5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2024, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39.exe
Size

860KB
MD5

7c6fa7a133cdd6f132568bbeb178f6a0
SHA1

f9bc4d60e652cf59307c633fd7e794e808dee127
SHA256

5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39
SHA512

0ca5026927b60db730371510ce05c9424dc8bca25b9a5a8046030a013cb01e982cecf465951135978c98fc0276ae9b43792ceae2461ce78c53d9bb1d1cd7a104
SSDEEP

24576:x5hPuh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YS:IbazR0vD

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe

Executes dropped EXE 64 IoCs

pid	Process
2964	Kdffocib.exe
4800	Kckbqpnj.exe
3472	Kkbkamnl.exe
3572	Lpocjdld.exe
1624	Lgikfn32.exe
2408	Lkdggmlj.exe
4664	Lmccchkn.exe
1244	Laopdgcg.exe
2180	Lpappc32.exe
4940	Lcpllo32.exe
4596	Lgkhlnbn.exe
3008	Lijdhiaa.exe
4616	Lnepih32.exe
5036	Lpcmec32.exe
4856	Lcbiao32.exe
3508	Lgneampk.exe
4772	Lkiqbl32.exe
552	Lnhmng32.exe
1724	Laciofpa.exe
4896	Ldaeka32.exe
4340	Lcdegnep.exe
3340	Lgpagm32.exe
1268	Ljnnch32.exe
1560	Lnjjdgee.exe
3024	Laefdf32.exe
2276	Lddbqa32.exe
2040	Lgbnmm32.exe
1884	Lknjmkdo.exe
3728	Mnlfigcc.exe
2552	Mdfofakp.exe
3308	Mgekbljc.exe
3680	Mjcgohig.exe
4072	Mnocof32.exe
1404	Majopeii.exe
1420	Mdiklqhm.exe
2888	Mcklgm32.exe
824	Mkbchk32.exe
1016	Mjeddggd.exe
4028	Mnapdf32.exe
4280	Mamleegg.exe
3452	Mdkhapfj.exe
5020	Mcnhmm32.exe
3488	Mgidml32.exe
4952	Mjhqjg32.exe
4168	Mncmjfmk.exe
2488	Mpaifalo.exe
2972	Mdmegp32.exe
184	Mglack32.exe
4992	Mkgmcjld.exe
4836	Mnfipekh.exe
2948	Mpdelajl.exe
4564	Mdpalp32.exe
1756	Mgnnhk32.exe
2164	Njljefql.exe
1580	Nnhfee32.exe
4752	Nqfbaq32.exe
1540	Ndbnboqb.exe
3444	Ngpjnkpf.exe
3800	Njogjfoj.exe
3436	Nnjbke32.exe
1556	Nqiogp32.exe
556	Ncgkcl32.exe
896	Nkncdifl.exe
1544	Njacpf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lkdggmlj.exe
File opened for modification	C:\Windows\SysWOW64\Lcpllo32.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Pellipfm.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lcdegnep.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lkiqbl32.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3724	4512	WerFault.exe	154

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiidlll.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdikig.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogijli32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidmdfdo.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lijdhiaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcpllo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgikfn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 2964	4472	5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39.exe	82
PID 4472 wrote to memory of 2964	4472	5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39.exe	82
PID 4472 wrote to memory of 2964	4472	5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39.exe	82
PID 2964 wrote to memory of 4800	2964	Kdffocib.exe	83
PID 2964 wrote to memory of 4800	2964	Kdffocib.exe	83
PID 2964 wrote to memory of 4800	2964	Kdffocib.exe	83
PID 4800 wrote to memory of 3472	4800	Kckbqpnj.exe	84
PID 4800 wrote to memory of 3472	4800	Kckbqpnj.exe	84
PID 4800 wrote to memory of 3472	4800	Kckbqpnj.exe	84
PID 3472 wrote to memory of 3572	3472	Kkbkamnl.exe	85
PID 3472 wrote to memory of 3572	3472	Kkbkamnl.exe	85
PID 3472 wrote to memory of 3572	3472	Kkbkamnl.exe	85
PID 3572 wrote to memory of 1624	3572	Lpocjdld.exe	86
PID 3572 wrote to memory of 1624	3572	Lpocjdld.exe	86
PID 3572 wrote to memory of 1624	3572	Lpocjdld.exe	86
PID 1624 wrote to memory of 2408	1624	Lgikfn32.exe	87
PID 1624 wrote to memory of 2408	1624	Lgikfn32.exe	87
PID 1624 wrote to memory of 2408	1624	Lgikfn32.exe	87
PID 2408 wrote to memory of 4664	2408	Lkdggmlj.exe	88
PID 2408 wrote to memory of 4664	2408	Lkdggmlj.exe	88
PID 2408 wrote to memory of 4664	2408	Lkdggmlj.exe	88
PID 4664 wrote to memory of 1244	4664	Lmccchkn.exe	89
PID 4664 wrote to memory of 1244	4664	Lmccchkn.exe	89
PID 4664 wrote to memory of 1244	4664	Lmccchkn.exe	89
PID 1244 wrote to memory of 2180	1244	Laopdgcg.exe	90
PID 1244 wrote to memory of 2180	1244	Laopdgcg.exe	90
PID 1244 wrote to memory of 2180	1244	Laopdgcg.exe	90
PID 2180 wrote to memory of 4940	2180	Lpappc32.exe	91
PID 2180 wrote to memory of 4940	2180	Lpappc32.exe	91
PID 2180 wrote to memory of 4940	2180	Lpappc32.exe	91
PID 4940 wrote to memory of 4596	4940	Lcpllo32.exe	92
PID 4940 wrote to memory of 4596	4940	Lcpllo32.exe	92
PID 4940 wrote to memory of 4596	4940	Lcpllo32.exe	92
PID 4596 wrote to memory of 3008	4596	Lgkhlnbn.exe	93
PID 4596 wrote to memory of 3008	4596	Lgkhlnbn.exe	93
PID 4596 wrote to memory of 3008	4596	Lgkhlnbn.exe	93
PID 3008 wrote to memory of 4616	3008	Lijdhiaa.exe	94
PID 3008 wrote to memory of 4616	3008	Lijdhiaa.exe	94
PID 3008 wrote to memory of 4616	3008	Lijdhiaa.exe	94
PID 4616 wrote to memory of 5036	4616	Lnepih32.exe	95
PID 4616 wrote to memory of 5036	4616	Lnepih32.exe	95
PID 4616 wrote to memory of 5036	4616	Lnepih32.exe	95
PID 5036 wrote to memory of 4856	5036	Lpcmec32.exe	96
PID 5036 wrote to memory of 4856	5036	Lpcmec32.exe	96
PID 5036 wrote to memory of 4856	5036	Lpcmec32.exe	96
PID 4856 wrote to memory of 3508	4856	Lcbiao32.exe	97
PID 4856 wrote to memory of 3508	4856	Lcbiao32.exe	97
PID 4856 wrote to memory of 3508	4856	Lcbiao32.exe	97
PID 3508 wrote to memory of 4772	3508	Lgneampk.exe	98
PID 3508 wrote to memory of 4772	3508	Lgneampk.exe	98
PID 3508 wrote to memory of 4772	3508	Lgneampk.exe	98
PID 4772 wrote to memory of 552	4772	Lkiqbl32.exe	99
PID 4772 wrote to memory of 552	4772	Lkiqbl32.exe	99
PID 4772 wrote to memory of 552	4772	Lkiqbl32.exe	99
PID 552 wrote to memory of 1724	552	Lnhmng32.exe	100
PID 552 wrote to memory of 1724	552	Lnhmng32.exe	100
PID 552 wrote to memory of 1724	552	Lnhmng32.exe	100
PID 1724 wrote to memory of 4896	1724	Laciofpa.exe	101
PID 1724 wrote to memory of 4896	1724	Laciofpa.exe	101
PID 1724 wrote to memory of 4896	1724	Laciofpa.exe	101
PID 4896 wrote to memory of 4340	4896	Ldaeka32.exe	102
PID 4896 wrote to memory of 4340	4896	Ldaeka32.exe	102
PID 4896 wrote to memory of 4340	4896	Ldaeka32.exe	102
PID 4340 wrote to memory of 3340	4340	Lcdegnep.exe	103

C:\Users\Admin\AppData\Local\Temp\5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39.exe
"C:\Users\Admin\AppData\Local\Temp\5acc90bf6b21d642bfec2cb86f4ea4bf105c2a80cea009d2bc98bd8942962a39.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Windows\SysWOW64\Kdffocib.exe
  C:\Windows\system32\Kdffocib.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\Kckbqpnj.exe
    C:\Windows\system32\Kckbqpnj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Windows\SysWOW64\Kkbkamnl.exe
      C:\Windows\system32\Kkbkamnl.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
      - C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4664
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1268
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3728
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3308
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3680
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        40⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3488
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4952
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:184
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4564
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2164
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:556
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:896
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        66⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        67⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        71⤵
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        73⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        74⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4512 -s 400
        75⤵
        Program crash
        
        PID:3724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4512 -ip 4512
1⤵
PID:1516

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
860KB

MD5
98e0670c2b8701aef0c45c1b172c605d

SHA1
66ea46673110f4bb0daddbb96b0f758467578749

SHA256
66e67dfe7e83860a95edf0d6baedd4d1e2e77cf7965ff90ddb095312f0383189

SHA512
6472f8d1f9a034471bc0a77a707e68fc21d1974cb62ae4a219959e86ce329731a7773fbaef19f868732c607daae4829c487cf14dca94a7737ab942939eca2f9c

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
860KB

MD5
748541941b1c0ceee4ce78abedce5e47

SHA1
041f7f4320bb510a25d0d25f2262097e74fcc37c

SHA256
a01d7ca543c5050aef7189f917d7e2bfef3a68b6dacb2bb32de05a51452f81d8

SHA512
8df861627edba9448afaefc61a3077d52e681021f3cbbac181242197ed1c623612aded5293c813c1c72d6039cd72cff2883a9d88ce530ff654b3526af5bed6e8

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
860KB

MD5
29f88c23c2546c7dae100eec62b74458

SHA1
8a0da764164218913fcbefce6289c292a33fcee6

SHA256
09f94ff0499c5581beeb87f3a9a59c81c88833aa6935ca20bc8b7e4fe2f792db

SHA512
84d7225f3cb33f1287b024a29bd7db647ea08265d88b2b829e9e5ca7f5db6902a08067bb33a052c53e0421ce188e010148d5402ac99a8a9e28fb6d1482cd201e

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
860KB

MD5
295360d45a4c42c80c9fddc811840a47

SHA1
636e269f7b2484b2562cdd1324cdd7adab493b5c

SHA256
15cd67d8d8f60cfe34b46c69e1776d8321995c7137f5d23314416153b8b62077

SHA512
8a03a419f9ae58da88d7b2d71b06d81e41d089c4f9c2f680cba3cd60a1774d1babe59bf37df9de88d331607690dd088c0a81d1a9f8f21ce81c77392c326c122f

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
860KB

MD5
aed5458ad6ae0e718be3b3a908fa739c

SHA1
8dca68500b2f33ded5052a337868580f2f32ec75

SHA256
6707b22953255ad786d6939e661e6a413d081c8a2e4128b6bfe65e6d9f87e3b7

SHA512
f7b9fc429ea23b7b8904dd179ef35d787ebbfa19e963ca843ae5aa26914f23354f554d81b15f8567036b832f317b97990952662f7f424a8c9564f80493cba6fc

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
860KB

MD5
a702e374615992ec719420743a796704

SHA1
1202d08aa8d5dadafb43a240326ef14d57440503

SHA256
7da79e6a02e2d6c504dd42dc2599012759cc045ca770f758a81aec04ccc66c39

SHA512
0594c081dc4c60fc93558fc55a6820a34ac32dc0cb5888cbd43c7507bfdf4abc23ef348dfb9fcff8374217b96cfc58bcfb642c2e1f5363c29b6c8a549d5cf08f

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
860KB

MD5
55bdb96b4ca50eb80580e9ebe559423d

SHA1
dfa10aabe28f9a12df52380570b631fdd71459f9

SHA256
94df23b2133d27ca8ebd217bec6936111aa0e832b5773c1be7ead35ec617ead9

SHA512
0d008fc514b8c89bff639e58e02b6d0a1114970f02ee4c0f648769f0e7546e01362e717085aa465b753a39458ee8580f2a08da0c19d0b9f58f659717d724080b

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
860KB

MD5
29be99a2114997b3ba57e3ba3d5787d8

SHA1
76d789761b687a77206e2c740455570f9300c25c

SHA256
6aaba428dfb4cb0bb98457014b71b8429e4660f3cfe39397dd32122df4179551

SHA512
a984dfd6c801c7c0c98cae06c41affa4ba25409c166972c8b1975981a4936a8789e72811b72f1e7c3153f04244479027dbc5f65f1552de8d7eebebb734480ab6

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
860KB

MD5
a3d2e46286a4246df85b03550f81f1ac

SHA1
fe7d20c130ff59ac527e75e9adc14e61141b107d

SHA256
cccafc08d5244895aa926f7a835756622948563d505ff80c2a678975dd107fbe

SHA512
2b2de99db2817dc741c31a56a606602df1042d52be14daa3a5ac9f2623b90f2854397176a47a6c7fc122ace1cbf3b48824c04c7a9ea6b129008216cd952994c1

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
860KB

MD5
668ebdeed816bc1db36a45d034d5718c

SHA1
bde9c43bfd3f6144e0ec92899c9ce3bb759bdabf

SHA256
d41131749cc2c150d322190293823971951097f4e006481704d1a6c8817be816

SHA512
f10be0759f0280953c3452ccdd0426a75636bccb76311dc6bd8eadeb9dc6d66c704c887bfbe4214c5a3f5908dab79b1f90fd4ee739fc1fce545e2eede21b4d2e

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
860KB

MD5
ff35833aa4fb2c9a6b6b290ca55ab0d4

SHA1
b2a0841f76b09573584c650bf4f02467932cb999

SHA256
0e3d59abe99b205a88951a34380f7bbdda79cde0e7409416aa808bb1d23bb524

SHA512
e203f210cc4b575d60cba293c29e6c215460c5e99cfc2e03aa0ecbf5b1f5486d9a247d539969b2257783271e8427fdb5c8d567b6a0b2e68035613a0e0e0bdba1

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
860KB

MD5
4760ed318f8547867c209430aa08da95

SHA1
2e4f4365253c84801fcd57eabb3c63e766f6c189

SHA256
5e536371c5981f803227dc88e56390a128d8025f4ba75b7787f61983b68e564a

SHA512
3bd3c253c574acf8fe03f71fa5c349cfdc2ff00c46334ecca1ea798a81a2ecb5b3687cfe4e7242c23b676dbb90f5ffe3b05d01330710d9b952e4222ccd3ccc9e

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
860KB

MD5
1d280faec8dde65d3b87b132860f0718

SHA1
b376e6cc2fba8b57c709a2e2e620f0c96cd79bac

SHA256
83a75d931a288bceb821b4ee57b68afff44dc7d92844f6cf0d9f916eee99d6bf

SHA512
23df80348bd6a3b454073040ccd12144d8532e69b5d605f90173fd21a7d5d7229a465a9f33fa45e3c94333973f3f3746c9de91061bf71d4a7efb29c4424284d1

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
860KB

MD5
77ac2dabcfccd3ad7245bf7b2cfa8e4b

SHA1
b34f29e8e043cb4812ed3ffa9dc69ea68d87bec3

SHA256
7177f51484044aaaf76b8f18d2afb19e262f697f7f6f50ccb74259918736642e

SHA512
88cc149581c227ae39ee640fb30a167bb71fb1c0ab772b7d573c5b009cae9eea61be31702e6f1d5fffa0945fb5e5f73bf7dd930c76a32e36516a4903403baec5

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
860KB

MD5
f9c27a98e08ef832299198f67d4b65cf

SHA1
1f657fb0e731cd4f327ebf72d605c0a517e6ae79

SHA256
ef7b4af96bc528b9226c84affaab0ae5a0922062b4dcba17c656863ab45e3099

SHA512
cd5263ae60e29956778b2b55fed9b7a24ea7b8bd7e4572ce820ce6c32579542c2304212c6e81a2d133b4eea17b011c46ef2f236149f66cd96ee4770b2f5bea62

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
860KB

MD5
2fa6521502a5c1c5d9340bfbe21675dc

SHA1
d84cfde4eba58827729d0c9c609b7ccea34e72b7

SHA256
62c0191c27845f535942685f437cfa87c98a4abebfef4afc32c72c7a9bbd9db3

SHA512
89e39ed7f6bed58c1c4cc241df3d84931a3861ca148693e321b1679346b3a44bac00bed7a095da406138e1ae5b375239c44e4d0281f27f627de5bb8790db391e

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
860KB

MD5
2e2e21c9d3125f58e475bd8d51c125ac

SHA1
096b3f5488b438f16f4e2736df8f3436c44cfae4

SHA256
0fbff98acd8d73da8cf7b9141cc4e22d90b30f6dd22320d6bfd71bc9bdb7810d

SHA512
7ca801680f386cb694388815de9dc01f02d70116a2c09c509b880702d57f793b18c706856178c315708eb2d932e1c861f7dc19108c23592a08d403456c76d963

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
860KB

MD5
8f893c7257da04f94bdd557b0b98e1b4

SHA1
277d402647f1132109f7891174d7b1aa31afe91d

SHA256
0758ac85a14cf02a56773565f285033671b8006174edba2ae5eb665c8214bf1a

SHA512
cb339a341c66db654b302e68bac0bf665fd4172d1e848ec5f4c1997b14bbf14a02273abdb165291f4abb74e725c8a47621ed690cba81a2236000ccd8fcf0ed51

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
860KB

MD5
2c96ebf1ee5debc16c454e9f64292191

SHA1
d4b462e5b6f0a5cca106d71383b0bd7ffaed5b9f

SHA256
8f64d3c5de52f7a72458575e2d81c6da3406b0eb4991d1049cef89d26a8b620e

SHA512
ad865e8634c77c57eac87a229826863b24d11d8a5b47d318927aa9ac32c67fcf2a3d084972c9315829a90ae71738dda898928752f3a88fa044268024334a71be

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
860KB

MD5
81a63a7a07e9e0af2199ae572168e623

SHA1
244ec2088725dc2cd120676bb08a8f8f1d443598

SHA256
eb27a8fc3775044d0569ce2425263ece139e0dae392509aa6b0382666fc695d6

SHA512
8042346866cbba2309f77112277a5971338497f29122df78eefaf79d357326abb5e40a5924d005e4e6bc697ee16f7145d6c79dbc897787538b16662a1d35a728

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
860KB

MD5
d7cafe08b906c20d0fa411561eb33c92

SHA1
c08b1048af36d023fb73579f8c0bc10e2f550178

SHA256
4a31e35384b66570a2bf748bcede7f9dcc8e647f7014543308d797b35de5a050

SHA512
f8b2e78690707046cd44cf27622f8d2607e35aee0a277ec9cd961253211380753267d77ca125e70671c57fc184abd8faee38e11951e939c4a2bacb7d721c9cde

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
860KB

MD5
0619b6dad0ed1ace650518de8036a2b5

SHA1
bd86084eece64667eb736743b9b45f083520c236

SHA256
f91e5396b0adc404752d1cf470d97161ef0c16ff1603f29cfa18b34b2c2146f0

SHA512
c1989f40235c7f0691cb020a537d5820709d59fe851dea6576a2bc80394a832b23ebd1f30afbb6aa37e5d22efdae4b08075b49d08acc882c6f6040194e362b31

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
860KB

MD5
e98af1e4913c07d796be86461e737e60

SHA1
6929fd5b18d1a5dfe89452dcff8953d695da36a5

SHA256
413f4bdfcf9766b36f343371d77b286be8e08af9dbe410556fb8e24bb530a388

SHA512
74f0caab2507eaa777b25e81ea08ed3ada23b42e5d11657a09233c231385ba1962d8b83520403642088ed513f2cc14d8d5f510328763872f8a655d422f73c8d5

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
860KB

MD5
5f85fcf683665642e59218ffa91881a9

SHA1
0d8b7126a2a7060e07502894abd2700b5767ed9e

SHA256
ad3f8552c74cc84eb539c14a8aad8c2e7e911d56d07edb12a858c2dc3eb6e47e

SHA512
75e64261157d384c389c8b5b0d9b8ab3c9973ad6c4c8977e232d3f7d83ba61512b4f6b736567c3a2b9bff297252c21532b8d45ae858e09058aac0e33128b3de8

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
860KB

MD5
18a34a9a7a18567419db3d2f22fa3c31

SHA1
b880d522f0d94c26d3aec766e8e0dfe1b498bb5e

SHA256
bf73c62e88867537997e09c769a1ccf8100b7982ec1e8238ef50b4936a396a93

SHA512
f3c62cb47a9b19bf7c740ba516f8a55fd609a8bb66c5be1af3070a1da787203517410ee28824ae7f9ccc41206dfc4e9be2f7905246b0f083bcc40f832b5b73d6

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
860KB

MD5
652c98916c0a2432056c61eda7d8aeb4

SHA1
81b3ce4e29ffbad3089bd9a01a083324e3e7f17d

SHA256
c8b7e1051a2c690dc1d03cbfb04dd1ff21abda46241dba5f16c548bf862eaed4

SHA512
1457f1489b212752c64dc58dd1308a79602b0785fa59abd29c8b255dfeaf894b5e18aee0efaf040f8f854d75ccf778bcb87e35c67e4f8f2aa267cda714438436

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
860KB

MD5
ac2865ab163ec104f2f52582e2ea3c21

SHA1
7528147a464a79b272bb0577dcc2acc7c9405763

SHA256
77adf96d3f78329bc8c51dbe8f161c3fd1e17cee5423cc5ec8ebe651b5eca088

SHA512
0808e44ca5a946d30c6f25b542462877be1b3732e15c3ee70281910710901b2d0406a3e4dc1a0fcf4f56dfb5ef8bc098d12f1385a411d6fe82724d295ccae47f

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
860KB

MD5
a99c44d7c891041e7aa1ec79ea315251

SHA1
9ad85ae2c0f8def7fc7bc83aabda60ff868c2e05

SHA256
9cc1487b6fb8c4b0116b8087984a469dadd80dd7e302fea8ad27ff434049d340

SHA512
c2e9a5e7411661da3260b78328ba4ee014dac8fdecdd36c1008c6199ddfcdc1b9c778c9be65a72e1a80241affa11217099ee1f7e86729dbab8925515f20fffee

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
860KB

MD5
997cd1f4831b4c068b3c3948e4702412

SHA1
9805a81f53abc507428136b5c9fac9990114bfc9

SHA256
00f9bfddda7f16929ec2d2df43463a1e5cb30d234217694b6bce3d55bf5bddef

SHA512
1c62ae4cd341ec694945680df653c0d65e28b01cee9d0d0ef9cf39c934970c0baeda160ca93f1fa1ca4ab935678d58d55fd73db6134662796011694587573c53

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
860KB

MD5
01e1fe30891dd389e060329379602cad

SHA1
ef69bc296bd1b5f574499e503e6b7fc2e4277407

SHA256
210bf2b0873aaec63ea520d2b263f58b64d0aaf5716c2a2a390158e4f3dd815d

SHA512
a6151f101e88051bc107ec747397ef471ca9803f90dfb980a36052e4ac8f35f0c02b7053142c28402c09801ffdc373997184af6d9cedb4a53e989edf4e450256

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
860KB

MD5
ce2766ecbb1273a6beb7cf488dbf1dac

SHA1
e36667de5133a4c1a1ed2b4691a3e68c251de465

SHA256
e237a3685ff4f47b3cb971d0384191da3f5d6f59c4014915b2c211cd9fe45ace

SHA512
93b6995c17baa27126a793304f0d3096106100167742df7ff183f0da9c55b003dc0b7e2e3307125d367787513bd862f22891b212f008f1f68f3e6cf82d63d8c8

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
860KB

MD5
47a18669bdad8d202f485a6eadbb4b63

SHA1
8c5147f466906c8d568851d804addb73aa2600f8

SHA256
ab036d047881eb207cfde3bff4e88c5af95da66ab774b9245a739f266a5068ee

SHA512
a40450d8a756a407dad1f7b43d26683f0bb0b3bc3776bfaafb1ce36778e1b873c25f850aebfbb962d43ffeee156360eaf721ff106ddebca01951d7f2972d7e0c

Download Submit
memory/184-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/552-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/556-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/824-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1268-536-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-512-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1540-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-534-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1624-572-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1656-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-544-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1868-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-526-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1956-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-528-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2236-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2276-530-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-570-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2488-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-577-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-558-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3024-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-520-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3340-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3444-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3508-550-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3572-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-518-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3728-524-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4072-516-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4392-444-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4472-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4472-579-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4596-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4616-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-552-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-542-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-554-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads