1355b0919661bee3dedd4912a2cc30e065302a53f20e89a9991ec6c556902b78

Analysis

max time kernel
0s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2023 18:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

004cf3993f4c834f58cb0a6c1f66cf85.exe
Size

111KB
MD5

004cf3993f4c834f58cb0a6c1f66cf85
SHA1

7e0b6b7fec57d0f81da82297d1851adc61a26961
SHA256

1355b0919661bee3dedd4912a2cc30e065302a53f20e89a9991ec6c556902b78
SHA512

a5e456bcddffd91da22423074eeb7837004de2ecbc5ba79fa8ecc75935bee2019232e741369a897faae752887200c9d5ff8b9ed05de07f1447324840759938fc
SSDEEP

3072:Tmd0Q54nzWkiqx+tb7C+TG86lbxxafCf8:oB4iqQtbO3jvaKf8

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	004cf3993f4c834f58cb0a6c1f66cf85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	004cf3993f4c834f58cb0a6c1f66cf85.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe

Executes dropped EXE 11 IoCs

pid	Process
2128	Ldaeka32.exe
2212	Lcdegnep.exe
3304	Lklnhlfb.exe
1104	Ljnnch32.exe
724	Laefdf32.exe
3844	Lphfpbdi.exe
3896	Lddbqa32.exe
4836	Lgbnmm32.exe
4292	Mjqjih32.exe
4604	Mnlfigcc.exe
1620	Mahbje32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	004cf3993f4c834f58cb0a6c1f66cf85.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	004cf3993f4c834f58cb0a6c1f66cf85.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	004cf3993f4c834f58cb0a6c1f66cf85.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5300	5188	WerFault.exe	24

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	004cf3993f4c834f58cb0a6c1f66cf85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	004cf3993f4c834f58cb0a6c1f66cf85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	004cf3993f4c834f58cb0a6c1f66cf85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	004cf3993f4c834f58cb0a6c1f66cf85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	004cf3993f4c834f58cb0a6c1f66cf85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	004cf3993f4c834f58cb0a6c1f66cf85.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2128	924	004cf3993f4c834f58cb0a6c1f66cf85.exe	76
PID 924 wrote to memory of 2128	924	004cf3993f4c834f58cb0a6c1f66cf85.exe	76
PID 924 wrote to memory of 2128	924	004cf3993f4c834f58cb0a6c1f66cf85.exe	76
PID 2128 wrote to memory of 2212	2128	Ldaeka32.exe	75
PID 2128 wrote to memory of 2212	2128	Ldaeka32.exe	75
PID 2128 wrote to memory of 2212	2128	Ldaeka32.exe	75
PID 2212 wrote to memory of 3304	2212	Lcdegnep.exe	74
PID 2212 wrote to memory of 3304	2212	Lcdegnep.exe	74
PID 2212 wrote to memory of 3304	2212	Lcdegnep.exe	74
PID 3304 wrote to memory of 1104	3304	Lklnhlfb.exe	73
PID 3304 wrote to memory of 1104	3304	Lklnhlfb.exe	73
PID 3304 wrote to memory of 1104	3304	Lklnhlfb.exe	73
PID 1104 wrote to memory of 724	1104	Ljnnch32.exe	72
PID 1104 wrote to memory of 724	1104	Ljnnch32.exe	72
PID 1104 wrote to memory of 724	1104	Ljnnch32.exe	72
PID 724 wrote to memory of 3844	724	Laefdf32.exe	71
PID 724 wrote to memory of 3844	724	Laefdf32.exe	71
PID 724 wrote to memory of 3844	724	Laefdf32.exe	71
PID 3844 wrote to memory of 3896	3844	Lphfpbdi.exe	70
PID 3844 wrote to memory of 3896	3844	Lphfpbdi.exe	70
PID 3844 wrote to memory of 3896	3844	Lphfpbdi.exe	70
PID 3896 wrote to memory of 4836	3896	Lddbqa32.exe	15
PID 3896 wrote to memory of 4836	3896	Lddbqa32.exe	15
PID 3896 wrote to memory of 4836	3896	Lddbqa32.exe	15
PID 4836 wrote to memory of 4292	4836	Lgbnmm32.exe	69
PID 4836 wrote to memory of 4292	4836	Lgbnmm32.exe	69
PID 4836 wrote to memory of 4292	4836	Lgbnmm32.exe	69
PID 4292 wrote to memory of 4604	4292	Mjqjih32.exe	68
PID 4292 wrote to memory of 4604	4292	Mjqjih32.exe	68
PID 4292 wrote to memory of 4604	4292	Mjqjih32.exe	68
PID 4604 wrote to memory of 1620	4604	Mnlfigcc.exe	67
PID 4604 wrote to memory of 1620	4604	Mnlfigcc.exe	67
PID 4604 wrote to memory of 1620	4604	Mnlfigcc.exe	67

C:\Users\Admin\AppData\Local\Temp\004cf3993f4c834f58cb0a6c1f66cf85.exe
"C:\Users\Admin\AppData\Local\Temp\004cf3993f4c834f58cb0a6c1f66cf85.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\SysWOW64\Ldaeka32.exe
  C:\Windows\system32\Ldaeka32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2128

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Windows\SysWOW64\Mjqjih32.exe
  C:\Windows\system32\Mjqjih32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4292

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
1⤵
PID:896
- C:\Windows\SysWOW64\Mdkhapfj.exe
  C:\Windows\system32\Mdkhapfj.exe
  2⤵
  PID:3060

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
PID:1820
- C:\Windows\SysWOW64\Njljefql.exe
  C:\Windows\system32\Njljefql.exe
  2⤵
  PID:3768

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
PID:3268
- C:\Windows\SysWOW64\Nqfbaq32.exe
  C:\Windows\system32\Nqfbaq32.exe
  2⤵
  PID:4640

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
PID:4432
- C:\Windows\SysWOW64\Nafokcol.exe
  C:\Windows\system32\Nafokcol.exe
  2⤵
  PID:4968

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
1⤵
PID:3684
- C:\Windows\SysWOW64\Ncgkcl32.exe
  C:\Windows\system32\Ncgkcl32.exe
  2⤵
  PID:2660

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
PID:4928
- C:\Windows\SysWOW64\Nqklmpdd.exe
  C:\Windows\system32\Nqklmpdd.exe
  2⤵
  PID:4068

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:5100
- C:\Windows\SysWOW64\Ngedij32.exe
  C:\Windows\system32\Ngedij32.exe
  2⤵
  PID:2912

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:3932
- C:\Windows\SysWOW64\Nbkhfc32.exe
  C:\Windows\system32\Nbkhfc32.exe
  2⤵
  PID:4192

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:5188
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5188 -s 400
  2⤵
  - Program crash
  PID:5300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5188 -ip 5188
1⤵
PID:5252

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:5152

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:400

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:3980

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
PID:1964

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
PID:780

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
PID:3264

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
PID:3344

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
PID:4268

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
PID:1988

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
PID:4980

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
PID:4460

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
PID:872

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:1772

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
1⤵
PID:4752

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
PID:2364

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
1⤵
PID:4856

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
PID:2108

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
PID:4952

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
1⤵
PID:2768

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
PID:1072

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
1⤵
PID:1228

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
PID:2076

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
PID:3164

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
PID:4628

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4604

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/724-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/780-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/924-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1104-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1228-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1620-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1772-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1964-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1988-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3060-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3268-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-249-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3896-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3932-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4928-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5152-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5188-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads