7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee

Analysis

max time kernel
92s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 02:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe
Size

125KB
MD5

2846100db61a3b83c133ade18f382d50
SHA1

bd9fee4856bddc1efd9ae43326f7d1f12c0226b6
SHA256

7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee
SHA512

fb8ed3a1cfdbd565a4dfae214d18bd87a632b72d7ffe547ff39ea0b91bcc51961ee84d5558d3ed1ce2d03451b846b69d75eaa69d7de715e5c684f74cf08b9eb5
SSDEEP

3072:GhlIF3C4hxu87pxEzhicr1WdTCn93OGey/ZhJakrPF:WJ4hxuSS0cUTCndOGeKTaG

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmlnbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmqgnhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgphpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmjqmi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgneampk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/4876-0-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x000500000002326f-7.dat	family_berbew
behavioral2/memory/1500-11-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233cb-14.dat	family_berbew
behavioral2/memory/1680-16-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233cd-23.dat	family_berbew
behavioral2/memory/1992-24-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233cf-30.dat	family_berbew
behavioral2/memory/4528-32-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d1-39.dat	family_berbew
behavioral2/memory/2852-40-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d3-46.dat	family_berbew
behavioral2/memory/2212-47-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d5-54.dat	family_berbew
behavioral2/memory/2824-56-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d7-62.dat	family_berbew
behavioral2/memory/4276-63-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233d9-65.dat	family_berbew
behavioral2/memory/1020-72-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233db-78.dat	family_berbew
behavioral2/memory/5100-79-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233dd-86.dat	family_berbew
behavioral2/memory/4176-87-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233df-89.dat	family_berbew
behavioral2/memory/4768-95-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233e1-102.dat	family_berbew
behavioral2/memory/2160-108-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233e3-110.dat	family_berbew
behavioral2/memory/2976-112-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233e5-118.dat	family_berbew
behavioral2/memory/4036-120-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00080000000233c7-126.dat	family_berbew
behavioral2/memory/4008-127-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233e9-134.dat	family_berbew
behavioral2/memory/4080-136-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233eb-143.dat	family_berbew
behavioral2/memory/4968-144-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/948-151-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233ed-150.dat	family_berbew
behavioral2/files/0x00070000000233ef-158.dat	family_berbew
behavioral2/memory/2756-159-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f1-166.dat	family_berbew
behavioral2/memory/3932-167-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f3-174.dat	family_berbew
behavioral2/memory/4460-180-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f5-182.dat	family_berbew
behavioral2/memory/1324-183-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f7-190.dat	family_berbew
behavioral2/memory/4040-196-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233f9-198.dat	family_berbew
behavioral2/memory/4732-199-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fb-206.dat	family_berbew
behavioral2/memory/1432-207-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233fd-214.dat	family_berbew
behavioral2/memory/3036-216-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x00070000000233ff-222.dat	family_berbew
behavioral2/memory/2916-223-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023401-230.dat	family_berbew
behavioral2/memory/3664-231-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023403-238.dat	family_berbew
behavioral2/memory/1328-240-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/files/0x0007000000023405-246.dat	family_berbew
behavioral2/memory/2956-247-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew
behavioral2/memory/1328-250-0x0000000000400000-0x0000000000447000-memory.dmp	family_berbew

Executes dropped EXE 31 IoCs

pid	Process
1500	Kkihknfg.exe
1680	Kacphh32.exe
1992	Kgphpo32.exe
4528	Kmjqmi32.exe
2852	Kmlnbi32.exe
2212	Kcifkp32.exe
2824	Kmnjhioc.exe
4276	Kdhbec32.exe
1020	Lmqgnhmp.exe
5100	Lgikfn32.exe
4176	Liggbi32.exe
4768	Lgkhlnbn.exe
2160	Lpcmec32.exe
2976	Lgneampk.exe
4036	Laciofpa.exe
4008	Lgpagm32.exe
4080	Lphfpbdi.exe
4968	Lcgblncm.exe
948	Mnlfigcc.exe
2756	Majopeii.exe
3932	Mgghhlhq.exe
4460	Mamleegg.exe
1324	Mdkhapfj.exe
4040	Maohkd32.exe
4732	Mdmegp32.exe
1432	Mjjmog32.exe
3036	Nceonl32.exe
2916	Ngcgcjnc.exe
3664	Ncihikcg.exe
1328	Nqmhbpba.exe
2956	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lphfpbdi.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lphfpbdi.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ogdimilg.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Hbocda32.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Laciofpa.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lgneampk.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Jjblgaie.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kmjqmi32.exe	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liggbi32.exe
File created	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Kcifkp32.exe	Kmlnbi32.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File opened for modification	C:\Windows\SysWOW64\Lmqgnhmp.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Kmlnbi32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ofdhdf32.dll	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Bidjkmlh.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Kacphh32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kacphh32.exe
File opened for modification	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Baefid32.dll	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	Lgikfn32.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lphfpbdi.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lgneampk.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ajgblndm.dll	Kgphpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kmlnbi32.exe	Kmjqmi32.exe
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Liggbi32.exe
File opened for modification	C:\Windows\SysWOW64\Lgneampk.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Kmnjhioc.exe	Kcifkp32.exe
File created	C:\Windows\SysWOW64\Dnkdikig.dll	Lmqgnhmp.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Kgphpo32.exe	Kacphh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4600	2956	WerFault.exe	112

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglppmnd.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgqhjop.dll"	Lgikfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lmqgnhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Liggbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghiqbiae.dll"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lcgblncm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khehmdgi.dll"	Lgneampk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdhdf32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akanejnd.dll"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmlnbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgikfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgneampk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjfoc32.dll"	Kacphh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kmjqmi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plilol32.dll"	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimhnoch.dll"	Kcifkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocda32.dll"	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblgaie.dll"	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Laciofpa.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 1500	4876	7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe	82
PID 4876 wrote to memory of 1500	4876	7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe	82
PID 4876 wrote to memory of 1500	4876	7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe	82
PID 1500 wrote to memory of 1680	1500	Kkihknfg.exe	83
PID 1500 wrote to memory of 1680	1500	Kkihknfg.exe	83
PID 1500 wrote to memory of 1680	1500	Kkihknfg.exe	83
PID 1680 wrote to memory of 1992	1680	Kacphh32.exe	84
PID 1680 wrote to memory of 1992	1680	Kacphh32.exe	84
PID 1680 wrote to memory of 1992	1680	Kacphh32.exe	84
PID 1992 wrote to memory of 4528	1992	Kgphpo32.exe	85
PID 1992 wrote to memory of 4528	1992	Kgphpo32.exe	85
PID 1992 wrote to memory of 4528	1992	Kgphpo32.exe	85
PID 4528 wrote to memory of 2852	4528	Kmjqmi32.exe	86
PID 4528 wrote to memory of 2852	4528	Kmjqmi32.exe	86
PID 4528 wrote to memory of 2852	4528	Kmjqmi32.exe	86
PID 2852 wrote to memory of 2212	2852	Kmlnbi32.exe	87
PID 2852 wrote to memory of 2212	2852	Kmlnbi32.exe	87
PID 2852 wrote to memory of 2212	2852	Kmlnbi32.exe	87
PID 2212 wrote to memory of 2824	2212	Kcifkp32.exe	88
PID 2212 wrote to memory of 2824	2212	Kcifkp32.exe	88
PID 2212 wrote to memory of 2824	2212	Kcifkp32.exe	88
PID 2824 wrote to memory of 4276	2824	Kmnjhioc.exe	89
PID 2824 wrote to memory of 4276	2824	Kmnjhioc.exe	89
PID 2824 wrote to memory of 4276	2824	Kmnjhioc.exe	89
PID 4276 wrote to memory of 1020	4276	Kdhbec32.exe	90
PID 4276 wrote to memory of 1020	4276	Kdhbec32.exe	90
PID 4276 wrote to memory of 1020	4276	Kdhbec32.exe	90
PID 1020 wrote to memory of 5100	1020	Lmqgnhmp.exe	91
PID 1020 wrote to memory of 5100	1020	Lmqgnhmp.exe	91
PID 1020 wrote to memory of 5100	1020	Lmqgnhmp.exe	91
PID 5100 wrote to memory of 4176	5100	Lgikfn32.exe	92
PID 5100 wrote to memory of 4176	5100	Lgikfn32.exe	92
PID 5100 wrote to memory of 4176	5100	Lgikfn32.exe	92
PID 4176 wrote to memory of 4768	4176	Liggbi32.exe	93
PID 4176 wrote to memory of 4768	4176	Liggbi32.exe	93
PID 4176 wrote to memory of 4768	4176	Liggbi32.exe	93
PID 4768 wrote to memory of 2160	4768	Lgkhlnbn.exe	94
PID 4768 wrote to memory of 2160	4768	Lgkhlnbn.exe	94
PID 4768 wrote to memory of 2160	4768	Lgkhlnbn.exe	94
PID 2160 wrote to memory of 2976	2160	Lpcmec32.exe	95
PID 2160 wrote to memory of 2976	2160	Lpcmec32.exe	95
PID 2160 wrote to memory of 2976	2160	Lpcmec32.exe	95
PID 2976 wrote to memory of 4036	2976	Lgneampk.exe	96
PID 2976 wrote to memory of 4036	2976	Lgneampk.exe	96
PID 2976 wrote to memory of 4036	2976	Lgneampk.exe	96
PID 4036 wrote to memory of 4008	4036	Laciofpa.exe	97
PID 4036 wrote to memory of 4008	4036	Laciofpa.exe	97
PID 4036 wrote to memory of 4008	4036	Laciofpa.exe	97
PID 4008 wrote to memory of 4080	4008	Lgpagm32.exe	98
PID 4008 wrote to memory of 4080	4008	Lgpagm32.exe	98
PID 4008 wrote to memory of 4080	4008	Lgpagm32.exe	98
PID 4080 wrote to memory of 4968	4080	Lphfpbdi.exe	99
PID 4080 wrote to memory of 4968	4080	Lphfpbdi.exe	99
PID 4080 wrote to memory of 4968	4080	Lphfpbdi.exe	99
PID 4968 wrote to memory of 948	4968	Lcgblncm.exe	100
PID 4968 wrote to memory of 948	4968	Lcgblncm.exe	100
PID 4968 wrote to memory of 948	4968	Lcgblncm.exe	100
PID 948 wrote to memory of 2756	948	Mnlfigcc.exe	101
PID 948 wrote to memory of 2756	948	Mnlfigcc.exe	101
PID 948 wrote to memory of 2756	948	Mnlfigcc.exe	101
PID 2756 wrote to memory of 3932	2756	Majopeii.exe	102
PID 2756 wrote to memory of 3932	2756	Majopeii.exe	102
PID 2756 wrote to memory of 3932	2756	Majopeii.exe	102
PID 3932 wrote to memory of 4460	3932	Mgghhlhq.exe	103

C:\Users\Admin\AppData\Local\Temp\7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe
"C:\Users\Admin\AppData\Local\Temp\7bc56d5f7fab1d9dee71682bbc264257040daef3831ee9f0c84aafff2e3da3ee.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Windows\SysWOW64\Kkihknfg.exe
  C:\Windows\system32\Kkihknfg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\SysWOW64\Kacphh32.exe
    C:\Windows\system32\Kacphh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\Kgphpo32.exe
      C:\Windows\system32\Kgphpo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\Kmjqmi32.exe
        
        C:\Windows\system32\Kmjqmi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
      - C:\Windows\SysWOW64\Kmlnbi32.exe
        
        C:\Windows\system32\Kmlnbi32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Kcifkp32.exe
        
        C:\Windows\system32\Kcifkp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Lmqgnhmp.exe
        
        C:\Windows\system32\Lmqgnhmp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Lgikfn32.exe
        
        C:\Windows\system32\Lgikfn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Liggbi32.exe
        
        C:\Windows\system32\Liggbi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Lgneampk.exe
        
        C:\Windows\system32\Lgneampk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3036
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2916
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        32⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 412
        33⤵
        Program crash
        
        PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2956 -ip 2956
1⤵
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akanejnd.dll

Filesize
7KB

MD5
6817691359acb1c54507cc367b727476

SHA1
f039cbf87686929f32f4a063f896dcea08cfd69a

SHA256
763ef70106dc44b60b68e6559ab68fbc178d6d30ba016ad5b72ee0d0d1e87337

SHA512
906d539e151b5c0e50dcb5c21dc8457e128e367f5f42b14df9b06cee30076220e0b4fdf7189c2f1403b48d9cb63279482a0c4d61d86c9eb3b459bb980f43a954

Download Submit
C:\Windows\SysWOW64\Kacphh32.exe

Filesize
125KB

MD5
60c6a70e37206fe2800f02748a46595f

SHA1
ee76d6c475c56afcc5ef7008a470aa97cfb5fe5f

SHA256
9415dc3789f0230ce5a2e85555c29827df6355c585d29ad9a982d225bb561f30

SHA512
54206822728d4e1747ae1cbd99169016094d45d4c7536ffe765649f600315e31b2f58cb14962f0ec47b651c43c8266f2ee94a3274b55452fc59989dcaa8c3c53

Download Submit
C:\Windows\SysWOW64\Kcifkp32.exe

Filesize
125KB

MD5
63112082cd077a52966a9e0ae37dea88

SHA1
6e22787f82d241c3a38de6caeb4d4e97c5659e26

SHA256
85303d0a20a38b9ecf1eabe5a988c84262b139728dec31a5f129549514126973

SHA512
10a4b6b531129d0bfea717a48645ae3463d375c76bc63a91bcaabf720917ca74bf78d5d7237a2443be43524c9505e298c8324c45aa982174ff1381a2af6ee613

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
125KB

MD5
676bd9e858ab4d58e6acd36611c5b4c3

SHA1
96388f01f86cbaca49d6a42071d18dbf346d1287

SHA256
0cd8a159ee4776b4ceac31aa0d1179080ea6631be7cd8935099faaf42a0d20e9

SHA512
09704085a04c2fe46894b7eb2cf2a1aaa5426ef1b18b26e449d50f55ca894f9f0daa7a7da23842c168ac9b3dc7420ac8024ca8d956b35c940f423ab8ddbaef2a

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
125KB

MD5
41cf8210bcfb866a89bf1f60847c795b

SHA1
7478d7dc858c95aec2d9dc5a63411975de8c623a

SHA256
a410c536ebdc4d63851a9f943a4e93ec07533120d19d121fd9b181fc3e7bf98b

SHA512
e1352cbff139c220fdd72094a659cac46658e2fff5292f1dd447ee4d445192247cfd39aac2acfc74dab217f7c56828eef5c9fc00df87f73f94954a23bc922063

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
125KB

MD5
9b9e6940048252a56025afd3efed9fd5

SHA1
e428786df42516d883379dceff473441d3860ef5

SHA256
5bc9352d32205d51552268c128b002bbd63815493784a15b3f17fafacdfa1882

SHA512
b338b351f22443ef2d07d67482872937aaeafa375bcd78c33c918a50aa4de42ccc748961c71ca0c9fda8fdb00ff74b7914238332d8c2049eaf9863c92747069e

Download Submit
C:\Windows\SysWOW64\Kmjqmi32.exe

Filesize
125KB

MD5
4d7baad82f248b93216552b6e637163f

SHA1
9cfb0ac5d21b9c22e222a23d546594ce5d2b2074

SHA256
68f5e0ea981d194aea87468a699916bac98a68eb4c0e2e23c68eb3dc44876509

SHA512
929785ab70d7cf836f083a92d1d4b2486db6db51fdf693e5efc92ba01257b9ed51df20de2dda918933c16d70d156ff93f521579ec74685bfa0c5b4c9d1240c01

Download Submit
C:\Windows\SysWOW64\Kmlnbi32.exe

Filesize
125KB

MD5
6b71a7c517bc369634f4fd2bda9d63e0

SHA1
f4493cca33b1350f3b0e7f7545588adaf40f282e

SHA256
0f3aa6215b2444fd190e433f18185f9ae48c03c6498243491e4260952675f67d

SHA512
791bf7778e25c02ad3196711630e0173e33bb1fde350980a4b464d2d337389e30339d188acf31abb8d17b3661babe3db5bed374f51e4714fa0eab0dc733dd5e6

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
125KB

MD5
fe2580e9d7a786f9f6494db580529deb

SHA1
b995aa6ac45c6e0248f3818fb884f86326c57a6e

SHA256
ffdec334758d6ed39db268305bffe6c95aa3a29a0714bfe1c8a370edaae18954

SHA512
22d3fc52a13ad48a882d38ec82d0463d083e5f821af8d185038cc3c0043b103691c4503f8a790fa7acc4f00103863f848023dd9fd446e0bce1e207101dd91522

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
125KB

MD5
749bffd59ecbfd6ed47f902ee32e9484

SHA1
bbda0b71da3bd2f5956fb2aa73e2786a91f5619d

SHA256
ee7a4d8cba65ba7e50c657abd2b683a556f1042d2cb4f701ccc3b9abf8254fc6

SHA512
07c1aeeb390d0e24c7910946b6f72ae6ce9eacb4f93aa43ab7fe1630028f48eb1996ce29e7772f5f75329ca81c9210befd627c68850e5f585ba0dd3827ad707c

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
125KB

MD5
85f96cf50defb1b6c37c440b87c9863e

SHA1
a8e6ee8a5994098a9b756ba39677a807e183bc49

SHA256
513d5ac6156575be0c65ef1f938902e1aa7a2af2c4ed0f006dcaa647559f4e70

SHA512
aba4c63bd19e0fee9216e1272b30f3b7a9c27885ec93b7c0ac8c629e02ffc14d8407f903cb4f1f846a32221796f5667051486480895e8c7713b92105afac38d8

Download Submit
C:\Windows\SysWOW64\Lgikfn32.exe

Filesize
125KB

MD5
0dee9215ab338f2ec6e6d9ef65f43e6c

SHA1
9f83a0bb7bb3ed0d2c38bd914d301b7fc607ee73

SHA256
11f0495b418dcad5adcfded01d06d46bccf6aa6f336ea78aa1b4afe4035bb164

SHA512
13ad49030bad217349ed88c78301dc5144c1818f679f6f257f772de80da89117833dcbc5e7a401d2a59aff9c67678bedbab90bc70ab7aec113417af629eeb68d

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
125KB

MD5
f0cbc7e6641c65c9f74c5cf4b6fdf7db

SHA1
ba65541a831c8dde83e5e0577ab56f73089b45b9

SHA256
5ff9b992b6feed5ab6ab4608c370ae37928825e8af8372af78485e1165751043

SHA512
3192b825f0e615b025ba61e12ead4393ce4093f245c4c9e74ef2551be20a45df5830b98cef702570a1c7440bf41dcfbadcf2c8e918b508fed9956d18332ef3e5

Download Submit
C:\Windows\SysWOW64\Lgneampk.exe

Filesize
125KB

MD5
1b9085a711490d62820f97477c65275c

SHA1
872664ad60f65cdc0e346a68d7251d89768f5b27

SHA256
f88fe8b415842631a140246d45ceae8dbbdce0b132b4861e5c3a00eed570992d

SHA512
41d944c0b706c3da8096ff972b211f925b5f7caf2215ae31ea2279581c2f0b0a931ec5a519316e514a6d332c27da75accf29b967e152d89e28d6f255d75762ca

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
125KB

MD5
b607cf03e3afaef4c6a8cc3c326cb29a

SHA1
73af664d819b991540c508cae941d6830023bcfc

SHA256
a0fcd6edf9b5626c8acb52a2eace1dab8a65580a7b028807e7e4da9664d2f5ca

SHA512
d2c67892012850a5b8abb107ebfdf25fcc3c6ac53b56298d2a53d9e23a91013681bf8d3ea2b366c22e844d296cb2b8d84aa3ef2e73ff024f5ae3ccebef004461

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
125KB

MD5
cd852f9f91f7f3cc251942146c36bf89

SHA1
02f2fef4263d2d3290a50993d57a8b47425bd073

SHA256
12d9247786c952a00705a908ff99c9faa35d7bd8fccaf43f9b1f37ccc69970c3

SHA512
e53c22501923c09171ce9a234f1620e2250b62ae9465dee524d6b74b22488c9806aa657d75a3e8ba743a510ff5e164b31cae9808bc5af9ece4cbae58071955c8

Download Submit
C:\Windows\SysWOW64\Lmqgnhmp.exe

Filesize
125KB

MD5
c4649d8aa9991addf7802d78565b645d

SHA1
c877df0b42135a46fdea1b63e83bee5bca551b27

SHA256
c79384942b9d7f069ffa45f65a35c9b0d24d7085d24e8f5bffa99affe0e2b33d

SHA512
46e4891692eb7548720cf53e1752be3c740dfaee9ad65f80f36d4ca9b6e95aa8ee06bf12784862355f6f1e43f85b2d0f7749a350e206bf6fb1421a094f60c84a

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
125KB

MD5
b2c55ee2f938e1000895c01600d13079

SHA1
80ff8f9103c3d3d19fe68866f915bbe481140f46

SHA256
24c717984ef3232d07a2e5e4e9d796ff5fa48e88b13cc7f3cc0c2235347b6a46

SHA512
c039e2ba91f7d591a9b8eb063e4e7907b9c3a4b577b5603a27311d700af8ca90890c10173a71bb078f2a036f7edd39cd3f5c1d274b43ad9a42ef0f7eb8576aa7

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
125KB

MD5
8fcb84b0fc9612e0e5c6d8cd30e73159

SHA1
2f4a293c5b332dfdd8d7919fc8ef1ab90bbfe54a

SHA256
8a101a502ae71c9265ed678e5494a81f2590b2c8a133ad9f4c392178857fc3ce

SHA512
5199a5e9123b72420590d124a0077bc2d7f42d4d35968a5143282b24d2021a12ba00561fcf25b7650a6eb4336ae72a8b680f0a4b8c1531ccb2e704adc116273c

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
125KB

MD5
018b4ea91197b0a5adcbf1ed1ae6b4ba

SHA1
2e9156bc61ae7847a0103015839a5d09a5b40601

SHA256
859094be0b7f583217ee4f5d503007146131e3d3aabfcc7225be5a3259bf0354

SHA512
e3b2222b22e8f7bf9f684d22b3b1f7c5130ffd571e92c185812f56b7b07b7062024134cec85ea3d772bcc41134f4afca231a82f2f6163e258c8f119a4b5475d2

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
125KB

MD5
b06bef9e66a71bc308853d58c9ee0a21

SHA1
c84c53800b57bd6cd3fd822a7dfea68541439d9d

SHA256
418d6802cc0a5524a1769c6c353ac4aaf881402ea89b8858e7c1d011882ef716

SHA512
c5ca1ad0f91876e5b03f82ea718b82394ded866bbf9ce15b243f7160f183d6dd683c244b00e30152c65994ec078847aad6fab37470dbbc8ba4e8885ffb46241a

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
125KB

MD5
092b98e7915887c5d0a1868078d07047

SHA1
a59d72563c47f5a44e866cf1a731e729a0a56f54

SHA256
00bd12e5d5786733214f413bb4b3f9bff08aae58b1ae59e3ef2dcf96d3c42445

SHA512
503007e7cee37e8a242f9ecc111eb16b84a30cd3466155b422f720bfaf99e8eba90d3072df14bd6e55529c4ac1bc300fe369e229e3b06d2ba45104435a6abd43

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
125KB

MD5
c09b209bbea905145002d1d23edded53

SHA1
be0301a09640461b015619001dd1ba9421d54340

SHA256
dceba04ee615b4298b1393600fd3c116ee594ddc20af06022dc495759478d1cb

SHA512
efc14a9e62f683713b709cf161bf7e109075e84094356a14df77082bdd0a7a034514e685cd9b3256f246a299a57faa6e630ac497964ba8f5644c27e38674e782

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
125KB

MD5
7b2ff9759eb0be6b27b1e1460239b8ba

SHA1
c5e90ca33928cf73e20e98152236990c0e6e3a0c

SHA256
96be707f2a2b1e8c517113f9b42b09301e6a8c1c94232d1407f598e6ad887a53

SHA512
c123ee801aa40835c1c85abc107c63e88fcae63df64b4c51da68deca2dbfa1d59ffa7ac189be2b6d7d868c053622666a9639aae18918ff564a4ee46d458fd879

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
125KB

MD5
6a5af35e510b6019232ab15dbe05edda

SHA1
1b23dc627ab921ac494d0e32daf6f10e247678b1

SHA256
271523dbb86598ac09b9bc3427796b0a7d1483cb4710f820f0bb8e033eaf256a

SHA512
d357290171d0724d9ebd9e8e88ff8459b664b422120b3a46e6daa673b25622a63673eafe61eeba048777184351f4665f2290c84a347be91c2ba507aec4688f67

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
125KB

MD5
1b102bda1a1d692413ff7a3635fa660d

SHA1
4e3f5413b51377a83bd36839a82ac03a7f65b730

SHA256
08d90445bfc7f3cb2fc3deb2bcf74517e0f57155eed04fbb14b7b29061dc7c51

SHA512
8cbdd4ed9ac9d8a1b5b41ec5826378b83f72e9c1f635f0abfe371b948ae7317ecd8d3c281d85156d05f7e1f310f74cc31d80a2596a31b35e508006b039c81d8a

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
125KB

MD5
e4f453a8ba1cea1c118199666565584b

SHA1
8be4b523c7832ffd52983ace28834b6a410af5d7

SHA256
462e6b641769d6bab62c61289c8123a1d6c0a2416d08fa62a6a0fca26dabba2d

SHA512
f1ee69bb3dda5cfa21cad31e7608af9f02dac8a06e899eb858e6660b02bf16ff4a48ae06d621449b75be1f01643aa8976cddaefb633f5fcf2e3dbacf7b0fb0fd

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
125KB

MD5
d58233f53c19e5e46f024c912b86717b

SHA1
8cb31334d7cc05675f2811ef958b8ba03cbb9d67

SHA256
fd32e00068df41885c7e23b79199dd7680fc4b9e5f3453385665d974d21af96b

SHA512
ded64ccbd04ab1035c19cfb9c2fba4ff13debeb59361b30e459d6a8657b1c8b8034ad2ddae4c2465085b3ab6a70ec8eb2e6c9ab7583d027ea90977647e7e36cb

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
125KB

MD5
7dd2595a165238e55d8bf0048ab6088e

SHA1
9d614150fc41b89b935089ca93457e60a3b85332

SHA256
5403aeaae67e0350f483171dcd8088ab135ba70c925a959a948f6f9af9d3a4c9

SHA512
26306261c6ccbbefe3456f094cf23fc8390db5edb340f374d94d95b789422be1033279a9c453f802f2ff4773d0257fd656a35a70fcc1bc8114864a4ef27acc58

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
125KB

MD5
93b4e3b236057f409a8182cd71ac1107

SHA1
3602cf944d535da84cd4b93d56eda1b7e5d71a63

SHA256
38fecca12f27373f2dee0362fe65adf35b8596e3625852c3623e5824c3f14a9e

SHA512
f395442f4be07f3049e0fffb02e47dacfa25b42766bd8fc4f35aa5864c7c368fe574f9292c3e43b2da38fa88489ba9435e8dfafe6845970db18a51829e306ef1

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
125KB

MD5
643277c04b2750986408f41d03d4d619

SHA1
a16f316dbaa766db112b6cee7ec16503aece5227

SHA256
ee5983e0e56fa4bf179d6b43ea95c3366a1a15d1c2501f26abf99f38a31c664b

SHA512
bf167e599c0383371bff106258d4025455afcbf9f42e79d99857ed3d8a6ff9e168e1839abddd66b30e684d8e8107a72c637f7aa0fb1de797a60d4a32032fd916

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
125KB

MD5
8f7017077dbfddc27f685347ef1861c9

SHA1
84259e3e71dbf1f0c05fd78c934354d9bc84ae31

SHA256
1e869284cdf3a1fa4e3668ae32d15244b670f5e87014afa57b20268fd18c9abb

SHA512
f5b248a04654e9961521a8c44441aa49f24203b3053e3eaa39393175a9236e4bc4027914331525c5f69d0570b7706e60b002c3afc846376b079e9d80abbed633

Download Submit
memory/948-151-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/948-260-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1020-268-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1020-72-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1324-183-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1324-256-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1328-240-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1328-250-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1432-207-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1432-253-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1500-276-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1500-11-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1680-16-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1680-275-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1992-274-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1992-24-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2160-108-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2212-271-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2212-47-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2756-159-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2756-259-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2824-270-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2824-56-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2852-272-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2852-40-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2916-252-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2916-223-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2956-247-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2956-249-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2976-112-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2976-278-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3036-216-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3036-255-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3664-251-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3664-231-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3932-167-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/3932-258-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4008-127-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4008-262-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4036-264-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4036-120-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4040-196-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4080-136-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4080-261-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4176-87-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4176-266-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4276-269-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4276-63-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4460-180-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4460-257-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4528-273-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4528-32-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4732-199-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4732-254-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4768-265-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4768-95-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4876-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4876-277-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4968-263-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4968-144-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5100-267-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/5100-79-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads