0135f767ad0daf98ef4bdfe1a57bb239a0bc8a87f9ae7a6d47103e2473141dc0

Analysis

max time kernel
0s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1357f4aa3c543af7852757a017f5fd1.exe
Size

361KB
MD5

e1357f4aa3c543af7852757a017f5fd1
SHA1

71777fe502d0cbf7c8a066e2ba36e3ae8bc01788
SHA256

0135f767ad0daf98ef4bdfe1a57bb239a0bc8a87f9ae7a6d47103e2473141dc0
SHA512

4f58cc6612545a7da730753914c61c3a99e327503e6d05191fa8fc87c48c7d5cb7f1e53af257dabf720794d50e9529e7f8c7bdbdab2ba131b7f89ff9193aa0d5
SSDEEP

6144:nwb79mhQsVQ///NR5fLvQ///NREQ///NR5fLYG3eujPQ///NR5f:wb72w/Nq/NZ/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e1357f4aa3c543af7852757a017f5fd1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e1357f4aa3c543af7852757a017f5fd1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe

Executes dropped EXE 11 IoCs

pid	Process
2612	Kdhbec32.exe
1268	Kgfoan32.exe
1992	Kkbkamnl.exe
2144	Lmqgnhmp.exe
4892	Lpocjdld.exe
3512	Lcmofolg.exe
4400	Lgikfn32.exe
4664	Liggbi32.exe
2940	Lmccchkn.exe
208	Lpappc32.exe
3848	Lcpllo32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	e1357f4aa3c543af7852757a017f5fd1.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	e1357f4aa3c543af7852757a017f5fd1.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Liggbi32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	e1357f4aa3c543af7852757a017f5fd1.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5752	5640	WerFault.exe	38

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e1357f4aa3c543af7852757a017f5fd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	e1357f4aa3c543af7852757a017f5fd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e1357f4aa3c543af7852757a017f5fd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e1357f4aa3c543af7852757a017f5fd1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e1357f4aa3c543af7852757a017f5fd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e1357f4aa3c543af7852757a017f5fd1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2612	1548	e1357f4aa3c543af7852757a017f5fd1.exe	92
PID 1548 wrote to memory of 2612	1548	e1357f4aa3c543af7852757a017f5fd1.exe	92
PID 1548 wrote to memory of 2612	1548	e1357f4aa3c543af7852757a017f5fd1.exe	92
PID 2612 wrote to memory of 1268	2612	Kdhbec32.exe	91
PID 2612 wrote to memory of 1268	2612	Kdhbec32.exe	91
PID 2612 wrote to memory of 1268	2612	Kdhbec32.exe	91
PID 1268 wrote to memory of 1992	1268	Kgfoan32.exe	90
PID 1268 wrote to memory of 1992	1268	Kgfoan32.exe	90
PID 1268 wrote to memory of 1992	1268	Kgfoan32.exe	90
PID 1992 wrote to memory of 2144	1992	Kkbkamnl.exe	89
PID 1992 wrote to memory of 2144	1992	Kkbkamnl.exe	89
PID 1992 wrote to memory of 2144	1992	Kkbkamnl.exe	89
PID 2144 wrote to memory of 4892	2144	Lmqgnhmp.exe	88
PID 2144 wrote to memory of 4892	2144	Lmqgnhmp.exe	88
PID 2144 wrote to memory of 4892	2144	Lmqgnhmp.exe	88
PID 4892 wrote to memory of 3512	4892	Lpocjdld.exe	87
PID 4892 wrote to memory of 3512	4892	Lpocjdld.exe	87
PID 4892 wrote to memory of 3512	4892	Lpocjdld.exe	87
PID 3512 wrote to memory of 4400	3512	Lcmofolg.exe	17
PID 3512 wrote to memory of 4400	3512	Lcmofolg.exe	17
PID 3512 wrote to memory of 4400	3512	Lcmofolg.exe	17
PID 4400 wrote to memory of 4664	4400	Lgikfn32.exe	86
PID 4400 wrote to memory of 4664	4400	Lgikfn32.exe	86
PID 4400 wrote to memory of 4664	4400	Lgikfn32.exe	86
PID 4664 wrote to memory of 2940	4664	Liggbi32.exe	85
PID 4664 wrote to memory of 2940	4664	Liggbi32.exe	85
PID 4664 wrote to memory of 2940	4664	Liggbi32.exe	85
PID 2940 wrote to memory of 208	2940	Lmccchkn.exe	83
PID 2940 wrote to memory of 208	2940	Lmccchkn.exe	83
PID 2940 wrote to memory of 208	2940	Lmccchkn.exe	83
PID 208 wrote to memory of 3848	208	Lpappc32.exe	82
PID 208 wrote to memory of 3848	208	Lpappc32.exe	82
PID 208 wrote to memory of 3848	208	Lpappc32.exe	82

C:\Users\Admin\AppData\Local\Temp\e1357f4aa3c543af7852757a017f5fd1.exe
"C:\Users\Admin\AppData\Local\Temp\e1357f4aa3c543af7852757a017f5fd1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\Kdhbec32.exe
  C:\Windows\system32\Kdhbec32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2612

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\SysWOW64\Liggbi32.exe
  C:\Windows\system32\Liggbi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4664

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
1⤵
PID:4596
- C:\Windows\SysWOW64\Lcdegnep.exe
  C:\Windows\system32\Lcdegnep.exe
  2⤵
  PID:3164

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
PID:4680
- C:\Windows\SysWOW64\Lgbnmm32.exe
  C:\Windows\system32\Lgbnmm32.exe
  2⤵
  PID:1088

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
1⤵
PID:3256
- C:\Windows\SysWOW64\Mdiklqhm.exe
  C:\Windows\system32\Mdiklqhm.exe
  2⤵
  PID:2836

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
1⤵
PID:2116
- C:\Windows\SysWOW64\Mkbchk32.exe
  C:\Windows\system32\Mkbchk32.exe
  2⤵
  PID:3620
- - C:\Windows\SysWOW64\Mnapdf32.exe
    C:\Windows\system32\Mnapdf32.exe
    3⤵
    PID:3800

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
PID:1528
- C:\Windows\SysWOW64\Mglack32.exe
  C:\Windows\system32\Mglack32.exe
  2⤵
  PID:744

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
PID:2400
- C:\Windows\SysWOW64\Maaepd32.exe
  C:\Windows\system32\Maaepd32.exe
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\Mdpalp32.exe
    C:\Windows\system32\Mdpalp32.exe
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\Mgnnhk32.exe
      C:\Windows\system32\Mgnnhk32.exe
      4⤵
      PID:216

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
PID:2228
- C:\Windows\SysWOW64\Nacbfdao.exe
  C:\Windows\system32\Nacbfdao.exe
  2⤵
  PID:3668
- - C:\Windows\SysWOW64\Ndbnboqb.exe
    C:\Windows\system32\Ndbnboqb.exe
    3⤵
    PID:2248

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
PID:2444
- C:\Windows\SysWOW64\Njogjfoj.exe
  C:\Windows\system32\Njogjfoj.exe
  2⤵
  PID:5140
- - C:\Windows\SysWOW64\Nqiogp32.exe
    C:\Windows\system32\Nqiogp32.exe
    3⤵
    PID:5184
  - - C:\Windows\SysWOW64\Ncgkcl32.exe
      C:\Windows\system32\Ncgkcl32.exe
      4⤵
      PID:5224

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:5268
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  PID:5312
- - C:\Windows\SysWOW64\Nqklmpdd.exe
    C:\Windows\system32\Nqklmpdd.exe
    3⤵
    PID:5348

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
PID:5516
- C:\Windows\SysWOW64\Ndidbn32.exe
  C:\Windows\system32\Ndidbn32.exe
  2⤵
  PID:5552

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
PID:5600
- C:\Windows\SysWOW64\Nkcmohbg.exe
  C:\Windows\system32\Nkcmohbg.exe
  2⤵
  PID:5640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 412
    3⤵
    - Program crash
    PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5640 -ip 5640
1⤵
PID:5700

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:5468

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:5428

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:5392

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
PID:3692

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
PID:4436

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
1⤵
PID:3216

C:\Windows\SysWOW64\Mgidml32.exe
C:\Windows\system32\Mgidml32.exe
1⤵
PID:3476

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
PID:1004

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
1⤵
PID:4148

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
PID:2476

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
PID:2132

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
PID:2336

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
PID:4464

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
1⤵
PID:4812

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
PID:2960

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
1⤵
PID:3100

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
PID:4496

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
PID:4640

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
1⤵
PID:1480

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
1⤵
PID:4220

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
1⤵
PID:1632

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
1⤵
PID:4216

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
1⤵
PID:4000

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
1⤵
PID:3060

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
1⤵
PID:2920

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/216-349-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/744-328-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1004-292-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1088-205-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1268-21-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1480-145-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1528-318-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1548-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1548-81-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1548-5-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1632-133-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1672-346-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1992-25-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2116-268-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2132-234-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2144-37-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2228-354-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2248-366-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2336-225-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2400-330-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2444-373-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2476-245-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2612-9-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2836-257-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2920-97-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2940-73-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2960-209-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3060-108-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3100-185-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3164-161-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3216-304-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3256-249-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3476-294-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3512-48-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3620-270-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3668-360-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3692-312-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3800-280-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3848-89-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3976-336-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4000-112-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4148-282-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4216-127-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4220-141-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4400-57-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4436-311-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4464-217-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4496-181-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4596-153-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4640-173-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4664-69-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4680-193-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4812-216-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4892-41-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5140-378-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5184-389-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5224-390-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5268-396-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5312-407-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5348-408-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5392-418-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5428-424-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5468-426-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/5516-436-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads