6a8b9dded85b93ec98136a838267103588d48ffec4d6ee80fa10807ff1c3f28b

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
03/10/2023, 17:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Size

329KB
MD5

26e4c1d4f5360d2ee5ee50917bae5eae
SHA1

2e4bb9a6cb4ddd4c94851eaa7034b4519a1a523c
SHA256

6a8b9dded85b93ec98136a838267103588d48ffec4d6ee80fa10807ff1c3f28b
SHA512

88b60d609cde860c27279b5fe0ffc3fbf6f3ca14bf0f48b5e0ece14aa25e8a7d7b972d928d59480076dc880bba6ee20d776ccf0dae500cf22651caafacb9bc2d
SSDEEP

6144:oimIQRM7LXqCgcOAp9Dn4qCgcK/tdoYxUqCgcCTFa:oAmM7TqC+qCCiqCaT0

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe

Executes dropped EXE 11 IoCs

pid	Process
2916	Kfbcbd32.exe
1904	Kbkameaf.exe
2820	Lcagpl32.exe
2684	Lpjdjmfp.exe
2396	Mmneda32.exe
2492	Migbnb32.exe
2328	Mholen32.exe
268	Nplmop32.exe
1636	Ngibaj32.exe
1476	Ngkogj32.exe
1156	Nlhgoqhh.exe

Loads dropped DLL 22 IoCs

pid	Process
2104	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
2104	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
2916	Kfbcbd32.exe
2916	Kfbcbd32.exe
1904	Kbkameaf.exe
1904	Kbkameaf.exe
2820	Lcagpl32.exe
2820	Lcagpl32.exe
2684	Lpjdjmfp.exe
2684	Lpjdjmfp.exe
2396	Mmneda32.exe
2396	Mmneda32.exe
2492	Migbnb32.exe
2492	Migbnb32.exe
2328	Mholen32.exe
2328	Mholen32.exe
268	Nplmop32.exe
268	Nplmop32.exe
1636	Ngibaj32.exe
1636	Ngibaj32.exe
1476	Ngkogj32.exe
1476	Ngkogj32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gkcfcoqm.dll	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Mmneda32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Kfbcbd32.exe	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
File opened for modification	C:\Windows\SysWOW64\Migbnb32.exe	Mmneda32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Kfbcbd32.exe	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kfbcbd32.exe
File created	C:\Windows\SysWOW64\Lcagpl32.exe	Kbkameaf.exe
File opened for modification	C:\Windows\SysWOW64\Mmneda32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Ogbknfbl.dll	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Mmneda32.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Mholen32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Nplmop32.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Lpjdjmfp.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Mmneda32.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Jhcfhi32.dll	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Nldodg32.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Kfbcbd32.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kfbcbd32.exe
File opened for modification	C:\Windows\SysWOW64\Lcagpl32.exe	Kbkameaf.exe
File opened for modification	C:\Windows\SysWOW64\Lpjdjmfp.exe	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcfhi32.dll"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfbcbd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kfbcbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbknfbl.dll"	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpjdjmfp.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2916	2104	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe	28
PID 2104 wrote to memory of 2916	2104	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe	28
PID 2104 wrote to memory of 2916	2104	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe	28
PID 2104 wrote to memory of 2916	2104	26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe	28
PID 2916 wrote to memory of 1904	2916	Kfbcbd32.exe	29
PID 2916 wrote to memory of 1904	2916	Kfbcbd32.exe	29
PID 2916 wrote to memory of 1904	2916	Kfbcbd32.exe	29
PID 2916 wrote to memory of 1904	2916	Kfbcbd32.exe	29
PID 1904 wrote to memory of 2820	1904	Kbkameaf.exe	30
PID 1904 wrote to memory of 2820	1904	Kbkameaf.exe	30
PID 1904 wrote to memory of 2820	1904	Kbkameaf.exe	30
PID 1904 wrote to memory of 2820	1904	Kbkameaf.exe	30
PID 2820 wrote to memory of 2684	2820	Lcagpl32.exe	31
PID 2820 wrote to memory of 2684	2820	Lcagpl32.exe	31
PID 2820 wrote to memory of 2684	2820	Lcagpl32.exe	31
PID 2820 wrote to memory of 2684	2820	Lcagpl32.exe	31
PID 2684 wrote to memory of 2396	2684	Lpjdjmfp.exe	32
PID 2684 wrote to memory of 2396	2684	Lpjdjmfp.exe	32
PID 2684 wrote to memory of 2396	2684	Lpjdjmfp.exe	32
PID 2684 wrote to memory of 2396	2684	Lpjdjmfp.exe	32
PID 2396 wrote to memory of 2492	2396	Mmneda32.exe	33
PID 2396 wrote to memory of 2492	2396	Mmneda32.exe	33
PID 2396 wrote to memory of 2492	2396	Mmneda32.exe	33
PID 2396 wrote to memory of 2492	2396	Mmneda32.exe	33
PID 2492 wrote to memory of 2328	2492	Migbnb32.exe	34
PID 2492 wrote to memory of 2328	2492	Migbnb32.exe	34
PID 2492 wrote to memory of 2328	2492	Migbnb32.exe	34
PID 2492 wrote to memory of 2328	2492	Migbnb32.exe	34
PID 2328 wrote to memory of 268	2328	Mholen32.exe	35
PID 2328 wrote to memory of 268	2328	Mholen32.exe	35
PID 2328 wrote to memory of 268	2328	Mholen32.exe	35
PID 2328 wrote to memory of 268	2328	Mholen32.exe	35
PID 268 wrote to memory of 1636	268	Nplmop32.exe	36
PID 268 wrote to memory of 1636	268	Nplmop32.exe	36
PID 268 wrote to memory of 1636	268	Nplmop32.exe	36
PID 268 wrote to memory of 1636	268	Nplmop32.exe	36
PID 1636 wrote to memory of 1476	1636	Ngibaj32.exe	37
PID 1636 wrote to memory of 1476	1636	Ngibaj32.exe	37
PID 1636 wrote to memory of 1476	1636	Ngibaj32.exe	37
PID 1636 wrote to memory of 1476	1636	Ngibaj32.exe	37
PID 1476 wrote to memory of 1156	1476	Ngkogj32.exe	38
PID 1476 wrote to memory of 1156	1476	Ngkogj32.exe	38
PID 1476 wrote to memory of 1156	1476	Ngkogj32.exe	38
PID 1476 wrote to memory of 1156	1476	Ngkogj32.exe	38

C:\Users\Admin\AppData\Local\Temp\26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe
"C:\Users\Admin\AppData\Local\Temp\26e4c1d4f5360d2ee5ee50917bae5eae_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\SysWOW64\Kfbcbd32.exe
  C:\Windows\system32\Kfbcbd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\Kbkameaf.exe
    C:\Windows\system32\Kbkameaf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\Lcagpl32.exe
      C:\Windows\system32\Lcagpl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Windows\SysWOW64\Mmneda32.exe
        
        C:\Windows\system32\Mmneda32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:268
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        12⤵
        Executes dropped EXE
        
        PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
329KB

MD5
e8fbfc3874d1beeed374e40ff08d06d8

SHA1
c56ef0d6c1a7dd90727b481c87c3783fd38559d3

SHA256
df50931b9b8cd78df740487d7009c62c3facff00e6fa43db6582b4be7bcbc62d

SHA512
c8d1571179c50f1e111966856d387426e739019b01e70be85146fce81bd32b2e5fd07cb1d00bb75c9c38a0c3d3f77bf99e95028d5e4e99f93ad3927e142fc8dd

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
329KB

MD5
e8fbfc3874d1beeed374e40ff08d06d8

SHA1
c56ef0d6c1a7dd90727b481c87c3783fd38559d3

SHA256
df50931b9b8cd78df740487d7009c62c3facff00e6fa43db6582b4be7bcbc62d

SHA512
c8d1571179c50f1e111966856d387426e739019b01e70be85146fce81bd32b2e5fd07cb1d00bb75c9c38a0c3d3f77bf99e95028d5e4e99f93ad3927e142fc8dd

Download Submit
C:\Windows\SysWOW64\Kbkameaf.exe

Filesize
329KB

MD5
e8fbfc3874d1beeed374e40ff08d06d8

SHA1
c56ef0d6c1a7dd90727b481c87c3783fd38559d3

SHA256
df50931b9b8cd78df740487d7009c62c3facff00e6fa43db6582b4be7bcbc62d

SHA512
c8d1571179c50f1e111966856d387426e739019b01e70be85146fce81bd32b2e5fd07cb1d00bb75c9c38a0c3d3f77bf99e95028d5e4e99f93ad3927e142fc8dd

Download Submit
C:\Windows\SysWOW64\Kfbcbd32.exe

Filesize
329KB

MD5
eb9d9746af2a3c93c5d0f0078ea4d1ee

SHA1
642d637a9696d72b6727706395729ba2b63515d8

SHA256
5af01a3ddac65aaef833216b138445e99560f74ebf650a4a1baf6634e4fc67bd

SHA512
2771f47550d143b75bbf410ad4be45a3f6ca4aafc3786f4c8acb0d25b050d38c92a9c0365f77ba6cbd30c58fd7755ab5a73d1292910bfd62fed093d9af612f72

Download Submit
C:\Windows\SysWOW64\Kfbcbd32.exe

Filesize
329KB

MD5
eb9d9746af2a3c93c5d0f0078ea4d1ee

SHA1
642d637a9696d72b6727706395729ba2b63515d8

SHA256
5af01a3ddac65aaef833216b138445e99560f74ebf650a4a1baf6634e4fc67bd

SHA512
2771f47550d143b75bbf410ad4be45a3f6ca4aafc3786f4c8acb0d25b050d38c92a9c0365f77ba6cbd30c58fd7755ab5a73d1292910bfd62fed093d9af612f72

Download Submit
C:\Windows\SysWOW64\Kfbcbd32.exe

Filesize
329KB

MD5
eb9d9746af2a3c93c5d0f0078ea4d1ee

SHA1
642d637a9696d72b6727706395729ba2b63515d8

SHA256
5af01a3ddac65aaef833216b138445e99560f74ebf650a4a1baf6634e4fc67bd

SHA512
2771f47550d143b75bbf410ad4be45a3f6ca4aafc3786f4c8acb0d25b050d38c92a9c0365f77ba6cbd30c58fd7755ab5a73d1292910bfd62fed093d9af612f72

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe

Filesize
329KB

MD5
dbe0c5ef306a4f5da8ecf46988a4aa18

SHA1
60b807aa980706fbdd01f2c964e6be4e4e34a433

SHA256
f3cb7c851a3118ec14615ebac842f7d032fcd16ad557bcc3f42c29b719866e73

SHA512
eaa2d58ce8efcf04ba1d582797aae3a2b9b1eefc0adc228367ede4127396762e9226319c0df51ebb5a71358983b2b6b7a2534686b28690bea76086ee91c1d8ee

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe

Filesize
329KB

MD5
dbe0c5ef306a4f5da8ecf46988a4aa18

SHA1
60b807aa980706fbdd01f2c964e6be4e4e34a433

SHA256
f3cb7c851a3118ec14615ebac842f7d032fcd16ad557bcc3f42c29b719866e73

SHA512
eaa2d58ce8efcf04ba1d582797aae3a2b9b1eefc0adc228367ede4127396762e9226319c0df51ebb5a71358983b2b6b7a2534686b28690bea76086ee91c1d8ee

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe

Filesize
329KB

MD5
dbe0c5ef306a4f5da8ecf46988a4aa18

SHA1
60b807aa980706fbdd01f2c964e6be4e4e34a433

SHA256
f3cb7c851a3118ec14615ebac842f7d032fcd16ad557bcc3f42c29b719866e73

SHA512
eaa2d58ce8efcf04ba1d582797aae3a2b9b1eefc0adc228367ede4127396762e9226319c0df51ebb5a71358983b2b6b7a2534686b28690bea76086ee91c1d8ee

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
329KB

MD5
e22580f4ab23579b720405ef296f1787

SHA1
e382abd1deaad9e646a5b84256a3c7cf7c920ed5

SHA256
0cca54f1b4df555a25ee146e124d486dd20114c312a0df8552fab37d2017f356

SHA512
31fbaa11cc24a7b0af904847ce029044d7e95e2ec8a7d1214b28eb45ce79269c15a55a3831181e322409c8aabc27ce19dde754eb7eaab15a5935e920c565f906

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
329KB

MD5
e22580f4ab23579b720405ef296f1787

SHA1
e382abd1deaad9e646a5b84256a3c7cf7c920ed5

SHA256
0cca54f1b4df555a25ee146e124d486dd20114c312a0df8552fab37d2017f356

SHA512
31fbaa11cc24a7b0af904847ce029044d7e95e2ec8a7d1214b28eb45ce79269c15a55a3831181e322409c8aabc27ce19dde754eb7eaab15a5935e920c565f906

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
329KB

MD5
e22580f4ab23579b720405ef296f1787

SHA1
e382abd1deaad9e646a5b84256a3c7cf7c920ed5

SHA256
0cca54f1b4df555a25ee146e124d486dd20114c312a0df8552fab37d2017f356

SHA512
31fbaa11cc24a7b0af904847ce029044d7e95e2ec8a7d1214b28eb45ce79269c15a55a3831181e322409c8aabc27ce19dde754eb7eaab15a5935e920c565f906

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
329KB

MD5
3cde0764f8a0dc55d513c1b3f6efe766

SHA1
6aec67115b3a4acb67275bcedf1194c6b4b1ec4b

SHA256
2a071ae0764583cf1fc6e5d11f965804453921b1b6e78c5b324badeda7b24715

SHA512
e85c2abcba35e59516531d494ae69b8920eea88a8bcd84d089e9fafd6acab2e0516f999f44364a539dbdb324f59ca409b460bff6128324a48e4e2874a9cacf24

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
329KB

MD5
3cde0764f8a0dc55d513c1b3f6efe766

SHA1
6aec67115b3a4acb67275bcedf1194c6b4b1ec4b

SHA256
2a071ae0764583cf1fc6e5d11f965804453921b1b6e78c5b324badeda7b24715

SHA512
e85c2abcba35e59516531d494ae69b8920eea88a8bcd84d089e9fafd6acab2e0516f999f44364a539dbdb324f59ca409b460bff6128324a48e4e2874a9cacf24

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
329KB

MD5
3cde0764f8a0dc55d513c1b3f6efe766

SHA1
6aec67115b3a4acb67275bcedf1194c6b4b1ec4b

SHA256
2a071ae0764583cf1fc6e5d11f965804453921b1b6e78c5b324badeda7b24715

SHA512
e85c2abcba35e59516531d494ae69b8920eea88a8bcd84d089e9fafd6acab2e0516f999f44364a539dbdb324f59ca409b460bff6128324a48e4e2874a9cacf24

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
329KB

MD5
311943819015fb88793b7b7da0e457b1

SHA1
6addb13384cd76bd718dc402af2cc24b605d01d1

SHA256
382ff752f91ba8774b2a4135e99db80f90f33b07ed0551486cde01a6747cc0e0

SHA512
a2c97f8e4df78ea8bc5a08e09d701ed860c76553fb9607e463e1be2a8ee185796dfa0f9bffa6923cff0f83a6a881c8df34b66f8d66fd2fc771b6390470d4088a

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
329KB

MD5
311943819015fb88793b7b7da0e457b1

SHA1
6addb13384cd76bd718dc402af2cc24b605d01d1

SHA256
382ff752f91ba8774b2a4135e99db80f90f33b07ed0551486cde01a6747cc0e0

SHA512
a2c97f8e4df78ea8bc5a08e09d701ed860c76553fb9607e463e1be2a8ee185796dfa0f9bffa6923cff0f83a6a881c8df34b66f8d66fd2fc771b6390470d4088a

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
329KB

MD5
311943819015fb88793b7b7da0e457b1

SHA1
6addb13384cd76bd718dc402af2cc24b605d01d1

SHA256
382ff752f91ba8774b2a4135e99db80f90f33b07ed0551486cde01a6747cc0e0

SHA512
a2c97f8e4df78ea8bc5a08e09d701ed860c76553fb9607e463e1be2a8ee185796dfa0f9bffa6923cff0f83a6a881c8df34b66f8d66fd2fc771b6390470d4088a

Download Submit
C:\Windows\SysWOW64\Mmneda32.exe

Filesize
329KB

MD5
b3112cef0da3654db7a57d30b5f4b6f6

SHA1
339a46575f5cf18ade775086d3c645e8cb646cda

SHA256
1b4c40964f7cc79d627a43ad9059fe5a1abfc418416b7b890eaec08ff0d4f9bf

SHA512
2e1aa1fefded8466336799dc78e20d7270477a1c1f075d01824a58725f6963599b7b5fc28931617742434b46f5a00392e00e0202fe5b7dab92bb8859e17f419a

Download Submit
C:\Windows\SysWOW64\Mmneda32.exe

Filesize
329KB

MD5
b3112cef0da3654db7a57d30b5f4b6f6

SHA1
339a46575f5cf18ade775086d3c645e8cb646cda

SHA256
1b4c40964f7cc79d627a43ad9059fe5a1abfc418416b7b890eaec08ff0d4f9bf

SHA512
2e1aa1fefded8466336799dc78e20d7270477a1c1f075d01824a58725f6963599b7b5fc28931617742434b46f5a00392e00e0202fe5b7dab92bb8859e17f419a

Download Submit
C:\Windows\SysWOW64\Mmneda32.exe

Filesize
329KB

MD5
b3112cef0da3654db7a57d30b5f4b6f6

SHA1
339a46575f5cf18ade775086d3c645e8cb646cda

SHA256
1b4c40964f7cc79d627a43ad9059fe5a1abfc418416b7b890eaec08ff0d4f9bf

SHA512
2e1aa1fefded8466336799dc78e20d7270477a1c1f075d01824a58725f6963599b7b5fc28931617742434b46f5a00392e00e0202fe5b7dab92bb8859e17f419a

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
329KB

MD5
9cde2df8c354eb97d1adf49fd9f3f89c

SHA1
adcd3dc266e5337c2dcdefdfb548915bbe02d147

SHA256
200ae599e38be1fd68e086df641fe8eafbcf4d74c6c54bff36d305a7e48c41d0

SHA512
07f9167c3afdb275de7117f440942ce91c7c2a23855e2796f7a6597e4a18f37716233006ce90703a62c99cf1538191c3eea17ded38c726051d925c99ff11d9ac

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
329KB

MD5
9cde2df8c354eb97d1adf49fd9f3f89c

SHA1
adcd3dc266e5337c2dcdefdfb548915bbe02d147

SHA256
200ae599e38be1fd68e086df641fe8eafbcf4d74c6c54bff36d305a7e48c41d0

SHA512
07f9167c3afdb275de7117f440942ce91c7c2a23855e2796f7a6597e4a18f37716233006ce90703a62c99cf1538191c3eea17ded38c726051d925c99ff11d9ac

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
329KB

MD5
9cde2df8c354eb97d1adf49fd9f3f89c

SHA1
adcd3dc266e5337c2dcdefdfb548915bbe02d147

SHA256
200ae599e38be1fd68e086df641fe8eafbcf4d74c6c54bff36d305a7e48c41d0

SHA512
07f9167c3afdb275de7117f440942ce91c7c2a23855e2796f7a6597e4a18f37716233006ce90703a62c99cf1538191c3eea17ded38c726051d925c99ff11d9ac

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
329KB

MD5
7679b704ca71757813210c771f9b9a52

SHA1
321add01e0f88d8b122fb9d73c23e0f28c6f64e2

SHA256
3facb512d6b5af24dc6f7ec9373494fe209bf86ec0ab572d01065d1c44424223

SHA512
17c6fc4b67690e421ad66a26b065b02bfb421baa1f0454b2ffa4c5be09bc5d5f75de8ee7c02ea00ffd0963e6a290ea62fbb09c822653bb0f06f0782079c457e7

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
329KB

MD5
7679b704ca71757813210c771f9b9a52

SHA1
321add01e0f88d8b122fb9d73c23e0f28c6f64e2

SHA256
3facb512d6b5af24dc6f7ec9373494fe209bf86ec0ab572d01065d1c44424223

SHA512
17c6fc4b67690e421ad66a26b065b02bfb421baa1f0454b2ffa4c5be09bc5d5f75de8ee7c02ea00ffd0963e6a290ea62fbb09c822653bb0f06f0782079c457e7

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
329KB

MD5
7679b704ca71757813210c771f9b9a52

SHA1
321add01e0f88d8b122fb9d73c23e0f28c6f64e2

SHA256
3facb512d6b5af24dc6f7ec9373494fe209bf86ec0ab572d01065d1c44424223

SHA512
17c6fc4b67690e421ad66a26b065b02bfb421baa1f0454b2ffa4c5be09bc5d5f75de8ee7c02ea00ffd0963e6a290ea62fbb09c822653bb0f06f0782079c457e7

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
329KB

MD5
042732748c5fe607ed86c932dec834be

SHA1
f11df856cbf677eeab0c8deb62ba6d4e3722883c

SHA256
5a650c7107338c0202a997c91682f1ed072ccfa23ec42f721d0a78eb6a25a280

SHA512
be42c91dc2b190647c9fed6201329f4e79678bc3cbb0f60105a363c258f5152abceb5573cc2fb10d79fce8f619ae97fb1b3b6bc9558f8fe4430d74e723177dec

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
329KB

MD5
042732748c5fe607ed86c932dec834be

SHA1
f11df856cbf677eeab0c8deb62ba6d4e3722883c

SHA256
5a650c7107338c0202a997c91682f1ed072ccfa23ec42f721d0a78eb6a25a280

SHA512
be42c91dc2b190647c9fed6201329f4e79678bc3cbb0f60105a363c258f5152abceb5573cc2fb10d79fce8f619ae97fb1b3b6bc9558f8fe4430d74e723177dec

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
329KB

MD5
7148cfc036fa1852ddb0bf3411b3d5d0

SHA1
1221291c57b68c142b73814caa7b924cb4019957

SHA256
663adc73f9b87bcd721b675b01e0e1087c30d0c85d562607efa01d85f7e3e0c2

SHA512
726151f3f39e0e89d315620458cac1db2b145dffbd0b33069723a954d1bb9c8d3597b1705c23f40a049ff2fe5eba4c0f87f0fb119a3c5cb2791ad9bce7a821c3

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
329KB

MD5
7148cfc036fa1852ddb0bf3411b3d5d0

SHA1
1221291c57b68c142b73814caa7b924cb4019957

SHA256
663adc73f9b87bcd721b675b01e0e1087c30d0c85d562607efa01d85f7e3e0c2

SHA512
726151f3f39e0e89d315620458cac1db2b145dffbd0b33069723a954d1bb9c8d3597b1705c23f40a049ff2fe5eba4c0f87f0fb119a3c5cb2791ad9bce7a821c3

Download Submit
C:\Windows\SysWOW64\Nplmop32.exe

Filesize
329KB

MD5
7148cfc036fa1852ddb0bf3411b3d5d0

SHA1
1221291c57b68c142b73814caa7b924cb4019957

SHA256
663adc73f9b87bcd721b675b01e0e1087c30d0c85d562607efa01d85f7e3e0c2

SHA512
726151f3f39e0e89d315620458cac1db2b145dffbd0b33069723a954d1bb9c8d3597b1705c23f40a049ff2fe5eba4c0f87f0fb119a3c5cb2791ad9bce7a821c3

Download Submit
\Windows\SysWOW64\Kbkameaf.exe

Filesize
329KB

MD5
e8fbfc3874d1beeed374e40ff08d06d8

SHA1
c56ef0d6c1a7dd90727b481c87c3783fd38559d3

SHA256
df50931b9b8cd78df740487d7009c62c3facff00e6fa43db6582b4be7bcbc62d

SHA512
c8d1571179c50f1e111966856d387426e739019b01e70be85146fce81bd32b2e5fd07cb1d00bb75c9c38a0c3d3f77bf99e95028d5e4e99f93ad3927e142fc8dd

Download Submit
\Windows\SysWOW64\Kbkameaf.exe

Filesize
329KB

MD5
e8fbfc3874d1beeed374e40ff08d06d8

SHA1
c56ef0d6c1a7dd90727b481c87c3783fd38559d3

SHA256
df50931b9b8cd78df740487d7009c62c3facff00e6fa43db6582b4be7bcbc62d

SHA512
c8d1571179c50f1e111966856d387426e739019b01e70be85146fce81bd32b2e5fd07cb1d00bb75c9c38a0c3d3f77bf99e95028d5e4e99f93ad3927e142fc8dd

Download Submit
\Windows\SysWOW64\Kfbcbd32.exe

Filesize
329KB

MD5
eb9d9746af2a3c93c5d0f0078ea4d1ee

SHA1
642d637a9696d72b6727706395729ba2b63515d8

SHA256
5af01a3ddac65aaef833216b138445e99560f74ebf650a4a1baf6634e4fc67bd

SHA512
2771f47550d143b75bbf410ad4be45a3f6ca4aafc3786f4c8acb0d25b050d38c92a9c0365f77ba6cbd30c58fd7755ab5a73d1292910bfd62fed093d9af612f72

Download Submit
\Windows\SysWOW64\Kfbcbd32.exe

Filesize
329KB

MD5
eb9d9746af2a3c93c5d0f0078ea4d1ee

SHA1
642d637a9696d72b6727706395729ba2b63515d8

SHA256
5af01a3ddac65aaef833216b138445e99560f74ebf650a4a1baf6634e4fc67bd

SHA512
2771f47550d143b75bbf410ad4be45a3f6ca4aafc3786f4c8acb0d25b050d38c92a9c0365f77ba6cbd30c58fd7755ab5a73d1292910bfd62fed093d9af612f72

Download Submit
\Windows\SysWOW64\Lcagpl32.exe

Filesize
329KB

MD5
dbe0c5ef306a4f5da8ecf46988a4aa18

SHA1
60b807aa980706fbdd01f2c964e6be4e4e34a433

SHA256
f3cb7c851a3118ec14615ebac842f7d032fcd16ad557bcc3f42c29b719866e73

SHA512
eaa2d58ce8efcf04ba1d582797aae3a2b9b1eefc0adc228367ede4127396762e9226319c0df51ebb5a71358983b2b6b7a2534686b28690bea76086ee91c1d8ee

Download Submit
\Windows\SysWOW64\Lcagpl32.exe

Filesize
329KB

MD5
dbe0c5ef306a4f5da8ecf46988a4aa18

SHA1
60b807aa980706fbdd01f2c964e6be4e4e34a433

SHA256
f3cb7c851a3118ec14615ebac842f7d032fcd16ad557bcc3f42c29b719866e73

SHA512
eaa2d58ce8efcf04ba1d582797aae3a2b9b1eefc0adc228367ede4127396762e9226319c0df51ebb5a71358983b2b6b7a2534686b28690bea76086ee91c1d8ee

Download Submit
\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
329KB

MD5
e22580f4ab23579b720405ef296f1787

SHA1
e382abd1deaad9e646a5b84256a3c7cf7c920ed5

SHA256
0cca54f1b4df555a25ee146e124d486dd20114c312a0df8552fab37d2017f356

SHA512
31fbaa11cc24a7b0af904847ce029044d7e95e2ec8a7d1214b28eb45ce79269c15a55a3831181e322409c8aabc27ce19dde754eb7eaab15a5935e920c565f906

Download Submit
\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
329KB

MD5
e22580f4ab23579b720405ef296f1787

SHA1
e382abd1deaad9e646a5b84256a3c7cf7c920ed5

SHA256
0cca54f1b4df555a25ee146e124d486dd20114c312a0df8552fab37d2017f356

SHA512
31fbaa11cc24a7b0af904847ce029044d7e95e2ec8a7d1214b28eb45ce79269c15a55a3831181e322409c8aabc27ce19dde754eb7eaab15a5935e920c565f906

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
329KB

MD5
3cde0764f8a0dc55d513c1b3f6efe766

SHA1
6aec67115b3a4acb67275bcedf1194c6b4b1ec4b

SHA256
2a071ae0764583cf1fc6e5d11f965804453921b1b6e78c5b324badeda7b24715

SHA512
e85c2abcba35e59516531d494ae69b8920eea88a8bcd84d089e9fafd6acab2e0516f999f44364a539dbdb324f59ca409b460bff6128324a48e4e2874a9cacf24

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
329KB

MD5
3cde0764f8a0dc55d513c1b3f6efe766

SHA1
6aec67115b3a4acb67275bcedf1194c6b4b1ec4b

SHA256
2a071ae0764583cf1fc6e5d11f965804453921b1b6e78c5b324badeda7b24715

SHA512
e85c2abcba35e59516531d494ae69b8920eea88a8bcd84d089e9fafd6acab2e0516f999f44364a539dbdb324f59ca409b460bff6128324a48e4e2874a9cacf24

Download Submit
\Windows\SysWOW64\Migbnb32.exe

Filesize
329KB

MD5
311943819015fb88793b7b7da0e457b1

SHA1
6addb13384cd76bd718dc402af2cc24b605d01d1

SHA256
382ff752f91ba8774b2a4135e99db80f90f33b07ed0551486cde01a6747cc0e0

SHA512
a2c97f8e4df78ea8bc5a08e09d701ed860c76553fb9607e463e1be2a8ee185796dfa0f9bffa6923cff0f83a6a881c8df34b66f8d66fd2fc771b6390470d4088a

Download Submit
\Windows\SysWOW64\Migbnb32.exe

Filesize
329KB

MD5
311943819015fb88793b7b7da0e457b1

SHA1
6addb13384cd76bd718dc402af2cc24b605d01d1

SHA256
382ff752f91ba8774b2a4135e99db80f90f33b07ed0551486cde01a6747cc0e0

SHA512
a2c97f8e4df78ea8bc5a08e09d701ed860c76553fb9607e463e1be2a8ee185796dfa0f9bffa6923cff0f83a6a881c8df34b66f8d66fd2fc771b6390470d4088a

Download Submit
\Windows\SysWOW64\Mmneda32.exe

Filesize
329KB

MD5
b3112cef0da3654db7a57d30b5f4b6f6

SHA1
339a46575f5cf18ade775086d3c645e8cb646cda

SHA256
1b4c40964f7cc79d627a43ad9059fe5a1abfc418416b7b890eaec08ff0d4f9bf

SHA512
2e1aa1fefded8466336799dc78e20d7270477a1c1f075d01824a58725f6963599b7b5fc28931617742434b46f5a00392e00e0202fe5b7dab92bb8859e17f419a

Download Submit
\Windows\SysWOW64\Mmneda32.exe

Filesize
329KB

MD5
b3112cef0da3654db7a57d30b5f4b6f6

SHA1
339a46575f5cf18ade775086d3c645e8cb646cda

SHA256
1b4c40964f7cc79d627a43ad9059fe5a1abfc418416b7b890eaec08ff0d4f9bf

SHA512
2e1aa1fefded8466336799dc78e20d7270477a1c1f075d01824a58725f6963599b7b5fc28931617742434b46f5a00392e00e0202fe5b7dab92bb8859e17f419a

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
329KB

MD5
9cde2df8c354eb97d1adf49fd9f3f89c

SHA1
adcd3dc266e5337c2dcdefdfb548915bbe02d147

SHA256
200ae599e38be1fd68e086df641fe8eafbcf4d74c6c54bff36d305a7e48c41d0

SHA512
07f9167c3afdb275de7117f440942ce91c7c2a23855e2796f7a6597e4a18f37716233006ce90703a62c99cf1538191c3eea17ded38c726051d925c99ff11d9ac

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
329KB

MD5
9cde2df8c354eb97d1adf49fd9f3f89c

SHA1
adcd3dc266e5337c2dcdefdfb548915bbe02d147

SHA256
200ae599e38be1fd68e086df641fe8eafbcf4d74c6c54bff36d305a7e48c41d0

SHA512
07f9167c3afdb275de7117f440942ce91c7c2a23855e2796f7a6597e4a18f37716233006ce90703a62c99cf1538191c3eea17ded38c726051d925c99ff11d9ac

Download Submit
\Windows\SysWOW64\Ngkogj32.exe

Filesize
329KB

MD5
7679b704ca71757813210c771f9b9a52

SHA1
321add01e0f88d8b122fb9d73c23e0f28c6f64e2

SHA256
3facb512d6b5af24dc6f7ec9373494fe209bf86ec0ab572d01065d1c44424223

SHA512
17c6fc4b67690e421ad66a26b065b02bfb421baa1f0454b2ffa4c5be09bc5d5f75de8ee7c02ea00ffd0963e6a290ea62fbb09c822653bb0f06f0782079c457e7

Download Submit
\Windows\SysWOW64\Ngkogj32.exe

Filesize
329KB

MD5
7679b704ca71757813210c771f9b9a52

SHA1
321add01e0f88d8b122fb9d73c23e0f28c6f64e2

SHA256
3facb512d6b5af24dc6f7ec9373494fe209bf86ec0ab572d01065d1c44424223

SHA512
17c6fc4b67690e421ad66a26b065b02bfb421baa1f0454b2ffa4c5be09bc5d5f75de8ee7c02ea00ffd0963e6a290ea62fbb09c822653bb0f06f0782079c457e7

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
329KB

MD5
042732748c5fe607ed86c932dec834be

SHA1
f11df856cbf677eeab0c8deb62ba6d4e3722883c

SHA256
5a650c7107338c0202a997c91682f1ed072ccfa23ec42f721d0a78eb6a25a280

SHA512
be42c91dc2b190647c9fed6201329f4e79678bc3cbb0f60105a363c258f5152abceb5573cc2fb10d79fce8f619ae97fb1b3b6bc9558f8fe4430d74e723177dec

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
329KB

MD5
042732748c5fe607ed86c932dec834be

SHA1
f11df856cbf677eeab0c8deb62ba6d4e3722883c

SHA256
5a650c7107338c0202a997c91682f1ed072ccfa23ec42f721d0a78eb6a25a280

SHA512
be42c91dc2b190647c9fed6201329f4e79678bc3cbb0f60105a363c258f5152abceb5573cc2fb10d79fce8f619ae97fb1b3b6bc9558f8fe4430d74e723177dec

Download Submit
\Windows\SysWOW64\Nplmop32.exe

Filesize
329KB

MD5
7148cfc036fa1852ddb0bf3411b3d5d0

SHA1
1221291c57b68c142b73814caa7b924cb4019957

SHA256
663adc73f9b87bcd721b675b01e0e1087c30d0c85d562607efa01d85f7e3e0c2

SHA512
726151f3f39e0e89d315620458cac1db2b145dffbd0b33069723a954d1bb9c8d3597b1705c23f40a049ff2fe5eba4c0f87f0fb119a3c5cb2791ad9bce7a821c3

Download Submit
\Windows\SysWOW64\Nplmop32.exe

Filesize
329KB

MD5
7148cfc036fa1852ddb0bf3411b3d5d0

SHA1
1221291c57b68c142b73814caa7b924cb4019957

SHA256
663adc73f9b87bcd721b675b01e0e1087c30d0c85d562607efa01d85f7e3e0c2

SHA512
726151f3f39e0e89d315620458cac1db2b145dffbd0b33069723a954d1bb9c8d3597b1705c23f40a049ff2fe5eba4c0f87f0fb119a3c5cb2791ad9bce7a821c3

Download Submit
memory/268-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/268-112-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/268-125-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/1156-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1476-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1636-149-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1904-35-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download
memory/1904-41-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download
memory/1904-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1904-26-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2104-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2104-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2104-6-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2328-106-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2328-103-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2396-76-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2396-79-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2492-156-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2492-96-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/2684-75-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2684-74-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2684-67-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2820-159-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2820-49-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2820-54-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2916-20-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2916-27-0x0000000000220000-0x0000000000251000-memory.dmp

Filesize
196KB

Download
memory/2916-162-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads