2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac

Analysis

max time kernel
92s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe
Size

412KB
MD5

f53a0d736f09d2c054aae032fa48db10
SHA1

9c553e5b7db1babc1701c1e6e55ada21f8042660
SHA256

2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac
SHA512

30530efda86a09543cec38de4a0810fb66d16180ac0e02065d9ede23d173c592bbff793906dac6bce41e3fb08a90c2ca5d0924525021703c0722a2c5d047e23a
SSDEEP

6144:2EBeQlGYLuSaoBB5CMHP7RQmfMishe4Zgufq+cREyR/yfjoshaphaiB00:reEGuCMHieikLB

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkdggmlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcpllo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lijdhiaa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcmofolg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcdegnep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldohebqh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe

Executes dropped EXE 64 IoCs

pid	Process
3976	Kibnhjgj.exe
1056	Kpmfddnf.exe
1672	Kckbqpnj.exe
532	Kkbkamnl.exe
4364	Lmqgnhmp.exe
2796	Lalcng32.exe
3596	Ldkojb32.exe
1392	Lcmofolg.exe
2900	Lkdggmlj.exe
5008	Liggbi32.exe
884	Laopdgcg.exe
1684	Lpappc32.exe
4108	Lcpllo32.exe
5080	Lgkhlnbn.exe
3388	Lijdhiaa.exe
3124	Lnepih32.exe
1112	Laalifad.exe
2408	Ldohebqh.exe
2356	Lcbiao32.exe
1072	Lgneampk.exe
3448	Lilanioo.exe
3224	Lnhmng32.exe
4116	Laciofpa.exe
2524	Ldaeka32.exe
4572	Lcdegnep.exe
5036	Lgpagm32.exe
4588	Lklnhlfb.exe
1104	Lnjjdgee.exe
5044	Lphfpbdi.exe
3980	Lcgblncm.exe
5028	Lgbnmm32.exe
228	Lknjmkdo.exe
4456	Mjqjih32.exe
2276	Mahbje32.exe
508	Mpkbebbf.exe
4268	Mdfofakp.exe
860	Mgekbljc.exe
3524	Mkpgck32.exe
5108	Mjcgohig.exe
2348	Majopeii.exe
2312	Mpmokb32.exe
3876	Mdiklqhm.exe
4612	Mgghhlhq.exe
4656	Mkbchk32.exe
2024	Mjeddggd.exe
4328	Mnapdf32.exe
4172	Mamleegg.exe
3528	Mdkhapfj.exe
1940	Mcnhmm32.exe
404	Mgidml32.exe
1836	Mkepnjng.exe
3844	Mncmjfmk.exe
2352	Maohkd32.exe
3920	Mpaifalo.exe
4876	Mdmegp32.exe
1948	Mglack32.exe
3280	Mkgmcjld.exe
2344	Mnfipekh.exe
4704	Maaepd32.exe
2648	Mpdelajl.exe
4996	Mdpalp32.exe
1736	Mgnnhk32.exe
4176	Nkjjij32.exe
2396	Nnhfee32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldohebqh.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lcpllo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lkdggmlj.exe	Lcmofolg.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ogijli32.dll	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Laopdgcg.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Lcdegnep.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Kpmfddnf.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Laopdgcg.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nngcpm32.dll	Lijdhiaa.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Bgcomh32.dll	Laalifad.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Lklnhlfb.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ldkojb32.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kpmfddnf.exe
File created	C:\Windows\SysWOW64\Gjoceo32.dll	Lpappc32.exe

Program crash 1 IoCs

pid	pid_target	Process
4636	3636	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Offdjb32.dll"	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lklnhlfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kpmfddnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laalifad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bheenp32.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoceo32.dll"	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldohebqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jifkeoll.dll"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldkojb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lcdegnep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpmfddnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkdggmlj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 3976	1924	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe	81
PID 1924 wrote to memory of 3976	1924	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe	81
PID 1924 wrote to memory of 3976	1924	2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe	81
PID 3976 wrote to memory of 1056	3976	Kibnhjgj.exe	82
PID 3976 wrote to memory of 1056	3976	Kibnhjgj.exe	82
PID 3976 wrote to memory of 1056	3976	Kibnhjgj.exe	82
PID 1056 wrote to memory of 1672	1056	Kpmfddnf.exe	83
PID 1056 wrote to memory of 1672	1056	Kpmfddnf.exe	83
PID 1056 wrote to memory of 1672	1056	Kpmfddnf.exe	83
PID 1672 wrote to memory of 532	1672	Kckbqpnj.exe	84
PID 1672 wrote to memory of 532	1672	Kckbqpnj.exe	84
PID 1672 wrote to memory of 532	1672	Kckbqpnj.exe	84
PID 532 wrote to memory of 4364	532	Kkbkamnl.exe	85
PID 532 wrote to memory of 4364	532	Kkbkamnl.exe	85
PID 532 wrote to memory of 4364	532	Kkbkamnl.exe	85
PID 4364 wrote to memory of 2796	4364	Lmqgnhmp.exe	86
PID 4364 wrote to memory of 2796	4364	Lmqgnhmp.exe	86
PID 4364 wrote to memory of 2796	4364	Lmqgnhmp.exe	86
PID 2796 wrote to memory of 3596	2796	Lalcng32.exe	87
PID 2796 wrote to memory of 3596	2796	Lalcng32.exe	87
PID 2796 wrote to memory of 3596	2796	Lalcng32.exe	87
PID 3596 wrote to memory of 1392	3596	Ldkojb32.exe	88
PID 3596 wrote to memory of 1392	3596	Ldkojb32.exe	88
PID 3596 wrote to memory of 1392	3596	Ldkojb32.exe	88
PID 1392 wrote to memory of 2900	1392	Lcmofolg.exe	89
PID 1392 wrote to memory of 2900	1392	Lcmofolg.exe	89
PID 1392 wrote to memory of 2900	1392	Lcmofolg.exe	89
PID 2900 wrote to memory of 5008	2900	Lkdggmlj.exe	90
PID 2900 wrote to memory of 5008	2900	Lkdggmlj.exe	90
PID 2900 wrote to memory of 5008	2900	Lkdggmlj.exe	90
PID 5008 wrote to memory of 884	5008	Liggbi32.exe	91
PID 5008 wrote to memory of 884	5008	Liggbi32.exe	91
PID 5008 wrote to memory of 884	5008	Liggbi32.exe	91
PID 884 wrote to memory of 1684	884	Laopdgcg.exe	92
PID 884 wrote to memory of 1684	884	Laopdgcg.exe	92
PID 884 wrote to memory of 1684	884	Laopdgcg.exe	92
PID 1684 wrote to memory of 4108	1684	Lpappc32.exe	93
PID 1684 wrote to memory of 4108	1684	Lpappc32.exe	93
PID 1684 wrote to memory of 4108	1684	Lpappc32.exe	93
PID 4108 wrote to memory of 5080	4108	Lcpllo32.exe	94
PID 4108 wrote to memory of 5080	4108	Lcpllo32.exe	94
PID 4108 wrote to memory of 5080	4108	Lcpllo32.exe	94
PID 5080 wrote to memory of 3388	5080	Lgkhlnbn.exe	95
PID 5080 wrote to memory of 3388	5080	Lgkhlnbn.exe	95
PID 5080 wrote to memory of 3388	5080	Lgkhlnbn.exe	95
PID 3388 wrote to memory of 3124	3388	Lijdhiaa.exe	96
PID 3388 wrote to memory of 3124	3388	Lijdhiaa.exe	96
PID 3388 wrote to memory of 3124	3388	Lijdhiaa.exe	96
PID 3124 wrote to memory of 1112	3124	Lnepih32.exe	97
PID 3124 wrote to memory of 1112	3124	Lnepih32.exe	97
PID 3124 wrote to memory of 1112	3124	Lnepih32.exe	97
PID 1112 wrote to memory of 2408	1112	Laalifad.exe	98
PID 1112 wrote to memory of 2408	1112	Laalifad.exe	98
PID 1112 wrote to memory of 2408	1112	Laalifad.exe	98
PID 2408 wrote to memory of 2356	2408	Ldohebqh.exe	99
PID 2408 wrote to memory of 2356	2408	Ldohebqh.exe	99
PID 2408 wrote to memory of 2356	2408	Ldohebqh.exe	99
PID 2356 wrote to memory of 1072	2356	Lcbiao32.exe	100
PID 2356 wrote to memory of 1072	2356	Lcbiao32.exe	100
PID 2356 wrote to memory of 1072	2356	Lcbiao32.exe	100
PID 1072 wrote to memory of 3448	1072	Lgneampk.exe	101
PID 1072 wrote to memory of 3448	1072	Lgneampk.exe	101
PID 1072 wrote to memory of 3448	1072	Lgneampk.exe	101
PID 3448 wrote to memory of 3224	3448	Lilanioo.exe	102

C:\Users\Admin\AppData\Local\Temp\2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe
"C:\Users\Admin\AppData\Local\Temp\2399f9f1cdaf5361cc377ea4013f4bb38b3800957abf0d2b414bfdc08cbdb0ac.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Windows\SysWOW64\Kibnhjgj.exe
  C:\Windows\system32\Kibnhjgj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\Kpmfddnf.exe
    C:\Windows\system32\Kpmfddnf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1056
  - - C:\Windows\SysWOW64\Kckbqpnj.exe
      C:\Windows\system32\Kckbqpnj.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1672
    - - C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:532
      - C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\SysWOW64\Lalcng32.exe
        
        C:\Windows\system32\Lalcng32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Ldkojb32.exe
        
        C:\Windows\system32\Ldkojb32.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Lcmofolg.exe
        
        C:\Windows\system32\Lcmofolg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Lkdggmlj.exe
        
        C:\Windows\system32\Lkdggmlj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Laopdgcg.exe
        
        C:\Windows\system32\Laopdgcg.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Lcpllo32.exe
        
        C:\Windows\system32\Lcpllo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Lijdhiaa.exe
        
        C:\Windows\system32\Lijdhiaa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Laalifad.exe
        
        C:\Windows\system32\Laalifad.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Ldohebqh.exe
        
        C:\Windows\system32\Ldohebqh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        21⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\Lcdegnep.exe
        
        C:\Windows\system32\Lcdegnep.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1104
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5044
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3980
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:228
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        35⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:508
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3524
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5108
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2312
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3876
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4328
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        49⤵
        Executes dropped EXE
        
        PID:3528
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:404
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2352
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3920
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3280
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1736
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4176
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:4240
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        70⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        72⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        74⤵
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        77⤵
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        78⤵
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1304
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        82⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        83⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        84⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3636 -s 400
        85⤵
        Program crash
        
        PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3636 -ip 3636
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
412KB

MD5
8879601b0c30e34dba156e0364f39652

SHA1
6675296d3a314ff969f73cb0601bba09aa7bf312

SHA256
c9bc5a7d5196cc6b6d9d955645ba0346c5d2d12a0dd81db7b8d2e35a4a62f2c5

SHA512
3b34ce12433b52aa8be323786edf25aa27ed6a5bd53ccb66f720bf2508460e658fc8a3a327bebae6859ee24a45443e787117d4e8c4ab1b35ca7cc2300fbeb5a1

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
412KB

MD5
7c68eb7e6583b2583f667db5cf3772db

SHA1
3f6b31f03fd194944e1ca68d5ad18137db618f3a

SHA256
4731976dc9991473ef7f94ccea9a8f9bb633a19b738dd5d9642e690815d6da35

SHA512
fc89507ef43819db63a62368c27dc5708e31de24aa3167feedfd0fccfe57cdd5bc69e04081701d73e5fbe080df4bd308c559d45da55311ebb08483e0c4a8ba63

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
412KB

MD5
3cf1fca3499ecbaa4ee0599c70e541dc

SHA1
c5110da034bb9ccb2dc8014de75df5c2475023e9

SHA256
0019960c5d83c49b9434090801fe03f29ad984ed9cb0c046ffd0614be0dd44f6

SHA512
fa095cfe726c6b7b88409215312829eaec19d21fee6803bcf1fdaff69654ec4f08fa82f72183f4f27fddf5f6e8a7a72feefa02198ef2e362f5a346f19c7e53bf

Download Submit
C:\Windows\SysWOW64\Kpmfddnf.exe

Filesize
412KB

MD5
83536fcbd2715db71adbec04424b3e60

SHA1
474a7edee6a254d9b8f7c9e762397205ea7a08b2

SHA256
e7364a7d5fb53aa59d3d462691e71a8746a9d538408442a7f0c6a30a6ea95502

SHA512
7457a4576a28fe4d54403e253957b3c0b958f983f6be01e8d945ef5b60ff827da08862f34d56f80155cba9351f02c03ac9e4432c47e4cd835e0cc301600be6c2

Download Submit
C:\Windows\SysWOW64\Laalifad.exe

Filesize
412KB

MD5
7a9aa7aaf0afdc2e9655987530a61618

SHA1
77af9dc17d971d591c8e41dd9ed706ad236263f5

SHA256
d86dae75005fb2ad669033227d74736bb765cb93ad0fafbe0f9883e0f72159bb

SHA512
8a6e943cd31a11bda4b23cd0ead66ba4207928f09b1156c525fdd79a332a1b659f47f91374b9721e3f9b03f008c75a9c50ae2bcbc3934c7ed97651a10a361c04

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
412KB

MD5
ce0b356822501f94269a6a925c3e04c6

SHA1
2b973669fb95822a8c157d45b860832e4c1ce2c1

SHA256
10dcfdfa33e845b93a2c3a2399f56b2b8c5b7e6cf88a187e7d844edcceec9c41

SHA512
9dd602a62e5eb7f615d5b48e131f3c8817f34d2e53f4dc8872ab9eab13aa129412d323ff2508b6b28252194b5697e0435ce5e9493402c21398d8b325e862fb99

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
412KB

MD5
af45501f61ef57773e3fc44607c4f380

SHA1
c10be88993454a2147602e47fa08d3f6a49e05df

SHA256
f3881296bdc2344adabffb40907e09e43b49fe1e7e773558e164173bf363b7b4

SHA512
85b7ef92a0b16c65fa3d6330757590fc213d059d393a12c3ade2d0569568c5f77c0c5326a762821b35eb19061f1dd857765100a6b986cb7808dc4d2a57f74f77

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
412KB

MD5
79281a413dc48fc1a2513247c70f92af

SHA1
657c09477ab1bc84a77e2e40a8eb7a9493027de7

SHA256
a07581c205e475d9fad6d0d4709f3856174383db9bee1bb96cd5af83dbb79545

SHA512
717380341089f5f37148ef2a35becd35153041b4eb4cdc1ecfbb39287646436645e71b4ec512fd4f710cc918010c7158f28bb6e2a68dcbbd65cdd8044668b441

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
412KB

MD5
7402e40685df4dcce33c8cab4d9a6689

SHA1
9939dea859a96f0212aeb5c1f70d570fc87df011

SHA256
0127dee26f84d2488759d7002f320d0b3478fe32ff3552d8788ff6abe195aed0

SHA512
b718835333efbfacc0f5e9b2048cd6f1075d7c7e31248efe91f4eea6e05f5d3260f10291ae2e5a7932ab962387466c6e295a12f8844f53885608f8763fdd580a

Download Submit
C:\Windows\SysWOW64\Lcdegnep.exe

Filesize
412KB

MD5
b3b441af65e5ff1a377fdeba065cae89

SHA1
468cca964e3db6d1ec75c08105b77d4a6175b2a4

SHA256
dd9c006f1f994383c10544bc1c8cf46998489bbac1d2a54452165ec5d3408813

SHA512
c1d441616b91875895551b9ba503023f025fcb204a0c8218f0acf4e0b0b02c144e42fecde87380b1fedf522de02b66396612c66f0e3a87c9bdf133faeb741a46

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
412KB

MD5
e42c53a57aec335b14238cc3822c4f8a

SHA1
74bfab64af98668ae6eb8f31d964f1a280e629fa

SHA256
98aafe550b7ba174903901f8a01da00ce50ed484afbb8054adb4dd73b241e91a

SHA512
7895829b054342edf39751a4193c23a26973b093ea4e8e0dda149fd7046dabfd41ebf045041ad1b47b902c70836b8b62f22f15924f8902b65a1c7dd82ed12f3a

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
412KB

MD5
d9b73cfd517dd6def2929e4e3d1a02c1

SHA1
978e4a5a064ce530b831945860af5daf4c6d6885

SHA256
7c3fbbdb0368c3c3f059685c9c9c849b55ecd36b7cc009f1236fff9422af7f29

SHA512
ff3024c7294bf4e74b47783e1158da57ea2458644869214a9300c22a4f70ea879da1e3d662a506ae52afc5683aa9a520a7b9abae2c8ccffe603e3d29460c5898

Download Submit
C:\Windows\SysWOW64\Lcpllo32.exe

Filesize
412KB

MD5
eef75bdc86c505a87c8f66b3328729ae

SHA1
58b06b31d723750e5c13804b2ceff92072eb0cd1

SHA256
4ad68961f6ebe2b3793a273e6fe165cf9dbe2f76940b895c6fadd2570ed39244

SHA512
160fcf0fe88554fa59fc0872fd3a14f032772d811a16fa444ef311cd6865ad01b930cf1361802bd28723f1d8de470c03bc859741ac4d378a449e28a0be8f2c2f

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
412KB

MD5
3438e7c822e66a51407d70b4bac5bc88

SHA1
a7a0d7c8f6f74adaf5783ceda9e2d1986d87b4e8

SHA256
d245ca80f749e13808ed964cf4c66af556fc324c10f5066e420ebc3e52aab5fd

SHA512
ce3082e95a899b4d16b601ad8b63a31e4f94064e7b604d2830504ba5a3d10acf0ea648635782337bfc1189652524f8d7460ef6df3484dd7a0aefbb545e5c89b8

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
412KB

MD5
5a0c17bc86d943569870ef595047a930

SHA1
efcfa890880826b384826c8991adddd3f382c677

SHA256
2327bbac71718acff4cfe0c926d90c1a2947ef8dc05e8fb667645fdb2ff2cfca

SHA512
3e5ac2e1121c5d51b25cad496f6f142e1decdf5228ce3112583ff341dc5f95a88b8d1abbdb8be67930087cf6e8b7d8f4e9fec363fc2cbe5196fdc78120bdac87

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
412KB

MD5
1c70dbc8d26cfbbe0128ae6e52d1b4ea

SHA1
4fb2ee2c9be9d572ecf4fb00761aeb568f2df889

SHA256
1469aef3675c90a6e83e7f7f54a18f00cf6c4877b423c74090c22135861511d3

SHA512
1e8316bbc2e84d7dca491087bb4aa568be3e491894652304170fe3cb842ce793dd41b9ef2db3ba68e5b9d5f0ac5e14683fc582c311e8077c000b595d6d50f552

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
412KB

MD5
3b84323291ecbbff559573fd656e0003

SHA1
5ebfbe252f230690191de654d3cc2970c244fb15

SHA256
c8b7cdbe626bf298df356b0510f328959c443407a1a96916f1c5d92d26031fab

SHA512
1102201827dfea90606362b88788d617654d80e1708ca50cabd40238f2f4582d6747554edb0aa82c068e256e7cabfe1ceb476eb93853c7fa25ebcad80c8426a3

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
412KB

MD5
aa1e50fb4906b5b8bfc6fb597906de1a

SHA1
d3d2a3cb72ae72ab76489fa250b2486ef4839eb2

SHA256
e069c8058f9bca2b7ac483d73405e21fb94eebcd34723103d23b318117259e60

SHA512
4d6793f95d232be0a487b3f83e6287764963af03372f9d62bf52fdb2b9b9b51947753bd204d180689c1609c9731478fe9184b7b5abe42c391988eba7d78a7883

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
412KB

MD5
303a33e14d0c713882ebee001a8e4e5b

SHA1
6bfef75f49dcf4d4c9a3a8e67a144d6048f7b7fc

SHA256
58990461e77eb19bf4adb17032e337731cd25aec1c86f4074667b012681842c7

SHA512
d05347261329fb3886a505f6a71dcd9dbcc476913e2de3c65934e01ee04255b8687c81c0d0806877658e40d4d09f9cb7dde8589ed18761f8f42e253b52b901d2

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
412KB

MD5
d108ea7e523b28c2bedd779dcf1f2a4b

SHA1
ca53735f505d089a40d1364586be6fe621c6885b

SHA256
3e6272ed65eb690e4d164dc66b09582648548468172b01ac9376546acfd9d0c6

SHA512
b277ea36a6732e814c5a05ca3906084cc0466757b165ea99e215ba439f532ca24804224920d1883a5631ca56cacfc01f9aec515bcac00115b15957940f852d6d

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
412KB

MD5
e3befac7be17426e44e020c46417e871

SHA1
d81f5e01864086be86a5df3b61c4e21a122ad982

SHA256
ee39ebaa44fd9f7c516b53df8d7b72d4402299a63119881665b2ee2ba583c019

SHA512
d66ef3918ed7a5ec86972ef2efed5b8a23b433fe347a698a1b3acbe2d2ec0dbe3804876b465374ea2a948c7ea72049e8ccf7e12a7ab3ab0dd56933d9bf0279e8

Download Submit
C:\Windows\SysWOW64\Lijdhiaa.exe

Filesize
412KB

MD5
73c956bb94fbad829a099174b9a58dd4

SHA1
6283a9bd36076e322df6a308fa1f8a29451831f3

SHA256
6cf9c9859299d4a3f203a7b4c7afca7cee2381d0eafb1eb08dc5e84bb53a09ec

SHA512
b1763c7627f0f68b25ddfac055313f751aeec28f81383d26e0bc1cab1a4629c00e3652214431f1f59872134ec7deabbf470b699be19385307573351aac833dfc

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
412KB

MD5
387180f47ba30e32672eb3b41d28622a

SHA1
ddf45a857abf12bf3989879f50691721a940d351

SHA256
9bc864e0ffaf1d4a0e15db414eeaa3095cc4ea971bf02bfe50a7152750756074

SHA512
df6a4a972b93ca34156f810f8b21d7de7f5889bfe612536d1973d7deb647fdfd631cea9babf1531aaf6af7a0e8960374ae5605667e73854a3bf735e334e2e219

Download Submit
C:\Windows\SysWOW64\Lkdggmlj.exe

Filesize
412KB

MD5
1777fd1b21cea4f7394b2e51ffaf64b6

SHA1
9ac7694f702f11aa64a1cc4dd5de870babbafbee

SHA256
fbf57055788515fcb66c519a5e9589df107a78503dc70815d4ac52c10bba1006

SHA512
a77974f499ae6f1cd103ecce0ab5b780a7827fda00fb347861dce3c40c3e493e986f6ceaf957f7ad4d73ab229abc2fe97c436cc12a3a5baf8f0eaa571fc53bcf

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
412KB

MD5
0c27e0040b55d52dde442eb68b326871

SHA1
1c5087a75c8ff7a43d348ef246e1b585e20c4939

SHA256
b6151de04e780f485e779a9f6de875266df6cba6ff5572b9fbfc7d2ff636e540

SHA512
47d09ebb351f06abaeb753366f2bb816f5ef1924a50e6dafdc2d36942d71c665ca419d47b7a26410f7504f41d59de7474bd5416fde1b2b87026f5eb49a6b36fe

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
412KB

MD5
4abdf3397e5e1bf96a84229eda4b02bf

SHA1
3e4d93e9d241950682d4fc3213122d256bc66970

SHA256
85105c82e929347c34db4ea29b6567480a022de6bdd3256bd8eab761d8dc05fd

SHA512
4a6ef41cf1afa0985d8e451a7edc26d000953da213b95ec238924fe418af0772bb518da8dfd92d4b086cf411790b5b5665ecf858b44353ebee517c436749c7b8

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
412KB

MD5
534d358ec48e5fe0326bcc760ab745f9

SHA1
fb31c10bacd36d2e6ade36739027ff592cbe0af2

SHA256
eb9d2e5c094e1d6a59560bd3ef0621df2206cc307495b1bdf8d93aa0a71b8af6

SHA512
fb16bd8f9aa5a9b3208f2fc24bbaaab9fc7b296b682029a6ed178341a18bc0e290a628a01c699d9063d35b4631b87c48e94d777d24811811bd6f3c003da14075

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
412KB

MD5
c08f8ce2c02e368a2b347a8ebe17770c

SHA1
d591d5086856976a7c8ed8d6cae9aed31e78c03b

SHA256
fcb6adec81bff37b166bf9929abeb14f26405a88925e0a5f5412f31338d369b8

SHA512
9e91d82b6d84fdd5d8c88699dffa93cd9869714df9475f0feef3c062be42ef9a067241f83c84a950163e448ee8d857e9af02ccc6f9fd8727c8e4af50b75dd7f4

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
412KB

MD5
57325a01dcb338341afb921e8dfcfba2

SHA1
70f241ebd55e8d0b307275b3d51286474df95b68

SHA256
be273621f8a9a6335f677c8262c49da421a5648f1030ad5958adf936f8eaad30

SHA512
4c4a3ad0b25b00bdad38f06f5625be883dcce7952754ba5ccbdf3bd5a1f217965f7ccab2dd3a3c2b5eb3deeb4a9fc7c292ef0c452c36564ada66d1cbebec9905

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
412KB

MD5
30437f89be14346af273d238d92c1089

SHA1
4d03e7146538224d97f04c89fac909558eff84c7

SHA256
b7e9d295eb80165ed12960aafadf6831aec35d59ece03872e1621cd45126c272

SHA512
4f0f939cc05c0d4540409e09add568337cb21a1e28c9888632c1079a3eccdd946757fb24a98223fedc3b559d6ed8f1aacf5866cc3a8ed9b29ca6e8bc1d4a7c1b

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
412KB

MD5
429edecd02b4f092afe2762a1149d1f6

SHA1
cb237b339108d4be99b07be3eb9d46fc99b7189e

SHA256
b77e78a25b0df746c7b0e6aa79e1a1d3cad6c942d639bf274445d54bbac973df

SHA512
63b37df3396c71e718538d63e5a4197759ef17ac5155afd878767d23da8ea7451936aa36278676894de1e6ce570de5177342c60f16f8ebf7fce576a4b3438798

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
412KB

MD5
c8f8f1d7bd77d6558db341d731681a95

SHA1
d381ce86bbc51e798501610dc8fdd5f4a656a254

SHA256
e7a7d9176dc7abc4e80e6cc2eb603a903635d3e6794f8944c063b114e5d4a708

SHA512
7effa6ea8165cd2f268d0c5718a86efc1f911e3ab87e7e4601c671afcad4320b050a7d46097af532a6d3ba41e927ba69fa8aa0df8879931941c965a0ff8cfe2c

Download Submit
memory/228-613-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/232-516-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/404-577-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/508-503-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/508-607-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/532-484-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/636-530-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/656-518-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/860-603-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/860-505-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/884-491-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1056-29-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1072-637-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1072-500-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1104-621-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1112-497-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1140-524-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1212-532-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1304-520-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1392-488-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1672-28-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1684-492-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1736-554-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1836-575-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1924-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1924-0-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1940-579-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2024-587-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2276-609-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2308-514-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2312-509-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2312-595-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2344-562-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2348-597-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2348-508-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2352-571-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2356-639-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2356-499-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2384-534-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2396-550-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2408-498-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2444-522-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2460-528-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2524-629-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2648-558-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2796-486-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2900-489-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3120-544-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3124-496-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3148-526-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3224-633-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3280-564-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3312-542-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3340-536-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3388-495-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3448-501-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3448-635-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3452-538-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3524-506-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3524-601-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3528-581-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3596-487-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3636-512-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3740-548-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3844-573-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3876-510-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3876-593-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3920-569-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3968-540-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3976-27-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3980-617-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4108-493-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4116-631-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4172-583-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4176-552-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4240-546-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4268-504-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4268-605-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4328-585-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4364-485-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4456-502-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4456-611-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4572-627-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4588-623-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4612-591-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4656-589-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4704-560-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4876-567-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/4996-556-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5008-490-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5028-615-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5036-625-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5044-619-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5080-494-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5108-599-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/5108-507-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads