6da17e5ffc11b1033ca97561d897608a97f9896295597aac2b2428ce9c985af9

Analysis

max time kernel
240s
max time network
273s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 19:43 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Size

95KB
MD5

eb297a0739c035643d46b293dbb11070
SHA1

77b84d4db412ce5bc281ac329d882f66cd767c4d
SHA256

6da17e5ffc11b1033ca97561d897608a97f9896295597aac2b2428ce9c985af9
SHA512

2715faf39aed82a6fec047bbeff4194c7fc7c993f619ab628da3546233c3669dfdf15fb79ab3945061e6b6bf76c96674275cca3bfdbbb51ce5fda906e7e68b89
SSDEEP

1536:6LKDCLniaC3f75QWJb6BkN/eIlrqBrqdFw8TOM6bOLXi8PmCofGV:6uD3vGYHeMqBrqdlTDrLXfzoeV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkhocj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hopgikop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojnhdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ojnhdn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Legmpdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpcjfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkcehkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgjfmlkm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpcjfa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hopgikop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Legmpdga.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkcehkeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcdmikma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gcdmikma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkhocj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dimfmeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dimfmeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfmlkm.exe

Executes dropped EXE 10 IoCs

pid	Process
3012	Dimfmeef.exe
2748	Gcdmikma.exe
2896	Hopgikop.exe
2980	Ojnhdn32.exe
2908	Legmpdga.exe
1064	Lkcehkeh.exe
836	Lgjfmlkm.exe
1324	Mpcjfa32.exe
2924	Mkhocj32.exe
1076	Mllhpb32.exe

Loads dropped DLL 24 IoCs

pid	Process
2832	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
2832	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
3012	Dimfmeef.exe
3012	Dimfmeef.exe
2748	Gcdmikma.exe
2748	Gcdmikma.exe
2896	Hopgikop.exe
2896	Hopgikop.exe
2980	Ojnhdn32.exe
2980	Ojnhdn32.exe
2908	Legmpdga.exe
2908	Legmpdga.exe
1064	Lkcehkeh.exe
1064	Lkcehkeh.exe
836	Lgjfmlkm.exe
836	Lgjfmlkm.exe
1324	Mpcjfa32.exe
1324	Mpcjfa32.exe
2924	Mkhocj32.exe
2924	Mkhocj32.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qogcek32.dll	Legmpdga.exe
File created	C:\Windows\SysWOW64\Ihphlqal.dll	Lkcehkeh.exe
File created	C:\Windows\SysWOW64\Gcdmikma.exe	Dimfmeef.exe
File created	C:\Windows\SysWOW64\Oodcogfd.dll	Ojnhdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ojnhdn32.exe	Hopgikop.exe
File opened for modification	C:\Windows\SysWOW64\Lkcehkeh.exe	Legmpdga.exe
File created	C:\Windows\SysWOW64\Hopgikop.exe	Gcdmikma.exe
File created	C:\Windows\SysWOW64\Gnaaicgh.dll	Gcdmikma.exe
File created	C:\Windows\SysWOW64\Mccfioml.dll	Lgjfmlkm.exe
File created	C:\Windows\SysWOW64\Mjhlcioh.dll	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
File opened for modification	C:\Windows\SysWOW64\Hopgikop.exe	Gcdmikma.exe
File created	C:\Windows\SysWOW64\Lgjfmlkm.exe	Lkcehkeh.exe
File created	C:\Windows\SysWOW64\Fkbqmd32.dll	Mkhocj32.exe
File opened for modification	C:\Windows\SysWOW64\Dimfmeef.exe	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
File created	C:\Windows\SysWOW64\Ajgegnce.dll	Hopgikop.exe
File created	C:\Windows\SysWOW64\Legmpdga.exe	Ojnhdn32.exe
File created	C:\Windows\SysWOW64\Lkcehkeh.exe	Legmpdga.exe
File opened for modification	C:\Windows\SysWOW64\Mpcjfa32.exe	Lgjfmlkm.exe
File opened for modification	C:\Windows\SysWOW64\Mllhpb32.exe	Mkhocj32.exe
File created	C:\Windows\SysWOW64\Dimfmeef.exe	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
File opened for modification	C:\Windows\SysWOW64\Gcdmikma.exe	Dimfmeef.exe
File opened for modification	C:\Windows\SysWOW64\Lgjfmlkm.exe	Lkcehkeh.exe
File created	C:\Windows\SysWOW64\Mpcjfa32.exe	Lgjfmlkm.exe
File created	C:\Windows\SysWOW64\Jelcgfbk.dll	Dimfmeef.exe
File created	C:\Windows\SysWOW64\Ojnhdn32.exe	Hopgikop.exe
File opened for modification	C:\Windows\SysWOW64\Legmpdga.exe	Ojnhdn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkhocj32.exe	Mpcjfa32.exe
File created	C:\Windows\SysWOW64\Mllhpb32.exe	Mkhocj32.exe
File created	C:\Windows\SysWOW64\Mkhocj32.exe	Mpcjfa32.exe
File created	C:\Windows\SysWOW64\Ebkbpapg.dll	Mpcjfa32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1828	1076	WerFault.exe	37

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ojnhdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgjfmlkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkhocj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgjfmlkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpcjfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gcdmikma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnaaicgh.dll"	Gcdmikma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mccfioml.dll"	Lgjfmlkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihphlqal.dll"	Lkcehkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jelcgfbk.dll"	Dimfmeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgegnce.dll"	Hopgikop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Legmpdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dimfmeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qogcek32.dll"	Legmpdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbqmd32.dll"	Mkhocj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhlcioh.dll"	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lkcehkeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lkcehkeh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gcdmikma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodcogfd.dll"	Ojnhdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Legmpdga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkhocj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hopgikop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hopgikop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ojnhdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebkbpapg.dll"	Mpcjfa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpcjfa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dimfmeef.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2832 wrote to memory of 3012	2832	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe	28
PID 2832 wrote to memory of 3012	2832	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe	28
PID 2832 wrote to memory of 3012	2832	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe	28
PID 2832 wrote to memory of 3012	2832	NEAS.eb297a0739c035643d46b293dbb11070_JC.exe	28
PID 3012 wrote to memory of 2748	3012	Dimfmeef.exe	29
PID 3012 wrote to memory of 2748	3012	Dimfmeef.exe	29
PID 3012 wrote to memory of 2748	3012	Dimfmeef.exe	29
PID 3012 wrote to memory of 2748	3012	Dimfmeef.exe	29
PID 2748 wrote to memory of 2896	2748	Gcdmikma.exe	30
PID 2748 wrote to memory of 2896	2748	Gcdmikma.exe	30
PID 2748 wrote to memory of 2896	2748	Gcdmikma.exe	30
PID 2748 wrote to memory of 2896	2748	Gcdmikma.exe	30
PID 2896 wrote to memory of 2980	2896	Hopgikop.exe	31
PID 2896 wrote to memory of 2980	2896	Hopgikop.exe	31
PID 2896 wrote to memory of 2980	2896	Hopgikop.exe	31
PID 2896 wrote to memory of 2980	2896	Hopgikop.exe	31
PID 2980 wrote to memory of 2908	2980	Ojnhdn32.exe	32
PID 2980 wrote to memory of 2908	2980	Ojnhdn32.exe	32
PID 2980 wrote to memory of 2908	2980	Ojnhdn32.exe	32
PID 2980 wrote to memory of 2908	2980	Ojnhdn32.exe	32
PID 2908 wrote to memory of 1064	2908	Legmpdga.exe	33
PID 2908 wrote to memory of 1064	2908	Legmpdga.exe	33
PID 2908 wrote to memory of 1064	2908	Legmpdga.exe	33
PID 2908 wrote to memory of 1064	2908	Legmpdga.exe	33
PID 1064 wrote to memory of 836	1064	Lkcehkeh.exe	34
PID 1064 wrote to memory of 836	1064	Lkcehkeh.exe	34
PID 1064 wrote to memory of 836	1064	Lkcehkeh.exe	34
PID 1064 wrote to memory of 836	1064	Lkcehkeh.exe	34
PID 836 wrote to memory of 1324	836	Lgjfmlkm.exe	35
PID 836 wrote to memory of 1324	836	Lgjfmlkm.exe	35
PID 836 wrote to memory of 1324	836	Lgjfmlkm.exe	35
PID 836 wrote to memory of 1324	836	Lgjfmlkm.exe	35
PID 1324 wrote to memory of 2924	1324	Mpcjfa32.exe	36
PID 1324 wrote to memory of 2924	1324	Mpcjfa32.exe	36
PID 1324 wrote to memory of 2924	1324	Mpcjfa32.exe	36
PID 1324 wrote to memory of 2924	1324	Mpcjfa32.exe	36
PID 2924 wrote to memory of 1076	2924	Mkhocj32.exe	37
PID 2924 wrote to memory of 1076	2924	Mkhocj32.exe	37
PID 2924 wrote to memory of 1076	2924	Mkhocj32.exe	37
PID 2924 wrote to memory of 1076	2924	Mkhocj32.exe	37
PID 1076 wrote to memory of 1828	1076	Mllhpb32.exe	38
PID 1076 wrote to memory of 1828	1076	Mllhpb32.exe	38
PID 1076 wrote to memory of 1828	1076	Mllhpb32.exe	38
PID 1076 wrote to memory of 1828	1076	Mllhpb32.exe	38

C:\Users\Admin\AppData\Local\Temp\NEAS.eb297a0739c035643d46b293dbb11070_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.eb297a0739c035643d46b293dbb11070_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Windows\SysWOW64\Dimfmeef.exe
  C:\Windows\system32\Dimfmeef.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\Gcdmikma.exe
    C:\Windows\system32\Gcdmikma.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\Hopgikop.exe
      C:\Windows\system32\Hopgikop.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\SysWOW64\Ojnhdn32.exe
        
        C:\Windows\system32\Ojnhdn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\SysWOW64\Legmpdga.exe
        
        C:\Windows\system32\Legmpdga.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Lkcehkeh.exe
        
        C:\Windows\system32\Lkcehkeh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Lgjfmlkm.exe
        
        C:\Windows\system32\Lgjfmlkm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\Mpcjfa32.exe
        
        C:\Windows\system32\Mpcjfa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\Mkhocj32.exe
        
        C:\Windows\system32\Mkhocj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Mllhpb32.exe
        
        C:\Windows\system32\Mllhpb32.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1076 -s 140
        12⤵
        Loads dropped DLL
        Program crash
        
        PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dimfmeef.exe

Filesize
95KB

MD5
741ec2f9f36c69a0df3b96de04bcebaf

SHA1
6626446921cae9a8f026df7d51732ad1948c98b0

SHA256
7d161417818c90c937ef18388902c3fcda4c1316692f3370c5dec34d0f9c780e

SHA512
9defaa1fc3b74407a31f8053b2ac2734be2634f8319f420870a40d3de6e4ed626218966b62dd3fd0a7b66691e626addd20ae4748c4668dfa620f9b2da3a2f2d0

Download Submit
C:\Windows\SysWOW64\Dimfmeef.exe

Filesize
95KB

MD5
741ec2f9f36c69a0df3b96de04bcebaf

SHA1
6626446921cae9a8f026df7d51732ad1948c98b0

SHA256
7d161417818c90c937ef18388902c3fcda4c1316692f3370c5dec34d0f9c780e

SHA512
9defaa1fc3b74407a31f8053b2ac2734be2634f8319f420870a40d3de6e4ed626218966b62dd3fd0a7b66691e626addd20ae4748c4668dfa620f9b2da3a2f2d0

Download Submit
C:\Windows\SysWOW64\Dimfmeef.exe

Filesize
95KB

MD5
741ec2f9f36c69a0df3b96de04bcebaf

SHA1
6626446921cae9a8f026df7d51732ad1948c98b0

SHA256
7d161417818c90c937ef18388902c3fcda4c1316692f3370c5dec34d0f9c780e

SHA512
9defaa1fc3b74407a31f8053b2ac2734be2634f8319f420870a40d3de6e4ed626218966b62dd3fd0a7b66691e626addd20ae4748c4668dfa620f9b2da3a2f2d0

Download Submit
C:\Windows\SysWOW64\Gcdmikma.exe

Filesize
95KB

MD5
f7296fef963a1586e61a2ebf1d20987b

SHA1
000cd4129b895bf112a41ff94e5be6140bc13568

SHA256
8c2d593fb4c859d9c299b871e1d0cfdd16793bd516a71a7bbb187e331838b0c3

SHA512
f239603220fb0ba99ddfbc9cddd7220382bb1233c6b84a2acc7a6a9604de5b59486866a77f96f3ec4084d57b4f6f7cbf1b19ada606c8a791fa96cce8fcac3055

Download Submit
C:\Windows\SysWOW64\Gcdmikma.exe

Filesize
95KB

MD5
f7296fef963a1586e61a2ebf1d20987b

SHA1
000cd4129b895bf112a41ff94e5be6140bc13568

SHA256
8c2d593fb4c859d9c299b871e1d0cfdd16793bd516a71a7bbb187e331838b0c3

SHA512
f239603220fb0ba99ddfbc9cddd7220382bb1233c6b84a2acc7a6a9604de5b59486866a77f96f3ec4084d57b4f6f7cbf1b19ada606c8a791fa96cce8fcac3055

Download Submit
C:\Windows\SysWOW64\Gcdmikma.exe

Filesize
95KB

MD5
f7296fef963a1586e61a2ebf1d20987b

SHA1
000cd4129b895bf112a41ff94e5be6140bc13568

SHA256
8c2d593fb4c859d9c299b871e1d0cfdd16793bd516a71a7bbb187e331838b0c3

SHA512
f239603220fb0ba99ddfbc9cddd7220382bb1233c6b84a2acc7a6a9604de5b59486866a77f96f3ec4084d57b4f6f7cbf1b19ada606c8a791fa96cce8fcac3055

Download Submit
C:\Windows\SysWOW64\Hopgikop.exe

Filesize
95KB

MD5
f7e97a48e9e5c29a83b73da99d526ca2

SHA1
aa0f12ef2e0e5d84adcc766b85b6f8f8c27839b3

SHA256
3fd92c180e754c86d5e3b1be302995902dd6ab234c69b1c1ae0a5b2985f59001

SHA512
845291e060a93004806a4ed2fcb6576186405c2026898728b7c2500904c6cfc15794dd4b6a3a67281fa99ed2f0dd6931a507dd7c7c49e2ed5fc02ca3685e1c31

Download Submit
C:\Windows\SysWOW64\Hopgikop.exe

Filesize
95KB

MD5
f7e97a48e9e5c29a83b73da99d526ca2

SHA1
aa0f12ef2e0e5d84adcc766b85b6f8f8c27839b3

SHA256
3fd92c180e754c86d5e3b1be302995902dd6ab234c69b1c1ae0a5b2985f59001

SHA512
845291e060a93004806a4ed2fcb6576186405c2026898728b7c2500904c6cfc15794dd4b6a3a67281fa99ed2f0dd6931a507dd7c7c49e2ed5fc02ca3685e1c31

Download Submit
C:\Windows\SysWOW64\Hopgikop.exe

Filesize
95KB

MD5
f7e97a48e9e5c29a83b73da99d526ca2

SHA1
aa0f12ef2e0e5d84adcc766b85b6f8f8c27839b3

SHA256
3fd92c180e754c86d5e3b1be302995902dd6ab234c69b1c1ae0a5b2985f59001

SHA512
845291e060a93004806a4ed2fcb6576186405c2026898728b7c2500904c6cfc15794dd4b6a3a67281fa99ed2f0dd6931a507dd7c7c49e2ed5fc02ca3685e1c31

Download Submit
C:\Windows\SysWOW64\Legmpdga.exe

Filesize
95KB

MD5
721080680fb71762fb77ea7d93844cff

SHA1
f787f19af4fbf75a7176a8dc4b96bc198f55c6b2

SHA256
fcdd23c06efb07f7beafa87308a2dd31e58ac9876fd30cc1d46c92339ac6b14e

SHA512
669853bd3e2bccf7649f0aa55957ae70b65dde2617cd7b3868f1c93b9ad658f90809b7dc9bf22f58b1cf203045166d7e9c358b503f90f7d94b16235f080005a3

Download Submit
C:\Windows\SysWOW64\Legmpdga.exe

Filesize
95KB

MD5
721080680fb71762fb77ea7d93844cff

SHA1
f787f19af4fbf75a7176a8dc4b96bc198f55c6b2

SHA256
fcdd23c06efb07f7beafa87308a2dd31e58ac9876fd30cc1d46c92339ac6b14e

SHA512
669853bd3e2bccf7649f0aa55957ae70b65dde2617cd7b3868f1c93b9ad658f90809b7dc9bf22f58b1cf203045166d7e9c358b503f90f7d94b16235f080005a3

Download Submit
C:\Windows\SysWOW64\Legmpdga.exe

Filesize
95KB

MD5
721080680fb71762fb77ea7d93844cff

SHA1
f787f19af4fbf75a7176a8dc4b96bc198f55c6b2

SHA256
fcdd23c06efb07f7beafa87308a2dd31e58ac9876fd30cc1d46c92339ac6b14e

SHA512
669853bd3e2bccf7649f0aa55957ae70b65dde2617cd7b3868f1c93b9ad658f90809b7dc9bf22f58b1cf203045166d7e9c358b503f90f7d94b16235f080005a3

Download Submit
C:\Windows\SysWOW64\Lgjfmlkm.exe

Filesize
95KB

MD5
563b31f401db3028e689340687a59174

SHA1
55b4a708d5481c80f13ac211c6cb08396d3c8b65

SHA256
94b528b4db517f2bc64373a73860a1adf4a1dc3b49dd9a3ec218b9f307309bd2

SHA512
43cc5e15728e1c12fc90a12a970854215907965324a5c910cca71cb33a601a958b1604139cf47910252f5be3a8ceef8cb8e2deac13c011455703b1e26c24d030

Download Submit
C:\Windows\SysWOW64\Lgjfmlkm.exe

Filesize
95KB

MD5
563b31f401db3028e689340687a59174

SHA1
55b4a708d5481c80f13ac211c6cb08396d3c8b65

SHA256
94b528b4db517f2bc64373a73860a1adf4a1dc3b49dd9a3ec218b9f307309bd2

SHA512
43cc5e15728e1c12fc90a12a970854215907965324a5c910cca71cb33a601a958b1604139cf47910252f5be3a8ceef8cb8e2deac13c011455703b1e26c24d030

Download Submit
C:\Windows\SysWOW64\Lgjfmlkm.exe

Filesize
95KB

MD5
563b31f401db3028e689340687a59174

SHA1
55b4a708d5481c80f13ac211c6cb08396d3c8b65

SHA256
94b528b4db517f2bc64373a73860a1adf4a1dc3b49dd9a3ec218b9f307309bd2

SHA512
43cc5e15728e1c12fc90a12a970854215907965324a5c910cca71cb33a601a958b1604139cf47910252f5be3a8ceef8cb8e2deac13c011455703b1e26c24d030

Download Submit
C:\Windows\SysWOW64\Lkcehkeh.exe

Filesize
95KB

MD5
9148fd132c5a142c4da397891f523a9c

SHA1
6e93765e1cdca12c62a1445b57bfea484e59e5c6

SHA256
5b85756b98e2e73e6db131e19a1988ba99682e136444ac659653acf83482b15c

SHA512
a67c31dc363ef027ad5d78a5bd6e4599bde16b1664ac685f553291111d15800226ce5e523a4c09e6a5f70508871e6757199920f7c08fc8c129fea2985c698ef4

Download Submit
C:\Windows\SysWOW64\Lkcehkeh.exe

Filesize
95KB

MD5
9148fd132c5a142c4da397891f523a9c

SHA1
6e93765e1cdca12c62a1445b57bfea484e59e5c6

SHA256
5b85756b98e2e73e6db131e19a1988ba99682e136444ac659653acf83482b15c

SHA512
a67c31dc363ef027ad5d78a5bd6e4599bde16b1664ac685f553291111d15800226ce5e523a4c09e6a5f70508871e6757199920f7c08fc8c129fea2985c698ef4

Download Submit
C:\Windows\SysWOW64\Lkcehkeh.exe

Filesize
95KB

MD5
9148fd132c5a142c4da397891f523a9c

SHA1
6e93765e1cdca12c62a1445b57bfea484e59e5c6

SHA256
5b85756b98e2e73e6db131e19a1988ba99682e136444ac659653acf83482b15c

SHA512
a67c31dc363ef027ad5d78a5bd6e4599bde16b1664ac685f553291111d15800226ce5e523a4c09e6a5f70508871e6757199920f7c08fc8c129fea2985c698ef4

Download Submit
C:\Windows\SysWOW64\Mkhocj32.exe

Filesize
95KB

MD5
a95943b9ec0c46f1123a83f8b6c1cdda

SHA1
366f8ea88e92a2e9fef152f130fc4da617f6e3f7

SHA256
46fef08aaaa5f970543ee9952074112edd0f00744fbe29d6e5ba72b2d301af0d

SHA512
6294021cfdefb19c09e2b892fd22890584d02db8098b49d342b5a6144fe633c542653365119d215b651a734efd94e4ce045478d40b0acceff929cfee414014fc

Download Submit
C:\Windows\SysWOW64\Mkhocj32.exe

Filesize
95KB

MD5
a95943b9ec0c46f1123a83f8b6c1cdda

SHA1
366f8ea88e92a2e9fef152f130fc4da617f6e3f7

SHA256
46fef08aaaa5f970543ee9952074112edd0f00744fbe29d6e5ba72b2d301af0d

SHA512
6294021cfdefb19c09e2b892fd22890584d02db8098b49d342b5a6144fe633c542653365119d215b651a734efd94e4ce045478d40b0acceff929cfee414014fc

Download Submit
C:\Windows\SysWOW64\Mkhocj32.exe

Filesize
95KB

MD5
a95943b9ec0c46f1123a83f8b6c1cdda

SHA1
366f8ea88e92a2e9fef152f130fc4da617f6e3f7

SHA256
46fef08aaaa5f970543ee9952074112edd0f00744fbe29d6e5ba72b2d301af0d

SHA512
6294021cfdefb19c09e2b892fd22890584d02db8098b49d342b5a6144fe633c542653365119d215b651a734efd94e4ce045478d40b0acceff929cfee414014fc

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
95KB

MD5
82f5563f329c684e9a2696743cf86109

SHA1
cacdd5a03fd7b2f5f919b6dd0e6713048c35285f

SHA256
378a8786709bb4b85b80d6f1d801162654c7319258b2a937d981ad818979f279

SHA512
868eb1523cf36ba1c9980efaf6cbf11f07f88545c2a73e73d33ec81263dd240a22dbe218630418316a0209203367664a8ea744585e1fea22ee43cb7b47a2f7d3

Download Submit
C:\Windows\SysWOW64\Mllhpb32.exe

Filesize
95KB

MD5
82f5563f329c684e9a2696743cf86109

SHA1
cacdd5a03fd7b2f5f919b6dd0e6713048c35285f

SHA256
378a8786709bb4b85b80d6f1d801162654c7319258b2a937d981ad818979f279

SHA512
868eb1523cf36ba1c9980efaf6cbf11f07f88545c2a73e73d33ec81263dd240a22dbe218630418316a0209203367664a8ea744585e1fea22ee43cb7b47a2f7d3

Download Submit
C:\Windows\SysWOW64\Mpcjfa32.exe

Filesize
95KB

MD5
7056faf640743d9ad17ee52079f9675d

SHA1
a4f72bc0dd81660e681e46ed377cf8209eb297d0

SHA256
60535af91b6aa7e36063cf3115bf91580a98ab876681687ff76c946faa4e4c0c

SHA512
9de1a3f0f1cea170c4fa9301d0d2a89e92ba1a82a821ac6494de1f64c21de51ac7fdca03ca8d08a2b823d9be815914d2378fc34886382475ed322fa97c264ecc

Download Submit
C:\Windows\SysWOW64\Mpcjfa32.exe

Filesize
95KB

MD5
7056faf640743d9ad17ee52079f9675d

SHA1
a4f72bc0dd81660e681e46ed377cf8209eb297d0

SHA256
60535af91b6aa7e36063cf3115bf91580a98ab876681687ff76c946faa4e4c0c

SHA512
9de1a3f0f1cea170c4fa9301d0d2a89e92ba1a82a821ac6494de1f64c21de51ac7fdca03ca8d08a2b823d9be815914d2378fc34886382475ed322fa97c264ecc

Download Submit
C:\Windows\SysWOW64\Mpcjfa32.exe

Filesize
95KB

MD5
7056faf640743d9ad17ee52079f9675d

SHA1
a4f72bc0dd81660e681e46ed377cf8209eb297d0

SHA256
60535af91b6aa7e36063cf3115bf91580a98ab876681687ff76c946faa4e4c0c

SHA512
9de1a3f0f1cea170c4fa9301d0d2a89e92ba1a82a821ac6494de1f64c21de51ac7fdca03ca8d08a2b823d9be815914d2378fc34886382475ed322fa97c264ecc

Download Submit
C:\Windows\SysWOW64\Ojnhdn32.exe

Filesize
95KB

MD5
008fa35e5192467630869a26cac7bf08

SHA1
7f80ea8d13fdb74ee27176725f65e0132dbd4034

SHA256
34c30bfdb8ffaac215c81fec218bd23f53c30d84c94fe2681c5b19d66bb904bc

SHA512
85ed24c1a32aaa396d2184ac7650acfdd6122b634d32e0e8a0185e38c454ceeabd2de5700f928a2444233cccf479f1d991aea6468f3e6be59570a84c95195e0d

Download Submit
C:\Windows\SysWOW64\Ojnhdn32.exe

Filesize
95KB

MD5
008fa35e5192467630869a26cac7bf08

SHA1
7f80ea8d13fdb74ee27176725f65e0132dbd4034

SHA256
34c30bfdb8ffaac215c81fec218bd23f53c30d84c94fe2681c5b19d66bb904bc

SHA512
85ed24c1a32aaa396d2184ac7650acfdd6122b634d32e0e8a0185e38c454ceeabd2de5700f928a2444233cccf479f1d991aea6468f3e6be59570a84c95195e0d

Download Submit
C:\Windows\SysWOW64\Ojnhdn32.exe

Filesize
95KB

MD5
008fa35e5192467630869a26cac7bf08

SHA1
7f80ea8d13fdb74ee27176725f65e0132dbd4034

SHA256
34c30bfdb8ffaac215c81fec218bd23f53c30d84c94fe2681c5b19d66bb904bc

SHA512
85ed24c1a32aaa396d2184ac7650acfdd6122b634d32e0e8a0185e38c454ceeabd2de5700f928a2444233cccf479f1d991aea6468f3e6be59570a84c95195e0d

Download Submit
C:\Windows\SysWOW64\Oodcogfd.dll

Filesize
7KB

MD5
a66269eead8b756b96eab0fe7db390b2

SHA1
25102d95f1d9dc82db37fb466e858c975f98ee5d

SHA256
e274c12f372bad808919df4e77c1aed33b9672787a6ae47830fa252e9a472cbd

SHA512
c30b0137f5af388a00fcbaf819198605ce68cb94881b63145ce48db9f55a437c1d22d8aea46451477e27d2efa5746179e4ef40bd7f99ce4b1d4c380fc2acbc0e

Download Submit
\Windows\SysWOW64\Dimfmeef.exe

Filesize
95KB

MD5
741ec2f9f36c69a0df3b96de04bcebaf

SHA1
6626446921cae9a8f026df7d51732ad1948c98b0

SHA256
7d161417818c90c937ef18388902c3fcda4c1316692f3370c5dec34d0f9c780e

SHA512
9defaa1fc3b74407a31f8053b2ac2734be2634f8319f420870a40d3de6e4ed626218966b62dd3fd0a7b66691e626addd20ae4748c4668dfa620f9b2da3a2f2d0

Download Submit
\Windows\SysWOW64\Dimfmeef.exe

Filesize
95KB

MD5
741ec2f9f36c69a0df3b96de04bcebaf

SHA1
6626446921cae9a8f026df7d51732ad1948c98b0

SHA256
7d161417818c90c937ef18388902c3fcda4c1316692f3370c5dec34d0f9c780e

SHA512
9defaa1fc3b74407a31f8053b2ac2734be2634f8319f420870a40d3de6e4ed626218966b62dd3fd0a7b66691e626addd20ae4748c4668dfa620f9b2da3a2f2d0

Download Submit
\Windows\SysWOW64\Gcdmikma.exe

Filesize
95KB

MD5
f7296fef963a1586e61a2ebf1d20987b

SHA1
000cd4129b895bf112a41ff94e5be6140bc13568

SHA256
8c2d593fb4c859d9c299b871e1d0cfdd16793bd516a71a7bbb187e331838b0c3

SHA512
f239603220fb0ba99ddfbc9cddd7220382bb1233c6b84a2acc7a6a9604de5b59486866a77f96f3ec4084d57b4f6f7cbf1b19ada606c8a791fa96cce8fcac3055

Download Submit
\Windows\SysWOW64\Gcdmikma.exe

Filesize
95KB

MD5
f7296fef963a1586e61a2ebf1d20987b

SHA1
000cd4129b895bf112a41ff94e5be6140bc13568

SHA256
8c2d593fb4c859d9c299b871e1d0cfdd16793bd516a71a7bbb187e331838b0c3

SHA512
f239603220fb0ba99ddfbc9cddd7220382bb1233c6b84a2acc7a6a9604de5b59486866a77f96f3ec4084d57b4f6f7cbf1b19ada606c8a791fa96cce8fcac3055

Download Submit
\Windows\SysWOW64\Hopgikop.exe

Filesize
95KB

MD5
f7e97a48e9e5c29a83b73da99d526ca2

SHA1
aa0f12ef2e0e5d84adcc766b85b6f8f8c27839b3

SHA256
3fd92c180e754c86d5e3b1be302995902dd6ab234c69b1c1ae0a5b2985f59001

SHA512
845291e060a93004806a4ed2fcb6576186405c2026898728b7c2500904c6cfc15794dd4b6a3a67281fa99ed2f0dd6931a507dd7c7c49e2ed5fc02ca3685e1c31

Download Submit
\Windows\SysWOW64\Hopgikop.exe

Filesize
95KB

MD5
f7e97a48e9e5c29a83b73da99d526ca2

SHA1
aa0f12ef2e0e5d84adcc766b85b6f8f8c27839b3

SHA256
3fd92c180e754c86d5e3b1be302995902dd6ab234c69b1c1ae0a5b2985f59001

SHA512
845291e060a93004806a4ed2fcb6576186405c2026898728b7c2500904c6cfc15794dd4b6a3a67281fa99ed2f0dd6931a507dd7c7c49e2ed5fc02ca3685e1c31

Download Submit
\Windows\SysWOW64\Legmpdga.exe

Filesize
95KB

MD5
721080680fb71762fb77ea7d93844cff

SHA1
f787f19af4fbf75a7176a8dc4b96bc198f55c6b2

SHA256
fcdd23c06efb07f7beafa87308a2dd31e58ac9876fd30cc1d46c92339ac6b14e

SHA512
669853bd3e2bccf7649f0aa55957ae70b65dde2617cd7b3868f1c93b9ad658f90809b7dc9bf22f58b1cf203045166d7e9c358b503f90f7d94b16235f080005a3

Download Submit
\Windows\SysWOW64\Legmpdga.exe

Filesize
95KB

MD5
721080680fb71762fb77ea7d93844cff

SHA1
f787f19af4fbf75a7176a8dc4b96bc198f55c6b2

SHA256
fcdd23c06efb07f7beafa87308a2dd31e58ac9876fd30cc1d46c92339ac6b14e

SHA512
669853bd3e2bccf7649f0aa55957ae70b65dde2617cd7b3868f1c93b9ad658f90809b7dc9bf22f58b1cf203045166d7e9c358b503f90f7d94b16235f080005a3

Download Submit
\Windows\SysWOW64\Lgjfmlkm.exe

Filesize
95KB

MD5
563b31f401db3028e689340687a59174

SHA1
55b4a708d5481c80f13ac211c6cb08396d3c8b65

SHA256
94b528b4db517f2bc64373a73860a1adf4a1dc3b49dd9a3ec218b9f307309bd2

SHA512
43cc5e15728e1c12fc90a12a970854215907965324a5c910cca71cb33a601a958b1604139cf47910252f5be3a8ceef8cb8e2deac13c011455703b1e26c24d030

Download Submit
\Windows\SysWOW64\Lgjfmlkm.exe

Filesize
95KB

MD5
563b31f401db3028e689340687a59174

SHA1
55b4a708d5481c80f13ac211c6cb08396d3c8b65

SHA256
94b528b4db517f2bc64373a73860a1adf4a1dc3b49dd9a3ec218b9f307309bd2

SHA512
43cc5e15728e1c12fc90a12a970854215907965324a5c910cca71cb33a601a958b1604139cf47910252f5be3a8ceef8cb8e2deac13c011455703b1e26c24d030

Download Submit
\Windows\SysWOW64\Lkcehkeh.exe

Filesize
95KB

MD5
9148fd132c5a142c4da397891f523a9c

SHA1
6e93765e1cdca12c62a1445b57bfea484e59e5c6

SHA256
5b85756b98e2e73e6db131e19a1988ba99682e136444ac659653acf83482b15c

SHA512
a67c31dc363ef027ad5d78a5bd6e4599bde16b1664ac685f553291111d15800226ce5e523a4c09e6a5f70508871e6757199920f7c08fc8c129fea2985c698ef4

Download Submit
\Windows\SysWOW64\Lkcehkeh.exe

Filesize
95KB

MD5
9148fd132c5a142c4da397891f523a9c

SHA1
6e93765e1cdca12c62a1445b57bfea484e59e5c6

SHA256
5b85756b98e2e73e6db131e19a1988ba99682e136444ac659653acf83482b15c

SHA512
a67c31dc363ef027ad5d78a5bd6e4599bde16b1664ac685f553291111d15800226ce5e523a4c09e6a5f70508871e6757199920f7c08fc8c129fea2985c698ef4

Download Submit
\Windows\SysWOW64\Mkhocj32.exe

Filesize
95KB

MD5
a95943b9ec0c46f1123a83f8b6c1cdda

SHA1
366f8ea88e92a2e9fef152f130fc4da617f6e3f7

SHA256
46fef08aaaa5f970543ee9952074112edd0f00744fbe29d6e5ba72b2d301af0d

SHA512
6294021cfdefb19c09e2b892fd22890584d02db8098b49d342b5a6144fe633c542653365119d215b651a734efd94e4ce045478d40b0acceff929cfee414014fc

Download Submit
\Windows\SysWOW64\Mkhocj32.exe

Filesize
95KB

MD5
a95943b9ec0c46f1123a83f8b6c1cdda

SHA1
366f8ea88e92a2e9fef152f130fc4da617f6e3f7

SHA256
46fef08aaaa5f970543ee9952074112edd0f00744fbe29d6e5ba72b2d301af0d

SHA512
6294021cfdefb19c09e2b892fd22890584d02db8098b49d342b5a6144fe633c542653365119d215b651a734efd94e4ce045478d40b0acceff929cfee414014fc

Download Submit
\Windows\SysWOW64\Mllhpb32.exe

Filesize
95KB

MD5
82f5563f329c684e9a2696743cf86109

SHA1
cacdd5a03fd7b2f5f919b6dd0e6713048c35285f

SHA256
378a8786709bb4b85b80d6f1d801162654c7319258b2a937d981ad818979f279

SHA512
868eb1523cf36ba1c9980efaf6cbf11f07f88545c2a73e73d33ec81263dd240a22dbe218630418316a0209203367664a8ea744585e1fea22ee43cb7b47a2f7d3

Download Submit
\Windows\SysWOW64\Mllhpb32.exe

Filesize
95KB

MD5
82f5563f329c684e9a2696743cf86109

SHA1
cacdd5a03fd7b2f5f919b6dd0e6713048c35285f

SHA256
378a8786709bb4b85b80d6f1d801162654c7319258b2a937d981ad818979f279

SHA512
868eb1523cf36ba1c9980efaf6cbf11f07f88545c2a73e73d33ec81263dd240a22dbe218630418316a0209203367664a8ea744585e1fea22ee43cb7b47a2f7d3

Download Submit
\Windows\SysWOW64\Mllhpb32.exe

Filesize
95KB

MD5
82f5563f329c684e9a2696743cf86109

SHA1
cacdd5a03fd7b2f5f919b6dd0e6713048c35285f

SHA256
378a8786709bb4b85b80d6f1d801162654c7319258b2a937d981ad818979f279

SHA512
868eb1523cf36ba1c9980efaf6cbf11f07f88545c2a73e73d33ec81263dd240a22dbe218630418316a0209203367664a8ea744585e1fea22ee43cb7b47a2f7d3

Download Submit
\Windows\SysWOW64\Mllhpb32.exe

Filesize
95KB

MD5
82f5563f329c684e9a2696743cf86109

SHA1
cacdd5a03fd7b2f5f919b6dd0e6713048c35285f

SHA256
378a8786709bb4b85b80d6f1d801162654c7319258b2a937d981ad818979f279

SHA512
868eb1523cf36ba1c9980efaf6cbf11f07f88545c2a73e73d33ec81263dd240a22dbe218630418316a0209203367664a8ea744585e1fea22ee43cb7b47a2f7d3

Download Submit
\Windows\SysWOW64\Mllhpb32.exe

Filesize
95KB

MD5
82f5563f329c684e9a2696743cf86109

SHA1
cacdd5a03fd7b2f5f919b6dd0e6713048c35285f

SHA256
378a8786709bb4b85b80d6f1d801162654c7319258b2a937d981ad818979f279

SHA512
868eb1523cf36ba1c9980efaf6cbf11f07f88545c2a73e73d33ec81263dd240a22dbe218630418316a0209203367664a8ea744585e1fea22ee43cb7b47a2f7d3

Download Submit
\Windows\SysWOW64\Mllhpb32.exe

Filesize
95KB

MD5
82f5563f329c684e9a2696743cf86109

SHA1
cacdd5a03fd7b2f5f919b6dd0e6713048c35285f

SHA256
378a8786709bb4b85b80d6f1d801162654c7319258b2a937d981ad818979f279

SHA512
868eb1523cf36ba1c9980efaf6cbf11f07f88545c2a73e73d33ec81263dd240a22dbe218630418316a0209203367664a8ea744585e1fea22ee43cb7b47a2f7d3

Download Submit
\Windows\SysWOW64\Mpcjfa32.exe

Filesize
95KB

MD5
7056faf640743d9ad17ee52079f9675d

SHA1
a4f72bc0dd81660e681e46ed377cf8209eb297d0

SHA256
60535af91b6aa7e36063cf3115bf91580a98ab876681687ff76c946faa4e4c0c

SHA512
9de1a3f0f1cea170c4fa9301d0d2a89e92ba1a82a821ac6494de1f64c21de51ac7fdca03ca8d08a2b823d9be815914d2378fc34886382475ed322fa97c264ecc

Download Submit
\Windows\SysWOW64\Mpcjfa32.exe

Filesize
95KB

MD5
7056faf640743d9ad17ee52079f9675d

SHA1
a4f72bc0dd81660e681e46ed377cf8209eb297d0

SHA256
60535af91b6aa7e36063cf3115bf91580a98ab876681687ff76c946faa4e4c0c

SHA512
9de1a3f0f1cea170c4fa9301d0d2a89e92ba1a82a821ac6494de1f64c21de51ac7fdca03ca8d08a2b823d9be815914d2378fc34886382475ed322fa97c264ecc

Download Submit
\Windows\SysWOW64\Ojnhdn32.exe

Filesize
95KB

MD5
008fa35e5192467630869a26cac7bf08

SHA1
7f80ea8d13fdb74ee27176725f65e0132dbd4034

SHA256
34c30bfdb8ffaac215c81fec218bd23f53c30d84c94fe2681c5b19d66bb904bc

SHA512
85ed24c1a32aaa396d2184ac7650acfdd6122b634d32e0e8a0185e38c454ceeabd2de5700f928a2444233cccf479f1d991aea6468f3e6be59570a84c95195e0d

Download Submit
\Windows\SysWOW64\Ojnhdn32.exe

Filesize
95KB

MD5
008fa35e5192467630869a26cac7bf08

SHA1
7f80ea8d13fdb74ee27176725f65e0132dbd4034

SHA256
34c30bfdb8ffaac215c81fec218bd23f53c30d84c94fe2681c5b19d66bb904bc

SHA512
85ed24c1a32aaa396d2184ac7650acfdd6122b634d32e0e8a0185e38c454ceeabd2de5700f928a2444233cccf479f1d991aea6468f3e6be59570a84c95195e0d

Download Submit
memory/836-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1064-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1064-94-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1076-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1324-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1324-122-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/1324-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1324-116-0x00000000002B0000-0x00000000002F1000-memory.dmp

Filesize
260KB

Download
memory/2748-41-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2748-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-39-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2832-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-6-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2896-55-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2896-47-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2896-50-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2908-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2908-76-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2908-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2924-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2980-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3012-26-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download
memory/3012-20-0x0000000000230000-0x0000000000271000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.