138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e

Analysis

max time kernel
59s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe
Size

896KB
MD5

c442ba8a41e6597a824b9dd0432c422a
SHA1

cf9be7a130d9ce600e9ee8bd12d12096c8e64421
SHA256

138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e
SHA512

eaaf2129e078c97f09bbe5b587587a2704a80bab833761be936df8160066541ddebac22c66adfdecf91b8aa9e887e0ab71c0a27bbfb5c60f9acd5a07cc915297
SSDEEP

12288:S3786xFMusMH0QiRLsR4P377a20R01F50+5:2786xILX3a20R0v50+5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe

Executes dropped EXE 64 IoCs

pid	Process
1100	Ldkojb32.exe
3288	Lgikfn32.exe
3064	Liggbi32.exe
772	Lmccchkn.exe
708	Lpappc32.exe
1540	Lcpllo32.exe
3228	Lgkhlnbn.exe
4396	Lijdhiaa.exe
5048	Lnepih32.exe
4140	Laalifad.exe
1040	Ldohebqh.exe
548	Lcbiao32.exe
332	Lkiqbl32.exe
2732	Lilanioo.exe
2008	Laciofpa.exe
2428	Lpfijcfl.exe
3236	Lcdegnep.exe
4444	Lgpagm32.exe
4552	Ljnnch32.exe
2912	Lnjjdgee.exe
1688	Lphfpbdi.exe
1932	Lddbqa32.exe
4608	Lgbnmm32.exe
652	Lknjmkdo.exe
3244	Mjqjih32.exe
3652	Mahbje32.exe
1864	Mpkbebbf.exe
1920	Mciobn32.exe
4572	Mgekbljc.exe
2244	Mjcgohig.exe
4392	Mnocof32.exe
3940	Mpmokb32.exe
4052	Mdiklqhm.exe
2392	Mgghhlhq.exe
2504	Mkbchk32.exe
5036	Mnapdf32.exe
1248	Mamleegg.exe
680	Mdkhapfj.exe
1432	Mcnhmm32.exe
444	Mkepnjng.exe
3444	Mncmjfmk.exe
4292	Maohkd32.exe
1516	Mdmegp32.exe
3028	Mglack32.exe
2424	Mkgmcjld.exe
4468	Mnfipekh.exe
4756	Maaepd32.exe
2116	Mdpalp32.exe
1488	Mgnnhk32.exe
1968	Nkjjij32.exe
4852	Nnhfee32.exe
4648	Nqfbaq32.exe
4280	Nceonl32.exe
1844	Ngpjnkpf.exe
4240	Njogjfoj.exe
2600	Nafokcol.exe
4876	Nqiogp32.exe
2476	Ncgkcl32.exe
3744	Nkncdifl.exe
3416	Nnmopdep.exe
3928	Nbhkac32.exe
5012	Ndghmo32.exe
4680	Ngedij32.exe
4448	Njcpee32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Lgikfn32.exe	Ldkojb32.exe
File created	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Lijdhiaa.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Lmccchkn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Laalifad.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lkiqbl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe

Program crash 1 IoCs

pid	pid_target	Process
4032	1716	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laalifad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbaohn32.dll"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1100	4788	138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe	83
PID 4788 wrote to memory of 1100	4788	138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe	83
PID 4788 wrote to memory of 1100	4788	138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe	83
PID 1100 wrote to memory of 3288	1100	Ldkojb32.exe	84
PID 1100 wrote to memory of 3288	1100	Ldkojb32.exe	84
PID 1100 wrote to memory of 3288	1100	Ldkojb32.exe	84
PID 3288 wrote to memory of 3064	3288	Lgikfn32.exe	85
PID 3288 wrote to memory of 3064	3288	Lgikfn32.exe	85
PID 3288 wrote to memory of 3064	3288	Lgikfn32.exe	85
PID 3064 wrote to memory of 772	3064	Liggbi32.exe	86
PID 3064 wrote to memory of 772	3064	Liggbi32.exe	86
PID 3064 wrote to memory of 772	3064	Liggbi32.exe	86
PID 772 wrote to memory of 708	772	Lmccchkn.exe	87
PID 772 wrote to memory of 708	772	Lmccchkn.exe	87
PID 772 wrote to memory of 708	772	Lmccchkn.exe	87
PID 708 wrote to memory of 1540	708	Lpappc32.exe	88
PID 708 wrote to memory of 1540	708	Lpappc32.exe	88
PID 708 wrote to memory of 1540	708	Lpappc32.exe	88
PID 1540 wrote to memory of 3228	1540	Lcpllo32.exe	89
PID 1540 wrote to memory of 3228	1540	Lcpllo32.exe	89
PID 1540 wrote to memory of 3228	1540	Lcpllo32.exe	89
PID 3228 wrote to memory of 4396	3228	Lgkhlnbn.exe	90
PID 3228 wrote to memory of 4396	3228	Lgkhlnbn.exe	90
PID 3228 wrote to memory of 4396	3228	Lgkhlnbn.exe	90
PID 4396 wrote to memory of 5048	4396	Lijdhiaa.exe	91
PID 4396 wrote to memory of 5048	4396	Lijdhiaa.exe	91
PID 4396 wrote to memory of 5048	4396	Lijdhiaa.exe	91
PID 5048 wrote to memory of 4140	5048	Lnepih32.exe	92
PID 5048 wrote to memory of 4140	5048	Lnepih32.exe	92
PID 5048 wrote to memory of 4140	5048	Lnepih32.exe	92
PID 4140 wrote to memory of 1040	4140	Laalifad.exe	93
PID 4140 wrote to memory of 1040	4140	Laalifad.exe	93
PID 4140 wrote to memory of 1040	4140	Laalifad.exe	93
PID 1040 wrote to memory of 548	1040	Ldohebqh.exe	94
PID 1040 wrote to memory of 548	1040	Ldohebqh.exe	94
PID 1040 wrote to memory of 548	1040	Ldohebqh.exe	94
PID 548 wrote to memory of 332	548	Lcbiao32.exe	95
PID 548 wrote to memory of 332	548	Lcbiao32.exe	95
PID 548 wrote to memory of 332	548	Lcbiao32.exe	95
PID 332 wrote to memory of 2732	332	Lkiqbl32.exe	96
PID 332 wrote to memory of 2732	332	Lkiqbl32.exe	96
PID 332 wrote to memory of 2732	332	Lkiqbl32.exe	96
PID 2732 wrote to memory of 2008	2732	Lilanioo.exe	97
PID 2732 wrote to memory of 2008	2732	Lilanioo.exe	97
PID 2732 wrote to memory of 2008	2732	Lilanioo.exe	97
PID 2008 wrote to memory of 2428	2008	Laciofpa.exe	98
PID 2008 wrote to memory of 2428	2008	Laciofpa.exe	98
PID 2008 wrote to memory of 2428	2008	Laciofpa.exe	98
PID 2428 wrote to memory of 3236	2428	Lpfijcfl.exe	99
PID 2428 wrote to memory of 3236	2428	Lpfijcfl.exe	99
PID 2428 wrote to memory of 3236	2428	Lpfijcfl.exe	99
PID 3236 wrote to memory of 4444	3236	Lcdegnep.exe	100
PID 3236 wrote to memory of 4444	3236	Lcdegnep.exe	100
PID 3236 wrote to memory of 4444	3236	Lcdegnep.exe	100
PID 4444 wrote to memory of 4552	4444	Lgpagm32.exe	101
PID 4444 wrote to memory of 4552	4444	Lgpagm32.exe	101
PID 4444 wrote to memory of 4552	4444	Lgpagm32.exe	101
PID 4552 wrote to memory of 2912	4552	Ljnnch32.exe	102
PID 4552 wrote to memory of 2912	4552	Ljnnch32.exe	102
PID 4552 wrote to memory of 2912	4552	Ljnnch32.exe	102
PID 2912 wrote to memory of 1688	2912	Lnjjdgee.exe	103
PID 2912 wrote to memory of 1688	2912	Lnjjdgee.exe	103
PID 2912 wrote to memory of 1688	2912	Lnjjdgee.exe	103
PID 1688 wrote to memory of 1932	1688	Lphfpbdi.exe	104

C:\Users\Admin\AppData\Local\Temp\138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe
"C:\Users\Admin\AppData\Local\Temp\138e2c7f0a7391b08efbde0145396c133406596da93d14f7644153e697b8e66e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\Ldkojb32.exe
  C:\Windows\system32\Ldkojb32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\SysWOW64\Lgikfn32.exe
    C:\Windows\system32\Lgikfn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\SysWOW64\Liggbi32.exe
      C:\Windows\system32\Liggbi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
      - C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4572
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2392
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2504
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1248
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:444
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        61⤵
        Executes dropped EXE
        
        PID:3416
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        65⤵
        Executes dropped EXE
        
        PID:4448
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:3400
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        69⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 400
        70⤵
        Program crash
        
        PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1716 -ip 1716
1⤵
PID:2924

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laalifad.exe

Filesize
896KB

MD5
a858b38c3c377aa6ba2eb4ba8af2b398

SHA1
7de684c021bbd14b146edcfc2a1309b7b998abb1

SHA256
f23cc399dc483c23cb9d38b2a415a18cdc8c2bfa56d83c27e225a503f28d2c2d

SHA512
7c1d9681f56e2b46efc53f3cd44bb262e14f103686dc11ae8dd76b52a84215cfd233778af777ce62bcf0dbc532a3a559bffbac78f00f707da2dc1b02ad538623

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
896KB

MD5
a5e34c2a741b4be53560388534456bf1

SHA1
3bc47c371e68a3a66bed057fea8d17f8b8367a04

SHA256
360d03a979ba34213a3ba581a02b0fd1f9bbbe9dfc96b532cefa538757cdd7fb

SHA512
ccfad2f96846ad46aa4c36242c693287360f02c34cd32dcdd85ad61b2826e7a1783a28926924265e55f6e893bfd607034c77eb1128a28f71cbbebf4934501540

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
896KB

MD5
7323077fb330bc07918d4a026291e996

SHA1
68452b7e0e64327e21e5650aa2679da2b31c18ef

SHA256
2b360c1dd9731df2a25f2139a5d5e57acfe00e6b6f75a25d8204aaa6de4106f7

SHA512
21cad20c48fe11fb8f13a57f253aa411216de4d8b7e263c26d40df24dce493455238ee13413db1aa3379e83f5fffc437e9d91dc3e67cd1246f488e67babc34c6

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
896KB

MD5
f4022fa84c9388308ae5614fd14cc91e

SHA1
5786e47905421a7969d4cec0ae2c6da79183c879

SHA256
dc16c4a0694832bc0316f806c1abba031dcce558bd972ad9c796016ac68aa635

SHA512
7f08754a2abb2ab616386e866b65490133a097b6edcd52c82403d7965aadc8871a2859983a741531cf5bbd586df1473dfd61053a471ea6246cf0c529131720dd

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
896KB

MD5
063660411ed157ce5395068b88dc174b

SHA1
aa8f4eca5e0ef3b63f5fc082636a16431c571066

SHA256
2e25a6e51749ad204aebd63ed5c462f2c3cd61c87f5b03ece3221d3fd941bc61

SHA512
3d1181ff89561d6981b30dac638f1112a24c16200437ee3c4149f73131fb2a31179dd9ba3f47ad73442d81615535bd92638d2a2cb7d9006b04c1c0a27b6f7534

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
896KB

MD5
f531bd4866ccb09f7b238b6234d7a7e4

SHA1
04ef64f2c3321a6c281c9c59155830b3a6ff42d4

SHA256
e599547abc2923412b787b2c98342ffa04c69dbb5e8cf8578dfe1f718d4d1901

SHA512
47b4802d1e0c5c3d54dfc2218338b4fdb4dfc5a545627d5fc164e06bc539ccfadf52e1e7c719b218e56c395bc758aa1abb0585053397b62113828ad0b3c7c9a7

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
896KB

MD5
3c771393045f66032cdc6f23105a8b28

SHA1
7028d0844c806383bcfcb174a4145a34d332b42f

SHA256
0e146c0e4114469373c193ddd1f9836ab2cc48b5e4e761a64a8c893fc3d5c601

SHA512
319d050acc72a0a7207d1bd466ed5efb52253ada46a845d48f96e77463f20d9cc45b9f6b26a09b6422e7e9f69fc797445ef1e6acf2dc78aa5e9126750f9e5d78

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
896KB

MD5
78a5ed94e1146564ab7d2bff560fa803

SHA1
229aff4f167bfe138564c765a4317da77bb3eef9

SHA256
41ac7992eb3325dd94ef4f1cd1f16973ccb9b68b786828e4e49ee439ccb3a747

SHA512
03903e734880962807f0516d6d86f34f094b3a9a558187f7ebcf53d6ebec6ef8305d0c7ed93602f17f6954d9e23d8ea412919ff882410fe9667dc2be38de04f4

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
896KB

MD5
a08796c04a6feeacdf43aeb1b280f0b2

SHA1
0e5088f4f73d2088f013a908751fe8fe25b9e7b1

SHA256
0c570c35d69082233a047cc4d837560b4e444cde245fca0d0fe15b496db4d677

SHA512
63fcf1836bf92a0943212675d7f907bbaf4b017709e5ce953a06a6a03da12ccd81f7f74348aa1c1f80f271a4d4a81aa3562aed6e7efeeb36887690c693ce6355

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
896KB

MD5
db3675f155670bf652857ceb132f3506

SHA1
66acd6c0509aaa5e53aeecdf768af33af38a9cc1

SHA256
d236ac1825898de5c91acbb10b9c09e5a88c36dea2d775701c7cdfb4aff39105

SHA512
a841378b159e7f17403f21c15d7a6e6ab3ed6d4d09dbd57e56ff68cbca903a239942af2bba79614469e5176698a50b939af0adc31f78a8e1f1a8b74884f64c1e

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
896KB

MD5
3d039cf3f0316b0b3771c80e0b6674a4

SHA1
97a33af029159b4acfb59820eb622496dd61b19a

SHA256
6aafe42e993f765367e07600b2dda65c887714bb02750de586ee9b231a4c34c2

SHA512
28943d185f0292124a546017a0d8de0d97ac7b9f32e09dc27e5e5d5819c2a2a57f9dcf7742f1ef224f3f5f856b7f5c10536715d2966cd71d2d7ff134c7035b96

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
896KB

MD5
60af67c8aac3334fa44a1dbce1a9bbf5

SHA1
3079e871bb68036f7dc94b6aaba02c219e83694c

SHA256
d7e64d9c9d612c93837758d2f5fddb9604d5e87a6c9f3a89b881864bb8ce87f4

SHA512
d55fbaaff79afbdc5f34a5199ba85f9d1a775ffb714da957addcce9d6228ada32a6dc47e10b577b3ab99db619d03a7cf418a51d6ec4467e847551b244431ed6b

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
896KB

MD5
ec3a5054e3cdd6226ebcfe2db9f55e9c

SHA1
7cdfd02548edd7d2ae2e6a1bbf51ab31d53340ce

SHA256
a55fc7d9bc558ba6aa24ee5973da7d9667a0f724d683c0cd028e89b4b814501a

SHA512
72373de0b8bffddfdc5f58d3298d56a522823c8472c2f1c6a6ed658808b50d4f6bf95478f0b4e54d399988bcdff367518fcfd40b61f127d228c6138d8e0842a6

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
896KB

MD5
6ff0273bd8d0b6518eabbae0c59406db

SHA1
eb6c4698702ce76e9c4d5cfcf8ecf02e9f1f2c7b

SHA256
dfdcba3aea0d613fa33215927827b9da4d4d5d52d888b3040374c2c6a8a87d80

SHA512
b0361b4346bee7a1df7ff21d00edf7925a22e58d047fa9115fc8d23c10e6539511925bf11c19091f9a48181d658d23ab349a067022458dac8b463ee5f520961a

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
896KB

MD5
f26ef169f0390384fc5571bdec809750

SHA1
c116ac2650c6d0dfacbe538dd2e3cce4af324b82

SHA256
8dffbc1037871efb4104fe6788fac090b792161c95035974640da9d3178cba65

SHA512
dddb453ea29b6d55e1160f94ce37e8fab1c75b0276845ad3036c64418ee4bcf2ec7843821696e138e45e92405ea96e60e1f692b1730f40884dcf9248b5866289

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
896KB

MD5
5f0eeb77d8e0d87fcedb36b4ad96f428

SHA1
21613d4f606c04d3a2cd14c1a86144ddabbc6930

SHA256
99edeaca8c892035da0307bf3a3cf15e10bd58b0186efc7a78a025695c2e96ff

SHA512
d2e5eaeb5241a9d658c5d3479e591fddeb1c3e7c3298ec63256de88657ecef3deb7c769e250f35dc07b450a7c629e48330f6d5fca88057bc0e5a5509d34b0cf8

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
896KB

MD5
616fc3379672db006dd9f6c0ca37ac32

SHA1
896adc3ca5e2b725ade4c0448d854ed32c7b9dfb

SHA256
4b1505009acf30edea01a292c3afb988542012d829b55e8615f0a619cad310ac

SHA512
4a3414e4a8919eca029fe595e2c23d4c293d9892e6e83d06fb5e515d0aeab91971d1dcfa1bd69febf6a87c0a970aada8552726e617cff337aecb116689d4721c

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
896KB

MD5
c15546cc1333233df3c47f731ee994e7

SHA1
a1a2aea58596d48f24268b89d268271014a7716a

SHA256
3d0678ffce4a98ae648f7c5026bc758d854633e9ce555317a5c76210683fd069

SHA512
704747ffb8f62a63b6bbb2f3e04679dbc1a69f866e27b2a8ea9e46be6e173706314c82d73409a328586383fdd04cef499840f49a22f105dcce87295c9d265352

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
896KB

MD5
0e53289dcc0d4b5bcd11a68d1cf69089

SHA1
ec26f7650187566f111d9df4e3a37518be68468c

SHA256
726790272638d0b31d1eae57fdef8a665ea0f8a196b3025a1105ca5f434c83a6

SHA512
42bfcc32e96afbd7e8d7122f0989c35e41df9f2b7df5d02a195321f920045b18dfa0c8c87b2c6432d90acbeb411cf8a736c02f59dfb6b37f0f36836c291e73fa

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
896KB

MD5
71311cd1fa4eb1cdcd11a2badd39b325

SHA1
f12284f210c1cea746541219f42bc526fa89a128

SHA256
7e4c5e633d63440c70137653dfe6158f42a2b03bf3d4073a2357972feafd37b0

SHA512
be76a2325b1e1c747dad73146674f3dd366f3712f069fa474c7ca05598756552cb79f2a6db729a1b3e683409913589dc672c0e79fb1ca14aa6eb27af6e7c826a

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
896KB

MD5
f3254308e783127c31c30c984bf6a635

SHA1
9acda00f9b9e93724122ad068b09e0bb4f4808d8

SHA256
03f677720ef50e493be74853e57b6a2d4b257c52e5c552e19c18aab0df139ed5

SHA512
5d5f65bbf8c35e3d52bf2b095fae3811b151adbf0b32b5143bd73768b1d9ca02b891c15bc9e37fdb318cbf98dac9804f1bb980bc5a254c6fdc563cd278e3dfe2

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
896KB

MD5
0fffe2dc3090e7546c161bc7c4fc88c7

SHA1
88ae2962989263ea253f2e20b8fd1a7332dbeff7

SHA256
387734a03b3116df88b7a7bb1df1788cd7459427fcf8cb4167b27161744c2434

SHA512
ddeda28870b7ac27c11936d7dcd2eff999041f2f83a19dca392a4b9b02ca673cfd43e0d43edab08faa6c96e7f8dae86a689f3b94d9ad55bcf2ae86908c4bccdb

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
896KB

MD5
015ad2252ba53f07b37ea09a5cbcabfd

SHA1
df466293bd03ddea53bdf7fd4a5893acb561e74f

SHA256
76c1ffba2281376038ea894f7b2e3929c59626edf85b4434b5e618cb4348a6c1

SHA512
a87ab387e458c49348bee3db1a7574ecf3c99040770e01334bc8639ba811a91f113c4558a2b740ee9fdbdbae3e9dc8c2307049b057f2cfbf142cef4e9d29e8c1

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
896KB

MD5
5447491718fbf5e07330f6a141a105d0

SHA1
904a0d65132a3e5207f45326e5fcbea2e5d83c15

SHA256
f9dd50904d6f3f3b6458b19c79023f9e3ddfb9954ff7e0ff9a1ff9a1e45e8ebf

SHA512
60fe2a8be4c4ab57502c97ab2e422772b085ea26b4315d621acdd3167ecee345aab3a2d34b5e20bc35ff3b09f07f6357e4889025f4e314c4a9f63dc891b79735

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
896KB

MD5
c0bed8f29175e16b89efdca9d1d0dfc3

SHA1
6dd246b25f0a2bb451d3efc84771468ce653d36a

SHA256
25f59d29673b95931dcfda1ec4cbbb10947f83f40325d773634979f701071998

SHA512
211f99fcffaf723c303cfb96f5d7337c5663a4c058a820bb9c143237482c507b311d4bebc639a596bd54e3d283b56c7705b34c3d7208379c77ec48c40cb5f6df

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
896KB

MD5
d9ba06a8b16334d8d7dc7e3170aa3001

SHA1
a3af7a1ed10578aea5d893fff1b37464a47bdfe2

SHA256
a9b6e7a121b0e2a364133b5322dad513ac3608baf342c7ca3d7255bccdd10c49

SHA512
471dae6f2212bff285c563ed86d07298feffbb9479237d859e9b0d1529dbcc35ad28d7cee51b58394ac5db18778cdeb6372c631913d0084b3dad861cbcc76097

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
896KB

MD5
4c71ca0be61b384bd7af0913b5c70c87

SHA1
23c7ed9475cd34034a84b2aec120764d9b8de0c8

SHA256
a166e50224d0c6b9be324184b0c82d4e24d8c0988d587d20d3b2b77c22c8de05

SHA512
3155d5195ec90903b994c20ca6700425c5d56ab4e5171798878024c1a130859d832c30bca988d3aef98094ad5f4ce25533e3958ded662a10c3f0e1904bc9cf23

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
896KB

MD5
1f285542ad00219e80e8bd0a650dbdc5

SHA1
bed8a5ef6aac0ddf133b947a447b1c43a2fb553f

SHA256
6068bde10b95a3f3b389ff2811a91eebc8f98c99564a96b57f724c1de8f47a2c

SHA512
b08bb6b3da359b3f51ca79cddc65c8606ca90fbb2d0c016dbe74e91ff7365288863089f558a0d377f50b51fa227a376e87ca73e33f4be3c020cede2f4a75451b

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
896KB

MD5
4b8c5cb32eaf95ae39d0127bb92557b3

SHA1
00664d016939b37836c6146e50a2ac4959479b81

SHA256
56e48af417591d575e3f76721cd0e7fcc137edd263ca6a2e6ebec5123808c375

SHA512
a6d9c09793baae36cb687c50fea7dc8fd1a7ae62d1e4c2cc3e2d1d4d9b7aa9682fdd132d596ae5555735132572805492047d95a16f6634e76af040b7e1cf82b5

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
896KB

MD5
7dd6bca11bac2cce7a245769ef61281a

SHA1
170c8be302d08c3e88e13e02855b247c7498f610

SHA256
272cdb32781c07f796d63a617042156b761bf4eed3e07acd911addcefbe4659e

SHA512
98711348c874c9c8f7af6541887a918950db42f88a2228373cd944aba6897fa648bbf6cf2bab505d32e05e0b747114873526e27e197780801c594d0f3712b24d

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
896KB

MD5
8cc66a4d53a23bd3bb78d00b5d96ff25

SHA1
bfaa7a9717905064e97e8048a106e450d0146e8a

SHA256
e0c0ef4292d2ed82701b6c51a546d018991211871c9c27e06ba337ac0177ccc2

SHA512
8f6e97388d533bcaca382a18159493539178068f59dcb11a72ee55508d4d395017cedd7f573a51820eb1969922f153280bc557f07879742bde2cdec0ef117315

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
896KB

MD5
0a99f3f0cd6d254f5fcd701f6bb984d7

SHA1
a33d4e0cff519e794d6323a206b7f3fd03147df6

SHA256
7ccdbc71cdcfba8853afd011ff86166a51e7c3d3a5a10d18b9a808d2e9d7bf86

SHA512
f7adaa6f087b1497051090b522d759da6591a792e0d97401a916bc7487b3122003eb4789d72437f9dfcfc11adb15782e238c95c9c310f9017656c130c8e17721

Download Submit
memory/332-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/444-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/652-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/708-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/772-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1488-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1716-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1932-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3028-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3064-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3228-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3244-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3416-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3744-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3940-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4140-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4240-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4608-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5048-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads