf6

SHA256
af4e9cb15b156f0235d6c23141ca81b0b91367493fe17e9680aa6f27895d587b

SHA512
b2565f3bab221866db76969a2e025ae09169d96d129e2edddd6e23168f7f3e24ef6ce6ff038bf5493474a6a4dcdcb3340a22bdeb36d03543638a8dc21f817fd0

Download Submit
\Windows\SysWOW64\Lcmklh32.exe

Filesize
80KB

MD5
a4a2399e8b2ad20261739399ec3521f1

SHA1
544c9f2f79f3e3c644cd7e577836039f6b8640ee

SHA256
bbdbc19df9cf830127422b7da77f8fbed2b7d633c888bbf3860f64a6c3ddf931

SHA512
5eabac9660dd3fdff47aa3ee1ec3f355d240f3f2650348445f1219e6c7ce5e22b6a1ae5c75e78b2a721cc414c780445c16536ba1c2d34256baa941ea864e5bb8

Download Submit
\Windows\SysWOW64\Lhlqjone.exe

Filesize
80KB

MD5
c849808296f9552181d029e9583b8282

SHA1
32e010592cd55a24b60e9f557ae3f34e8eb399ef

SHA256
ac53fe7d579dd79301a77549c48e5eef9afc503a4b945889369c31cd4d1f6b2a

SHA512
467efddac8f43fd8f81917266b0c5af851ab5948814c046811f539b125bbb2d92ba0cdd378d17f598c5867e54b50499bc9d22ec061bb133ca7660f46b23d20a8

Download Submit
\Windows\SysWOW64\Lifcib32.exe

Filesize
80KB

MD5
105857ca25f027afc94872ddcb10092c

SHA1
0ba29490b13561a25ce7a8b7820a307035158cf5

SHA256
525b3a465970b87a2ad236bfd749637da697114228e48d9125760c9c22fa6635

SHA512
ccf76c639f55aad8feea321c2b49889343f98a5a456b58f99581c390567840be47344c0bb4a329a63343f72914c1a3c298f097babdfa04287abf623e4c3408c8

Download Submit
\Windows\SysWOW64\Llpfjomf.exe

Filesize
80KB

MD5
83480dee6e8eb0795d178ec464f8943a

SHA1
aaa85e31deb7b4600520bd8910b1cb73dfdb9756

SHA256
1a884a2ece01b730b86e6cbc1c6fa9e0d2ac1d92ef5ec1dbc678710418cdd830

SHA512
7b0cc0c0754314064865445f1a5c43d771eef7aa0dc2959fc79d916b5365fe025e48d6f432f122bd75c711f508c58fac469680f479138add64d01a72f5fb01e5

Download Submit
\Windows\SysWOW64\Loclai32.exe

Filesize
80KB

MD5
98d91a0cece9c5468fb4f1873ca1cda4

SHA1
f55c8fb2915271d2a55f64f7d96584cb92e78238

SHA256
a5062aea4e12b6e9360441152ba1e2cdf5db5295fe75d10eb86c606a2438eee8

SHA512
4838561d9a7880f7f53c3e1761f59089e06d5ab4849004c53de833ff4e82829bfa536a52cd22334a3e68cf95a986a9a809863ecf64d44a91f4a0a02e5d4cc07f

Download Submit
\Windows\SysWOW64\Lplbjm32.exe

Filesize
80KB

MD5
5153d19b610733a82e279e7348837b1d

SHA1
d12973273e42816fed11dd5d048d65e95c75634d

SHA256
4a439bc4709c8b3023b598b68c122446078a2adb47fe4c2dadcdcc02d99df0b9

SHA512
d80b78e850c0914ae8095e02e5c744e2822b2744332c41b8c67293db48f865fd69b1a8ca51c70838e3e44a18c9f2c0f7948396c13bbf239d6151d2123aabfe64

Download Submit
\Windows\SysWOW64\Lpnopm32.exe

Filesize
80KB

MD5
7bf9dff95d4d74d3940882f24854ceab

SHA1
fd3af562a096697e00989e28cadd9f5592dccba5

SHA256
38b7f8c33d44e4f6163dc85870bfe70e3aa58fb7bea801f68f5531c1e023c05c

SHA512
613c4380ca5b5055205a757e5bfc03a5437cde18fa1dbd9b8406d6d6499cec16b640ddfa5c0d63b42d31cde6fa186c4e876f7551da8a565c038a724615256afb

Download Submit
memory/688-242-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-27-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1084-26-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1084-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1084-13-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1644-233-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-191-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1756-198-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1772-248-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1772-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1936-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-223-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2088-257-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-219-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2208-258-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2208-228-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2332-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2420-141-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/2420-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-251-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-253-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-54-0x0000000000330000-0x000000000036E000-memory.dmp

Filesize
248KB

Download
memory/2592-41-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2592-246-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-177-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2808-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-7-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/3012-243-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-4-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads