cd27622dc26ebeee6f19723f72bac9bb49e0c988d8cc19479d3edb3a18359165

Analysis

max time kernel
0s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Size

387KB
MD5

ccf82d6bb895a791dfb83b0f1ef08bb7
SHA1

aabbc6990ffcb21e175f3ca51ca36a28d68beeff
SHA256

cd27622dc26ebeee6f19723f72bac9bb49e0c988d8cc19479d3edb3a18359165
SHA512

dc0e198277378a10132f3e55efa8b4d91d6d2958aa1e15d3e29333c9740b81d1e4e3289f00d027470fc7088ad0ffd9083552f240c1a091ec21e8e565cc7a80fb
SSDEEP

3072:3jKJwuODCaZ5xOzBBUmEDxuHm9jqLsFmsdYXmpFmsd7IEsJG9hmfGsRA7xA6H:3jZuOOEgHixuqjwszeXmpzKPJG9EeIMT

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe

Executes dropped EXE 10 IoCs

pid	Process
1148	Lnhmng32.exe
3684	Lpfijcfl.exe
2608	Lcdegnep.exe
4160	Lklnhlfb.exe
4504	Lnjjdgee.exe
2296	Lcgblncm.exe
3828	Lknjmkdo.exe
2192	Mahbje32.exe
3228	Mciobn32.exe
4012	Mkpgck32.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Eeandl32.dll	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Dnapla32.dll	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lcdegnep.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	1228	WerFault.exe	21

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeandl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	ccf82d6bb895a791dfb83b0f1ef08bb7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 1148	4468	ccf82d6bb895a791dfb83b0f1ef08bb7.exe	49
PID 4468 wrote to memory of 1148	4468	ccf82d6bb895a791dfb83b0f1ef08bb7.exe	49
PID 4468 wrote to memory of 1148	4468	ccf82d6bb895a791dfb83b0f1ef08bb7.exe	49
PID 1148 wrote to memory of 3684	1148	Lnhmng32.exe	48
PID 1148 wrote to memory of 3684	1148	Lnhmng32.exe	48
PID 1148 wrote to memory of 3684	1148	Lnhmng32.exe	48
PID 3684 wrote to memory of 2608	3684	Lpfijcfl.exe	16
PID 3684 wrote to memory of 2608	3684	Lpfijcfl.exe	16
PID 3684 wrote to memory of 2608	3684	Lpfijcfl.exe	16
PID 2608 wrote to memory of 4160	2608	Lcdegnep.exe	47
PID 2608 wrote to memory of 4160	2608	Lcdegnep.exe	47
PID 2608 wrote to memory of 4160	2608	Lcdegnep.exe	47
PID 4160 wrote to memory of 4504	4160	Lklnhlfb.exe	17
PID 4160 wrote to memory of 4504	4160	Lklnhlfb.exe	17
PID 4160 wrote to memory of 4504	4160	Lklnhlfb.exe	17
PID 4504 wrote to memory of 2296	4504	Lnjjdgee.exe	46
PID 4504 wrote to memory of 2296	4504	Lnjjdgee.exe	46
PID 4504 wrote to memory of 2296	4504	Lnjjdgee.exe	46
PID 2296 wrote to memory of 3828	2296	Lcgblncm.exe	45
PID 2296 wrote to memory of 3828	2296	Lcgblncm.exe	45
PID 2296 wrote to memory of 3828	2296	Lcgblncm.exe	45
PID 3828 wrote to memory of 2192	3828	Lknjmkdo.exe	44
PID 3828 wrote to memory of 2192	3828	Lknjmkdo.exe	44
PID 3828 wrote to memory of 2192	3828	Lknjmkdo.exe	44
PID 2192 wrote to memory of 3228	2192	Mahbje32.exe	42
PID 2192 wrote to memory of 3228	2192	Mahbje32.exe	42
PID 2192 wrote to memory of 3228	2192	Mahbje32.exe	42
PID 3228 wrote to memory of 4012	3228	Mciobn32.exe	41
PID 3228 wrote to memory of 4012	3228	Mciobn32.exe	41
PID 3228 wrote to memory of 4012	3228	Mciobn32.exe	41

C:\Users\Admin\AppData\Local\Temp\ccf82d6bb895a791dfb83b0f1ef08bb7.exe
"C:\Users\Admin\AppData\Local\Temp\ccf82d6bb895a791dfb83b0f1ef08bb7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\SysWOW64\Lnhmng32.exe
  C:\Windows\system32\Lnhmng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1148

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Windows\SysWOW64\Lklnhlfb.exe
  C:\Windows\system32\Lklnhlfb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4160

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\SysWOW64\Lcgblncm.exe
  C:\Windows\system32\Lcgblncm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2296

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
1⤵
PID:1272
- C:\Windows\SysWOW64\Mpolqa32.exe
  C:\Windows\system32\Mpolqa32.exe
  2⤵
  PID:1660

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
PID:3244
- C:\Windows\SysWOW64\Nqmhbpba.exe
  C:\Windows\system32\Nqmhbpba.exe
  2⤵
  PID:4372

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
PID:768

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:1228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 192
  2⤵
  - Program crash
  PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1228 -ip 1228
1⤵
PID:1452

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:4656

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
PID:2668

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
PID:220

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
PID:3560

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
PID:3512

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
PID:668

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
PID:1308

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
1⤵
PID:1692

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:1584

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
1⤵
PID:4856

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
1⤵
PID:3208

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
PID:2112

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3228

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
4KB

MD5
dd9886a4f765297110a0be8d91f1aa83

SHA1
fa668b44a03fc53aa5887ec6d96c094b4ae48cf5

SHA256
7e2df0ea8d56d346a4f4ed4076a94cceb442886756cb6798b82535ab0f775d4b

SHA512
2d764d6d7f7bf6728e46e19bdeb00b46c47efbc52a1b1d5f65ba28022d500bf925110adfb946bbded5f55b98c8d6fac2bab4028cc16bcce701eae226c2a3d0cb

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
15KB

MD5
99ac084e2b6941d1078978f84c8b23f5

SHA1
936fa83895417dcb10b57c3d26aba6c5168254d3

SHA256
404569f5855198e8cb871fcf5d8047e56c57d608b21503e46179337277a415db

SHA512
1ecc6d1514864591a4d4ba3184fc18f1783eacd191e5a68596c9e6b4ea024a121d0ba0704ac43507e85bf829a7a855fc9213eb86af525dc40d8e8e1a1c532071

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
29KB

MD5
cba00e9af8f9d0c28c03c97009506b02

SHA1
4c9dad3643a0fcf0b4f87160f82122ebdc8884e9

SHA256
a92788ec76a7c5af56dabacfe1b81c3becef5d0cda07fd033c723b577a7a3f28

SHA512
f87b050cb9523c167d8f388225be47252394c60752e717d0bc99d6b06e169a048a81cf5f3e98c3f259fe0a0dbf3978409875fd0247b43332db94324411934b4a

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
13KB

MD5
25e116c77c526dc01428a475df548437

SHA1
df1a4f6db89029615e48a19e166ca330d35fb919

SHA256
38bb5f11fdef3e662ac79fb7edec2974cffb7e1c9813161e501c21f48d65c8ac

SHA512
6868b929ff1472fab581c8d935e7b84c4cf8a80122d6e202e79c6b29411c58bf9b4b20fe775145da6dabc57fec3c01ca4a5c7a0549cfb4432488b0e87ca30504

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
14KB

MD5
081fecb1b5106aac8aead734d0d55433

SHA1
c5a8f0cea1a3b378925f2db89bfe397a44294437

SHA256
96c784f24b1d6fcc4245f081f2d374ec85246555631430463025937f22ad2ad6

SHA512
020982c851cd9d9a2d26808a23b8b17b55ce4e8bf6ead99ad37fc421d84e09b3e7c3ac7aa132e73f3e9970e84bc9c61fd97991ae3deaf9841c50fe6e3779e2f1

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
87KB

MD5
48d12445ae06f5a587f32544ec442a9a

SHA1
74960c0727e467401cd0459ffe1c7f06d65094ec

SHA256
ad21ed5dbe88ce81d22e6ca0756318ae12259ca9c97b6732955b32f2dbb05048

SHA512
22d1d3e9673b75aa5228dd9b5bae01ae385f52cb8a9130d1076729e8aeb143066e8fd203a2a0c501ba3121beb92d5365759c407cbb1c4f49c5aa1645ecf758cd

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
71KB

MD5
0387cabf72c8ad3b52459d246e5fbddd

SHA1
8630e35135fa559fdb220be19115878e6c3ba28d

SHA256
7c24585dca8a5b7b18cc6d9c1f5ce6b67d4dc06278ca9f75aca89adef328f7ec

SHA512
7a46efdbbdc5d8a0d904bc7e5703e69c2d601130369c7352f5f3591dca3b621c11fb2172dd554f0776d0ce7c1cd3f2e06dc3446e23152cc48e015b738e0683e9

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
182KB

MD5
9fc48b0058b4ba2a9043b676aac0c2bb

SHA1
0fdfe5c661cc6f1b3177554b65b6d3d8b7cb9108

SHA256
4d0c29b00f88e77abe7330bfe614d9d70724bd7398ac1e2d20f280e587dfc276

SHA512
e23992ecb28cccf11689735bb59d8467d54f86f66e2eb4df58310a9bcd69d3b63e6956811d702f64e0b414b802dd3e575c3e9e14cefac88a0ddb4d0959a84c2a

Download Submit
memory/220-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/668-236-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/668-154-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-227-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1228-226-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1272-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1308-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1692-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2192-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2296-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2608-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-186-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3228-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3244-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-235-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3512-162-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-172-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3684-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3828-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-83-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4012-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4160-33-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4372-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4468-4-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-218-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4656-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads