a8e93791f7d3616e97ab1979fa72a4a9d068d6cecb6c149791cdb881e04e1cb4

Analysis

max time kernel
0s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e53db750c29474d04ea86bb558f9ca81.exe
Size

376KB
MD5

e53db750c29474d04ea86bb558f9ca81
SHA1

b7d42ce130e0f927d69230ef22f414b4d09d44a0
SHA256

a8e93791f7d3616e97ab1979fa72a4a9d068d6cecb6c149791cdb881e04e1cb4
SHA512

f0e44ff006ad3e46552a095075b271340adff5ad55ed0fc7af4fc9b42f35ccaf1cf9f699ba7c50de9507652bc84020600e93f32f525276ddcb7e8a0e28e219e5
SSDEEP

6144:PT0Ffukfh8bC7oQ0IV/Atl/AtW1OE43V1+25CzRoQ0Ibl4HdE43V1+2:E2mh350I2mi4lCzb0IF4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e53db750c29474d04ea86bb558f9ca81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgmlkp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e53db750c29474d04ea86bb558f9ca81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmegbjgn.exe

Executes dropped EXE 10 IoCs

pid	Process
4912	Jpaghf32.exe
3628	Jkfkfohj.exe
2832	Kmegbjgn.exe
4844	Kbapjafe.exe
4404	Kgmlkp32.exe
3220	Kacphh32.exe
3304	Kdaldd32.exe
4496	Kkkdan32.exe
3272	Kmjqmi32.exe
3880	Kdcijcke.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jpaghf32.exe	e53db750c29474d04ea86bb558f9ca81.exe
File created	C:\Windows\SysWOW64\Jkfkfohj.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kbapjafe.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Kacphh32.exe	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Kmegbjgn.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Kmegbjgn.exe
File opened for modification	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Jpaghf32.exe	e53db750c29474d04ea86bb558f9ca81.exe
File created	C:\Windows\SysWOW64\Eilljncf.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Hehifldd.dll	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kgmlkp32.exe	Kbapjafe.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kgmlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Mghpbg32.dll	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Kdcijcke.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	e53db750c29474d04ea86bb558f9ca81.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File created	C:\Windows\SysWOW64\Kkkdan32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Jcpkbc32.dll	Kmjqmi32.exe
File opened for modification	C:\Windows\SysWOW64\Jkfkfohj.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Iljnde32.dll	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kgmlkp32.exe
File created	C:\Windows\SysWOW64\Kdaldd32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kkkdan32.exe
File created	C:\Windows\SysWOW64\Kmegbjgn.exe	Jkfkfohj.exe
File created	C:\Windows\SysWOW64\Kmjqmi32.exe	Kkkdan32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5488	5372	WerFault.exe	40

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e53db750c29474d04ea86bb558f9ca81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eilljncf.dll"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdaldd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehifldd.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kacphh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgblndm.dll"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e53db750c29474d04ea86bb558f9ca81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmegbjgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghpbg32.dll"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nilhco32.dll"	e53db750c29474d04ea86bb558f9ca81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kgmlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkkdan32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e53db750c29474d04ea86bb558f9ca81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkfkfohj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e53db750c29474d04ea86bb558f9ca81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e53db750c29474d04ea86bb558f9ca81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljnde32.dll"	Jkfkfohj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmcfa32.dll"	Kmegbjgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkkdan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcpkbc32.dll"	Kmjqmi32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 4912	3064	e53db750c29474d04ea86bb558f9ca81.exe	89
PID 3064 wrote to memory of 4912	3064	e53db750c29474d04ea86bb558f9ca81.exe	89
PID 3064 wrote to memory of 4912	3064	e53db750c29474d04ea86bb558f9ca81.exe	89
PID 4912 wrote to memory of 3628	4912	Jpaghf32.exe	88
PID 4912 wrote to memory of 3628	4912	Jpaghf32.exe	88
PID 4912 wrote to memory of 3628	4912	Jpaghf32.exe	88
PID 3628 wrote to memory of 2832	3628	Jkfkfohj.exe	87
PID 3628 wrote to memory of 2832	3628	Jkfkfohj.exe	87
PID 3628 wrote to memory of 2832	3628	Jkfkfohj.exe	87
PID 2832 wrote to memory of 4844	2832	Kmegbjgn.exe	86
PID 2832 wrote to memory of 4844	2832	Kmegbjgn.exe	86
PID 2832 wrote to memory of 4844	2832	Kmegbjgn.exe	86
PID 4844 wrote to memory of 4404	4844	Kbapjafe.exe	85
PID 4844 wrote to memory of 4404	4844	Kbapjafe.exe	85
PID 4844 wrote to memory of 4404	4844	Kbapjafe.exe	85
PID 4404 wrote to memory of 3220	4404	Kgmlkp32.exe	84
PID 4404 wrote to memory of 3220	4404	Kgmlkp32.exe	84
PID 4404 wrote to memory of 3220	4404	Kgmlkp32.exe	84
PID 3220 wrote to memory of 3304	3220	Kacphh32.exe	83
PID 3220 wrote to memory of 3304	3220	Kacphh32.exe	83
PID 3220 wrote to memory of 3304	3220	Kacphh32.exe	83
PID 3304 wrote to memory of 4496	3304	Kdaldd32.exe	82
PID 3304 wrote to memory of 4496	3304	Kdaldd32.exe	82
PID 3304 wrote to memory of 4496	3304	Kdaldd32.exe	82
PID 4496 wrote to memory of 3272	4496	Kkkdan32.exe	81
PID 4496 wrote to memory of 3272	4496	Kkkdan32.exe	81
PID 4496 wrote to memory of 3272	4496	Kkkdan32.exe	81
PID 3272 wrote to memory of 3880	3272	Kmjqmi32.exe	17
PID 3272 wrote to memory of 3880	3272	Kmjqmi32.exe	17
PID 3272 wrote to memory of 3880	3272	Kmjqmi32.exe	17

C:\Users\Admin\AppData\Local\Temp\e53db750c29474d04ea86bb558f9ca81.exe
"C:\Users\Admin\AppData\Local\Temp\e53db750c29474d04ea86bb558f9ca81.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\Jpaghf32.exe
  C:\Windows\system32\Jpaghf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4912

C:\Windows\SysWOW64\Kdcijcke.exe
C:\Windows\system32\Kdcijcke.exe
1⤵
- Executes dropped EXE
PID:3880
- C:\Windows\SysWOW64\Kgbefoji.exe
  C:\Windows\system32\Kgbefoji.exe
  2⤵
  PID:408

C:\Windows\SysWOW64\Kmlnbi32.exe
C:\Windows\system32\Kmlnbi32.exe
1⤵
PID:4944
- C:\Windows\SysWOW64\Kdffocib.exe
  C:\Windows\system32\Kdffocib.exe
  2⤵
  PID:2000

C:\Windows\SysWOW64\Kgdbkohf.exe
C:\Windows\system32\Kgdbkohf.exe
1⤵
PID:5040
- C:\Windows\SysWOW64\Kmnjhioc.exe
  C:\Windows\system32\Kmnjhioc.exe
  2⤵
  PID:1532

C:\Windows\SysWOW64\Liggbi32.exe
C:\Windows\system32\Liggbi32.exe
1⤵
PID:1224
- C:\Windows\SysWOW64\Laopdgcg.exe
  C:\Windows\system32\Laopdgcg.exe
  2⤵
  PID:3560
- - C:\Windows\SysWOW64\Ldmlpbbj.exe
    C:\Windows\system32\Ldmlpbbj.exe
    3⤵
    PID:2912

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
1⤵
PID:1960
- C:\Windows\SysWOW64\Lgbnmm32.exe
  C:\Windows\system32\Lgbnmm32.exe
  2⤵
  PID:1548
- - C:\Windows\SysWOW64\Mahbje32.exe
    C:\Windows\system32\Mahbje32.exe
    3⤵
    PID:1684

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
PID:3028
- C:\Windows\SysWOW64\Mjcgohig.exe
  C:\Windows\system32\Mjcgohig.exe
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\Majopeii.exe
    C:\Windows\system32\Majopeii.exe
    3⤵
    PID:1688

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
1⤵
PID:4820
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  PID:1932
- - C:\Windows\SysWOW64\Mpolqa32.exe
    C:\Windows\system32\Mpolqa32.exe
    3⤵
    PID:2792
  - - C:\Windows\SysWOW64\Mcnhmm32.exe
      C:\Windows\system32\Mcnhmm32.exe
      4⤵
      PID:5068

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
PID:2076
- C:\Windows\SysWOW64\Maaepd32.exe
  C:\Windows\system32\Maaepd32.exe
  2⤵
  PID:1184
- - C:\Windows\SysWOW64\Mcbahlip.exe
    C:\Windows\system32\Mcbahlip.exe
    3⤵
    PID:2940
  - - C:\Windows\SysWOW64\Njljefql.exe
      C:\Windows\system32\Njljefql.exe
      4⤵
      PID:3036
    - - C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        5⤵
        
        PID:388

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
PID:2028
- C:\Windows\SysWOW64\Nnjbke32.exe
  C:\Windows\system32\Nnjbke32.exe
  2⤵
  PID:4520
- - C:\Windows\SysWOW64\Ncgkcl32.exe
    C:\Windows\system32\Ncgkcl32.exe
    3⤵
    PID:2024

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:5132
- C:\Windows\SysWOW64\Nbhkac32.exe
  C:\Windows\system32\Nbhkac32.exe
  2⤵
  PID:5172

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
PID:5292
- C:\Windows\SysWOW64\Ndidbn32.exe
  C:\Windows\system32\Ndidbn32.exe
  2⤵
  PID:5336
- - C:\Windows\SysWOW64\Nkcmohbg.exe
    C:\Windows\system32\Nkcmohbg.exe
    3⤵
    PID:5372
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5372 -s 400
      4⤵
      Program crash
      PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5372 -ip 5372
1⤵
PID:5464

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:5252

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:5212

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
PID:4772

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
PID:2212

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
PID:5016

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
PID:4928

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:5076

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
PID:940

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
1⤵
PID:2376

C:\Windows\SysWOW64\Laciofpa.exe
C:\Windows\system32\Laciofpa.exe
1⤵
PID:4340

C:\Windows\SysWOW64\Lgneampk.exe
C:\Windows\system32\Lgneampk.exe
1⤵
PID:4548

C:\Windows\SysWOW64\Ldohebqh.exe
C:\Windows\system32\Ldohebqh.exe
1⤵
PID:448

C:\Windows\SysWOW64\Lnepih32.exe
C:\Windows\system32\Lnepih32.exe
1⤵
PID:4668

C:\Windows\SysWOW64\Lgkhlnbn.exe
C:\Windows\system32\Lgkhlnbn.exe
1⤵
PID:4332

C:\Windows\SysWOW64\Lgikfn32.exe
C:\Windows\system32\Lgikfn32.exe
1⤵
PID:2260

C:\Windows\SysWOW64\Ldkojb32.exe
C:\Windows\system32\Ldkojb32.exe
1⤵
PID:2444

C:\Windows\SysWOW64\Lmqgnhmp.exe
C:\Windows\system32\Lmqgnhmp.exe
1⤵
PID:1784

C:\Windows\SysWOW64\Kgfoan32.exe
C:\Windows\system32\Kgfoan32.exe
1⤵
PID:1940

C:\Windows\SysWOW64\Kdhbec32.exe
C:\Windows\system32\Kdhbec32.exe
1⤵
PID:1520

C:\Windows\SysWOW64\Kmjqmi32.exe
C:\Windows\system32\Kmjqmi32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\Kkkdan32.exe
C:\Windows\system32\Kkkdan32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4496

C:\Windows\SysWOW64\Kdaldd32.exe
C:\Windows\system32\Kdaldd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3304

C:\Windows\SysWOW64\Kacphh32.exe
C:\Windows\system32\Kacphh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\SysWOW64\Kgmlkp32.exe
C:\Windows\system32\Kgmlkp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\Kbapjafe.exe
C:\Windows\system32\Kbapjafe.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\Kmegbjgn.exe
C:\Windows\system32\Kmegbjgn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\Jkfkfohj.exe
C:\Windows\system32\Jkfkfohj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Jkfkfohj.exe

Filesize
376KB

MD5
ed947afad7dfbabb9d923c6a2503f488

SHA1
daaafc6a79592323eb61c9da081e12c562d83c0d

SHA256
9f0cfe66f68aa9dde546ddca6b1774d584ce61b0137a9864ca0ce89338c8797a

SHA512
659ca465968885e44812db0f75da39e4d5801150d91e6481aa17da2e38065d3cb817f6401a68c1f19dcc7792877bf00beb501472ac30fa9b8401662175194b62

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
376KB

MD5
bba232ea8a951a2ae4accea3f8e1f879

SHA1
125236985f4f6956067375c5527f4b6b328fd4b4

SHA256
0e78f943e586665fd1e2d8d5a80d0dc5880fc3f580db9de8df283aafd64f2974

SHA512
1f9c05174ada630aebe10a14d890cd5c01c0e6c1169bbc509339fa3abddc4f02e80e4a0043fa15a9a521091ba2bc1e9c0cb63696d19a9dae0a6db84ddc055aa9

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
376KB

MD5
77914a0043192bcc7252edef31fab731

SHA1
777631a898157d5e9cb792e4bf90f8f59c74502b

SHA256
7b1268c27b1858e42849cecdbd6805359d8d775b7474317ee4bcad9db7105401

SHA512
3d590dac63e4eb24689b3764e2b49abc65f8f6badb9a1e74c5c2b3a4001c88cd4cfcfbc8ebfb96496f27dd1e4c3c9fdb988892553c32a9720b749dd72910b7f7

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
376KB

MD5
aed5af2a1296880b207644735be16c76

SHA1
ca111fc170abb61f9c02950c3dec783b66f735b3

SHA256
7c42485ee821d3c24a0b81eb5d6363e1ad58dae0b5baf64ae95ffaca89cb6732

SHA512
a07680d8f88499f588f76e3c2b71a04a974414c673613b504cb7e693a291014cab97a4f06da2e9e7a489180a58a2fac903eb29bbb081f9c1789aef939ed4cc3b

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
376KB

MD5
7403428ce15d6348db2750f98ed62f22

SHA1
362a44b502076522e434168ffa4113a2b460c354

SHA256
7ff5484096d2fb2c55bcf697e47606af72429deedd7cde1a614b781fc64c4438

SHA512
e2d4b46ed5f885b8305626bed4af681e7ceb0f5dc6892b9d22cae334db02ee0405f72c1bff1639b6881400a3cf8fa4457601f45e509038e750a63022d2ea1dfd

Download Submit
C:\Windows\SysWOW64\Kdcijcke.exe

Filesize
376KB

MD5
bc8d285bc33fcb128ee156a2b6480a0e

SHA1
4e7a531ca749c2fbda591d9cfcfd70af22d33d29

SHA256
c7ce4a8dea32287c0ee78b28948d18821e551dc60a8ed6dbb8c68bcb9e8c2a6a

SHA512
c269c3a87d387f01eb1774a6aed88f4264a0d44c0cdbb6556098f6100e972bff44256cda62e252700c6da5d7f4a4b2e7d9ce517327c6c262c354336f196f29a4

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
376KB

MD5
d799e222c6e969158a35a4f26c166009

SHA1
3381dfb8736ec259bb962e428d3021993fadae13

SHA256
2c80a9be0681b6f9c014f4fb67485e9999dc51fe4237a2cd83cac14ee3530026

SHA512
b77a3e4b000721b3b65c012b68c1dd88a936fead645a922a5551847e45ce664e19b0c41a464e201acadea6da2dd72ad456d4a94c76faae90e407bb78322a71a1

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
376KB

MD5
4edc944ff98d271bc89fe3caf96f6cf9

SHA1
1b742ac9728122ee2bc5f67aa09d43107b150da6

SHA256
8a4a44486c92e0ffb84298ee63fb8fafb6b4a525d4f10732fdd0bd7fe510858d

SHA512
2a6017a6ff5bd7309cdad0604e8a60f962770720a43f8938c44e152783b0c28b15dc5a90583fffc334411b32cc8f8318a36fbf3975ae8f8d92a96543e0963c46

Download Submit
C:\Windows\SysWOW64\Kgdbkohf.exe

Filesize
376KB

MD5
f76f86c8b9f7d448951990af2974c69a

SHA1
a22473588e5dcfb1523b9385cd208ecd5116a560

SHA256
33b80b638ef04880a47d7dd33e0d29b1c053f5facd1d668a90ea8e71a9f0d719

SHA512
f02386e78683969a9034712f7bdd3e8c22b7170d2398daf4a841442f3a170c3ce4b410b06b426577e806d76b63ccea3a7c846161b18906904ccc12728c7b7149

Download Submit
C:\Windows\SysWOW64\Kgfoan32.exe

Filesize
376KB

MD5
22ccc4a8eeb023b31169de2d55b48ff7

SHA1
ca7474464bd4d72f4fd7241d8fb245f17f9ebef7

SHA256
41f9e84e98bb2a8af0f452cc12f87bd672b0d51598c45f1d6878ff1428b38daf

SHA512
f97e3716151124e5fbeaf7cfdc997ff8d31ba136cf11710ba3705d986687ecc51a8174377d1aafd1589f9f9c9188fc5b17aa10ad2fdd0617c18b223572afb9d1

Download Submit
C:\Windows\SysWOW64\Kgmlkp32.exe

Filesize
376KB

MD5
24209c1a9ea178d919675f1e8d1acfc5

SHA1
d5ad8dfa523e11e1600cb1fe8f8d6b20855259e5

SHA256
4f6732cb3c3c574058fbc95a65fb585bf12b9a495568e6d2f5879435275686c7

SHA512
7523bf073fe82714445e8214803d8b3264d0687d9387a7983eb51abc668cdb6cadb9fe244d491a4a76e7ea0deb61abee680ffb7fd0fd7c3838055479fc134061

Download Submit
C:\Windows\SysWOW64\Kkkdan32.exe

Filesize
376KB

MD5
47ce3b2f99f9dc60347c5c4776de0ec7

SHA1
f7ddc49114b833484e1d064a02d2fadb967a41c7

SHA256
3af4859a9f9b4b87a4ac50cea9e33d21a2f35227df163918fea8910f99cb43ad

SHA512
99ffa210ad1b48de492961b029b31f852f0239524ff9d79582e3442e101380c93259d15bd29af2a1b5fcb6ec6bf9f0c68930955225c05a0f97ee9bc10c094779

Download Submit
C:\Windows\SysWOW64\Kmegbjgn.exe

Filesize
376KB

MD5
41c50626e79d3aa994d48555f70e733a

SHA1
30d7e68977cd3d26bc4756ee63ad4478e39a9ecb

SHA256
72ee8152224c54fd5c4cc3086c4d6f1fb44e076dba9c012352d6d70ec37d729f

SHA512
b7776309500ac1dc032485ab344b9b7d816a8f800e7357b17ddce416a49b7688f1c6d42592374f3787d1ea182ce7edeb79ece8778c3d059e4f6a7a59aa7a4ffa

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
376KB

MD5
459b52f2005c0336a9e2924ba906a675

SHA1
08fde70ceb99394474498806f16f1cc40c856ac3

SHA256
6573590e12953ea6c759a8b489a782248887a3765e8fa4a2d32856005a9240e2

SHA512
1cb5b9b52012d5c81b28d37bbe185aea194cac8a49fe7e6709b35607c5277edb44b41d22d776d18fa31389b48ba81236a4881b50f6ad01e536898e4fc4c30aa2

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
376KB

MD5
5745e00fdb102353c6e8a18f92c69f01

SHA1
7f9c1889c6f270d2acfb786d7ced70b7ca717722

SHA256
e672d62ef09503cb08df6293a99902523896c4bad3e98d5c5c950a42fe8c3628

SHA512
2b03c436596fb48e64341621c7ca6b92ee2a15dffcc5d44e05117da7866b9a2436e4ffc27ece09fb334b450ebee7bcd99cca41d5df0b3f2de424c955c04b1c04

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
376KB

MD5
977f429826d5987cdb46e2a80ab124b1

SHA1
9e01d3ad4fc1200b37ec7c35616466ef68661afa

SHA256
918132ee94a3676ca22fefb5178c360a7210d625bf21b9c59b521c5ce1d7d1b0

SHA512
9ee473afea5222d0cfb7063e55963735a119d457ac335d63adcf271b8a51d4395e3a43d941c18d38f74ce0e172211156868e7f1ef8f6482a7373c52795ee1d32

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
376KB

MD5
04c138e7d6a518b1ce331f958e75746a

SHA1
4746840b5d1716c8d7c4bfc8b7286f218090785b

SHA256
0e02be0f4c7f7595582fedae0fa2c08dcca1d02e67eb6bf4943a0039e7918594

SHA512
3fefac7ec90588d6346820615da41c7e5aec1242654a0c31ed53228f33252162a46eb28d44f390886588755c635753c3c029928e8e3170f3efaea3d5c42b3cf3

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
376KB

MD5
7fb85f509540f5c3b3f62edabc68dd36

SHA1
0d31a25b5a76e6165710ec9caccb3335a24766ce

SHA256
daa43371fab8960fbb7e06ceee2d8ceeebb2f9b09cedf32e0d727882a7a17f46

SHA512
294bbc44e3f2ac95360926d4a2e625e59284b3188da7a61c7b884b96734ff6287064bfab895dcc4db4853c5c66b8bc899516e2c26dc1adc98466463193450020

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
376KB

MD5
ae9d75e4ab41e45d8262d5a73045e4de

SHA1
0aa2d25ce652f415375ebeba6eaa7c3aabfeef85

SHA256
0d0f8868a23bcbf476a404a9a7d521bb05999683575a5dc1204f4f011d7fd7b2

SHA512
cf4725b52bfbe3aec8bb64b22ed201bf25ecee4ad5834aa95ab0681a9c6a33e77c5dc6add0a8acb6c962d9bfb79fb44f0228d6b73dce2bdb3ad8376b5e4415b9

Download Submit
C:\Windows\SysWOW64\Ldkojb32.exe

Filesize
376KB

MD5
771a01167220429feaf21908a3c7ec60

SHA1
ae973530a838aca9cef4f974cfc945e4bdce643d

SHA256
e592aac1251668687c21470dcce0cf60a6d14d6c02e595c9432e28579ed3ee15

SHA512
9c01ce255821fce5e0d618b8346b21aad4ccc20bf3cd26108182cbcbc6611e8ec3d5770ae8645b5a5ed85ba4cb0c644894b2cf4ac9f5777acd3a7ac8721607b8

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
376KB

MD5
c6481d4a835940a0693af9a332e37236

SHA1
c3461fd1d872b3100ac81db1fde20786db1f1118

SHA256
974e092c0c8c47b61942bf08c61faef572c9c9c67df9dd076288e54c2e77fc28

SHA512
3efdb0860cf9bb096c9794d854d85a48e6bf055af24d76e61a7babfec844e22124a9238a24c3faf1c1ed8646c69d916fd7ef326799c6e871ad80056668b509d2

Download Submit
C:\Windows\SysWOW64\Ldohebqh.exe

Filesize
376KB

MD5
8eab4c95b43afe7da57947609ef1edf8

SHA1
8586244ecfdb2a6e9f46f01fd4065b0b7a48c01c

SHA256
f80716b0fb66aa7c83c4ff39ec434b2f8a793bee726e858ec0febb1ce1e8f062

SHA512
1dadada508eda5cfccab060a1f1238d5d8fabf3e0f62c993dbb2630de42904f1662b06fb3ca77982e1eecddfd433a3c7e0ea1cb76b4d35008415c0e376db4c35

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
376KB

MD5
a31467bbbf86d4d7ff3d0e674ed1ac16

SHA1
137a83f8ed046075d6ecf1cccb54ff710056ad44

SHA256
c2a15696111d6477b09296197a07ee1925773fc894ae1ec81a487dcc822735c6

SHA512
195add0b6193257c1aa87e17029abcfe7bd2cfc1865b6f7d36b45862c52b38c35b52c5a74baf1b3680ae1bcf113d05ee63460705004194670d179e3954d0caef

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
376KB

MD5
7cd775179c0c3c02ecded5666b77c832

SHA1
7361137756a7387280627a46921421032b2a0957

SHA256
926d22436a9e54a8d69cd7cb6eb572458dbf193235a3e9183c6094c793c8da36

SHA512
1385bea806d39318ac377e0e037c4b1a3f3a333230c7dbb0b60b39954c82803e6aba758bfeb868a6c5c5f709e278ac9c3327ca444a3193b832c8c25c09ea95aa

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
376KB

MD5
bd48257b60405deeeec78b5452bab9be

SHA1
c64f0cf47bbda1aaa0d7a9833f5b8489c699ce59

SHA256
7ab45751775bc60e20aced45c0e5b43e1a457e6912caf48b234142c32570dd43

SHA512
cb84a9c3af0a8c1b7909b0b25df4fe09b0b22e51ead24d50e6c39fdaef5f70bcbd2cfa238b34bddf763aef4fc5021bd644b24eca896b8a80fa733dc2026c4bf8

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
376KB

MD5
2ab4966b4770c338191dca82a143efb3

SHA1
e1fe7e435f52a2473a67c79f39cac1c6ac812770

SHA256
c4269b525ba1d83b605f0bf31e32bf57dc7f3ce2ace651ab6ec7ade45718f273

SHA512
2e43887e2d1ce1237c145a9ce365c598a46ec39bc5fe99cc4e12ced21b0456760541ba75e666a4d3744d7e4308572221abee2743cae54b1d679056ed2cab0c20

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
376KB

MD5
b0f31c49cd8898bfda40751e2f9bf58a

SHA1
ae878606d2e1824b91e9383042fe5fb5f82456fb

SHA256
39072b26110e7904df668622bbd287044698ec29a34df587ddf4c5c6e373dc4c

SHA512
b249717658333aec492a39ecc547db6efc5fe8016310c9d7fa805bafecc6bbca5dc9d6795f4e6f05c87bacca3b00b77c18b69dc202dae4749fea0d34b405ecb2

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
376KB

MD5
61d1e98de384c9e91df85761e2149934

SHA1
084a02f040b95bd7114708eff1e7fe681c6098bd

SHA256
4e88dfe2410f215513971f1770aff580aff3c0e8cff30b5801fb9c4d4e749073

SHA512
105949bf9aa1733a0b1c1c52f13dfac9809c9ea9c738370b00a1d86a3a2f2a84ccefed244a3f5b7bf4ca195225fd5b7ab1bf74a3dde15507a6c8188d82a36980

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
376KB

MD5
4bd5bcde1cbe2e4dd4dbf44655113358

SHA1
502e3bd952df1152811a33b8eccbece60044906c

SHA256
22536d2b6007d16fcb8f8451c4edc2943389cb5e1d2b61e27b3b22fa2c7c996b

SHA512
3552c0591262c9233ff05e431d0c87f25312f4e883aa5d6fff0cb662fcf3497a3b79c69db8f82a5d492047e385ce214849e4ff62e0c3c35c461ef66e2a4f3995

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
376KB

MD5
c7774aa8f62cdec4e8688789827da31a

SHA1
ee4ff752f743963556e91fe789c7af5ee9af21ef

SHA256
4225480ae13c7d9a7a72cfe6635bdf3f5472793951da7a08fff669d24db20827

SHA512
8cd7b624f89f887910b95497bec6716f504b0d78bfe258e937168a8fb18cc4e4728a4b704f89e684158acbd38c97366dacc1941e439a6e83ed6d81329c678b8d

Download Submit
C:\Windows\SysWOW64\Lnepih32.exe

Filesize
376KB

MD5
ad4afe60426160a0985f1f63555c3c19

SHA1
dace1fa13711004f6d59587d6cd40ab536415684

SHA256
d7b8e50a709a4013da8993966679f29e2e007cccd737ac52997ba753fc0326cf

SHA512
79f244cafd7314270053c2d576a2d01c11f1c6c1fdf85a71ae574377231e4919907d98315017f8c718922fbe9c24ff164be81169b96d6f3e2aa7d7551459c831

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
376KB

MD5
de68fbbd7b7e47ded6f8817bb1fbc1ba

SHA1
595efc2df55e814e7939ccc980699836c6559e10

SHA256
fbc9d5f6e0825921f31341a8b4817c8a4e597fb6e41b1e4644a4e45cb9539333

SHA512
5d48ef216444fbe4f694eca1995bf02fb52c48239c688aff4d08f1f6145792be26bc1bc0a9d841be2e58ccf6c273a132a27671d2d9fe244a8bf4e7a0cf18ba1f

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
376KB

MD5
bb93c66acb08e7a95d84bc1936c0a669

SHA1
beaf4d2e9554d3573a9ee2af9f5a60e1a3f2c2e7

SHA256
ea7a866ee3ba4ab6df2ddf9e70bebd5293a7d77cd750d10b62a5b053dcb37b86

SHA512
4b430e55c4baa96690d5dd31bb3c8e03d096bb747b4e2e139393a22ad41f896a32aef977650c694155337dda3ba08ecb2571c2b2b0097b807a2096a2af05e0e9

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
376KB

MD5
40deb9257d46f367c35ced97af9c939b

SHA1
df1e75037c6a898852e7f685c42310ba67b1f7db

SHA256
120913a4d85cb4cc670448051cc6272fec35d14353fcb82fbaf7f5d86f65e609

SHA512
6e674f11f9b14f71a4d59a1237601b825d780e1fc8a938d150787561c96c204f6bfa10b572378c26f83433bd5d7e7ff68544094a04bef9998e51e1bef54b4ff6

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
376KB

MD5
b843314e054693ea6768abf5ae5521d3

SHA1
7802e50f18833e561239b4eb4e5d906e4ac1e5da

SHA256
3bc2b7901630eb7676f8ab88f4110195aa4a8b2ece752a0a8c9a6374bd30365d

SHA512
66463f4a6e8922692749770324d545eb5d2895365642ba7531149621d143c67964c301c610f9d6a789f63951e43f8712cf283024a001e25df80541be65a744b6

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
376KB

MD5
cd1414d5a946898d31332554bba6668d

SHA1
2bc97701b3bd58c56bfeae52c265d5b7d340160d

SHA256
6f2b673966773a4049af3a1d6ab3df50fc451ee5aabec36d6cfd8a21e2a33f9c

SHA512
dad898e7a6b4cfa3539c7761ac674985c059b7691d6f94793ab42288f062a57f720b7ac6121ecc8ec540f8b2464c4d4a2a4cb63202bd7311677428ca43f523fb

Download Submit
memory/388-361-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/408-89-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/448-213-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/940-284-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1184-339-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1224-168-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1520-128-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1548-248-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1684-256-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1688-274-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1784-144-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1932-292-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1940-136-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1960-244-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2000-105-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2024-381-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2028-369-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2212-328-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2260-160-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2376-235-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2444-152-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2792-302-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2832-24-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2912-188-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2940-345-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3028-266-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3036-355-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3064-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3064-81-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3064-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3220-49-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3272-73-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3304-57-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3560-176-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3628-21-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4332-197-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4340-225-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4404-41-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4496-65-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4520-375-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4532-272-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4548-220-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4668-199-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4772-363-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4820-286-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4844-33-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4912-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4928-320-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4944-98-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5016-326-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5040-113-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5068-308-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5076-314-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5132-391-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5172-396-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5212-399-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5252-410-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5252-432-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5292-430-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5292-411-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5336-428-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5336-421-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5372-426-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/5372-423-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads