9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900

Analysis

max time kernel
142s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Size

100KB
MD5

787b1a76eaf05ac3628d3899dab95a91
SHA1

3377369511161714d5a011625ae940bb7146dfef
SHA256

9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900
SHA512

70f4aa5af22eece5d6009cb67261ad43c0b6ed46ff20ab930a5335f2086f383d5c24d0fe900683090778d4bd914449298e28d2aa435feb7aaba6d8253e7c0994
SSDEEP

3072:W2MSo6cJV+rBu9ZcZu/wHHXGRgb3a3+X13XRzT:VMSUU1aZcZu42e7aOl3BzT

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbgfhnhi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kblpcndd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klddlckd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lbebilli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbhool32.exe

Executes dropped EXE 18 IoCs

pid	Process
4000	Kdffjgpj.exe
840	Klmnkdal.exe
2936	Kbgfhnhi.exe
4636	Kefbdjgm.exe
2628	Kalcik32.exe
2544	Khfkfedn.exe
1756	Kblpcndd.exe
752	Klddlckd.exe
1172	Kbnlim32.exe
1064	Khkdad32.exe
4380	Loemnnhe.exe
3348	Ldbefe32.exe
2692	Lbcedmnl.exe
4028	Lknjhokg.exe
3256	Lbebilli.exe
780	Lhbkac32.exe
4924	Lbhool32.exe
4188	Ldikgdpe.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Pmbpeafn.dll	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Klddlckd.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Kblpcndd.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Loemnnhe.exe	Khkdad32.exe
File created	C:\Windows\SysWOW64\Najlgpeb.dll	Lbcedmnl.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Lbhool32.exe
File opened for modification	C:\Windows\SysWOW64\Kefbdjgm.exe	Kbgfhnhi.exe
File opened for modification	C:\Windows\SysWOW64\Klddlckd.exe	Kblpcndd.exe
File created	C:\Windows\SysWOW64\Kbnlim32.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Lbcedmnl.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Kefbdjgm.exe	Kbgfhnhi.exe
File created	C:\Windows\SysWOW64\Hnggccfl.dll	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Lknjhokg.exe	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Lamgof32.dll	Khfkfedn.exe
File opened for modification	C:\Windows\SysWOW64\Khkdad32.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Kdlmhj32.dll	Lbebilli.exe
File created	C:\Windows\SysWOW64\Klmnkdal.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Lbcedmnl.exe	Ldbefe32.exe
File created	C:\Windows\SysWOW64\Oojnjjli.dll	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Klddlckd.exe
File created	C:\Windows\SysWOW64\Kjejmalo.dll	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Mnfooh32.dll	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Ekheml32.dll	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Ldbefe32.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Ldbefe32.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Lknjhokg.exe	Lbcedmnl.exe
File opened for modification	C:\Windows\SysWOW64\Lbhool32.exe	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Kdffjgpj.exe	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
File created	C:\Windows\SysWOW64\Ofnfbijk.dll	Kblpcndd.exe
File opened for modification	C:\Windows\SysWOW64\Lbebilli.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Fhjaco32.dll	Lhbkac32.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Lbhool32.exe
File created	C:\Windows\SysWOW64\Kalcik32.exe	Kefbdjgm.exe
File opened for modification	C:\Windows\SysWOW64\Kalcik32.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Khkdad32.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Lhbkac32.exe	Lbebilli.exe
File opened for modification	C:\Windows\SysWOW64\Lhbkac32.exe	Lbebilli.exe
File created	C:\Windows\SysWOW64\Lbhool32.exe	Lhbkac32.exe
File opened for modification	C:\Windows\SysWOW64\Klmnkdal.exe	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Kbnlim32.exe	Klddlckd.exe
File created	C:\Windows\SysWOW64\Eilbckfb.dll	Khkdad32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffjgpj.exe	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
File created	C:\Windows\SysWOW64\Mobpnd32.dll	Kalcik32.exe
File opened for modification	C:\Windows\SysWOW64\Loemnnhe.exe	Khkdad32.exe
File created	C:\Windows\SysWOW64\Fncnpk32.dll	Kdffjgpj.exe
File opened for modification	C:\Windows\SysWOW64\Kbgfhnhi.exe	Klmnkdal.exe
File created	C:\Windows\SysWOW64\Khfkfedn.exe	Kalcik32.exe
File opened for modification	C:\Windows\SysWOW64\Kblpcndd.exe	Khfkfedn.exe
File created	C:\Windows\SysWOW64\Lbebilli.exe	Lknjhokg.exe
File created	C:\Windows\SysWOW64\Kbgfhnhi.exe	Klmnkdal.exe
File opened for modification	C:\Windows\SysWOW64\Khfkfedn.exe	Kalcik32.exe
File created	C:\Windows\SysWOW64\Jhmimi32.dll	Loemnnhe.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4176	4188	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kblpcndd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcedmnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldikgdpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loemnnhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdffjgpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klmnkdal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khfkfedn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbnlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbgfhnhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhbkac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbhool32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khkdad32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldbefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lknjhokg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbebilli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kefbdjgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kalcik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klddlckd.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fncnpk32.dll"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khfkfedn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnfbijk.dll"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffjgpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klddlckd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khkdad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekheml32.dll"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamgof32.dll"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmbpeafn.dll"	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilbckfb.dll"	Khkdad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najlgpeb.dll"	Lbcedmnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjaco32.dll"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnggccfl.dll"	Ldbefe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lhbkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffjgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbgfhnhi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bekdaogi.dll"	Lbhool32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Khfkfedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjejmalo.dll"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbebilli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lbhool32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kblpcndd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lknjhokg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klmnkdal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kalcik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll"	Klddlckd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfooh32.dll"	Lknjhokg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oojnjjli.dll"	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhmimi32.dll"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlmhj32.dll"	Lbebilli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lhbkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobpnd32.dll"	Kalcik32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lbcedmnl.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4000	4988	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe	91
PID 4988 wrote to memory of 4000	4988	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe	91
PID 4988 wrote to memory of 4000	4988	9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe	91
PID 4000 wrote to memory of 840	4000	Kdffjgpj.exe	92
PID 4000 wrote to memory of 840	4000	Kdffjgpj.exe	92
PID 4000 wrote to memory of 840	4000	Kdffjgpj.exe	92
PID 840 wrote to memory of 2936	840	Klmnkdal.exe	93
PID 840 wrote to memory of 2936	840	Klmnkdal.exe	93
PID 840 wrote to memory of 2936	840	Klmnkdal.exe	93
PID 2936 wrote to memory of 4636	2936	Kbgfhnhi.exe	94
PID 2936 wrote to memory of 4636	2936	Kbgfhnhi.exe	94
PID 2936 wrote to memory of 4636	2936	Kbgfhnhi.exe	94
PID 4636 wrote to memory of 2628	4636	Kefbdjgm.exe	95
PID 4636 wrote to memory of 2628	4636	Kefbdjgm.exe	95
PID 4636 wrote to memory of 2628	4636	Kefbdjgm.exe	95
PID 2628 wrote to memory of 2544	2628	Kalcik32.exe	96
PID 2628 wrote to memory of 2544	2628	Kalcik32.exe	96
PID 2628 wrote to memory of 2544	2628	Kalcik32.exe	96
PID 2544 wrote to memory of 1756	2544	Khfkfedn.exe	97
PID 2544 wrote to memory of 1756	2544	Khfkfedn.exe	97
PID 2544 wrote to memory of 1756	2544	Khfkfedn.exe	97
PID 1756 wrote to memory of 752	1756	Kblpcndd.exe	98
PID 1756 wrote to memory of 752	1756	Kblpcndd.exe	98
PID 1756 wrote to memory of 752	1756	Kblpcndd.exe	98
PID 752 wrote to memory of 1172	752	Klddlckd.exe	99
PID 752 wrote to memory of 1172	752	Klddlckd.exe	99
PID 752 wrote to memory of 1172	752	Klddlckd.exe	99
PID 1172 wrote to memory of 1064	1172	Kbnlim32.exe	100
PID 1172 wrote to memory of 1064	1172	Kbnlim32.exe	100
PID 1172 wrote to memory of 1064	1172	Kbnlim32.exe	100
PID 1064 wrote to memory of 4380	1064	Khkdad32.exe	101
PID 1064 wrote to memory of 4380	1064	Khkdad32.exe	101
PID 1064 wrote to memory of 4380	1064	Khkdad32.exe	101
PID 4380 wrote to memory of 3348	4380	Loemnnhe.exe	103
PID 4380 wrote to memory of 3348	4380	Loemnnhe.exe	103
PID 4380 wrote to memory of 3348	4380	Loemnnhe.exe	103
PID 3348 wrote to memory of 2692	3348	Ldbefe32.exe	104
PID 3348 wrote to memory of 2692	3348	Ldbefe32.exe	104
PID 3348 wrote to memory of 2692	3348	Ldbefe32.exe	104
PID 2692 wrote to memory of 4028	2692	Lbcedmnl.exe	106
PID 2692 wrote to memory of 4028	2692	Lbcedmnl.exe	106
PID 2692 wrote to memory of 4028	2692	Lbcedmnl.exe	106
PID 4028 wrote to memory of 3256	4028	Lknjhokg.exe	107
PID 4028 wrote to memory of 3256	4028	Lknjhokg.exe	107
PID 4028 wrote to memory of 3256	4028	Lknjhokg.exe	107
PID 3256 wrote to memory of 780	3256	Lbebilli.exe	108
PID 3256 wrote to memory of 780	3256	Lbebilli.exe	108
PID 3256 wrote to memory of 780	3256	Lbebilli.exe	108
PID 780 wrote to memory of 4924	780	Lhbkac32.exe	109
PID 780 wrote to memory of 4924	780	Lhbkac32.exe	109
PID 780 wrote to memory of 4924	780	Lhbkac32.exe	109
PID 4924 wrote to memory of 4188	4924	Lbhool32.exe	110
PID 4924 wrote to memory of 4188	4924	Lbhool32.exe	110
PID 4924 wrote to memory of 4188	4924	Lbhool32.exe	110

C:\Users\Admin\AppData\Local\Temp\9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe
"C:\Users\Admin\AppData\Local\Temp\9a05da36cfabbe5c25d83760b3810b3982ac96fc71a8b4e787ea671dad4d4900.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SysWOW64\Kdffjgpj.exe
  C:\Windows\system32\Kdffjgpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\Klmnkdal.exe
    C:\Windows\system32\Klmnkdal.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:840
  - - C:\Windows\SysWOW64\Kbgfhnhi.exe
      C:\Windows\system32\Kbgfhnhi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\Kalcik32.exe
        
        C:\Windows\system32\Kalcik32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Khfkfedn.exe
        
        C:\Windows\system32\Khfkfedn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\SysWOW64\Kblpcndd.exe
        
        C:\Windows\system32\Kblpcndd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Klddlckd.exe
        
        C:\Windows\system32\Klddlckd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:752
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Khkdad32.exe
        
        C:\Windows\system32\Khkdad32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ldbefe32.exe
        
        C:\Windows\system32\Ldbefe32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Lbcedmnl.exe
        
        C:\Windows\system32\Lbcedmnl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Lknjhokg.exe
        
        C:\Windows\system32\Lknjhokg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Lbebilli.exe
        
        C:\Windows\system32\Lbebilli.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Lhbkac32.exe
        
        C:\Windows\system32\Lhbkac32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\SysWOW64\Lbhool32.exe
        
        C:\Windows\system32\Lbhool32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 416
        20⤵
        Program crash
        
        PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4188 -ip 4188
1⤵
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:8
1⤵
PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kalcik32.exe

Filesize
100KB

MD5
2bdec76939d075df470b8c787eb45bed

SHA1
97a180817181b1ca9a933432de27477e7f16e56c

SHA256
418d5c77ff5d31c5ee47e6f3e3206a1dabe1866c57cd7508f22bd9da03f26b51

SHA512
c6a9f71262f78bfd955db03c67690cc9832b99371d0e757435dfb076103254f2069824f4086e1704bacf4e999db424f9d7aff6edbf2f83ba7025a69331e86ccb

Download Submit
C:\Windows\SysWOW64\Kbgfhnhi.exe

Filesize
100KB

MD5
5541f8b8c4eb43c16b9a108785f12b9b

SHA1
ca5ca4935b570fdeed6e2604aad5af0d66fb0675

SHA256
362f40fd969c5c67ba311f3ff8f69d3c6bd49edf7f6bb7c74b872589da188bc7

SHA512
618553d8c1d5a00d323b8ab3a0af65c73e1c8d9d8ae1d7caa633299df902f0acd3a78e1f0e3f490bc8bdc173335a8dda3f41319872bb75cc3f1a3d39234a60ca

Download Submit
C:\Windows\SysWOW64\Kblpcndd.exe

Filesize
100KB

MD5
4b69c8c211fdb22613ee19b85538450e

SHA1
7f8cdf90cfb8fc7ff636ae3280e96fadfb85f455

SHA256
f122584606095f2a3a9233fe56529911a91c4c74ed146f6f9008107a22e34fd6

SHA512
2e21601b984cf953f500cbc2127dd9736c3feadedd988acc204585719a053337250049b8356a346fc45bea230bcc6224957797d92add3c464d4bcda26d0980b9

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
100KB

MD5
5f1617c093b89170df7b49ba6593b64c

SHA1
4d82b2cda998a682c2f06524233293980b62245e

SHA256
1f3963a8a0c1585f9535fbfd16b2a04737849b935ba218c0c18210f7aef0912b

SHA512
12308ad280df190c9307440e69ebbb5c264eaa760138b3cc94ddf2a698d5e861dc8b24747b0897467925a1ffb40c39bb4b41db7557cabcb8a9ad6c55b40b17ed

Download Submit
C:\Windows\SysWOW64\Kdffjgpj.exe

Filesize
100KB

MD5
a4ea5996adf7e3e259ac615123606b3d

SHA1
61082d74c7ccde645e16a5f5557a17dcdde50f77

SHA256
b75d2f243cc3569e67068156a03716b6c2fcc76c952d8032528b687f0dc3144e

SHA512
54a1f64d4901927de605d179baccc4f690b1e72a91cb32d9df5c711bccbcb03e7390581146706cc517af70caa626d3b45aec36317baedc61811187f865187f97

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
100KB

MD5
e1add95f174f3a936827463a1d0e7df1

SHA1
e804ff1cbbd196295a9c57037902abae98d8dc91

SHA256
3f9bf02e142eb2ba00506f706c4c465b61679e86ee73e3b861cc39f070583bff

SHA512
6c116424d22f3e5ce86a3c72c92c7888b34bb40608f0471674e87fafdedf8177b6f5ef541700870cf95221dab02a82258277d1c860b9f42f815cabb7e1a77967

Download Submit
C:\Windows\SysWOW64\Khfkfedn.exe

Filesize
100KB

MD5
98fea04a228846bb95bdb9599a50c015

SHA1
0e4e51edfb6b6e22350cf21e1519aebd02e676a3

SHA256
fb11f46400c289d985cce8faa4ceefebe2124904cf716f5a8f79df1642ba974a

SHA512
1324bb2aea979d121acc0f820961fa28db244b635ab97a73dcf3338853c9aa9bc31f818c3fffeb7c73ae7b51c7b1a520b296f054fba12e6f311b1bf29fc97356

Download Submit
C:\Windows\SysWOW64\Khkdad32.exe

Filesize
100KB

MD5
6e71b128cab52240fc8a6f0655242ddb

SHA1
f923ab14c2438bf003fe64114ad6ac220041164c

SHA256
ab255171e2cb172977bfe8d2bbd4cd4baad26b59f006a85a2f89948ab2e2015e

SHA512
5a9ba024bbb0274294a8abc52a371fe3abd60a9c355c5e1bf10a96892ba6f927f2547c1fc9280100992400cf36f17e700aae3c7aa599ae87b86407e162ca080e

Download Submit
C:\Windows\SysWOW64\Klddlckd.exe

Filesize
100KB

MD5
0e27a8c30e9848c724c382f426447f29

SHA1
021ca258121e541e39bc1b2273be2ae1aee1cb15

SHA256
ca35293ab5fcacab90f2c4ae1b5058835ab4007228057712350b4af5a2f5e4e9

SHA512
21eb818bc0af78b2f7558d030e245861b801cc314565c6df4d3774dbefe0f658b3d3dd6f2fd7e8f5137c0448052a439a4936b5e0d3f439a21c90b03c03d79c58

Download Submit
C:\Windows\SysWOW64\Klmnkdal.exe

Filesize
100KB

MD5
c68d70083e23e5625ebbd6a131e676cf

SHA1
72a2a3de126d46a857ae4e8cce9586ab114fd995

SHA256
e984bf408d8adaa0729d1da8e29cc3d71a234d50b539afa7aa4d9fcc3fd6e9cb

SHA512
489335e60cb3c527061a8e61fe6d553de0800eb1a9e77c3e70e9da1cc3e4fcc19b3a9d577102dd4c6c3a3b88c983d469179d174c75564a10c9e1de3b67f80c92

Download Submit
C:\Windows\SysWOW64\Lbcedmnl.exe

Filesize
100KB

MD5
a4ef3338927c49a9b3d2904b1ff7d9a4

SHA1
d24a8c4e54a017260ada2e4bdef057edc92f0fac

SHA256
560bcc20cf5eaa75fbf74aa8017bb4da02ae20e819849b475f587c7f3945094c

SHA512
be1bd444d45f2acbb8dd1044d8e17d536842775a1a4bac29f7306cacc27edb0bda51b2616f12422e388fac714ad030f2cac8b6017298293137218b4de79a5931

Download Submit
C:\Windows\SysWOW64\Lbebilli.exe

Filesize
100KB

MD5
2c2fe05012996c1a7a8cc995d631631c

SHA1
eb86bf9d9999a71c05868f55fd37d71bce71a60b

SHA256
9e620dc51fa01c405dda609e210e5800d8c43a2653743ffd5bcf44af7f8456c4

SHA512
87e58da2262e35ca5026cfb5721afe5bf3bb57ab12fe2caa15931c6fbc1a216a5f0ca5bd6b444f5a6723323d346566c7a7d23d9c21b1c4b737e46312fddcf934

Download Submit
C:\Windows\SysWOW64\Lbhool32.exe

Filesize
100KB

MD5
bbc223469c6a125428353a477f6c00ca

SHA1
29aa05824335a662b575db4c186fb932719bff7a

SHA256
3a3688bdbf810ee0f060e304f59ec7180b9532abfd2bbe345fbb549dcf0ec2ce

SHA512
7e9409498bfae22c99935f06f51324e454b0da08186fe985953d16442ebe0a2b59ffe43b763b526bc5d97dbf6edf4237e227bd7c8388388a38fd81be7beb7a30

Download Submit
C:\Windows\SysWOW64\Ldbefe32.exe

Filesize
100KB

MD5
71e095b1aea8ceb8a6b421ee178aa8cc

SHA1
f0ac37695508c63e6a567809188d33484886503a

SHA256
76e46372907c8a030ac23eeb39ce90f05a1470e35266c56543e240334b1ea64a

SHA512
dd83ae571cde6402c2a6179c6e1ef3679f68da9125a406c01e7a9413798bb1ed38e952abbf56787a741f2d8bde5362b235d6414185b078a74d1e858ff92aaaa6

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
100KB

MD5
9bc996f7b8d1daa0f822b6c05814e19b

SHA1
85b26c1b994d5e2c15554ef47669770e7c9ef6eb

SHA256
395ab0bbe95fc2e480f73f086e8181dcf40459055ede81f7a7cca2fe1eee48e6

SHA512
4d5f7995ebc65ea41dad5de360ba3e2edb023eada0a2bfe50796952498914a6e00a8366c016a07c7129699944b22fcdbc053a29257a6fe859b3da199a72bfadd

Download Submit
C:\Windows\SysWOW64\Lhbkac32.exe

Filesize
100KB

MD5
96606de1882e8a816be55011bc536a4e

SHA1
eee126c89fc6b075ea77fee95b968eea69eb7994

SHA256
0905812af166e695326216eff1f9326fc8d56743168386cc1309203c4bd358f2

SHA512
7dfefc090c745eaafe8ea5520fa070f4c469c5eb6ca2425179752a53494e7364a5379ee043209b52b4b315e306d61b0b9cca66809acb4de1404dd22a98f9fe3d

Download Submit
C:\Windows\SysWOW64\Lknjhokg.exe

Filesize
100KB

MD5
3736e11477f3e7045666b8013833dc86

SHA1
f5a16b3e2af579e84a9d8c43d2b22c859716bd48

SHA256
3c345fc1620babb32fcebcab2b630bc2a638c04e8362a58554762ec690629841

SHA512
79425298bb65c46f1ffe85d2b63ce1ef9da4022f6b60d664a020a1f1553209b789c626a8568f961cef021a6291902cb98cf24e776d378a4dabec2bbc45ac3cdd

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
100KB

MD5
b9c07401edaa7c6a5575e0a1c3e85ec4

SHA1
f05aa57cd0ff69a3744a5f36139310bc9ec528c3

SHA256
49c51a2520392e50c76e6d2c61a7eb322022f79f9528f9d13a55a83fcba2cf2a

SHA512
3cfeb0c66e3412654bdcb38fbbbb5d745609966d475cef4a919138cc442b8d99e558ff05e7f131ccd36546ebbc1abe84253455413b167aef482acf81ac7ce32b

Download Submit
C:\Windows\SysWOW64\Pmbpeafn.dll

Filesize
7KB

MD5
bac7af3038b6a25d9c0e6779d747e52d

SHA1
10b43dfc4926f337a8568dfb9986344652b3b877

SHA256
0a32b13179b0aaa0af832a5e0b222dc456f2fe4337be104d7b6c6bc000c76bd7

SHA512
a5d75aa3a89804f12f6b60dd226375585ef5c659ac69997d23a416487137916036adf8bd3ab2d1894d050d98585b569e32c95029b06c63546c9ee83196ed3126

Download Submit
memory/752-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/752-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/780-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/780-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/840-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1064-163-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1172-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-155-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-156-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2544-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2628-157-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2692-150-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-120-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3256-148-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3348-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3348-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4000-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4028-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4028-149-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-145-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4188-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4380-152-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4636-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-146-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4988-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads