e744c11b6ff0ca9634d55e001732f924cc81af7b56c113ffa992c19c755fa7a3

Analysis

max time kernel
0s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10de2c14aee372f4d7e68c50304a677d.exe
Size

1.2MB
MD5

10de2c14aee372f4d7e68c50304a677d
SHA1

e4291b40af3fa46b2100ebc75bc717e236d43fd5
SHA256

e744c11b6ff0ca9634d55e001732f924cc81af7b56c113ffa992c19c755fa7a3
SHA512

523778bd3cdb52f69ec5c1569eedee68c24c56cdf346ff5d2262f2c5d3ced7d57b26b7a44d3cc54d46d842c8c8c5962de7f16d3418d6e3faf3b9cf9475e55e1c
SSDEEP

12288:jZP1i6qqpV6yYPoBVgsPpV6yYPHGlW4AsQTpV6yYPoBVgsPpV6yYPHGl8akmEpVf:jC9qWSPWHPVWSPWHvFWSPWHPVWSPWH5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	10de2c14aee372f4d7e68c50304a677d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	10de2c14aee372f4d7e68c50304a677d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laciofpa.exe

Executes dropped EXE 11 IoCs

pid	Process
556	Lcbiao32.exe
2940	Lkiqbl32.exe
1800	Laciofpa.exe
3892	Ldaeka32.exe
1348	Lgpagm32.exe
1772	Lnjjdgee.exe
3292	Laefdf32.exe
1140	Lcgblncm.exe
3316	Lknjmkdo.exe
4508	Mdfofakp.exe
5104	Mkpgck32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	10de2c14aee372f4d7e68c50304a677d.exe
File opened for modification	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	10de2c14aee372f4d7e68c50304a677d.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	10de2c14aee372f4d7e68c50304a677d.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mdfofakp.exe

Program crash 1 IoCs

pid	pid_target	Process
1728	2848	WerFault.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	10de2c14aee372f4d7e68c50304a677d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	10de2c14aee372f4d7e68c50304a677d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	10de2c14aee372f4d7e68c50304a677d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	10de2c14aee372f4d7e68c50304a677d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	10de2c14aee372f4d7e68c50304a677d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	10de2c14aee372f4d7e68c50304a677d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 556	2200	10de2c14aee372f4d7e68c50304a677d.exe	58
PID 2200 wrote to memory of 556	2200	10de2c14aee372f4d7e68c50304a677d.exe	58
PID 2200 wrote to memory of 556	2200	10de2c14aee372f4d7e68c50304a677d.exe	58
PID 556 wrote to memory of 2940	556	Lcbiao32.exe	57
PID 556 wrote to memory of 2940	556	Lcbiao32.exe	57
PID 556 wrote to memory of 2940	556	Lcbiao32.exe	57
PID 2940 wrote to memory of 1800	2940	Lkiqbl32.exe	56
PID 2940 wrote to memory of 1800	2940	Lkiqbl32.exe	56
PID 2940 wrote to memory of 1800	2940	Lkiqbl32.exe	56
PID 1800 wrote to memory of 3892	1800	Laciofpa.exe	17
PID 1800 wrote to memory of 3892	1800	Laciofpa.exe	17
PID 1800 wrote to memory of 3892	1800	Laciofpa.exe	17
PID 3892 wrote to memory of 1348	3892	Ldaeka32.exe	55
PID 3892 wrote to memory of 1348	3892	Ldaeka32.exe	55
PID 3892 wrote to memory of 1348	3892	Ldaeka32.exe	55
PID 1348 wrote to memory of 1772	1348	Lgpagm32.exe	54
PID 1348 wrote to memory of 1772	1348	Lgpagm32.exe	54
PID 1348 wrote to memory of 1772	1348	Lgpagm32.exe	54
PID 1772 wrote to memory of 3292	1772	Lnjjdgee.exe	53
PID 1772 wrote to memory of 3292	1772	Lnjjdgee.exe	53
PID 1772 wrote to memory of 3292	1772	Lnjjdgee.exe	53
PID 3292 wrote to memory of 1140	3292	Laefdf32.exe	52
PID 3292 wrote to memory of 1140	3292	Laefdf32.exe	52
PID 3292 wrote to memory of 1140	3292	Laefdf32.exe	52
PID 1140 wrote to memory of 3316	1140	Lcgblncm.exe	50
PID 1140 wrote to memory of 3316	1140	Lcgblncm.exe	50
PID 1140 wrote to memory of 3316	1140	Lcgblncm.exe	50
PID 3316 wrote to memory of 4508	3316	Lknjmkdo.exe	49
PID 3316 wrote to memory of 4508	3316	Lknjmkdo.exe	49
PID 3316 wrote to memory of 4508	3316	Lknjmkdo.exe	49
PID 4508 wrote to memory of 5104	4508	Mdfofakp.exe	47
PID 4508 wrote to memory of 5104	4508	Mdfofakp.exe	47
PID 4508 wrote to memory of 5104	4508	Mdfofakp.exe	47

C:\Users\Admin\AppData\Local\Temp\10de2c14aee372f4d7e68c50304a677d.exe
"C:\Users\Admin\AppData\Local\Temp\10de2c14aee372f4d7e68c50304a677d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\Lcbiao32.exe
  C:\Windows\system32\Lcbiao32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:556

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Windows\SysWOW64\Lgpagm32.exe
  C:\Windows\system32\Lgpagm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1348

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
PID:5004
- C:\Windows\SysWOW64\Mnfipekh.exe
  C:\Windows\system32\Mnfipekh.exe
  2⤵
  PID:1972

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
PID:2740
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  PID:4812

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
PID:972
- C:\Windows\SysWOW64\Njcpee32.exe
  C:\Windows\system32\Njcpee32.exe
  2⤵
  PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2848 -ip 2848
1⤵
PID:4592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 420
1⤵
- Program crash
PID:1728

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:2848

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:380

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:5088

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
PID:816

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
PID:1344

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
PID:1360

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
PID:1288

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
PID:2220

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:1168

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
1⤵
PID:1684

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
1⤵
PID:656

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
1⤵
PID:3580

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
PID:1420

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3316

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3292

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/656-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/816-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-245-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1344-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-266-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1360-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1684-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2848-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2940-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3292-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3580-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3892-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4508-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4528-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5004-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5088-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads