393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 20:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377.exe
Size

415KB
MD5

d41eea8f0860e6c91dd5cbeb01a3826f
SHA1

77cacfeb8cdf37a63910cbe8376dc25f8959748d
SHA256

393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377
SHA512

8620c666c059c8782c349c5f0ff22233c9ecc123f18f82e920c38e4e72657b08c7a5e5ec121b0aeff9f71f1e504777a2e44d33c42cf3ca9ae180c57fcbf2af92
SSDEEP

12288:4EE2XmkAoWj7NtInBBBBBBBBBBBBBBBBBBBBBBBBB0kfBBBBBBBBBBBBBBBBBBBJ:1HXmkAklp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe

Executes dropped EXE 64 IoCs

pid	Process
1860	Kgdbkohf.exe
636	Kdhbec32.exe
4248	Kkbkamnl.exe
4496	Lmqgnhmp.exe
2900	Lpocjdld.exe
1868	Lcmofolg.exe
5004	Lkdggmlj.exe
808	Liggbi32.exe
1524	Lmccchkn.exe
2916	Lpappc32.exe
1176	Ldmlpbbj.exe
1492	Lgkhlnbn.exe
2480	Lkgdml32.exe
4992	Lnepih32.exe
1872	Lpcmec32.exe
4576	Lcbiao32.exe
1956	Lgneampk.exe
4872	Lilanioo.exe
4564	Lnhmng32.exe
2184	Lpfijcfl.exe
3364	Ldaeka32.exe
2636	Lgpagm32.exe
4016	Lklnhlfb.exe
2644	Lnjjdgee.exe
4848	Laefdf32.exe
4500	Lddbqa32.exe
1412	Lcgblncm.exe
4548	Lgbnmm32.exe
2544	Lknjmkdo.exe
3444	Mjqjih32.exe
1516	Mahbje32.exe
2324	Mpkbebbf.exe
3724	Mdfofakp.exe
3528	Mciobn32.exe
4320	Mgekbljc.exe
432	Mkpgck32.exe
2196	Mjcgohig.exe
2792	Mnocof32.exe
1856	Mpmokb32.exe
3212	Mdiklqhm.exe
4188	Mgghhlhq.exe
3348	Mkbchk32.exe
3540	Mjeddggd.exe
1656	Mamleegg.exe
4444	Mpolqa32.exe
3636	Mdkhapfj.exe
64	Mcnhmm32.exe
5016	Mgidml32.exe
4616	Mjhqjg32.exe
3236	Mncmjfmk.exe
2052	Maohkd32.exe
2808	Mpaifalo.exe
4804	Mdmegp32.exe
1504	Mcpebmkb.exe
2252	Mkgmcjld.exe
2960	Mjjmog32.exe
3208	Mnfipekh.exe
928	Maaepd32.exe
2548	Mdpalp32.exe
776	Mcbahlip.exe
2160	Nkjjij32.exe
2536	Njljefql.exe
1036	Nnhfee32.exe
4516	Nqfbaq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Offdjb32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Dngdgf32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lnepih32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Qgejif32.dll	Lcmofolg.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kgkocp32.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lkdggmlj.exe
File created	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Bheenp32.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmlpbbj.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lcmofolg.exe	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	4440	WerFault.exe	165

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Lpocjdld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1860	1688	393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377.exe	82
PID 1688 wrote to memory of 1860	1688	393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377.exe	82
PID 1688 wrote to memory of 1860	1688	393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377.exe	82
PID 1860 wrote to memory of 636	1860	Kgdbkohf.exe	83
PID 1860 wrote to memory of 636	1860	Kgdbkohf.exe	83
PID 1860 wrote to memory of 636	1860	Kgdbkohf.exe	83
PID 636 wrote to memory of 4248	636	Kdhbec32.exe	84
PID 636 wrote to memory of 4248	636	Kdhbec32.exe	84
PID 636 wrote to memory of 4248	636	Kdhbec32.exe	84
PID 4248 wrote to memory of 4496	4248	Kkbkamnl.exe	85
PID 4248 wrote to memory of 4496	4248	Kkbkamnl.exe	85
PID 4248 wrote to memory of 4496	4248	Kkbkamnl.exe	85
PID 4496 wrote to memory of 2900	4496	Lmqgnhmp.exe	86
PID 4496 wrote to memory of 2900	4496	Lmqgnhmp.exe	86
PID 4496 wrote to memory of 2900	4496	Lmqgnhmp.exe	86
PID 2900 wrote to memory of 1868	2900	Lpocjdld.exe	87
PID 2900 wrote to memory of 1868	2900	Lpocjdld.exe	87
PID 2900 wrote to memory of 1868	2900	Lpocjdld.exe	87
PID 1868 wrote to memory of 5004	1868	Lcmofolg.exe	88
PID 1868 wrote to memory of 5004	1868	Lcmofolg.exe	88
PID 1868 wrote to memory of 5004	1868	Lcmofolg.exe	88
PID 5004 wrote to memory of 808	5004	Lkdggmlj.exe	89
PID 5004 wrote to memory of 808	5004	Lkdggmlj.exe	89
PID 5004 wrote to memory of 808	5004	Lkdggmlj.exe	89
PID 808 wrote to memory of 1524	808	Liggbi32.exe	90
PID 808 wrote to memory of 1524	808	Liggbi32.exe	90
PID 808 wrote to memory of 1524	808	Liggbi32.exe	90
PID 1524 wrote to memory of 2916	1524	Lmccchkn.exe	91
PID 1524 wrote to memory of 2916	1524	Lmccchkn.exe	91
PID 1524 wrote to memory of 2916	1524	Lmccchkn.exe	91
PID 2916 wrote to memory of 1176	2916	Lpappc32.exe	92
PID 2916 wrote to memory of 1176	2916	Lpappc32.exe	92
PID 2916 wrote to memory of 1176	2916	Lpappc32.exe	92
PID 1176 wrote to memory of 1492	1176	Ldmlpbbj.exe	93
PID 1176 wrote to memory of 1492	1176	Ldmlpbbj.exe	93
PID 1176 wrote to memory of 1492	1176	Ldmlpbbj.exe	93
PID 1492 wrote to memory of 2480	1492	Lgkhlnbn.exe	94
PID 1492 wrote to memory of 2480	1492	Lgkhlnbn.exe	94
PID 1492 wrote to memory of 2480	1492	Lgkhlnbn.exe	94
PID 2480 wrote to memory of 4992	2480	Lkgdml32.exe	95
PID 2480 wrote to memory of 4992	2480	Lkgdml32.exe	95
PID 2480 wrote to memory of 4992	2480	Lkgdml32.exe	95
PID 4992 wrote to memory of 1872	4992	Lnepih32.exe	96
PID 4992 wrote to memory of 1872	4992	Lnepih32.exe	96
PID 4992 wrote to memory of 1872	4992	Lnepih32.exe	96
PID 1872 wrote to memory of 4576	1872	Lpcmec32.exe	97
PID 1872 wrote to memory of 4576	1872	Lpcmec32.exe	97
PID 1872 wrote to memory of 4576	1872	Lpcmec32.exe	97
PID 4576 wrote to memory of 1956	4576	Lcbiao32.exe	98
PID 4576 wrote to memory of 1956	4576	Lcbiao32.exe	98
PID 4576 wrote to memory of 1956	4576	Lcbiao32.exe	98
PID 1956 wrote to memory of 4872	1956	Lgneampk.exe	99
PID 1956 wrote to memory of 4872	1956	Lgneampk.exe	99
PID 1956 wrote to memory of 4872	1956	Lgneampk.exe	99
PID 4872 wrote to memory of 4564	4872	Lilanioo.exe	100
PID 4872 wrote to memory of 4564	4872	Lilanioo.exe	100
PID 4872 wrote to memory of 4564	4872	Lilanioo.exe	100
PID 4564 wrote to memory of 2184	4564	Lnhmng32.exe	101
PID 4564 wrote to memory of 2184	4564	Lnhmng32.exe	101
PID 4564 wrote to memory of 2184	4564	Lnhmng32.exe	101
PID 2184 wrote to memory of 3364	2184	Lpfijcfl.exe	102
PID 2184 wrote to memory of 3364	2184	Lpfijcfl.exe	102
PID 2184 wrote to memory of 3364	2184	Lpfijcfl.exe	102
PID 3364 wrote to memory of 2636	3364	Ldaeka32.exe	103

C:\Users\Admin\AppData\Local\Temp\393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377.exe
"C:\Users\Admin\AppData\Local\Temp\393d4a202e0cce560fe4fa8d3d98c4bdb3f85a5c44d74915b9dc5558f7227377.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Windows\SysWOW64\Kgdbkohf.exe
  C:\Windows\system32\Kgdbkohf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Windows\SysWOW64\Kdhbec32.exe
    C:\Windows\system32\Kdhbec32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\Kkbkamnl.exe
      C:\Windows\system32\Kkbkamnl.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2636
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        25⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4848
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1412
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        39⤵
        Executes dropped EXE
        
        PID:2792
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3212
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        46⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4444
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        48⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        56⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        60⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2548
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:776
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        69⤵
        Drops file in System32 directory
        
        PID:1536
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4812
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4208
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:464
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        81⤵
        Drops file in System32 directory
        
        PID:4048
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        84⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        85⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 400
        86⤵
        Program crash
        
        PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4440 -ip 4440
1⤵
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
415KB

MD5
a04a3edb155f52f2ed99ce21f0ca359e

SHA1
59f5a9342d21b861c5611cdb3120d79f94d48744

SHA256
7bca4a003188a8ec0af587636ad338d2678179b38eeefc19654fc9d59e7d7f00

SHA512
be33e38f954bd7b9342a0fbdcb20200b5463ce6a6b78ad90021ce93a2ca14b03ca53c2200b48f1b1af69881797ae8f9fce32ccdfe4422f9b2bfb6808f1759373

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
415KB

MD5
72d07583618114c54b28f39f09e0bdd8

SHA1
cf9eb096eec87e21f52aaaa069a0be164bbdc5f4

SHA256
63f1df091dbaef8f2356c6ab83d8d45b69be8c4e05bea96f53425cf7f370d8f3

SHA512
63d17f311d315a0955c26cfae2054d67ae37010403405b289d83d52dfb9d6c92f0db8332f8f3b43cbb8045f4df579ce85714599770cdb0ffe941117a6ea2d1e9

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
415KB

MD5
ef7896d82d27bb4c56c3955ac10fc48d

SHA1
9e5994df49517ed0a079b868b2826732893791eb

SHA256
caa1fb8492fe722105f3cb59a8ecb4244fcae5142e0c6c60f1be7f4079369120

SHA512
2e9000e74b3ae69e8979cef28556d1f25d7340bc43907fa5cfd76e6bcc2944e898cadec72e81a91f332877ba57b2daca84455cd562fe8bd871759073da547cfa

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
415KB

MD5
0549bec589371033851cfd44d63c3280

SHA1
f2c344b958d55874acd8bfb59ae25de2b8ee743f

SHA256
05f9f740df94016b26a1a1a1e7e44dad96f07533143f357cf631fca252db35da

SHA512
d3a662b172a12437fdb37c1813da3baa55ccb883ca14925483c713db9e08f989e0328ef85518cdb0cfa81d2ccadf321a37ba126c8b3909ae9abe9ace1ef783af

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
415KB

MD5
abfac743494081f96c2a858c29021d70

SHA1
2a111fd2f8e1b897192284c34625f83860b4dd82

SHA256
df3ba6178bd4bda4a7ea49851cd3d1a9b5d2fad85ce6fb9700e8c4313a66181d

SHA512
49b5a7f33e1f1e9ca99f43fce94e2fb5582c606a5798c64a1f0e826d8d379b4aa69325c0cc68cfaabbe19741a0a8e723752fa7a6c8e8bcedd75315c8724e2b63

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
415KB

MD5
d15cce270a6a319fe2092bbadb5b3461

SHA1
8445cd0d40356a38809ce19174c8d86ef6836eeb

SHA256
e6c929ff7dff1f29b61558e8dee42a9ecd7a930337fbfac12a6bba82358b8d2a

SHA512
2945537832a06638e01bcb770387ba2f6d8b89304ab5e2faad65ad8774219e91b8edbb7e4206f0c892def9bb576b2ef1e2164d885c427f0ce36b95d7cc8902ed

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
415KB

MD5
a126b8d1c8320c698de8aacd860f4dd7

SHA1
7803035197c49cf45dd7f9db71894df09077e93d

SHA256
bba406c8bb249df1c5f2d5806ad3d28ae47cec5d74c151f88d79a8ec08ff58c6

SHA512
982d37fefb4e23826c4a16a1490dba86d6b8c421fb4d0c5197f064cb4f99bea2a2d337cfe19b4c9dcd9dae691568814d3c3f0a2b59e29c6d9843b077d84017c2

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
415KB

MD5
9b8777501533b13f79366c921304caed

SHA1
0a072bf5bd74afab6ae59214984e710be651c3e3

SHA256
3e99420cc59edc1c670c9b4158c6490fce884be9298a58a447003058f3315257

SHA512
9079c7b1edf8b181bac7e7581ba35942203d9ba79455600cda366f48044d8c34610e549bb1f812fb829995a4ec2b42fde78cddc8ebe6dbb02396c235ab091b7f

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
415KB

MD5
89a5c5e13f51948908eb422b3d36fc56

SHA1
b5fbdf37ae7550153e0b71a61fc74f7a2443c4e5

SHA256
8179fccfe3a8bc9db7d0084b7ed4a1302a11b37d1257fc0fe845904efd5c2031

SHA512
cd8e62c2aa0c0c5ab101dabafb7bc909c922a2efc671386265214f91aee000c3887114c18d4a956f42b61d9bcd530aacf38ce7782dde75578e0d728e065c6044

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
415KB

MD5
c0d34afce36909321914f8c5175e7916

SHA1
257829c5e0e4e66761a4db0d86b4b11817a15e3e

SHA256
ee03ea68367d7aa48a2fa48e6f634e71a5cc41826627cabd5003ca11f4047576

SHA512
efe84d23c967a738e4a853740d6bafb82f2f6ffacf7681312786ed77e9ba466521337fc6b07c72c54365c3a75f9cb5251541fc95749a1ee67a6f140c873f0472

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
415KB

MD5
ce6a37ba3bcb57fb7b28ad28b5420ffc

SHA1
795944902720c6cb1774c688f88e6af301eb0066

SHA256
cd9a516c46d8404a30eda3f54e0e7214f659a9b798e471bdc49222f63f97498f

SHA512
ed2a6e32d483d7acf31d6ad92d8f4468958d69b94115957c8b5c581bacdd62eeadc54d95fc912ae991c3665c15ed1b69fd87bce32c5f8a24eaae7e35ca25a3cb

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
415KB

MD5
6ed4f403ea502a2c585b003f2e4b7b17

SHA1
f76a0043b32627d488421773be6f06cb8e5c4cb9

SHA256
25a957e7c8e44ae20d93e346fe4faea660f3fc7ba7dde9f6bf2432e3441917f9

SHA512
269eda8af76b58cffb9aff6856fbbff1743cad63301351229df258d1c4b6af97424e686ea5e78fc03e350e1e543ca8f6253f4c87942d8c57be3940f4197abcaf

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
415KB

MD5
096c86ab61e5866d282593d9a9fa8f4a

SHA1
81bc9975d950c45bc7d8591b19cd3eeadbde42d1

SHA256
b9b39fcdc5a06985d0fa73523a622745918bd1d5eacdd40398002c4d07b15ebd

SHA512
2a95856423ac0842bc964d647002a800b4978c49ee883baa6e63980c9d9499a6a08bd78ad1625ccda748f21a59c7f07d2218ed9b08f3553f9110017f9b313c51

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
415KB

MD5
d64a30ccbe62245fd52f968cc600155a

SHA1
041bb04aaab9f95d43098b6c25be8c0f64379c27

SHA256
62951eb671a0529958adf85b7ee19246c1b0a2b9f892cd16ca04317e411006ed

SHA512
823432d1c62fb7c3918bd701dcd4d06cf0b7bc386494c64d86a795e5c707d644824e3bbd7a0041a1e92e37f39c23d9bc1ce9440901fb3ab159fae2984d89566a

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
415KB

MD5
aaa5f6249eaff141c130437279a06204

SHA1
a383d23ab35ce3470bb4471a040078c6dfe8e03b

SHA256
3d6783e09b8d4de7f1a24ed05f75dc36a8ced1b52b029c88e1f6a8ab49dfa2fe

SHA512
be1e44689bbe24cc7f790ca79711a6d2e6fff2b4b3886c9a64e52026d9afe6dcd29a4ebe331ec31890ca613554ac83a772891a18d2db5f04996e6f7f26dd4c5e

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
415KB

MD5
777794da2c53990f2a9af58cfd8dfb07

SHA1
d42736459453f37bc44aa5917643fbcbc7607276

SHA256
06894bd18f16590fa103698a26eaf5363ac383922f227b89b87a596acd1a8131

SHA512
655a5370262f02419c802914ec5e360e6455783249127117ef7cc600aa08ed1576ef6b6755301cc0f13b4ebc29fa400b68543379fcf86e34fc4d9a0e961cdee8

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
415KB

MD5
83e1c4c49a8760df670f515ab72f994a

SHA1
34592eda18ae52c8cf29545d1f3624d7d939d60b

SHA256
f43c76a566343fce755c4327eb7d559a1cf046524785896aefd389e07ae9016c

SHA512
b485b10293ce5aa5bc424b00659119b5721abfdc8bb3d1d30a0776d5941b42763e2a32fea12fc4d76bdad8e81c7a7e4ca829df43b2b12f74b883bb30f55f48ef

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
415KB

MD5
68017d1f9b0d36c9797cc5c682ec67d0

SHA1
0eafcb1dffb281f209f3ca9d322e835e72262389

SHA256
3c6707b550fb23658be0de7c448dd7adcb6353df01a5d3cd7bfac24306a1aeb9

SHA512
297312f6f2d57a1638d921bab163440e1023c348180cae4ed015fd2fcac0f1796aa8bbcd6e7bf4240edf9000b8512da47668703bbd38916d094a74fe125c1a46

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
415KB

MD5
159faa2ae5e5208d1573cc4771672212

SHA1
6f4b04ba394b3ba4b111b626f779ff9bfa8474f1

SHA256
b4d93985fa840dd5ef81040af266282aead469a7fdd78dfb8ab9c4c1c8765f03

SHA512
db582b7516c0c22672638499d10bfc5e399a1a3a6dcd39e90cfb571eae64db0e7bf48157c3a26bfc295728cfd545a9e486d258539781c9b50f7409a16f3f1faa

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
415KB

MD5
3fe6b535b58aa0af4581f57fbe3b1eaa

SHA1
8730df31288c09625951c1fbc55ce820b66f26ff

SHA256
f33af2fc12ec97862439e576224e978f819282de6ee83c42a4ea58d052e261bd

SHA512
e1745190778ea4a5cfd725bc05bcb131a10656bc1b5c9b72a053bff85826ad3f5cb7e8b79a923544c72b8afe8e8ca9672372f585f93682c8455958857f84af51

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
415KB

MD5
c434a359b9df8538e57c98162c06ded2

SHA1
8d7c53dfad73ebf32d01305a321433438260bed5

SHA256
466e9ff1c0a5da0fd3b84a2cec04d0fb7908959e5ff7f78ad14bed6dca0605a7

SHA512
1fc834c71b5a8564315a2f14ef9bf7961bdae1c7fc794b9bfb1832293752cb493ce56fdb50d7be798e32422ad9ba8d74daf8002c6befb458f37c588cea76a9b5

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
415KB

MD5
9e403962bf1850e3c2d693da80e32d96

SHA1
9a10cc96bd668a7eda414c8345ec5e34d78f4f65

SHA256
43b54e92c8644ff713be3fbde27d32422ffe78cd8f76088c0b071c2b2bc13319

SHA512
a9008e4a3fe7bc13015aaa55f3553b5ffc5027fcffaf205e8f2bc134528d7d3c0295cc732a816b61fcf00ad72423f5b5e7401ab3e86bb566d38e6a5d9d466129

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
415KB

MD5
3dfcf64cf3fbb170520c5701efcd962d

SHA1
92a99d378d42c8366126ac075043ec2d199af2e0

SHA256
19befbe248d7a90e22e838403e46b2c3b3dac6b82c454ae8b472f5032642775f

SHA512
4f45789ff15005bb728b4890da61740c93e230b9ee16b364105938fee2e84ecf0f09cdd07fd3bcc9dbcd38a83a79f7809610889cad5920fac7ae998d43411891

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
415KB

MD5
ce27cfd3b54a5baea5f9f6675136c658

SHA1
7db34875f0d36642988d464ab8405d0883323832

SHA256
88d5eb482fa70fee2e8b775621be571bea227cbb904a4ae6cb90efa846fa8061

SHA512
5865da459414b8cbfb8be142e05ecf35e046cbe7bfe8f03aa5f83ee4362e261846ed0b7f7950eeb8a11776382d7502fc039036541c6d033acca5f8d7fafcfe33

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
415KB

MD5
80b09f979a45eb995d7a66ae220472b2

SHA1
738e8c2ebd70d4577bbdb626e67afe10fcf27b25

SHA256
6430c50a97553ab82c77b14999267e804958e947a40616d27bf82b1e386ff97b

SHA512
9af6a03f2df7c083d90d716c78e6df0fdce5c92167b1021557324ecf5b35480c26a93d6d009e9b38d490f4cbbf180aac9c8d805c5aa02ac796c56bcc9f2bcd9c

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
415KB

MD5
ac3714b8d76f27c6ae4d56dff4765a26

SHA1
d5a63db0536aad853b5c90ee59797b704975eee7

SHA256
300065b26f5e59a0be295ff8d644f72c06dc07197a7725fe2f7da0059000e793

SHA512
5b65b02327bc56423ebae0d0105886fe5275efe9ef7e82d3b0cb6f8ae3d1c4a0716e3da8a39ca6e25e7430fa22352c622c149b5efa313c0b6407b23c7485a20d

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
415KB

MD5
4c562be660e6158ab8a5a7c77b17e338

SHA1
fb48c787283491066bbd298737b253c87dd434c9

SHA256
126990d9e67a18bfeb695c36b367edf139d6bfab064c10a808a69e08c97dbfd7

SHA512
c397396e99d566b9d9b79441a7e8acaaf8944d9ecca5a5b9d659a5a5793681c3bece8c329bc861cdca5edd2023149679337d23f7e3f8e2abddf5c118909df444

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
415KB

MD5
aeb10837f1275e920667413468a6716b

SHA1
3249656f2027adb899375650a48ac76be9fb6fc2

SHA256
0cb6a4eece646e60a129966d3c5eb28173f5c1d2122f459061adf2ce3773453e

SHA512
a3832151ce3765fa83102064817865e95e7c64b443c0903216758c075e3c640f8902fa2c142bd968dd3efe14ee4ca6b74161d76c61c73e4c3694faf56aafddf8

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
415KB

MD5
e3061e14e09ac5d3c1487b91d44195f6

SHA1
debd3377b6096a952591707ca9cc1e90bf8f15ca

SHA256
442d70c3488d80d0fb0b9ff205623b4aa05165399741f0980c3aa14d82c28ec0

SHA512
f9b1cde92979dcae7fa46c35fe665da535971184d67101328c4a555af38dc1ecc60d4b5771396b7b6f27c43478f90d2875c9070152b4909f370ab17ac265cf8a

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
415KB

MD5
e5c2e8d6313c8357ad88d1295cfcc9a1

SHA1
d5e5b727104fe062775f730695ddd2540783052a

SHA256
615f2828a4bdb2d1ff898532227656f39b0e2c53d4f7b9ba3af0a0976cd41c31

SHA512
e72843d13c400a3b43bf6eaf4738133ac972daf00d6b3da9af3b96d37b9c44afe0ff7de662e13ac0bcc9fb4a86d8a673981fddb6e14175c1222d765e5c3606d6

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
415KB

MD5
277e7564a75564bc7c6fc6a994efdce4

SHA1
7a3f082443fb7699252d718b0ebdbba9844fe860

SHA256
72d7296eacf6a93ee8d656f005abaa1490018997dddd918ebabc3faa60c503f1

SHA512
892e09212deb2440e51089588c703cad9ccfe3a014b1790819c8dc2af4d7aa0a7d8265b8cd52de2ad7fea5fc518fd25f1e7700b0c786caf665308cf75bbb1afe

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
415KB

MD5
2103072b6d0ed11f7707202c6610b001

SHA1
784e7458e224294c9b317c5c0a7ed14f6a4662cd

SHA256
2ec4991382b71b0d9efd525cc3de82384734fbd66237fb8f0bab1c36c5b86aee

SHA512
98a7d74e4ca84d48e31385a0b8b3b368c868288b783ed941134103acb5d8eed46c870395183468bb60712800f2d443041419a3fee36db99df83a6afff8b94699

Download Submit
memory/64-527-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/432-515-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/464-556-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/496-549-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/636-648-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/776-540-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/808-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/900-545-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/928-538-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-543-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1176-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1412-506-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1492-491-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1504-534-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-510-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-488-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1536-547-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-560-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1628-554-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-524-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-652-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1856-518-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-650-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1860-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-52-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-494-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1956-496-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2052-531-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-557-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2160-541-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-499-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2196-516-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2252-535-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-511-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-492-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2516-548-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2536-542-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2544-508-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2548-539-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2636-501-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2644-503-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-517-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-532-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2900-51-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-489-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2960-536-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-546-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3208-537-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-519-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-530-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-522-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3364-500-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-509-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-513-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3540-523-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3556-555-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3636-526-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3724-512-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4016-502-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4048-559-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4072-558-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4188-521-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-552-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4248-646-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4280-520-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4320-514-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-563-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4444-525-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4496-36-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4500-505-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-544-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4528-553-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4548-507-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4564-498-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4576-495-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4616-529-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4728-561-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4804-533-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4812-550-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-504-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4872-497-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4936-562-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-493-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5004-486-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5016-528-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5036-551-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads