64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe

Analysis

max time kernel
91s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe.exe
Size

401KB
MD5

844cda1039fe6daa655b3ac572f11f6d
SHA1

3effd50e15e451f7f68f54136c8d01f8220f654c
SHA256

64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe
SHA512

19a5e557bf47bd891521b8dd9748eb8c8af1d8a8646f24b083056bd480296a4922d19f116edf16cb1ffa8f925598da2ce44758ee2f39af8999f49c6ed423a374
SSDEEP

6144:vwq8LOQndpui6yYPaIGckfru5xyDpui6yYPaIGckSU05836PGyA7:vGLpndpV6yYP4rbpV6yYPg058KrY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lnjjdgee.exe

Executes dropped EXE 64 IoCs

pid	Process
868	Kkbkamnl.exe
2920	Lmqgnhmp.exe
2480	Lpocjdld.exe
1272	Lcmofolg.exe
3548	Lkdggmlj.exe
3840	Lmccchkn.exe
4896	Lpappc32.exe
2056	Lcpllo32.exe
1896	Lgkhlnbn.exe
2180	Lijdhiaa.exe
416	Laalifad.exe
2880	Ldohebqh.exe
1136	Lcbiao32.exe
3580	Lgneampk.exe
4456	Lilanioo.exe
4544	Lnhmng32.exe
4692	Lpfijcfl.exe
864	Ldaeka32.exe
4448	Lgpagm32.exe
3176	Lklnhlfb.exe
2492	Lnjjdgee.exe
4792	Laefdf32.exe
4660	Lddbqa32.exe
2552	Lcgblncm.exe
1728	Lgbnmm32.exe
1404	Lknjmkdo.exe
4712	Mnlfigcc.exe
228	Mahbje32.exe
3440	Mdfofakp.exe
4120	Mciobn32.exe
4944	Mkpgck32.exe
4088	Mjcgohig.exe
4976	Mnocof32.exe
1624	Mpmokb32.exe
2992	Mdiklqhm.exe
4424	Mcklgm32.exe
3288	Mgghhlhq.exe
1160	Mjeddggd.exe
1640	Mnapdf32.exe
4288	Mamleegg.exe
4420	Mcnhmm32.exe
2972	Mgidml32.exe
4116	Mkepnjng.exe
3124	Mjhqjg32.exe
1488	Maohkd32.exe
5028	Mpaifalo.exe
1048	Mdmegp32.exe
4704	Mcpebmkb.exe
4936	Mglack32.exe
4508	Mcbahlip.exe
2712	Mgnnhk32.exe
4564	Nkjjij32.exe
860	Njljefql.exe
5044	Nnhfee32.exe
3172	Nqfbaq32.exe
3880	Ndbnboqb.exe
2488	Nceonl32.exe
2156	Ngpjnkpf.exe
2548	Njogjfoj.exe
4388	Nnjbke32.exe
3860	Nafokcol.exe
4828	Njacpf32.exe
2232	Nqklmpdd.exe
3516	Ngedij32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ldohebqh.exe	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ngedij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	4672	WerFault.exe	151

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcmofolg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdemcacc.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 868	2280	64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe.exe	85
PID 2280 wrote to memory of 868	2280	64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe.exe	85
PID 2280 wrote to memory of 868	2280	64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe.exe	85
PID 868 wrote to memory of 2920	868	Kkbkamnl.exe	86
PID 868 wrote to memory of 2920	868	Kkbkamnl.exe	86
PID 868 wrote to memory of 2920	868	Kkbkamnl.exe	86
PID 2920 wrote to memory of 2480	2920	Lmqgnhmp.exe	87
PID 2920 wrote to memory of 2480	2920	Lmqgnhmp.exe	87
PID 2920 wrote to memory of 2480	2920	Lmqgnhmp.exe	87
PID 2480 wrote to memory of 1272	2480	Lpocjdld.exe	88
PID 2480 wrote to memory of 1272	2480	Lpocjdld.exe	88
PID 2480 wrote to memory of 1272	2480	Lpocjdld.exe	88
PID 1272 wrote to memory of 3548	1272	Lcmofolg.exe	89
PID 1272 wrote to memory of 3548	1272	Lcmofolg.exe	89
PID 1272 wrote to memory of 3548	1272	Lcmofolg.exe	89
PID 3548 wrote to memory of 3840	3548	Lkdggmlj.exe	90
PID 3548 wrote to memory of 3840	3548	Lkdggmlj.exe	90
PID 3548 wrote to memory of 3840	3548	Lkdggmlj.exe	90
PID 3840 wrote to memory of 4896	3840	Lmccchkn.exe	91
PID 3840 wrote to memory of 4896	3840	Lmccchkn.exe	91
PID 3840 wrote to memory of 4896	3840	Lmccchkn.exe	91
PID 4896 wrote to memory of 2056	4896	Lpappc32.exe	92
PID 4896 wrote to memory of 2056	4896	Lpappc32.exe	92
PID 4896 wrote to memory of 2056	4896	Lpappc32.exe	92
PID 2056 wrote to memory of 1896	2056	Lcpllo32.exe	93
PID 2056 wrote to memory of 1896	2056	Lcpllo32.exe	93
PID 2056 wrote to memory of 1896	2056	Lcpllo32.exe	93
PID 1896 wrote to memory of 2180	1896	Lgkhlnbn.exe	94
PID 1896 wrote to memory of 2180	1896	Lgkhlnbn.exe	94
PID 1896 wrote to memory of 2180	1896	Lgkhlnbn.exe	94
PID 2180 wrote to memory of 416	2180	Lijdhiaa.exe	95
PID 2180 wrote to memory of 416	2180	Lijdhiaa.exe	95
PID 2180 wrote to memory of 416	2180	Lijdhiaa.exe	95
PID 416 wrote to memory of 2880	416	Laalifad.exe	96
PID 416 wrote to memory of 2880	416	Laalifad.exe	96
PID 416 wrote to memory of 2880	416	Laalifad.exe	96
PID 2880 wrote to memory of 1136	2880	Ldohebqh.exe	97
PID 2880 wrote to memory of 1136	2880	Ldohebqh.exe	97
PID 2880 wrote to memory of 1136	2880	Ldohebqh.exe	97
PID 1136 wrote to memory of 3580	1136	Lcbiao32.exe	98
PID 1136 wrote to memory of 3580	1136	Lcbiao32.exe	98
PID 1136 wrote to memory of 3580	1136	Lcbiao32.exe	98
PID 3580 wrote to memory of 4456	3580	Lgneampk.exe	99
PID 3580 wrote to memory of 4456	3580	Lgneampk.exe	99
PID 3580 wrote to memory of 4456	3580	Lgneampk.exe	99
PID 4456 wrote to memory of 4544	4456	Lilanioo.exe	100
PID 4456 wrote to memory of 4544	4456	Lilanioo.exe	100
PID 4456 wrote to memory of 4544	4456	Lilanioo.exe	100
PID 4544 wrote to memory of 4692	4544	Lnhmng32.exe	101
PID 4544 wrote to memory of 4692	4544	Lnhmng32.exe	101
PID 4544 wrote to memory of 4692	4544	Lnhmng32.exe	101
PID 4692 wrote to memory of 864	4692	Lpfijcfl.exe	102
PID 4692 wrote to memory of 864	4692	Lpfijcfl.exe	102
PID 4692 wrote to memory of 864	4692	Lpfijcfl.exe	102
PID 864 wrote to memory of 4448	864	Ldaeka32.exe	103
PID 864 wrote to memory of 4448	864	Ldaeka32.exe	103
PID 864 wrote to memory of 4448	864	Ldaeka32.exe	103
PID 4448 wrote to memory of 3176	4448	Lgpagm32.exe	104
PID 4448 wrote to memory of 3176	4448	Lgpagm32.exe	104
PID 4448 wrote to memory of 3176	4448	Lgpagm32.exe	104
PID 3176 wrote to memory of 2492	3176	Lklnhlfb.exe	105
PID 3176 wrote to memory of 2492	3176	Lklnhlfb.exe	105
PID 3176 wrote to memory of 2492	3176	Lklnhlfb.exe	105
PID 2492 wrote to memory of 4792	2492	Lnjjdgee.exe	106

C:\Users\Admin\AppData\Local\Temp\64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe.exe
"C:\Users\Admin\AppData\Local\Temp\64f74fcf7cd6f00bc525a2783994b7140c46487dc37bbd07d13a51f5386e5dbe.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\Kkbkamnl.exe
  C:\Windows\system32\Kkbkamnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\Lmqgnhmp.exe
    C:\Windows\system32\Lmqgnhmp.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\Lpocjdld.exe
      C:\Windows\system32\Lpocjdld.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1272
      - C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3176
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4712
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        31⤵
        Executes dropped EXE
        
        PID:4120
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4116
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        48⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:860
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        55⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        59⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4388
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        64⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        67⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        68⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 420
        69⤵
        Program crash
        
        PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4672 -ip 4672
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
401KB

MD5
ab33c60354079c6c9523073f63444d6d

SHA1
8b1911bc63dfb88013aefcd76ba086fdd3c365e7

SHA256
c0b2bd234c9409e0ab63705bb1d9f06bed01a58aa3ca20238e79b18ce6d217ec

SHA512
df22b67b076d0976d7b935d37dae9b4dea834b8945b71ef4aa01cc889153abd4d7d41f958d6bce41125a79f8c14f191b2276a9b074ba60270d52b9b7a74325b8

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
401KB

MD5
0c4c50218f27660c2ca632b0f9564c1a

SHA1
1bccd0717c7a665d17fd0cb99dbee031f8e39b91

SHA256
554f1265b68572b9602e35c6cfffeb9d165754a7538475ca9360831bc9790c3b

SHA512
4c25c640a115088944c7177dc52b69e9f79f0de6b52627b95a4a5e08f203b47dcbd2192be2e6e35684e1edba0a2e2b7a8f59c3b93a8344304571c15e4bf2369e

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
401KB

MD5
3bb9ba0ad848eb53cea348ab2fb9268f

SHA1
9c0e7acb49aa2522018c427d112f3e7f8f9bd904

SHA256
d7584f2302c737d44026daec35b4cd0b318b171beef155f392a25b8153b0037b

SHA512
98060399096191d0d5319e89914fd4e71cebb4fb51acb18eadc42876fc88baf95642272638e7273b2ffcfd36944b33999b38a0e0570bf8a034465f8faf68f269

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
401KB

MD5
58b3300596565fdd09a91298de1cb1e6

SHA1
b58b3e86cf5fcbdfd529dd1911c2411e51303709

SHA256
e5d1c757a1acace00e00b9098e3c53c891be60e44e65a5e410769411a1b69f4d

SHA512
4ce507b9a085a546a5407a3099c85363cf4dee6efe664a1baadeccc4e1bb3cfe5ddcdb8fc173e4313a4d1176db611546638393a3e96f94a59a9e4c0f4b48c656

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
401KB

MD5
85089d0402b524142e2867523866be14

SHA1
b42db2da282850faf9af6861e47b1afa65071d12

SHA256
a104a1be05719ba99d069b1375d7860931f773c6656d61cf8feab4b685bed03a

SHA512
8f5e2fb956ca8dfee53777e44b50f3cd6b0c478127e361716b2fa7ce79d9956169721dce4e0375148473159a3590d1449490aaec0e5ba1404e4deb9c64f7df2b

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
401KB

MD5
d85c54cbb7399a28ad180ea5c6be55a0

SHA1
7d76eb3898ecbd5008079f8ba84ab5854220af3f

SHA256
fca4897771ca5479caa3e484416d22c0da2b317ef58106217f75efc6db44e55f

SHA512
1657562b4a827844802b2c1149ac67f2cdb78006e69b1d86535f101b7232a2d057b0d88201baace05bc14507749205c5b6ef028e57e9424adf8acbc2743fe0d8

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
401KB

MD5
57889f56eac63fc83d46a7f549e37e60

SHA1
d0191c23c62c0e6c5670a54f80f66a51447920b0

SHA256
f55c22c817d402f5ee3347ca6379420efabe89215d21558072b1960776dd4fa3

SHA512
daca1532cb0754d78a9fd20b6dc727323fcef9a713ee19eefa7693cabf636730f39452e360511d03079593ffc2b758a002b3b10ae8d0c02d0249f5d493a5e692

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
401KB

MD5
be8547bf06a5adb6d21df98cb083e2fc

SHA1
668eb1425988c245a5da37036d3f67d3925ce57c

SHA256
fde33354fd335553d3c6906075c1ef46b4a9e2563b60181f570c9c4fa48b4a99

SHA512
9c8fabc1d46dfe4840ef5f6ae4ff2acab2c48eaba6f4acabaa47542a705877454b1f549e6cab1163bee1e5f56002b332eaf640fabf342f9fbdce0505cc27b757

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
384KB

MD5
4ac4871164e1beb3e715050cf89cb57d

SHA1
dfd9ee79f2fb499a76b00a9d54b692d11f283cb3

SHA256
b6f7cbd8847913eac4c3b8b9b6826ad2b90cb9c6c4d42f6e8fe9a59dd2a4d980

SHA512
3d310f5734bd012a3731fb5472bb96d19c8c4db305ff9a80b8fe1c84013f224e68390537b2c187aea20ebd64309cf145283d58a3934ba917d70c16e97a09e1f3

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
401KB

MD5
34e978a11c4515f5e3151b76afadf032

SHA1
33ad16bc6c79b841425a1542e83d6a990457e6b5

SHA256
ca1c4cbbe59f2b22648b480b4908d5fa6c3d918ddd5a6880bbc3e31e112bcd11

SHA512
06d967adbaaf502f9306a8d0319fa6327393c02428c53c91be99602a19744281dcbabe1e852ef4158a6bd71a19d2bba54b2e5f14fc71ac5e5b575054b0724435

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
401KB

MD5
84642a632f3091dfa2ec65962955d7c0

SHA1
fe3a0a48a94abae4fec654ef744c53dc82a797af

SHA256
e61c7535928e29224b905719481bc9a9766f96f39856f5f742f199bf7fd1fdda

SHA512
6fd882df91c47a010281d9979a59634eb3b6474295ae35f9f75fdf2c33487b2b5c81c0812942bb2993e445548d8a2bce1e1a33ae4537826b8523df3cc7dc5c3d

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
401KB

MD5
5e26c8722d78ce51268e92913f620624

SHA1
71a8e79f11057d865a639d5630c5acf67373fe07

SHA256
001d086178c2bd16ff817e58b352495ac2800636feeb39e6e808a38dff777362

SHA512
f057d7a214a339a478d6dd7fcab78debe9db077324c24a8ee87a04e1889167e0f2763e4528f39f24076240799dae371c1c5a01f53275ab9c64df6263b62e1bf2

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
401KB

MD5
5ca6022a56a3b64928e92ca37fbff79f

SHA1
f14a38f1ed4b9e46628e79517018122219d8eb76

SHA256
afba80bdfa24d0bf6a5ba89f49ccfb23f0f9533e20e623d9c14a285f8f4b44c4

SHA512
0487048489191d6c9b0a8e632b4047837344c6e6c613384e613ebfff2041cfd62b8ca1e18f4efb2a86d2ed4cb760dd4cde37a02a1ccc2dca2763e07ceb856883

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
401KB

MD5
c25402d2e9140428eff5e2c60a0bce36

SHA1
7767ceb0a11ab5818dd2818f0eeac5e00a3dca9e

SHA256
e9ea843c3346f64f7657d1e4489eeabb0e74748de9a24b800dd0c22dc71f909e

SHA512
0c4930e759ffb4b2feed5a04cb79502534aaa66d689fce7eeaacbcdbf1d53e49a6edaac25e36db87d45568ab494d556c6304cbe7078c0f77840357bd58c8b376

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
401KB

MD5
d51a7087361d783f2049419e7966ff1b

SHA1
7a8d1eec14a7d8ad4a29a19be30b953c262e0535

SHA256
49fcfff8034415080e864365ad944b4cd593fab5bee4e3fc33927e7f08c91c88

SHA512
4e44c5a62d64768f388f527ba6907364981545d2890ca5586ef8ceebdb5739f551c996aeb636a0fde5052990cdaaac4dcd2bdcc4df0ca0f96b78abb19fdd6815

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
401KB

MD5
61e76c1976dbd5a0bb6dc49a2e946a9d

SHA1
6aa1d24eed55a73697d41afc6cb55fd021cc83c5

SHA256
8f3e7eac7f06bd32c172bc86bf0437e8cd7da5a88c449f982132514e27583e96

SHA512
c66284f451d398d33cee50b53b147aef8de6f2dc395fcaa6a9c55b64e7467d1fcb2bac5da85bed5adf94b6434ae043aa3d502abc9aed7b7760346e7104157f38

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
401KB

MD5
01dd16bdc6242470bdcfe0ec9ce601ce

SHA1
4bfb1231dd83602ac9a86692619d85e71d0ab171

SHA256
5fe36c8c60dc8b5e49e89e1f8a090ef4b439e7076f9e0ddb3ad832922d861c52

SHA512
13d4e410b259ea2135956d6de7461c0feb8bd92bc68175e98f0e6f28b47c04b71f04607c814e66f4e232642ed337ade0817f0601ce891ab9b05d414818c9fc51

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
401KB

MD5
a19f7f0aa2818f9d46e694e9a43924e7

SHA1
df96f0a00ddc204289c3384158f0fcf9ed7073f6

SHA256
75eb58a99b50c90b5bf5271c0e9e1e62240a32fbd62fc61e7771de57abac10dc

SHA512
724c72f63eeef669299a9fdf6cb050fbfd547b2cde290bf032351ec885d33800a0343aa72aa1ecac07d2af4d2971fc367af839fbf65fb4e3ae8d94d56070dfde

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
401KB

MD5
a934291012ae513db20ad8ed18522394

SHA1
80d42681042c926ee19dacadbb50359634072323

SHA256
7d464b5f59558262c4d3cda3d1bae7376af392a00409c8be0673ad29dacfa227

SHA512
37c1cf9905477473c65b89ab1617bf4e2b73f112babfc029f998e340e2aa85b9c0bc0c041c3fbbcd8fa5f2e84ddc51ea99d6d393e501c418d85f345ff3ac2e1c

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
115KB

MD5
5ea124b6148928622763cff933894d9b

SHA1
8e458ca3d375e19288a1ae54c0f07c4f4aff283d

SHA256
cce2ac147ac4e2393966b8e969911a6231f8d5bba40bade28097ac5c0377f752

SHA512
245f2ef5d592ecd81a2f73c3fa3049aa7551f7d775235e2c6a43227b91f226506c5bcadd8dd5687a5a66a5dfd894db8d9995ad1d20b9aa8e149770382ed7e9ce

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
401KB

MD5
7e380cad1eebfbcdc852c7404f476730

SHA1
649f9df163a5744498bcfe65533d96395444826d

SHA256
e062707613cc2c63db7ad22a4040a5cf8e623c4b04c5895d337821ab6cabbba7

SHA512
202122b55d708858a391c56eaef9b29796117b7940731a423c510a5a59002b2f3f7b0bbb361827abb390b78ec868ec668b55904f9974397132bd1131f2482898

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
401KB

MD5
7ff56f402c86ef52a037c262c347738f

SHA1
95d0a69d100ed77b54b574c9fc472479813950fb

SHA256
f044988e16e96c261e9bf26152bf489d6b54a99e6067ce863ba5d30f9ab051f6

SHA512
f3967ae84a71fc867996875cd6653343e3ff44386557eb467cf949a16ce48d242c12e61ee0b3237a8f86783918226e69fb58446ccd19eb0971cebec3ef078183

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
401KB

MD5
11aed2da9f8fca0beb9d600fcc59e214

SHA1
c0bf6b843d7d17d9e5c8e2fccfd66d346716475b

SHA256
cf0b9b876f995853db85ec62f0b3538cfd7bf7634b53eb6c5de361a61b88766c

SHA512
d953c33b2d33b4fa964066c96469c2fa80b4a633004ff596404be7bd1284ae6663c36269cac50135189ac046f7c4bca6a14556aa17efa94efeb7637c96779b90

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
401KB

MD5
1593dc9285826fbea6202eb326937c34

SHA1
4457680519de7709f7c7f0be69c8161283160fb9

SHA256
3970edda5308936be1a076e4448cc1821695473b9d8c8b3d7c552c238b269b69

SHA512
4c7099c56b43f9bed2814ce26cb4f97f34a775dc101c8483ee1d037fab18b6fde38aae34eb21c194b959087b07e984168ba34dfb4930a2c4c8116ccd6ab7125c

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
384KB

MD5
673bfe3d563fecc59ea19d96c50753a9

SHA1
c7e8d9b7715e068714017c5dfbe8655194833907

SHA256
358b4a41a4cc878b830eb6f0866ebb9ce686a935a5c96e46917594b02930b173

SHA512
7159c45e9a5eb32f7f90370bb6faa98444a0e1b96938d153d15e4c0168753a0e5469fbeb86494817234f76428ee70da259e27c0bd513d4463208b0266a83ebca

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
401KB

MD5
add65afc20130ba9191baf28c8466dd1

SHA1
7d7389677902b90b70fce427b67d7ee5aebb5331

SHA256
4438c956d3070a4e451003025d6be2c09074436bc967ff0990251fa0b434093d

SHA512
88a043eab61a0cfd6c2617c8dcee682b97bd14b8a76a8437522240dbdd510603ead72f43d4274eea5851b81006cdad92327aa92bc8d325ab8948937a292900d6

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
192KB

MD5
1693f3518de64ff31ea1b8807de1adb2

SHA1
c87f61188448460bf0e337d684866188fff2f269

SHA256
c7a23ed1d7fc90964e19451d8f40e6265e6aeee71729af48d3552d44d12d716b

SHA512
d0f46b610f7bbfa366decde10da1f86ab40bb41c43008f1614b032371e7bb10682831fd727cebaec21312c3f6636a99af62677fc32c2fdaaea12a2350c08ea21

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
401KB

MD5
eedae4c1e1a436aa7c38d14d493635d5

SHA1
fb7baa3aff45359d71401ddc242c2fd4604cd988

SHA256
299b07475465a9bf408bdcf64e3793b9e065ead779bb588eb34c79f837495f89

SHA512
18aac75f7ef5cb564a5f1c26cb366e71eb257f33d5d676e7d16df893ffa99c3a75ca4d9f68e6d3cfa528ba7931f8ff48b5dd619757f50785d3868fd67201e8fb

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
401KB

MD5
729e585d31f9725dd9bbc378b940e474

SHA1
e237950025cb787c836d95e906e8a5b67834f2ee

SHA256
967ac79771f497cc3754546fb2e5ecdee3db1b75180e1701c9c1f7a3154d7188

SHA512
42e81a52e38824dec765f1b78782f79cc05bd799af93a3ff789171d8671d1da9419cce819e07f9bb00c13eb76cc60892df52832e0ddec35f8d909794eb64d726

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
401KB

MD5
1154362c7130e3a53fbfb1ec72718ab9

SHA1
edf84a134db948445ff0a2ee94a4401cc45c2e1e

SHA256
6bfb53b86383865bf875590b8b0966e9206cbdb900ab0bf53e467651981794dd

SHA512
f9041af9f0690996890dd9b5f149c89c309e8dfb86df0716b2f6c77540bc5e6a36f8354ac35190aa5831937433bd0b9e231e7460dcfad407bbdc4ead1fca6d68

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
401KB

MD5
49b46c95be98c369396691ede98b7aeb

SHA1
e43ad6a36f46d6fb40fbd0b70546139c1abcbe42

SHA256
4017a8ee7c45c155ac5d1fd2e27254f460533ab73d06b7f7879e230c2dd23e73

SHA512
e55221d0d8fcddf4e45c214f7b8ed7a85a40f77b1f12a133f41b8080191bd636dc6a36d698de9685a41a9760234dfe937e144bd56ca2ecfcd5978120daaff4ab

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
401KB

MD5
25fc3951b0f7099c593fc180479342b9

SHA1
3f0f46d099567fcb060acbd1f74b232ee68e699e

SHA256
63715f49f67bf2bd05cfe9d66deaeafcb243e4407f608e25261ef179597d9fa6

SHA512
5e64eb19e00be9ba201efd2b6dff226628485afd734d86833e14177aa7ab1fb2c1ada90f161ac3b25f4a124c2b13a420aca8a03ae1354e691ab8a97cc8089e5c

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
64KB

MD5
d2029332deaa674bfa630d31041c8d19

SHA1
bccf2f97b4f8408c72f9c20c0ac9b6a387432ece

SHA256
ad4326912ac2c065eef0ec5beb94a933549c3496df21fb92113736190e580e96

SHA512
393cbf2a343d0ebc3116afabd4ae9dc720cc52ab63fd4fb73291bb3a08e3f195efa0755d7d9582d2ced349e0b9c835c6b0acdc0d4c35830634dcb5fec6f465b1

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
401KB

MD5
fdfd00cfd1e3195bca3e8234323577d0

SHA1
24687b3561496b15e03892c629a54902f08e6664

SHA256
ccdd3f4a11f88ad64b8261894b3b7f31e2c77848d0525de9b929fb7ebd65eff3

SHA512
da4897a2a3ca4f64076ac77eff0704d3fe313fcc52f3f088e895bba109fd38bcc52f6bfd18574362471fe060f654096903a2691b538801148fef43b4b5427d96

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
401KB

MD5
ff8796df0f312f00d168764212cae243

SHA1
b2233fdf2c86e260d172d5140718f146a6010daf

SHA256
3065e84f3439386f28e9c15178a01155b84f2358eb350b887657aca01f858085

SHA512
7c176fe362bea45d0f356742a4321197f2d4d901b1c83666b159a832c9821ee10ca598d44d759353c931bc6c85579b208cb517059ce13be49e8e3f90eb535320

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
64KB

MD5
b5d96aaa30eb905ff2cf67f96e9cc48e

SHA1
6627b22d87da953fc75c726320b90739f13b140c

SHA256
3526cb1b7649f9cdea4d972b710a14c8588cfbe6a6bbbfd201b930aade8dff02

SHA512
fe204bcce60519d2d7b658b61da925fd6c3d4f224dd609d9b2667bf054ec7ea02e872b4881a0c339e3de37d6db740d11e19a8091212f782e132ad932a06d5bb6

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
401KB

MD5
54babb496dc89dfdad03fd0b7812558d

SHA1
dbbe64d3add7bafa47fc94c551e3ca364165012c

SHA256
8a37f9ac8fe6d6cbd672dd503420701ca25e5053d4a7b88d7fac61dbca5ff755

SHA512
86de64a8f571b76f76e67b671d1e787d3b0aed64134e4ee1e4bc49fcbd6b32c7391b9d6e3f2674a09a1b7f3f9ee2c9f22e7c17abc368d24dc41bcc2c99a0859a

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
401KB

MD5
ba0e7b1716746640136dfd50aa2ede08

SHA1
7603c49941ccc6eb602b931da1489f83d9565652

SHA256
78e343149540e9a771d17be565847ae6a9b77c7c193b5c5c3e35af69a480927a

SHA512
a46b360a6a1f3d86a15eaf8f839ea1e0bcd14313485847b074f33afcb78b10cb2a4e45b31d24cae945f6b9f89470f5ad095991158de133ca15e4a897e6b197d8

Download Submit
C:\Windows\SysWOW64\Qgejif32.dll

Filesize
7KB

MD5
f92f640a8f48538a54829fbd3a4472c8

SHA1
22e7e05b2cb2ec7ccc3429067c720d583e72b15a

SHA256
d3c2e070d5ddf84caf0d8deada2a3b75d77ff3ad59b48605241f9cadb2de3e17

SHA512
8d6418b0fe52009d2fd8baf5ded8d96605e2dcbe69af835b39c2817693fd6b3608d4eba8f08087c1f07d320a3114f56760eb32103e99366cfa9f66fe0e8a20f5

Download Submit
memory/228-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/416-373-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/860-450-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/864-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/868-12-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1048-444-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1136-379-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1160-435-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1272-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1404-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1488-442-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1624-431-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1640-436-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1728-412-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1896-366-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2056-364-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2156-455-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2180-371-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2232-462-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2280-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2480-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2488-454-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2492-393-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-458-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2552-406-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2712-448-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2880-378-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2920-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2972-439-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2992-432-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3124-441-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3172-452-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3176-392-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3288-434-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3440-426-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3548-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3580-381-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3840-456-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3860-460-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3880-453-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-429-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4116-440-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4120-427-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4288-437-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4388-459-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4420-438-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4424-433-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4448-391-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4456-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4508-447-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4544-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4564-449-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-400-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4692-388-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4704-445-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4712-419-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4792-398-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4828-461-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-457-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4936-446-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4944-428-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4976-430-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-443-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5044-451-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads