643f73ecd3ee3de0dd6590db1ac1375c1855c788e29e3cd0b7c7f2a83d209a5f

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce033d579908c1558f944c327ac54c10.exe
Size

359KB
MD5

ce033d579908c1558f944c327ac54c10
SHA1

ab38afb6e7b7111bfbf5988bdc0753d8c3bae499
SHA256

643f73ecd3ee3de0dd6590db1ac1375c1855c788e29e3cd0b7c7f2a83d209a5f
SHA512

eccecf5bbb7aad554ed3a4e59bc6e4026ff1c2cc7935069a3b153b214f2b2cd1a6c8f26f9c515cbf14965abcffb0cc762a378b6e617a16ca39e5af43d9d75931
SSDEEP

6144:UNd4IHWVBYVrOigcC6oQ6+EcC6oQ6+YahBQyiTACPTRN6+YahBQyiTAgiuMRlxZc:UNd4oWcK9E6n9E6vah6yiMCPTRN6vahm

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	mousocoreworker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbfiep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe

Executes dropped EXE 64 IoCs

pid	Process
3536	Kbfiep32.exe
540	Kckbqpnj.exe
1740	Liekmj32.exe
512	Lpocjdld.exe
1100	Lcmofolg.exe
4864	Lgikfn32.exe
4476	Lkdggmlj.exe
880	Lmccchkn.exe
2360	Laopdgcg.exe
2804	Ldmlpbbj.exe
4164	Lcpllo32.exe
2316	Lkgdml32.exe
3360	Lijdhiaa.exe
2024	Laalifad.exe
4828	Ldohebqh.exe
1632	Lcbiao32.exe
4552	Lkiqbl32.exe
4640	Lilanioo.exe
4736	Lnhmng32.exe
4560	Lpfijcfl.exe
3744	Ldaeka32.exe
4296	Lgpagm32.exe
2140	Lklnhlfb.exe
3512	Lnjjdgee.exe
2144	Laefdf32.exe
3984	Lddbqa32.exe
3752	Lcgblncm.exe
2408	Lknjmkdo.exe
1696	Mnlfigcc.exe
812	Mahbje32.exe
2004	Mdfofakp.exe
3896	Mgekbljc.exe
4344	Mkpgck32.exe
4796	Mjcgohig.exe
1608	Mnocof32.exe
868	Majopeii.exe
2236	Mdiklqhm.exe
3176	Mcklgm32.exe
4268	Mgghhlhq.exe
1928	Mjeddggd.exe
1368	Mnapdf32.exe
1780	Mamleegg.exe
3920	Mdkhapfj.exe
3204	Mkepnjng.exe
4244	Mjhqjg32.exe
4664	Maohkd32.exe
1700	Mpaifalo.exe
5116	Mcpebmkb.exe
3080	mousocoreworker.exe
5152	Mkgmcjld.exe
5200	Mnfipekh.exe
5244	Maaepd32.exe
5280	Mpdelajl.exe
5320	Mcbahlip.exe
5364	Nkjjij32.exe
5408	Njljefql.exe
5452	Nnhfee32.exe
5496	Nqfbaq32.exe
5536	Ndbnboqb.exe
5580	Nceonl32.exe
5616	Ngpjnkpf.exe
5660	Njogjfoj.exe
5700	Nnjbke32.exe
5744	Nafokcol.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kbfiep32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lgikfn32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Kbfiep32.exe	ce033d579908c1558f944c327ac54c10.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Laopdgcg.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5732	5524	WerFault.exe	112

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	mousocoreworker.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ce033d579908c1558f944c327ac54c10.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbfiep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 3536	5076	ce033d579908c1558f944c327ac54c10.exe	89
PID 5076 wrote to memory of 3536	5076	ce033d579908c1558f944c327ac54c10.exe	89
PID 5076 wrote to memory of 3536	5076	ce033d579908c1558f944c327ac54c10.exe	89
PID 3536 wrote to memory of 540	3536	Kbfiep32.exe	90
PID 3536 wrote to memory of 540	3536	Kbfiep32.exe	90
PID 3536 wrote to memory of 540	3536	Kbfiep32.exe	90
PID 540 wrote to memory of 1740	540	Kckbqpnj.exe	91
PID 540 wrote to memory of 1740	540	Kckbqpnj.exe	91
PID 540 wrote to memory of 1740	540	Kckbqpnj.exe	91
PID 1740 wrote to memory of 512	1740	Liekmj32.exe	181
PID 1740 wrote to memory of 512	1740	Liekmj32.exe	181
PID 1740 wrote to memory of 512	1740	Liekmj32.exe	181
PID 512 wrote to memory of 1100	512	Lpocjdld.exe	180
PID 512 wrote to memory of 1100	512	Lpocjdld.exe	180
PID 512 wrote to memory of 1100	512	Lpocjdld.exe	180
PID 1100 wrote to memory of 4864	1100	Lcmofolg.exe	179
PID 1100 wrote to memory of 4864	1100	Lcmofolg.exe	179
PID 1100 wrote to memory of 4864	1100	Lcmofolg.exe	179
PID 4864 wrote to memory of 4476	4864	Lgikfn32.exe	178
PID 4864 wrote to memory of 4476	4864	Lgikfn32.exe	178
PID 4864 wrote to memory of 4476	4864	Lgikfn32.exe	178
PID 4476 wrote to memory of 880	4476	Lkdggmlj.exe	177
PID 4476 wrote to memory of 880	4476	Lkdggmlj.exe	177
PID 4476 wrote to memory of 880	4476	Lkdggmlj.exe	177
PID 880 wrote to memory of 2360	880	Lmccchkn.exe	176
PID 880 wrote to memory of 2360	880	Lmccchkn.exe	176
PID 880 wrote to memory of 2360	880	Lmccchkn.exe	176
PID 2360 wrote to memory of 2804	2360	Laopdgcg.exe	174
PID 2360 wrote to memory of 2804	2360	Laopdgcg.exe	174
PID 2360 wrote to memory of 2804	2360	Laopdgcg.exe	174
PID 2804 wrote to memory of 4164	2804	Ldmlpbbj.exe	173
PID 2804 wrote to memory of 4164	2804	Ldmlpbbj.exe	173
PID 2804 wrote to memory of 4164	2804	Ldmlpbbj.exe	173
PID 4164 wrote to memory of 2316	4164	Lcpllo32.exe	172
PID 4164 wrote to memory of 2316	4164	Lcpllo32.exe	172
PID 4164 wrote to memory of 2316	4164	Lcpllo32.exe	172
PID 2316 wrote to memory of 3360	2316	Lkgdml32.exe	171
PID 2316 wrote to memory of 3360	2316	Lkgdml32.exe	171
PID 2316 wrote to memory of 3360	2316	Lkgdml32.exe	171
PID 3360 wrote to memory of 2024	3360	Lijdhiaa.exe	168
PID 3360 wrote to memory of 2024	3360	Lijdhiaa.exe	168
PID 3360 wrote to memory of 2024	3360	Lijdhiaa.exe	168
PID 2024 wrote to memory of 4828	2024	Laalifad.exe	166
PID 2024 wrote to memory of 4828	2024	Laalifad.exe	166
PID 2024 wrote to memory of 4828	2024	Laalifad.exe	166
PID 4828 wrote to memory of 1632	4828	Ldohebqh.exe	165
PID 4828 wrote to memory of 1632	4828	Ldohebqh.exe	165
PID 4828 wrote to memory of 1632	4828	Ldohebqh.exe	165
PID 1632 wrote to memory of 4552	1632	Lcbiao32.exe	164
PID 1632 wrote to memory of 4552	1632	Lcbiao32.exe	164
PID 1632 wrote to memory of 4552	1632	Lcbiao32.exe	164
PID 4552 wrote to memory of 4640	4552	Lkiqbl32.exe	163
PID 4552 wrote to memory of 4640	4552	Lkiqbl32.exe	163
PID 4552 wrote to memory of 4640	4552	Lkiqbl32.exe	163
PID 4640 wrote to memory of 4736	4640	Lilanioo.exe	162
PID 4640 wrote to memory of 4736	4640	Lilanioo.exe	162
PID 4640 wrote to memory of 4736	4640	Lilanioo.exe	162
PID 4736 wrote to memory of 4560	4736	Lnhmng32.exe	161
PID 4736 wrote to memory of 4560	4736	Lnhmng32.exe	161
PID 4736 wrote to memory of 4560	4736	Lnhmng32.exe	161
PID 4560 wrote to memory of 3744	4560	Lpfijcfl.exe	160
PID 4560 wrote to memory of 3744	4560	Lpfijcfl.exe	160
PID 4560 wrote to memory of 3744	4560	Lpfijcfl.exe	160
PID 3744 wrote to memory of 4296	3744	Ldaeka32.exe	158

C:\Users\Admin\AppData\Local\Temp\ce033d579908c1558f944c327ac54c10.exe
"C:\Users\Admin\AppData\Local\Temp\ce033d579908c1558f944c327ac54c10.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\Kbfiep32.exe
  C:\Windows\system32\Kbfiep32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3536
- - C:\Windows\SysWOW64\Kckbqpnj.exe
    C:\Windows\system32\Kckbqpnj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\Liekmj32.exe
      C:\Windows\system32\Liekmj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4344
- C:\Windows\SysWOW64\Mjcgohig.exe
  C:\Windows\system32\Mjcgohig.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4796

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1608
- C:\Windows\SysWOW64\Majopeii.exe
  C:\Windows\system32\Majopeii.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:868

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3176
- C:\Windows\SysWOW64\Mgghhlhq.exe
  C:\Windows\system32\Mgghhlhq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4268

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1928
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1368
- - C:\Windows\SysWOW64\Mamleegg.exe
    C:\Windows\system32\Mamleegg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1780

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3920
- C:\Windows\SysWOW64\Mkepnjng.exe
  C:\Windows\system32\Mkepnjng.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3204

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4244
- C:\Windows\SysWOW64\Maohkd32.exe
  C:\Windows\system32\Maohkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  PID:4664

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1700
- C:\Windows\SysWOW64\Mcpebmkb.exe
  C:\Windows\system32\Mcpebmkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:5116

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5244
- C:\Windows\SysWOW64\Mpdelajl.exe
  C:\Windows\system32\Mpdelajl.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5280

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5408
- C:\Windows\SysWOW64\Nnhfee32.exe
  C:\Windows\system32\Nnhfee32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:5452

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5536
- C:\Windows\SysWOW64\Nceonl32.exe
  C:\Windows\system32\Nceonl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:5580

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5744
- C:\Windows\SysWOW64\Nddkgonp.exe
  C:\Windows\system32\Nddkgonp.exe
  2⤵
  - Modifies registry class
  PID:5796

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5836
- C:\Windows\SysWOW64\Ngcgcjnc.exe
  C:\Windows\system32\Ngcgcjnc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:5872

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:5912
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:5948

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:6032
- C:\Windows\SysWOW64\Ncihikcg.exe
  C:\Windows\system32\Ncihikcg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:6072

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
PID:6116
- C:\Windows\SysWOW64\Nkqpjidj.exe
  C:\Windows\system32\Nkqpjidj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:3848

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4968
- C:\Windows\SysWOW64\Nbkhfc32.exe
  C:\Windows\system32\Nbkhfc32.exe
  2⤵
  - Drops file in System32 directory
  PID:2680

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5464
- C:\Windows\SysWOW64\Nkcmohbg.exe
  C:\Windows\system32\Nkcmohbg.exe
  2⤵
  PID:5524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5524 -s 420
    3⤵
    - Program crash
    PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5524 -ip 5524
1⤵
PID:5688

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:5396

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5304

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5992

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5700

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5660

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:5616

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5496

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5364

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:5320

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5200

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5152

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
1⤵
PID:3080

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2236

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3896

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:812

C:\Windows\SysWOW64\Mnlfigcc.exe
C:\Windows\system32\Mnlfigcc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1696

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2408

C:\Windows\SysWOW64\Lcgblncm.exe
C:\Windows\system32\Lcgblncm.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3752

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3984

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2144

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3512

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2140

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4296

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\Lnhmng32.exe
C:\Windows\system32\Lnhmng32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4640

C:\Windows\SysWOW64\Lkiqbl32.exe
C:\Windows\system32\Lkiqbl32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3080

C:\Windows\SysWOW64\Lijdhiaa.exe
C:\Windows\system32\Lijdhiaa.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3360

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2804

C:\Windows\SysWOW64\Laopdgcg.exe
C:\Windows\system32\Laopdgcg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbfiep32.exe

Filesize
359KB

MD5
835a832259bd49ed33489ecb59e79e12

SHA1
e9cfa28f408e9d566b2a88e40a9b8b81312fb264

SHA256
c96c9148e969665c4f02b832990fac42087863d967107460fd0a61476317a7fd

SHA512
0e74575ec248affa1938c22a3aa4665df0cfa075cfbeb46813f3f3cd0a7c42e7d7a3c915c007095eb29c36f898f618f299fdf85d9dee7a452b7716f8c97f4874

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
359KB

MD5
cef37db6e6f11b77167678d8a46187de

SHA1
91682e02a2f47ccef1c5b282439a05ddb36e6b1f

SHA256
5be69f4cc1c14f3ce983ef033ccb2ac59d1d1a90c6192fe6f49acb2b493c1c71

SHA512
25285e828d79c23d27a3da32b13168f00bffca7d172fda414590e1cacf75f20338f8576d79ccc345d577a148f60ce1f16d98e36508a68f7639cd2dd0aa298ad9

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
359KB

MD5
c7797291eb4de1894a4e9cbf7d84f25a

SHA1
2708ab33ddd99e13aad147e1baae0bd245029d3b

SHA256
f65459f4bf44e7f1804d659cf438374961cd8835d5e648e7910f10735a2a79f4

SHA512
f70750122e86e356484f2386396b2c7c9b9c01aad582f5357f5ab87c43a4b14d4a61fc889238132836befa6df3a578af0ea7e826bb80761e1262d8c5ead17728

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
359KB

MD5
d50e3cca142a712871cacc30fa080630

SHA1
a798c8550b9237d4ca7fc5246c79db3c47b55958

SHA256
8a1ab7cffae7520e2a0909897d249e412c8362af9c91a67ba442ce7aec1a5a04

SHA512
a0b5f38783ad65283c8538eebe07254a87def89c7d8cbdf0a9881e25d068439bd078171479b8c8706e56bc569ddb2217ac657feafc109ab208b840e2a9358b6c

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
359KB

MD5
ed8e1c8f06ecba129c2eb80c2dd24ed2

SHA1
37ea8af0e7cb01484fc09f398763c2302c362b97

SHA256
a6faa4e20698c53334613427efd8f054500ce59196320374526380997fd587db

SHA512
94a6d2edf32073291216d69e588ad2a2f7635c8245ff55b77afdee3b61761a014275782d430958743a0dad8538b4fa70536385dd6345054905201d7f13b0b760

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
93KB

MD5
c06d1898d54efe11dad82e7adb0961fd

SHA1
b4887b8dcbd163fee00b36a29451511c731d6659

SHA256
6cb7642c060989144232a65eef473b9fa60a15a38ebea8e65d22be211489b36e

SHA512
18180c55cec9706ff64762d28c6d09af27f6c13c0545274e50a14eff1cb494ce43621944aa2085d8fe3e57793e0ab5248ad624ef378b6c27804075a868a9ecb6

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
359KB

MD5
d35b5f81cdacd7fd8f4de94e982c3159

SHA1
e3db7af03567448d4f0de8eb0bcae99fc996af72

SHA256
6d35d7ac98343ffd0b405ef2165f41a040b5a9952a8bac5c59c63305d2846b6c

SHA512
45bca8b05bd19dba397eb4552e1ca8a039d8dc2f63080f0e11780d12f10155b34818bee7eab86b5bdf0b0cdf23a72c5957b4f4cc3309bf7bdf16164f42439545

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
359KB

MD5
ec462640f01eaf29b11ff7c47cd8c1a2

SHA1
a6eaa698d04a4219e07e32b4c8c90e65d90a514d

SHA256
363a74b7c106fb93a63b0b14c3472c0745d5c71438af2a60ddf8793a70784c53

SHA512
ff2e97afb30aff5e0a53c1ec957378ea78c021b4b409a374bc2975bd993c49e3df3e4469bf08ec9f385d979562c6c6100f1b407d24b743790fe3729593e6e861

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
359KB

MD5
0bf29a4fa2fdeba11f00272be0891f1d

SHA1
1aa310d2d61300b78655f56cab85b0c99f26d37f

SHA256
8c8723d51a30fe2fecb186692bf7589efb760a0c360eaf9f9cfa998153e8aba5

SHA512
660cb306e62d104b399ab61b096e58feefb51875ebb7aac988930bb2a2d39e7a4feac331c22ed37eb434a0911294a91ede400ee9284924f55872c87bf16365e0

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
359KB

MD5
2fca16fcea69dab53606841e437a9a1b

SHA1
158a52d45470dc8e7c74823b45982aafcf7f9302

SHA256
a596cdb10b3fe38ef33775074bcbf9ea450af7fc5ab5c8d72bd91771da2f85dd

SHA512
41c4d01ba97345f4fe4e0b529b0326bacba5257b4204e7d54c623423e820572cb02084eeb10b23612cfbe2f7a3562c36968c5e917e7f714eda233253df4cb15a

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
359KB

MD5
29dff979b26d1b80e9727ff068e18bff

SHA1
f72193eb63cdd411d8587f3bed0a23f618853fee

SHA256
b3b2a9a24d997b9b11cba998700ec26229eaeba7002bb6569639c5a1d7ebb8b1

SHA512
5b47a2e217aaef806fbaef56b48f3eff17c35ed71c67ea56e7a0cffb9da426655351cc219083b70b8f82d6d67187d1b4721926031570e98d4cd1420d42f5153a

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
115KB

MD5
23d85c57862e4d87e87e9818163a0c82

SHA1
a858adb4abbe20c60e85e4d0fb58b94bbbda1c51

SHA256
3d7ff24fb8786397744a4d80b10bb4a29afa6e9890935eb328d64de4dc007b83

SHA512
da0f794e73dc7d0302767a733db898f81bc170ff553d71264e3e9a3fa7513e94928fbd9f34a70116aa22e1a6e8c479044fee9214f45103a774ca02acb8ecaf5b

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
145KB

MD5
0f03b5129c3e7bf3fff1c71bccc7ffa1

SHA1
c8053511be7f650fa6bb4153748ad9a103f266ab

SHA256
333860659d6d15e281f5abb66f73739a85eee29917c4da54a920f2d58171039d

SHA512
f3a07ac5f09a37ca5745ee44d92c716f0b94f17463e1d1baff977332e655aea186957d8f06b1a13d18d7e0e64ffe6fe6ebd2f4f8e0542f57f7de422ca9f25af2

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
359KB

MD5
ab8242c11b80f3c8fbb6bdac795931b9

SHA1
3f0417c74a168dd1f404e21e1034d5b019538cfe

SHA256
1ee826599cb91a12a2f1fb4c9cda2ce8a8c8c4a346f3ebb3390d264074a49ca5

SHA512
142ea55fcb08d2e6b19d0dad76147b5fba3f6d5a7a2ead778caef51a88d8c468edc9cf7a381b599bcb7434e5fd4b0e5ea4f5a3feaab97262fd934f7f1674ab2d

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
359KB

MD5
49d3f0bbe1d29c0024e8cde1092240bf

SHA1
1204f2775e69ac03453af3e35465275e7334b9f3

SHA256
60dfc8e177f0ce4f051ca646d926c690f2b462f88722e7c951bf6e55d4d30429

SHA512
fdba28db2a79f541f259e097e0f2a876dfa1131e062a3741b3233cde17f03d1bf7a9e892081991162a1b2c42ab5aef64a9e1a05483cbeff95255ea02da20283e

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
359KB

MD5
683c0ad164b406c5ffc793b06981a393

SHA1
68c7bf68952c036459e93e71a25cc0144a4aa174

SHA256
66305b61f6e3ffa435f284d10579b1f77dcc913a53b5e91b5b96b50b3a2ea335

SHA512
3e676f18613ac528e4f48e8ba25a8536aba280d031f95d8c6ff44f54fa1a7cb4328e6b2c9bd601e2ac0f81962904a20ebb888503db74ab2aead80543f3afa27c

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
359KB

MD5
5d9f26dcf968f7e3d9c362076217bb84

SHA1
f4d680fbf3bb426942d910c84771cdb261486d34

SHA256
86752a24f9d572c6470b8356b59ef71881310999910a54e3ef65dc5c81946ffd

SHA512
15988e3373046a5b59837b99695eeb3857fd07b341f6b54616411bd7c639ffdb5e4e960d70379066b553299049d6464a26c37b05adf0747e77a814d830cd9864

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
359KB

MD5
ab52cd7e8409bdba3201806faa81a6af

SHA1
d36b78011462f319081c79afef4872a809560fff

SHA256
c91ffd9d018fcd2b59f4281fa117ae41fca7201b09c0ce763f09bb19761ebbfa

SHA512
933df26b57a5eae9eb23ee620aa69a543149ca06e06b26e2ac2c2a3cd1226c660768cde9a863b2e4a5426aaea135f064e7db3c39f53f151f82acae8899eb15c8

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
359KB

MD5
f0375b6df3f2bb387925ea7fe8eef060

SHA1
124e5c0cf1ceccb95b40f34f840f1555c121dbb7

SHA256
6ce74b31a174decf9eef3408f9f81589d1081f259aca8289c204d8bbb737d604

SHA512
1909bdabeb76b1f029dc73e007b72d020611246b6e460e8c74bcd6297e910f8cc557322a41d980c7a16287658d03a50932413fe547f932690b685fa579bb3ee7

Download Submit
C:\Windows\SysWOW64\Offdjb32.dll

Filesize
7KB

MD5
ded77a96b5eceb594799c27a6201349f

SHA1
b71edc872fa7bb191e30fa7c63e97619d013b93e

SHA256
23d8ce0968e40c8a7b8c1d1479cf9af0f6ef7bb9260291d1d7fd190e13868361

SHA512
ac53899d5de140ec7859e8027c81c700266686d684478eefcece3845aebd474ab6de073dfe0f2ac3041228caa52a1d3f3c0fcb259bdfae21cd730569c5272533

Download Submit
memory/512-32-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/540-16-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/812-244-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/868-284-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/880-64-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1100-40-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1368-315-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1608-278-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1632-128-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1696-232-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1700-348-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1740-24-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1780-316-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/1928-313-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2004-248-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2024-111-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2140-184-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2144-201-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2236-286-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2316-96-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2360-73-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2408-223-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2804-80-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3080-362-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3176-297-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3204-330-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3360-104-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3512-196-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3536-7-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3744-172-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3752-218-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3896-258-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3920-324-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/3984-213-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4164-88-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4244-337-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4268-302-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4296-175-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4344-262-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4476-56-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4552-136-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4560-160-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4640-148-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4664-344-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4736-152-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4796-268-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4828-120-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/4864-54-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5076-0-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5116-357-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5152-364-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5200-370-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5244-381-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5280-387-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5320-388-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5364-394-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5408-404-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5452-406-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5496-416-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5536-420-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5580-428-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5616-430-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5660-436-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/5700-447-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads