61671dc4208543c665dbde90696ff7c0f13102c44f3e0bdef1653f30c87e7d8e

Analysis

max time kernel
0s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d027265abab3ffabfb54296831ba16f5.exe
Size

60KB
MD5

d027265abab3ffabfb54296831ba16f5
SHA1

7735620de945adfdc61c13dc1b094b5b1366d7a4
SHA256

61671dc4208543c665dbde90696ff7c0f13102c44f3e0bdef1653f30c87e7d8e
SHA512

b431cf356cefcc4f754873cec07bd3db887b01f075d40f7f278dae4e47d64243929ed962c2ee2671e1bb12b7db6e1c7c61e08449d2e5e64242a8b70f1b47d880
SSDEEP

1536:DcRtII+9OWug9h+Dc+P8Pe60XIQiB86l1r:PANo+Ph601iB86l1r

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kibnhjgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgdbkohf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liekmj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lalcng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	d027265abab3ffabfb54296831ba16f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	d027265abab3ffabfb54296831ba16f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kajfig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kckbqpnj.exe

Executes dropped EXE 10 IoCs

pid	Process
684	Kgdbkohf.exe
5080	Kibnhjgj.exe
5032	Kmnjhioc.exe
2704	Kajfig32.exe
224	Kdhbec32.exe
4816	Kckbqpnj.exe
3236	Kkbkamnl.exe
4516	Liekmj32.exe
5016	Lalcng32.exe
2944	Lpocjdld.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fogjfmfe.dll	d027265abab3ffabfb54296831ba16f5.exe
File created	C:\Windows\SysWOW64\Bpcbnd32.dll	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Oimhnoch.dll	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Imppcc32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Kgdbkohf.exe	d027265abab3ffabfb54296831ba16f5.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kckbqpnj.exe
File created	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kajfig32.exe
File created	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Kckbqpnj.exe	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kckbqpnj.exe
File opened for modification	C:\Windows\SysWOW64\Kgdbkohf.exe	d027265abab3ffabfb54296831ba16f5.exe
File opened for modification	C:\Windows\SysWOW64\Kibnhjgj.exe	Kgdbkohf.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kajfig32.exe
File opened for modification	C:\Windows\SysWOW64\Liekmj32.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Efhikhod.dll	Liekmj32.exe
File opened for modification	C:\Windows\SysWOW64\Kajfig32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Jplifcqp.dll	Kdhbec32.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File opened for modification	C:\Windows\SysWOW64\Lpocjdld.exe	Lalcng32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kibnhjgj.exe
File created	C:\Windows\SysWOW64\Lbhnnj32.dll	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lalcng32.exe	Liekmj32.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Lalcng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5456	5356	WerFault.exe	33

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kckbqpnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kckbqpnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d027265abab3ffabfb54296831ba16f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcbnd32.dll"	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kibnhjgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnnj32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jplifcqp.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imppcc32.dll"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Liekmj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	d027265abab3ffabfb54296831ba16f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgdbkohf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbak32.dll"	Lalcng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lalcng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d027265abab3ffabfb54296831ba16f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kajfig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	d027265abab3ffabfb54296831ba16f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogjfmfe.dll"	d027265abab3ffabfb54296831ba16f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhikhod.dll"	Liekmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	d027265abab3ffabfb54296831ba16f5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kckbqpnj.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 684	2256	d027265abab3ffabfb54296831ba16f5.exe	97
PID 2256 wrote to memory of 684	2256	d027265abab3ffabfb54296831ba16f5.exe	97
PID 2256 wrote to memory of 684	2256	d027265abab3ffabfb54296831ba16f5.exe	97
PID 684 wrote to memory of 5080	684	Kgdbkohf.exe	96
PID 684 wrote to memory of 5080	684	Kgdbkohf.exe	96
PID 684 wrote to memory of 5080	684	Kgdbkohf.exe	96
PID 5080 wrote to memory of 5032	5080	Kibnhjgj.exe	95
PID 5080 wrote to memory of 5032	5080	Kibnhjgj.exe	95
PID 5080 wrote to memory of 5032	5080	Kibnhjgj.exe	95
PID 5032 wrote to memory of 2704	5032	Kmnjhioc.exe	94
PID 5032 wrote to memory of 2704	5032	Kmnjhioc.exe	94
PID 5032 wrote to memory of 2704	5032	Kmnjhioc.exe	94
PID 2704 wrote to memory of 224	2704	Kajfig32.exe	93
PID 2704 wrote to memory of 224	2704	Kajfig32.exe	93
PID 2704 wrote to memory of 224	2704	Kajfig32.exe	93
PID 224 wrote to memory of 4816	224	Kdhbec32.exe	92
PID 224 wrote to memory of 4816	224	Kdhbec32.exe	92
PID 224 wrote to memory of 4816	224	Kdhbec32.exe	92
PID 4816 wrote to memory of 3236	4816	Kckbqpnj.exe	91
PID 4816 wrote to memory of 3236	4816	Kckbqpnj.exe	91
PID 4816 wrote to memory of 3236	4816	Kckbqpnj.exe	91
PID 3236 wrote to memory of 4516	3236	Kkbkamnl.exe	90
PID 3236 wrote to memory of 4516	3236	Kkbkamnl.exe	90
PID 3236 wrote to memory of 4516	3236	Kkbkamnl.exe	90
PID 4516 wrote to memory of 5016	4516	Liekmj32.exe	88
PID 4516 wrote to memory of 5016	4516	Liekmj32.exe	88
PID 4516 wrote to memory of 5016	4516	Liekmj32.exe	88
PID 5016 wrote to memory of 2944	5016	Lalcng32.exe	87
PID 5016 wrote to memory of 2944	5016	Lalcng32.exe	87
PID 5016 wrote to memory of 2944	5016	Lalcng32.exe	87

C:\Users\Admin\AppData\Local\Temp\d027265abab3ffabfb54296831ba16f5.exe
"C:\Users\Admin\AppData\Local\Temp\d027265abab3ffabfb54296831ba16f5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\Kgdbkohf.exe
  C:\Windows\system32\Kgdbkohf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:684

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
1⤵
PID:1648
- C:\Windows\SysWOW64\Lgneampk.exe
  C:\Windows\system32\Lgneampk.exe
  2⤵
  PID:4332
- - C:\Windows\SysWOW64\Lnhmng32.exe
    C:\Windows\system32\Lnhmng32.exe
    3⤵
    PID:2040

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
1⤵
PID:1512
- C:\Windows\SysWOW64\Laefdf32.exe
  C:\Windows\system32\Laefdf32.exe
  2⤵
  PID:4384

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
1⤵
PID:3756
- C:\Windows\SysWOW64\Mahbje32.exe
  C:\Windows\system32\Mahbje32.exe
  2⤵
  PID:4892

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
1⤵
PID:4136
- C:\Windows\SysWOW64\Mcklgm32.exe
  C:\Windows\system32\Mcklgm32.exe
  2⤵
  PID:628

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
1⤵
PID:3216
- C:\Windows\SysWOW64\Mpolqa32.exe
  C:\Windows\system32\Mpolqa32.exe
  2⤵
  PID:1444

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
PID:4400
- C:\Windows\SysWOW64\Mgidml32.exe
  C:\Windows\system32\Mgidml32.exe
  2⤵
  PID:1328

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
1⤵
PID:1004
- C:\Windows\SysWOW64\Mncmjfmk.exe
  C:\Windows\system32\Mncmjfmk.exe
  2⤵
  PID:1892

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
1⤵
PID:4364
- C:\Windows\SysWOW64\Mpaifalo.exe
  C:\Windows\system32\Mpaifalo.exe
  2⤵
  PID:2300

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
1⤵
PID:1052
- C:\Windows\SysWOW64\Mjjmog32.exe
  C:\Windows\system32\Mjjmog32.exe
  2⤵
  PID:4780

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
PID:4588
- C:\Windows\SysWOW64\Nnhfee32.exe
  C:\Windows\system32\Nnhfee32.exe
  2⤵
  PID:692

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
PID:2364
- C:\Windows\SysWOW64\Nqfbaq32.exe
  C:\Windows\system32\Nqfbaq32.exe
  2⤵
  PID:320

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
PID:3484
- C:\Windows\SysWOW64\Ngcgcjnc.exe
  C:\Windows\system32\Ngcgcjnc.exe
  2⤵
  PID:4276

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
PID:1940
- C:\Windows\SysWOW64\Nnmopdep.exe
  C:\Windows\system32\Nnmopdep.exe
  2⤵
  PID:2348

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
PID:2064
- C:\Windows\SysWOW64\Ndghmo32.exe
  C:\Windows\system32\Ndghmo32.exe
  2⤵
  PID:1584

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
1⤵
PID:5160
- C:\Windows\SysWOW64\Njcpee32.exe
  C:\Windows\system32\Njcpee32.exe
  2⤵
  PID:5196

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
1⤵
PID:5236
- C:\Windows\SysWOW64\Nqmhbpba.exe
  C:\Windows\system32\Nqmhbpba.exe
  2⤵
  PID:5280
- - C:\Windows\SysWOW64\Ncldnkae.exe
    C:\Windows\system32\Ncldnkae.exe
    3⤵
    PID:5316

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:5356
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5356 -s 408
  2⤵
  - Program crash
  PID:5456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5356 -ip 5356
1⤵
PID:5432

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
1⤵
PID:1264

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:5052

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
PID:4856

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
PID:1864

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
PID:3348

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
PID:2372

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
PID:1804

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
1⤵
PID:1948

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
PID:3320

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
PID:4100

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
PID:1840

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
PID:904

C:\Windows\SysWOW64\Mjcgohig.exe
C:\Windows\system32\Mjcgohig.exe
1⤵
PID:624

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
1⤵
PID:4600

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
PID:3192

C:\Windows\SysWOW64\Lknjmkdo.exe
C:\Windows\system32\Lknjmkdo.exe
1⤵
PID:1696

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
PID:4308

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
1⤵
PID:1168

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
1⤵
PID:2176

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
PID:1548

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
1⤵
PID:1784

C:\Windows\SysWOW64\Lkgdml32.exe
C:\Windows\system32\Lkgdml32.exe
1⤵
PID:1080

C:\Windows\SysWOW64\Ldmlpbbj.exe
C:\Windows\system32\Ldmlpbbj.exe
1⤵
PID:2464

C:\Windows\SysWOW64\Lpappc32.exe
C:\Windows\system32\Lpappc32.exe
1⤵
PID:1324

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
1⤵
PID:3452

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
1⤵
PID:1164

C:\Windows\SysWOW64\Lcmofolg.exe
C:\Windows\system32\Lcmofolg.exe
1⤵
PID:2968

C:\Windows\SysWOW64\Lpocjdld.exe
C:\Windows\system32\Lpocjdld.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\SysWOW64\Lalcng32.exe
C:\Windows\system32\Lalcng32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\SysWOW64\Liekmj32.exe
C:\Windows\system32\Liekmj32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\Kkbkamnl.exe
C:\Windows\system32\Kkbkamnl.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236

C:\Windows\SysWOW64\Kckbqpnj.exe
C:\Windows\system32\Kckbqpnj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\SysWOW64\Kajfig32.exe
C:\Windows\system32\Kajfig32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\Kmnjhioc.exe
C:\Windows\system32\Kmnjhioc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\Kibnhjgj.exe
C:\Windows\system32\Kibnhjgj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kajfig32.exe

Filesize
60KB

MD5
bc9a193036a4045904a5f6fb2e111f29

SHA1
5eeedaac59408bb108dbdb0c509a493f9109330a

SHA256
df925ed1c981cc92215235c4305f46e5b22a2b1f67e3cbf16fc401a203bb3da9

SHA512
5ca7eb7e3c08b19810c96f8bf132e909a45572729dfc5f8ac9d7b4fdf77ab34bee27de25182e76667d3a47dc0b33f669d16342383d140fe6c71f80b9d9815fb3

Download Submit
C:\Windows\SysWOW64\Kckbqpnj.exe

Filesize
60KB

MD5
ee0f33782daf6ea785ce9fb91eb429c2

SHA1
abeb7b0d6097bbd3e7816e93e6b72f0706db508e

SHA256
d370d70ca4bba04a98cd9919f594872b5acedbf90cce0fb41f7291f3c37c7e9c

SHA512
a7b35d0368280e015f5e1002f665381c8edc280c5f720b397a455e9f8b8c9f5890ece5bbfd34bc363e44449a42749db30533983ab723a3c3699d09e1337c91a2

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
60KB

MD5
df10985bc8ba5eee81e1f2c0151cf0dd

SHA1
1a54eb5d8d901cfd1a4d295dd0b85d07b720cc9f

SHA256
e5600df77db45a026e011c7251d150b96b6bdc62a41ff3a2aa358df718b5e3ef

SHA512
636f176dc974a27e169ea8d6ce03a21435df75e720a373007e094b008d9db0c05f1e6f50152a50979c7226767232dd0a243cc5eb7708a8967b18f018365abced

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
60KB

MD5
eff976e0604703e3a519ff3a03173cb5

SHA1
3f065e3baa436f7be436c0c78492d36a4eca0941

SHA256
0b118a7803433eab24607d39d7f020dee6fafdac5bdc949482df513c36871659

SHA512
4483a30271b797abf81d3ddc38fcfaa552647c459a34f9a9ef75a2d3d151113c7cafed3b34392ff5f5317bd48fb573e68649846584eabb1155d1547dff1deffd

Download Submit
C:\Windows\SysWOW64\Kibnhjgj.exe

Filesize
60KB

MD5
6d5f4230a1b5748370a347053aa376f6

SHA1
caeb59dac048aa02472a5904a5db21a1c1ca1e86

SHA256
3dca221e96ebe388e1d5a0e5e3cb2f67c30633c762aaead5a59f39808c16552e

SHA512
2b0465cfd55c2d6f2e2691f6ab6b7c4e160cd512baa179d3c638ce2bf2a9b53e4c50ca0d8b0b18b59a46d24de67251ee42e5a5ac8f38d4ac7280636868c43f5a

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
60KB

MD5
a278ab0aab2fa3dbb36ac43e8d1f6dc4

SHA1
ced8c9fb5f685fa786f77989b220642b58c8c4c6

SHA256
d5b9c2766cfab0abcdb82c6b3b72e052b041aaa8d8e5340d8396d5d8eaa7c515

SHA512
7c74a1ac9b14993925b0d3f33b097753f7672d513a7959652789ff064c0912ea48b40d7a8ac08c5c19598688c1732ce3ca149bc2c8ea3c4de205b33281052dde

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
60KB

MD5
a825c92404487e6e11652b459e1c3253

SHA1
3fae1baeb2972ee41b23374989ce757524c217bf

SHA256
8fb5885ecfd52499ffad84d59673ccaaf825195e9cdbfc205175d6c67835caf6

SHA512
ebca24bd1bea402bee558b891e73ef157fbc11a7ff7731f1bcee1c6b5f65c163ae780bc8e633890c71710a9bc3954debd6be9cb1abe52b7a1fbd57ae894cf9f8

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
60KB

MD5
754594dabdc2387644c1617876b18b1c

SHA1
356775bb3c361198266dbc1692a1426e5f8eb89f

SHA256
d6d03ff59572b237edb2161a9583ab36a78852ce7519365a9274cb213e4df25f

SHA512
2bbc5a1f17406c732bb7c460203d8a2326fc92d6f4ec411fa204508878070376dea78149e054efa6858bb27bcf2b98fbc448c07069ffd46d537323b9d90066d7

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
60KB

MD5
51116c76491997ed99c3b5069eeff8de

SHA1
1bcc0024d3bdb60701c906974ea241151e6c17e7

SHA256
6e47568976c3e29346753783a6828000587a34a22acade82ad18b265a3f2f969

SHA512
3536157b9f2c9e8cfbb4f023410fb32f7f23558da7e42fb6997420ba050ce3293efc8b2ab51a7d95243c8473d81cbe8c4a33498ee7ef9909bb29f23bee803f43

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
60KB

MD5
dbf44fe21ed4a45d484f53f2401ea69e

SHA1
2e8cd5697ac9c09a267eb97b085defb6ec422f25

SHA256
43191d78452bae028ed5bf7bab92387322a646919897ab089910740cd57a87a3

SHA512
bea878d4629fd5d97d0a267fd1d355c6a501635e16339697991f45292fed212bd47de1c551d87ecdb8078636cc9a17019b096e92be8b71b062fd994b2b4c0a1f

Download Submit
C:\Windows\SysWOW64\Lalcng32.exe

Filesize
60KB

MD5
0584970d268652357168465f787d72cd

SHA1
453bfef5f6729c089707319436feb5afaaa12596

SHA256
b748ff39aeec1eb565ae9fd9633c0b82a3b13a730fb15bb6a83cd23678b35601

SHA512
1dfba226e1b680564d634779da82a1c580fe2bfb86f46c1b40b5637f0e0b5c98b26278e4e5384af6ba456292d3f50ba510474449fd6979aa4055592c2dc6c4d8

Download Submit
C:\Windows\SysWOW64\Lcmofolg.exe

Filesize
60KB

MD5
a26eaf5a9618db9e93fd7ed6cae31677

SHA1
482fd80cc67323dc772496dd2f304d7b88e9d230

SHA256
e073e59572ad752cdbacc32a8b48f4dde36349648854c7685788a78fb174c9b3

SHA512
a3a1bc2ac9f4b0f92b42b5eb3a03b3d8ce90085037987f7c17efa1da184b58440bfb8ba170e9b39b64fc105195e22a7df9185a18913d1ddc6206f7780b5818f3

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
60KB

MD5
f4da4463870f21a4c93ca29cd4d5df39

SHA1
68c06f9b403f0a8d88e6b2c97bf9bc390c4a6e63

SHA256
2d4911144ca6d147970153a49a9806cb1e070349cb268be0bc954ee98f3576cf

SHA512
09289b0093ff193ee19b722937d3c3d54eb0de017540b70fd2fff11cd656586299a4795042cd8ccd369c0d62e3d9293bb3853f82be34ed4f3db47410a7eb7730

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
60KB

MD5
db0ca95cab270cc1a626c6dc62744ef0

SHA1
0a8d4a989f7e8abb630a33bfe6f367b8625c593e

SHA256
5ec72f9518ea6c3f0e7000625541b365e08d13d30253a4d040e752a1ca503219

SHA512
6ea8631fd625498f10a50f88cdce203dc107042ca58eaa6361338738cf7089642018d5042c3e2fef264835d2b20e9150ccb090628f70d6af99ae794517e3969e

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
60KB

MD5
f224584bb728a508bbd16463e10c8291

SHA1
cc2b3c1bf44ee8d5a0b1f82c256959884b0b9ac4

SHA256
0f1c5e1c0c925548d1c2b13d0757b6e8bf237decb951d1b1bedf9d8b28ede34b

SHA512
add1bf80e01f9872c4a1b72cb896797ba3c6146454e9c89563f0ab6f4fab4ff8901221ac82b61da7e69bb64702453d1558fa4c548bf04f19038b1cea255fdf98

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
60KB

MD5
b872dbc3df1b8b8d2d100ae0192a7eaf

SHA1
6b824071198126bb0712af55532396c10b978fcf

SHA256
2e79689122fb782bce9bb654d959377c01655db02954f05a572b50dfcd375c4b

SHA512
251bd8f4dab4accc058d4d52b3cf4c5b16daa28bf987386426ebab1ac1e6e79fdee91a48d5575beb4d8146a306929de60e812300b7d87022fd5728033cb15709

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
60KB

MD5
717809fc1f72b5b03dbfa05cacf72e25

SHA1
6c7a9bb8d6b371188e0e440e829376197b3599e2

SHA256
7af5f37aa6b59dd9b5890e5f4afd38d4c941ad207fc02c8b02d5964053ac678c

SHA512
121ad62a0fb85c293149f4454604aa80a5b65a33db9dda753c487e470c8d7900d0efe3c883fe704deb00cb550721b17b6c1da7576001881c3d7a830062ea5260

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
60KB

MD5
1175c4d0d5e6a7ecd26260d9ed40cb99

SHA1
82e6550db394ffa8ca9c987f7471d598764a4c5f

SHA256
8032984a675111253029f5ed3f9e26ef4e1b974f996222269cfefebc379046f5

SHA512
4691fc8838c3dca471f31601d4e7264ba557d265d946f534963610289ed47446d153f990756c931652f4880ffc058f6f9d3e56ce44d74c6289d59f9112c5ff9a

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
60KB

MD5
ce09c90d994eeb758b6ea34f77d95d93

SHA1
8345e85ab1ad3251894c45860721533316076682

SHA256
04a5cc76c778e725b03eea6b6f3ad74b9041b08cf1ca7e89ef70d83e31f8f07f

SHA512
71bd12c4b670f2222f181656c95ec58e1e9f90bae9bd29f2f8175e1bc9208850a26173d0bb445ae29cac1006bf5d40a931d3ae824a735cb01a0caed10e91b5fb

Download Submit
C:\Windows\SysWOW64\Liekmj32.exe

Filesize
60KB

MD5
53df4051f1cf8ac57077593afc98c946

SHA1
02b665cddd9022363a1235b98afe9df6538c16d8

SHA256
330aebf2b9a5fe5699e13611c7823d856733d484984bc6d9fc5261aa45ed1bc4

SHA512
992016293f1084c18adee26904b1016a8f5a99cbef5cec30ae8e846b88e33d9b1875242a7b77ebe6d1596f1ce8cc2655acc32e20b2657546bc7126adf7bd9549

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
60KB

MD5
a00a3c273c8969d4757f4a0098c31474

SHA1
a6bd1cc1e7b4d008c6862b40b2888c7636925268

SHA256
cceb5c9886453369905e2d4bbed3ddf0a45b3f83cfe2101887d9e269328c21e1

SHA512
13bdbdc0b0bc3c1d06a91cbe2170f1f1e2e85a9f6d55db17b59d66617027885176f4d0ca64ae197146b2a4893a908ad44de19c191cb7672732e856f0e8501b26

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
60KB

MD5
68b91d0fa5acfd7872d630beaad0a940

SHA1
3ebbe875a71fb25d14705f32cf4386e9f10c20d0

SHA256
09a8b32f44e8fa0f0dbb8b7e392365a7fba1d8d7b4392850204db531620e67b4

SHA512
57c3aaf2545c1d8a6ebec77d2586d3dfca287aae03242bb89440159427340df83376f638a46f2164c9623a7cce1eb26ef73c8a74d55ab012cdfc5bedf96982a4

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
60KB

MD5
4312ceb734c96cf3728ed7f3923c7d77

SHA1
c76f99845363d67212b767ecceb94aad2e937dde

SHA256
166251fe7155c3831c4c77d3b4272de28ec699607c2c4e219874eb651cfa38b7

SHA512
dd61b8d2a97ca86b96b4f57136c9bb88973f5025c346bbfaa5363a34d9757be4b042fd460faac9ded342788e8013b00b3d312f3a177ceb37c7c3977fad79ba4d

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
60KB

MD5
3b8c34b34fac95671e5b0faeef586626

SHA1
9ed16337d060037485d53414c6940f86912ff75b

SHA256
e6cd13f5288f22c02ccaf4c735d67bcc1efcc6058697a840ca85407d9fe0bad9

SHA512
f7ff91bdb2928b910cf2d73ec9ddb18386be50cc32833f802cd1108ed72b5e40d1c20e8c69479aa992b559d01c00d84d7484e14dbf37b6e8248b41d1913f8878

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
60KB

MD5
ff8ce6f301f494f036bc36ac77fe6ea6

SHA1
915a0e062b25bdd45c287d658f5df213353bcd9a

SHA256
3de0b6f6aaa813c08bfe456cfdce04bcbeaab30e4cba932050166784722d39f5

SHA512
83a11f79923b3aa3881f1e3745f3970f5cf77304fd0c414b799e1f80fbceff68a7c50000004163e4118560bca40909b3dcd1259b3624de22826456232ab8b8a3

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
60KB

MD5
84e5618b4cfd8e87cc3b55c510576091

SHA1
14dfb4bbad6e21b14714e7dd87fac774177be1ff

SHA256
042282e5967e2d83daf20fbab4530fde49d1afcf109a3c35b5a04f1e12da3842

SHA512
e5cc36468a42395aa103fcdc5404c4c1f5d078cdfa2bbf6e72babfa264a089eedf5b46430ae123cb553528738865bcc5ba62cc603e5caa7474d30d014a0f215c

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
60KB

MD5
b53ab95938a0414d65ed68821ab2774f

SHA1
e3e90e22ec705b97bfcef6ba75a58892ce03e2d7

SHA256
cda79998fc3f3070596ccf5e974fd8e78a234bedb0ad806604ea4ddd08154f93

SHA512
e09f1f88d7196d00d7a16797b46d2c3f580bc5bec6fed7ed188878046f82a2a6501bbaf4e568057d561e90cd4fefaf10f4531a6fab48f050691b4cfa5e667fa6

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
60KB

MD5
d064efff7a13dee5ebb2bd64c93a9caa

SHA1
bc5f6adb32990c321312450bbec4ca117bd64d68

SHA256
79ea204433dda2795dd78533d7a51eaa543a05b272df5a325f512b1af1c28336

SHA512
377e4f4638605a3b1f862fd65a2c1a329c4c5e9e11e00d7a16c85c8c846bab921de98ede1989f15bd790eea3998760560d68f07f02fc09639224b1c5f9d8efbe

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
60KB

MD5
4b43e33bbe58750e31499da2736842be

SHA1
fa72f2379b3d6dcf32c06eff44d3f9bbfc7bcf62

SHA256
e023bf287b135d7ef20aad8e1ae8cf6ff5a0735d006d48791be992adeaacb03f

SHA512
9ee4d1cfda25e7b04c486fdf62bfec918fb0a4e0f22b6ea91f7154da73ae8dc1b3f6d22fa659bf1f0427b87822d4f90fb4e8c3605b54403ff9ec17695072461d

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
60KB

MD5
a40be643e5c7c1f8b2d802319e28838e

SHA1
50eee2c23867c60de1de755095645329b4d4ab89

SHA256
058912ca527c1de13eaf180c495272c1d205f4db0d213e469f0e9aa9771d759e

SHA512
7e7af1a1a67244b2f895fa75a80012951dd4b9ff462353a57b782a8ea963c9fe050ee10b85adedc6d32d53f419d266cc43b895bf462508d7abe2c3accbf8951f

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
60KB

MD5
0edd416a3d902db37f826ef46283fe32

SHA1
224297646fdd3a27f77eecf68d27dec5bbb7e41b

SHA256
7ca535f8b6e7cdd1ef7f62545c3c0503f044f70d40686f5c0cb26b2d03d4a4bb

SHA512
698c4454037b52244fd2d3e73df4e42f509d411e3cce38d190bb6ddc9bd7839a874870006d4b1a46e63f1c51309ea55efb68f79a248de2f93f56d903785738f6

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
60KB

MD5
215f0425d21f9f1dc3746c68a65da10a

SHA1
d8e97766c50228661b2755a4e38bfbc8cbbf6581

SHA256
af90238a9ff0ee351f96dfaffd031118c79bc6fc15b19444359cd7ad8ab25813

SHA512
533dfa2eb4c16c94055f955f597c5a90a487f2e9a1b4b8d6e1a183194f06cea9edebfd946f33112e79f1a9299799f97d029d9e66cf0e496a2f1018c5f9eb99dc

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
60KB

MD5
97c1c109e9b21d8bcaf609873ac307f9

SHA1
c56190729ce9ae9ed75ceaa9dfa22dd383362a11

SHA256
c3f38f1be5b05d8a7d9801290ffc26a0509949eea5d6514f5079a0da88ef8e67

SHA512
b1a9454105aad70a130b721b65cfa389fbbae446fdb0e8f3a82b596aa5bee09fcbc58b049ae490997991746c1c11f4bdee506656577a20b1ef17d792e493eac3

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
60KB

MD5
a1a3ec5649690eaa4d99b88ea963a0f3

SHA1
282d02b62c270355127981fd660caeb074d2c862

SHA256
3aa7ed7fd8cca0fc3bdfd42526ad760095918a754cdc5dd93f099a49cd1ea058

SHA512
e271302040d4d8746d25350d6c9186bdd34c5a79d7bd37577d79184593ac464f83e912121920e8ba795c022fc9c5f8286550d579bc09296c23b1559f41c3d764

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
60KB

MD5
cbaa993347b81f15992af4a4ca280f18

SHA1
055f69de163b12671b937c9f9bf221cdab6c40e0

SHA256
cf342d57ee16bd445d540f5445af6cbe4bdf3bd10532fce4ab4893001b430467

SHA512
45d6a9473d9eed8a76947c645fece8a5408e842527d867a2e6b41ad10ba24139d031630a1e6cc4edfafb7e8ddcc9c79d3edd990709afc3aee487a3b6444e621a

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
60KB

MD5
65e5525d1fd177a8e74c8e40f763cea2

SHA1
929055d6c4de742477aac7bbcf6a15860c8707aa

SHA256
b415f17b9c25f5a90a0f5c2849792dcedadefdc97ac190b17f6236e0149a66a8

SHA512
df7188ff284b282f2de54e70736656e63dcfe977e37c1471ded9d4ee31ffb4fc49726e3437806a550a494a61c4eb71a281e71a933ebf9082538c74d51a6761b7

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
60KB

MD5
4955b9ffc1e87784ff6769c3bc974b97

SHA1
a8d27a28b52c7a56f546bb53523004bdf87aed02

SHA256
b254800766e2f9244ca5b627fa224699bedef2892ffb3d97b988b86a4f1d669f

SHA512
b4b72043358d342a71785f05e33773204f5ee68d704003d246998dd0b96ae084787a67e7e90aabb75df914e07884085de83c621e47c7c304b4d8888869c2a503

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
60KB

MD5
725fcd2cebfe4139e0637013cf6b5f67

SHA1
486837a489cce42ac30699d4f971e27bb355d59c

SHA256
abf90688cfb011b5b1897dfb76bd8fdeedfce248eb5781967ee86dba4f687952

SHA512
07c4cf752d5067c0fbe5c3eda8cf0891334d39da34fb332318e4124c0800fe87ffe972fdb8451fce87dda201b1e3db494323fdb49b9b289c6d57a96f9a17ccf0

Download Submit
memory/224-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/224-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/320-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/628-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/684-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/684-9-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/692-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/904-268-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1052-413-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1080-214-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1164-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-189-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1324-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1444-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1512-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1648-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1696-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1784-139-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1804-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1804-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1892-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1892-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2176-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2256-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2256-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2256-77-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2256-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2300-401-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2464-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-33-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3192-247-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3216-292-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-138-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3236-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3320-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3348-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3452-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3452-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3756-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4100-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4100-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4136-274-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4308-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4308-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4364-333-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4400-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4516-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4516-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4780-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4816-51-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4816-131-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4856-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5032-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5052-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5080-17-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5080-101-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads