c58613bd1073e69e3e48557672dea7951ae11814311c91b18a5da2093305961f

Analysis

max time kernel
0s
max time network
84s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
08/01/2024, 20:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

09979eaabdd60e26c70db66ed31c366a.exe
Size

63KB
MD5

09979eaabdd60e26c70db66ed31c366a
SHA1

a6e9c6a6eedc85da222c94800dc38f26583e607f
SHA256

c58613bd1073e69e3e48557672dea7951ae11814311c91b18a5da2093305961f
SHA512

8c286c9e19326c6c8ace24b08a3d39a305455dc8f32d9ba80de839b369894e9f005a73edb96e824c6a67f9e59c7f0b4e4d6a0baa357ecc997a1fb24eaf062223
SSDEEP

1536:lFsyaUqkkRt/tqJrSWgB4AhLDzMSO0Na+V+En9rjDHE:jsy/3kRtY5Ra4A+0Nao+k9DHE

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	09979eaabdd60e26c70db66ed31c366a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	09979eaabdd60e26c70db66ed31c366a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe

Executes dropped EXE 10 IoCs

pid	Process
1740	Kgdbkohf.exe
4360	Kibnhjgj.exe
1700	Kdhbec32.exe
2248	Kgfoan32.exe
4540	Liekmj32.exe
4536	Lpocjdld.exe
3392	Lcmofolg.exe
2164	Lkdggmlj.exe
2016	Lmccchkn.exe
2608	Ldmlpbbj.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	09979eaabdd60e26c70db66ed31c366a.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	09979eaabdd60e26c70db66ed31c366a.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Liekmj32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	09979eaabdd60e26c70db66ed31c366a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	4604	WerFault.exe	31

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	09979eaabdd60e26c70db66ed31c366a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmafhe32.dll"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kgfoan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	09979eaabdd60e26c70db66ed31c366a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	09979eaabdd60e26c70db66ed31c366a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejif32.dll"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	09979eaabdd60e26c70db66ed31c366a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	09979eaabdd60e26c70db66ed31c366a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	09979eaabdd60e26c70db66ed31c366a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Liekmj32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 1740	3688	09979eaabdd60e26c70db66ed31c366a.exe	68
PID 3688 wrote to memory of 1740	3688	09979eaabdd60e26c70db66ed31c366a.exe	68
PID 3688 wrote to memory of 1740	3688	09979eaabdd60e26c70db66ed31c366a.exe	68
PID 1740 wrote to memory of 4360	1740	Kgdbkohf.exe	67
PID 1740 wrote to memory of 4360	1740	Kgdbkohf.exe	67
PID 1740 wrote to memory of 4360	1740	Kgdbkohf.exe	67
PID 4360 wrote to memory of 1700	4360	Kibnhjgj.exe	66
PID 4360 wrote to memory of 1700	4360	Kibnhjgj.exe	66
PID 4360 wrote to memory of 1700	4360	Kibnhjgj.exe	66
PID 1700 wrote to memory of 2248	1700	Kdhbec32.exe	17
PID 1700 wrote to memory of 2248	1700	Kdhbec32.exe	17
PID 1700 wrote to memory of 2248	1700	Kdhbec32.exe	17
PID 2248 wrote to memory of 4540	2248	Kgfoan32.exe	64
PID 2248 wrote to memory of 4540	2248	Kgfoan32.exe	64
PID 2248 wrote to memory of 4540	2248	Kgfoan32.exe	64
PID 4540 wrote to memory of 4536	4540	Liekmj32.exe	63
PID 4540 wrote to memory of 4536	4540	Liekmj32.exe	63
PID 4540 wrote to memory of 4536	4540	Liekmj32.exe	63
PID 4536 wrote to memory of 3392	4536	Lpocjdld.exe	62
PID 4536 wrote to memory of 3392	4536	Lpocjdld.exe	62
PID 4536 wrote to memory of 3392	4536	Lpocjdld.exe	62
PID 3392 wrote to memory of 2164	3392	Lcmofolg.exe	61
PID 3392 wrote to memory of 2164	3392	Lcmofolg.exe	61
PID 3392 wrote to memory of 2164	3392	Lcmofolg.exe	61
PID 2164 wrote to memory of 2016	2164	Lkdggmlj.exe	60
PID 2164 wrote to memory of 2016	2164	Lkdggmlj.exe	60
PID 2164 wrote to memory of 2016	2164	Lkdggmlj.exe	60
PID 2016 wrote to memory of 2608	2016	Lmccchkn.exe	59
PID 2016 wrote to memory of 2608	2016	Lmccchkn.exe	59
PID 2016 wrote to memory of 2608	2016	Lmccchkn.exe	59

C:\Users\Admin\AppData\Local\Temp\09979eaabdd60e26c70db66ed31c366a.exe
"C:\Users\Admin\AppData\Local\Temp\09979eaabdd60e26c70db66ed31c366a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Windows\SysWOW64\Kgdbkohf.exe
  C:\Windows\system32\Kgdbkohf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1740

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\Liekmj32.exe
  C:\Windows\system32\Liekmj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4540

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
1⤵
PID:536
- C:\Windows\SysWOW64\Lijdhiaa.exe
  C:\Windows\system32\Lijdhiaa.exe
  2⤵
  PID:4472

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
PID:2512
- C:\Windows\SysWOW64\Lcdegnep.exe
  C:\Windows\system32\Lcdegnep.exe
  2⤵
  PID:4340

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
PID:3476
- C:\Windows\SysWOW64\Mnlfigcc.exe
  C:\Windows\system32\Mnlfigcc.exe
  2⤵
  PID:3240
- - C:\Windows\SysWOW64\Mdfofakp.exe
    C:\Windows\system32\Mdfofakp.exe
    3⤵
    PID:4592
  - - C:\Windows\SysWOW64\Mkpgck32.exe
      C:\Windows\system32\Mkpgck32.exe
      4⤵
      PID:916
    - - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        5⤵
        
        PID:316

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
1⤵
PID:1812
- C:\Windows\SysWOW64\Mcnhmm32.exe
  C:\Windows\system32\Mcnhmm32.exe
  2⤵
  PID:2904

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
PID:2408
- C:\Windows\SysWOW64\Njogjfoj.exe
  C:\Windows\system32\Njogjfoj.exe
  2⤵
  PID:5012

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
1⤵
PID:4240
- C:\Windows\SysWOW64\Ncgkcl32.exe
  C:\Windows\system32\Ncgkcl32.exe
  2⤵
  PID:4992

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:5024
- C:\Windows\SysWOW64\Nbhkac32.exe
  C:\Windows\system32\Nbhkac32.exe
  2⤵
  PID:3996

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:1392
- C:\Windows\SysWOW64\Nnolfdcn.exe
  C:\Windows\system32\Nnolfdcn.exe
  2⤵
  PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4604 -ip 4604
1⤵
PID:4492

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 412
  2⤵
  - Program crash
  PID:1204

C:\Windows\SysWOW64\Ndidbn32.exe
C:\Windows\system32\Ndidbn32.exe
1⤵
PID:4312

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
PID:5008

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
PID:5088

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
PID:4704

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
PID:3640

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
1⤵
PID:3540

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
PID:3488

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
PID:2404

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
1⤵
PID:2356

C:\Windows\SysWOW64\Lpcmec32.exe
C:\Windows\system32\Lpcmec32.exe
1⤵
PID:4016

C:\Windows\SysWOW64\Laalifad.exe
C:\Windows\system32\Laalifad.exe
1⤵
PID:2252

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\SysWOW64\Lmccchkn.exe
C:\Windows\system32\Lmccchkn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\Lkdggmlj.exe
C:\Windows\system32\Lkdggmlj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
28KB

MD5
a293cac014f340abbdf9a19df1d7922b

SHA1
4e215d8ce451124e6c45386d35f499347cc41438

SHA256
de25e404d1f50cb4af1a984e16003f6020ea2c101b487c3b2f973fedba81a815

SHA512
8636f43f071872b44c0301063a7b78a46f74a45cd183493c457d7c20bd698be23fc9a84080e6db516132cfbbdd422f9bf36f3c176e35940f6a78120d1653f8cb

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
63KB

MD5
962adc5b53f1c37bf0db9d3ce66ca91d

SHA1
cfea10c5359a3cc7951efeb1c764d7d01bd22027

SHA256
0cf37ea43e6fcd9da2dc50beea1d2c8fd1d752f0f60ee5cf2a43de6a5ab6e4f6

SHA512
e58df58aad5a2e11771570e1d0a13cae830a25d88573e38f34a4287edbb5eee39912f735cad4f9fc72fcdde0ee0a901c4fb5b82d644e077c17cc0f63ff71a2e4

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
19KB

MD5
ef53ea0e45233bb3542f80214b6231f8

SHA1
846fb7098410b6a37e225c6667d44ef1dfccc5b5

SHA256
5cd2c8ff418a2509a454cceca90052d776025b7b7c8517b8b3d3b2f787904be9

SHA512
be5409635e522b969f2055ad28150448dd5caa5f9f1b0c6fe9b90ffac050ca89656afe69ad34c2a592e4598763f86fdc58085b5c3434a469c141180858d22388

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
35KB

MD5
8ec33006aa1cfdc63c748fe9b2e254f1

SHA1
721d088916b80f9fbe7262d1fe13fad532d4f54e

SHA256
11f592a77ea7205b206c6386b9cebd45800921552ebc982108cc7519a057becc

SHA512
ebc37d8ee8a3b8a5203babcd6751bdb1cda6b77599b6cc7af2b1cf369de001fd3593e976029f5d6d4fc8fe0c1166a2c0281d69244886a726c314e5bc3c1b8989

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
32KB

MD5
a308d570512b807707471aa80a5d760b

SHA1
36b2bb16c44f50af624e822110ad2bcfb5f64bb0

SHA256
51a7e7b0acd86d9085ff38b1aaf9f3d32d7c3cbf5cb0fa781a11c9e0cb7560d5

SHA512
c65529cdc5fbcf73fa85bc928cbc0adfc2dba1e3663a8f72793db72b94b655e7107e90a2a7a54661116a672131f305f310ed73b8b4b602a76a1ab34e00ada2f4

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
4KB

MD5
a02dc42d7a7c4ccc3184c618c388bdc2

SHA1
a83d37f93e2818f2adff41e61be01d78811f4dee

SHA256
0368ca74c872fa60404006601ef4fd6535bc38436f997742238043dee71056a2

SHA512
af05ffeaa65a38ff85cedc778a2604e41d0dc57bbdb33f4a6d3fcbd54b3990a7fc60d2a003d8a3286bc33ed024b4e459a5858dafc14476d758f6f81f75291a7e

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
32KB

MD5
4b1e36ad1f4605d1e3b12ba441c90abe

SHA1
d6d17182bb414ff7b9a9606a586b6053d3154f30

SHA256
b622f69bd4c047b5c50178eba64c6b3a2bb6d52f2dd88ef6c9f5d757d3c64e8e

SHA512
4e9ac8d20a07dc19a757bbd86d2d942e93d2f7f00f188b39b2791d89ab59f590c8fa83feccdae74c15c48d742bf5e6a53dd9ab8db89b32b05f064a41eee53e8e

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
4KB

MD5
fcb153abe703a25c58b50d57da683d0c

SHA1
401fa1665c5c6c5abf129bd3e98344312e77dae9

SHA256
b6cb75af0cf0a2a8fa33c28df6492a471f403bbcde0c7948ba6cfb281ad2f893

SHA512
aa71441d8fada60d0b17f2baea80e2eb9c1c1b4998d8a6aee48ac9e11e739168efdb29034c436ea72435ed2952fc27d44c540b6e908b8891d77e0476eafa08f5

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
32KB

MD5
5321d75daf1d0735cabb3844da80a323

SHA1
97380f35ffff628decb32ae729f7233d6e4bb143

SHA256
42a15d74149e3c129758737d883fa6012f123a7d72133bb16be1281b587685e9

SHA512
cf5bb7a3aa37493d5abd9583bcab81447f8ed2c02cecd7b761057954182bf06ae174c166022cf85a80c369a44a7bcef7012e847ad43b1789bf43e296dc60e671

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
63KB

MD5
41719e89e650fd14921faa2bdcc901f1

SHA1
12f704836431d63b7c031da5a42e6e7ac32cf547

SHA256
fa884f21284067a05fbda13d8c7bd6f1f299683d8a066675a9d511c8adedf2ce

SHA512
85b21f5305d26a75e95969f6a6455aa714970114f1f28ba9b387f90366355e949173917b759dbfd1ef3bbc0b472d68420fb731d5b750b2baa6c0c2c97f057d86

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
63KB

MD5
9030bca3e6f50ad0acce5e58f26f7eff

SHA1
376eabcedf3f073f9d39beacd50041444c43746a

SHA256
02f17f547b8882f3ff4e563a6c9be0418b07d3a0f45857134065e617b7511682

SHA512
56d4ad495f7704237a3a08cfcf04b0bd3afe89a139bbb97b25784f73ef3c9cfcecfc1b0e039c3cfc24fe2b45c234f8b2b61a815800b5ee0336637ae98a65701c

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
63KB

MD5
869c87ed2948cdc654179c48eaabd080

SHA1
c4ea987abb656d6ba29ac080976c8a543447e77e

SHA256
9395ef5ecab8d24c20e22fa92ffde14a85c1ff2114135e2f4fb40246f72d53c7

SHA512
02bed900f17170458f31e46dba6e7d1c4353e63f7fa9ef86ba5d599fb785e39021537c0d98b7804e5e156f601d821fbdda33c220e7b222851f66b49aeb58a13b

Download Submit
memory/316-208-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/316-319-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/536-332-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/536-88-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-320-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-200-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1240-298-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1240-313-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1392-296-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1700-24-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1740-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1812-235-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1812-317-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2016-72-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2164-64-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2248-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-330-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2252-103-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2356-328-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2356-120-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2404-127-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2404-326-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2408-256-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2408-315-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2512-327-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2512-136-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2608-84-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2904-316-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2904-240-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3240-321-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3240-184-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3392-56-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3476-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3488-152-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3488-324-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3540-323-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3540-160-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3640-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3688-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3996-291-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4016-112-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4016-329-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4240-273-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4312-304-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4312-312-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4340-325-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4340-144-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4360-16-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4472-95-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4472-331-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4536-47-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4540-40-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4592-196-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-311-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4604-310-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4704-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4992-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5008-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5012-266-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5024-314-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5024-280-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-318-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5088-224-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads