5cd629165f995be1d4f4a3e5d7133817f7395f125fdc2e091e3f85c2beae22f4

Analysis

max time kernel
0s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca57e4cdc63115be351b05ffd87f5f32.exe
Size

512KB
MD5

ca57e4cdc63115be351b05ffd87f5f32
SHA1

399e22a0796632463b5a388009a5ee0896498172
SHA256

5cd629165f995be1d4f4a3e5d7133817f7395f125fdc2e091e3f85c2beae22f4
SHA512

b5c49751a38f0c45f970e92ab2ba310618ad6a3e1131a620a7121d57590ea57e0577b5eec77be33408b032b91f275d4a8c7b2e738f9165964a9cac81ab18d953
SSDEEP

6144:a9M4853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:gbQBpnchWcZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ca57e4cdc63115be351b05ffd87f5f32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ca57e4cdc63115be351b05ffd87f5f32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe

Executes dropped EXE 10 IoCs

pid	Process
4204	Kibnhjgj.exe
1960	Kpmfddnf.exe
1700	Kckbqpnj.exe
1464	Kgfoan32.exe
3120	Lmqgnhmp.exe
4268	Lpocjdld.exe
4188	Lcmofolg.exe
1668	Liggbi32.exe
1664	Lpappc32.exe
224	Lcpllo32.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kgfoan32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Bnjdmn32.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Pipagf32.dll	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	ca57e4cdc63115be351b05ffd87f5f32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Kgfoan32.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	ca57e4cdc63115be351b05ffd87f5f32.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	ca57e4cdc63115be351b05ffd87f5f32.exe
File created	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lmqgnhmp.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kgfoan32.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5588	5488	WerFault.exe	29

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ca57e4cdc63115be351b05ffd87f5f32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ca57e4cdc63115be351b05ffd87f5f32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	ca57e4cdc63115be351b05ffd87f5f32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	ca57e4cdc63115be351b05ffd87f5f32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdmn32.dll"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	ca57e4cdc63115be351b05ffd87f5f32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kgfoan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ca57e4cdc63115be351b05ffd87f5f32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipagf32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lcmofolg.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 4204	3444	ca57e4cdc63115be351b05ffd87f5f32.exe	13
PID 3444 wrote to memory of 4204	3444	ca57e4cdc63115be351b05ffd87f5f32.exe	13
PID 3444 wrote to memory of 4204	3444	ca57e4cdc63115be351b05ffd87f5f32.exe	13
PID 4204 wrote to memory of 1960	4204	Kibnhjgj.exe	84
PID 4204 wrote to memory of 1960	4204	Kibnhjgj.exe	84
PID 4204 wrote to memory of 1960	4204	Kibnhjgj.exe	84
PID 1960 wrote to memory of 1700	1960	Kpmfddnf.exe	83
PID 1960 wrote to memory of 1700	1960	Kpmfddnf.exe	83
PID 1960 wrote to memory of 1700	1960	Kpmfddnf.exe	83
PID 1700 wrote to memory of 1464	1700	Kckbqpnj.exe	14
PID 1700 wrote to memory of 1464	1700	Kckbqpnj.exe	14
PID 1700 wrote to memory of 1464	1700	Kckbqpnj.exe	14
PID 1464 wrote to memory of 3120	1464	Kgfoan32.exe	82
PID 1464 wrote to memory of 3120	1464	Kgfoan32.exe	82
PID 1464 wrote to memory of 3120	1464	Kgfoan32.exe	82
PID 3120 wrote to memory of 4268	3120	Lmqgnhmp.exe	81
PID 3120 wrote to memory of 4268	3120	Lmqgnhmp.exe	81
PID 3120 wrote to memory of 4268	3120	Lmqgnhmp.exe	81
PID 4268 wrote to memory of 4188	4268	Lpocjdld.exe	80
PID 4268 wrote to memory of 4188	4268	Lpocjdld.exe	80
PID 4268 wrote to memory of 4188	4268	Lpocjdld.exe	80
PID 4188 wrote to memory of 1668	4188	Lcmofolg.exe	77
PID 4188 wrote to memory of 1668	4188	Lcmofolg.exe	77
PID 4188 wrote to memory of 1668	4188	Lcmofolg.exe	77
PID 1668 wrote to memory of 1664	1668	Liggbi32.exe	76
PID 1668 wrote to memory of 1664	1668	Liggbi32.exe	76
PID 1668 wrote to memory of 1664	1668	Liggbi32.exe	76
PID 1664 wrote to memory of 224	1664	Lpappc32.exe	75
PID 1664 wrote to memory of 224	1664	Lpappc32.exe	75
PID 1664 wrote to memory of 224	1664	Lpappc32.exe	75

C:\Users\Admin\AppData\Local\Temp\ca57e4cdc63115be351b05ffd87f5f32.exe
"C:\Users\Admin\AppData\Local\Temp\ca57e4cdc63115be351b05ffd87f5f32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\Kibnhjgj.exe
  C:\Windows\system32\Kibnhjgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\Kpmfddnf.exe
    C:\Windows\system32\Kpmfddnf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1960

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\Lmqgnhmp.exe
  C:\Windows\system32\Lmqgnhmp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3120

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
1⤵
PID:2848
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  PID:2088

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
PID:1572
- C:\Windows\SysWOW64\Mnfipekh.exe
  C:\Windows\system32\Mnfipekh.exe
  2⤵
  PID:1020

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
PID:972
- C:\Windows\SysWOW64\Nkjjij32.exe
  C:\Windows\system32\Nkjjij32.exe
  2⤵
  PID:4616
- - C:\Windows\SysWOW64\Njljefql.exe
    C:\Windows\system32\Njljefql.exe
    3⤵
    PID:4380

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
PID:3964
- C:\Windows\SysWOW64\Ndbnboqb.exe
  C:\Windows\system32\Ndbnboqb.exe
  2⤵
  PID:3560

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
PID:4568
- C:\Windows\SysWOW64\Nklfoi32.exe
  C:\Windows\system32\Nklfoi32.exe
  2⤵
  PID:208
- - C:\Windows\SysWOW64\Nnjbke32.exe
    C:\Windows\system32\Nnjbke32.exe
    3⤵
    PID:3016

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
PID:3004
- C:\Windows\SysWOW64\Ncgkcl32.exe
  C:\Windows\system32\Ncgkcl32.exe
  2⤵
  PID:2644

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:1332
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\Nbhkac32.exe
    C:\Windows\system32\Nbhkac32.exe
    3⤵
    PID:5132

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:5172
- C:\Windows\SysWOW64\Ngedij32.exe
  C:\Windows\system32\Ngedij32.exe
  2⤵
  PID:5220

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:5356
- C:\Windows\SysWOW64\Ndidbn32.exe
  C:\Windows\system32\Ndidbn32.exe
  2⤵
  PID:5396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5488 -ip 5488
1⤵
PID:5556

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:5488
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5488 -s 400
  2⤵
  - Program crash
  PID:5588

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
PID:5444

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
PID:5312

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:5268

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
PID:2104

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
PID:624

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
PID:2500

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
1⤵
PID:5044

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:4892

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
1⤵
PID:2532

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
PID:4808

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
PID:228

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
1⤵
PID:3044

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
PID:628

C:\Windows\SysWOW64\Majopeii.exe
C:\Windows\system32\Majopeii.exe
1⤵
PID:1044

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
1⤵
PID:1768

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
PID:3112

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
PID:3568

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
PID:4264

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
1⤵
PID:744

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
1⤵
PID:4928

C:\Windows\SysWOW64\Lphfpbdi.exe
C:\Windows\system32\Lphfpbdi.exe
1⤵
PID:2976

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
1⤵
PID:1308

C:\Windows\SysWOW64\Lklnhlfb.exe
C:\Windows\system32\Lklnhlfb.exe
1⤵
PID:5060

C:\Windows\SysWOW64\Lcdegnep.exe
C:\Windows\system32\Lcdegnep.exe
1⤵
PID:1408

C:\Windows\SysWOW64\Lpfijcfl.exe
C:\Windows\system32\Lpfijcfl.exe
1⤵
PID:1924

C:\Windows\SysWOW64\Lilanioo.exe
C:\Windows\system32\Lilanioo.exe
1⤵
PID:2468

C:\Windows\SysWOW64\Lcbiao32.exe
C:\Windows\system32\Lcbiao32.exe
1⤵
PID:796

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
1⤵
PID:4924

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
1⤵
PID:1832

C:\Windows\SysWOW64\Lcpllo32.exe
C:\Windows\system32\Lcpllo32.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
92KB

MD5
83b30d48d37231d5631532c6e05c971d

SHA1
c5a8f41dbb39e7de1a0ae2bef97341c89dbcf412

SHA256
e078ec1bcfd3f8ee694a8eea152098767250abb0e5c28f18f605aea07d21d2be

SHA512
d895f543e37c817b6bc47177647d49f8dd20e646f6038e1a172fa9f38251ae83300902112f44b1ce51e41466032871d609eebdee8addb188bf4686f6d044fdfc

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
512KB

MD5
318e5f0050b08c99a996d7439eb08e96

SHA1
42be6d2ff3b77d7fcde4e97fda867fcf4c69323e

SHA256
6ae466167101406eadc8e8d156311b4a69e693aa84a5eea4a6a5e988c8e10fde

SHA512
30e8dbb1467ecfb202f8c666033e7af3f37920d4e149db2e6c0c033fe64d3013443f11c26d324a707dd0072754f311922f163f111088988a0db4e1b7c8b332e8

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
512KB

MD5
77780e276cdf5f87cc6d079f2ebfa913

SHA1
87a59b0cc8ef76d2e040405e7f35b834cc3fa912

SHA256
096ecd4c424490af69c09ab698e1f0a4fed418b8775c9b81b50506e02ffb9f87

SHA512
f50cf5ba33b7d9a700aa16b968662b218db19fe23d4a343ec9af1d046f9a4131c486520c3a781f939a9fe8fe20189e7d01ecf01d98f6c6a29d0180a25e0d0dce

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
512KB

MD5
80499b584f94c87fe83dcf7b9e0f60f2

SHA1
a82bf6b0ca0fdd6ccf3aacbc08b89385e41a04f7

SHA256
4b510d7cc9d4914eb8c25456d0c47ce8a68c476a8412a4520d03cd511320419b

SHA512
526259561db468090cf08ce13889c50d88e9073c38eeb6336558520f921664388d26b69ca24a6494bfa3bc4e9d16252910ddc51ebd9e93ac15a8bfb1e13999ac

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
512KB

MD5
09570a5bb7e6d278f0cb21508c0cd5c4

SHA1
82e91f6dc6b17b9b35f5ca6c9ea3ccc8b7a2989c

SHA256
e105fe8fb02be6716adb7c5253a9355e749e1cf20d7eb96d7ad4f73d1454a255

SHA512
e37432b07dbc1845ebda0f9e429646fd98c2f0208d2095a3ba59a6941c2e31500c728555c78bedebe349e1a74c935d658aa1797210c860590e0e9a320ecf7997

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
512KB

MD5
e11febdb78d76816965e3e4c0cf97b4c

SHA1
8492cfb97c2717523cc061744aa5dcc0c49f6e26

SHA256
5b1a44c92ae2c781a4064308d93f30a5e1f6d9837b2996af82508805598f90f1

SHA512
ce274e5c57b18af2a24c4d28b6f9cfda28a28752503ca619d5e9c2fcf6155ee257e5e87f6f86b5ec38da6da719d98b2f499c9a5d56b6a4f174b33f157bf56264

Download Submit
memory/224-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/224-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-269-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/624-311-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/628-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/796-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1020-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-222-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-157-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1464-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1572-314-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-161-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1668-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1700-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-214-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1768-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-179-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1832-90-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1960-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-121-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2500-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-284-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2848-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-251-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-162-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-313-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3044-243-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3112-208-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3568-279-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3568-196-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4204-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4268-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4396-475-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4808-273-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4892-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-255-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5044-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5172-473-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5220-472-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5268-471-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5396-468-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads