6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe
Size

314KB
MD5

cf45bc457f376e7b7c2a00b1bc8ba7bf
SHA1

49426cf93aa190e567aa1fabf0d865d6ac076ee8
SHA256

6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867
SHA512

f36359f53d379e1628d62bf5bc9bfb68171c84f4e3c8b402dfdcb0a00fef591d54858651c77320032768ba0b619b992769e20da048d4cb39ecefcb9271ed1400
SSDEEP

6144:RM6W58cj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:RM6W576Najb87gP3C

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkiqbl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lklnhlfb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liggbi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe

Executes dropped EXE 53 IoCs

pid	Process
4384	Liggbi32.exe
208	Laopdgcg.exe
4796	Ldmlpbbj.exe
2352	Lgkhlnbn.exe
3968	Lkgdml32.exe
1348	Lnepih32.exe
3036	Lpcmec32.exe
4912	Lcbiao32.exe
1132	Lkiqbl32.exe
672	Lnhmng32.exe
2492	Lpfijcfl.exe
2568	Ldaeka32.exe
3064	Lgpagm32.exe
1976	Lklnhlfb.exe
2236	Ljnnch32.exe
3296	Laefdf32.exe
3648	Lgbnmm32.exe
1224	Mjqjih32.exe
1436	Mciobn32.exe
1632	Mkpgck32.exe
4900	Mnocof32.exe
904	Mdiklqhm.exe
3096	Mcklgm32.exe
2772	Mjeddggd.exe
544	Mnapdf32.exe
2148	Mamleegg.exe
3192	Mcnhmm32.exe
1764	Mkepnjng.exe
456	Maohkd32.exe
636	Mdmegp32.exe
868	Mglack32.exe
696	Mjjmog32.exe
4072	Mcbahlip.exe
2340	Nkjjij32.exe
632	Njljefql.exe
3408	Ndbnboqb.exe
1712	Ngpjnkpf.exe
2592	Nklfoi32.exe
444	Nnjbke32.exe
3448	Nafokcol.exe
836	Ncgkcl32.exe
1488	Ngcgcjnc.exe
340	Njacpf32.exe
1948	Nnmopdep.exe
2488	Nqklmpdd.exe
1340	Ndghmo32.exe
1588	Ngedij32.exe
736	Njcpee32.exe
3300	Nnolfdcn.exe
3752	Nbkhfc32.exe
4496	Ndidbn32.exe
4364	Ncldnkae.exe
1452	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lkgdml32.exe	Lgkhlnbn.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Liggbi32.exe	6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe
File opened for modification	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lnepih32.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Lklnhlfb.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ekiidlll.dll	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Gcgqhjop.dll	6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe
File opened for modification	C:\Windows\SysWOW64\Lnhmng32.exe	Lkiqbl32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Lnepih32.exe	Lkgdml32.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Lgkhlnbn.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3980	1452	WerFault.exe	138

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkiqbl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nngcpm32.dll"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndclfb32.dll"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liggbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laopdgcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdgf32.dll"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpcmec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lkgdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqbmje32.dll"	Laopdgcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnepih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4376 wrote to memory of 4384	4376	6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe	83
PID 4376 wrote to memory of 4384	4376	6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe	83
PID 4376 wrote to memory of 4384	4376	6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe	83
PID 4384 wrote to memory of 208	4384	Liggbi32.exe	84
PID 4384 wrote to memory of 208	4384	Liggbi32.exe	84
PID 4384 wrote to memory of 208	4384	Liggbi32.exe	84
PID 208 wrote to memory of 4796	208	Laopdgcg.exe	85
PID 208 wrote to memory of 4796	208	Laopdgcg.exe	85
PID 208 wrote to memory of 4796	208	Laopdgcg.exe	85
PID 4796 wrote to memory of 2352	4796	Ldmlpbbj.exe	86
PID 4796 wrote to memory of 2352	4796	Ldmlpbbj.exe	86
PID 4796 wrote to memory of 2352	4796	Ldmlpbbj.exe	86
PID 2352 wrote to memory of 3968	2352	Lgkhlnbn.exe	87
PID 2352 wrote to memory of 3968	2352	Lgkhlnbn.exe	87
PID 2352 wrote to memory of 3968	2352	Lgkhlnbn.exe	87
PID 3968 wrote to memory of 1348	3968	Lkgdml32.exe	89
PID 3968 wrote to memory of 1348	3968	Lkgdml32.exe	89
PID 3968 wrote to memory of 1348	3968	Lkgdml32.exe	89
PID 1348 wrote to memory of 3036	1348	Lnepih32.exe	90
PID 1348 wrote to memory of 3036	1348	Lnepih32.exe	90
PID 1348 wrote to memory of 3036	1348	Lnepih32.exe	90
PID 3036 wrote to memory of 4912	3036	Lpcmec32.exe	91
PID 3036 wrote to memory of 4912	3036	Lpcmec32.exe	91
PID 3036 wrote to memory of 4912	3036	Lpcmec32.exe	91
PID 4912 wrote to memory of 1132	4912	Lcbiao32.exe	92
PID 4912 wrote to memory of 1132	4912	Lcbiao32.exe	92
PID 4912 wrote to memory of 1132	4912	Lcbiao32.exe	92
PID 1132 wrote to memory of 672	1132	Lkiqbl32.exe	93
PID 1132 wrote to memory of 672	1132	Lkiqbl32.exe	93
PID 1132 wrote to memory of 672	1132	Lkiqbl32.exe	93
PID 672 wrote to memory of 2492	672	Lnhmng32.exe	95
PID 672 wrote to memory of 2492	672	Lnhmng32.exe	95
PID 672 wrote to memory of 2492	672	Lnhmng32.exe	95
PID 2492 wrote to memory of 2568	2492	Lpfijcfl.exe	96
PID 2492 wrote to memory of 2568	2492	Lpfijcfl.exe	96
PID 2492 wrote to memory of 2568	2492	Lpfijcfl.exe	96
PID 2568 wrote to memory of 3064	2568	Ldaeka32.exe	97
PID 2568 wrote to memory of 3064	2568	Ldaeka32.exe	97
PID 2568 wrote to memory of 3064	2568	Ldaeka32.exe	97
PID 3064 wrote to memory of 1976	3064	Lgpagm32.exe	98
PID 3064 wrote to memory of 1976	3064	Lgpagm32.exe	98
PID 3064 wrote to memory of 1976	3064	Lgpagm32.exe	98
PID 1976 wrote to memory of 2236	1976	Lklnhlfb.exe	99
PID 1976 wrote to memory of 2236	1976	Lklnhlfb.exe	99
PID 1976 wrote to memory of 2236	1976	Lklnhlfb.exe	99
PID 2236 wrote to memory of 3296	2236	Ljnnch32.exe	100
PID 2236 wrote to memory of 3296	2236	Ljnnch32.exe	100
PID 2236 wrote to memory of 3296	2236	Ljnnch32.exe	100
PID 3296 wrote to memory of 3648	3296	Laefdf32.exe	101
PID 3296 wrote to memory of 3648	3296	Laefdf32.exe	101
PID 3296 wrote to memory of 3648	3296	Laefdf32.exe	101
PID 3648 wrote to memory of 1224	3648	Lgbnmm32.exe	102
PID 3648 wrote to memory of 1224	3648	Lgbnmm32.exe	102
PID 3648 wrote to memory of 1224	3648	Lgbnmm32.exe	102
PID 1224 wrote to memory of 1436	1224	Mjqjih32.exe	103
PID 1224 wrote to memory of 1436	1224	Mjqjih32.exe	103
PID 1224 wrote to memory of 1436	1224	Mjqjih32.exe	103
PID 1436 wrote to memory of 1632	1436	Mciobn32.exe	104
PID 1436 wrote to memory of 1632	1436	Mciobn32.exe	104
PID 1436 wrote to memory of 1632	1436	Mciobn32.exe	104
PID 1632 wrote to memory of 4900	1632	Mkpgck32.exe	105
PID 1632 wrote to memory of 4900	1632	Mkpgck32.exe	105
PID 1632 wrote to memory of 4900	1632	Mkpgck32.exe	105
PID 4900 wrote to memory of 904	4900	Mnocof32.exe	106

C:\Users\Admin\AppData\Local\Temp\3078349721\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\3078349721\zmstage.exe
1⤵
PID:696

C:\Users\Admin\AppData\Local\Temp\6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe
"C:\Users\Admin\AppData\Local\Temp\6f5620c9a401355138c8936611231a48c20520b2d9671ea9f99d942b03ab5867.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4376
- C:\Windows\SysWOW64\Liggbi32.exe
  C:\Windows\system32\Liggbi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Windows\SysWOW64\Laopdgcg.exe
    C:\Windows\system32\Laopdgcg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\Ldmlpbbj.exe
      C:\Windows\system32\Ldmlpbbj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
      - C:\Windows\SysWOW64\Lkgdml32.exe
        
        C:\Windows\system32\Lkgdml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Lnepih32.exe
        
        C:\Windows\system32\Lnepih32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Lkiqbl32.exe
        
        C:\Windows\system32\Lkiqbl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Lnhmng32.exe
        
        C:\Windows\system32\Lnhmng32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Lpfijcfl.exe
        
        C:\Windows\system32\Lpfijcfl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Ldaeka32.exe
        
        C:\Windows\system32\Ldaeka32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Lgpagm32.exe
        
        C:\Windows\system32\Lgpagm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Lklnhlfb.exe
        
        C:\Windows\system32\Lklnhlfb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2772
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        28⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        30⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:696
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2592
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:444
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:836
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:340
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:736
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3300
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        55⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 400
        56⤵
        Program crash
        
        PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1452 -ip 1452
1⤵
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Laefdf32.exe

Filesize
314KB

MD5
a1b8bf7edd1b0d2c0185c21c33d9d918

SHA1
928be8f7c2c7d5142c5d387e5a67e1a552e164a9

SHA256
af661384f79ec87103f150d6b2a7a8b31d57d388ef5735b44ed3ba0bdfd7d485

SHA512
379344a6931dbd4396672dcca12e0eac1759104a0e06774101945949ad407886cf09eff5d0d5814a67ceaf235ae54ec1c91442b05d8fea39ba690cbcfe6a2710

Download Submit
C:\Windows\SysWOW64\Laopdgcg.exe

Filesize
314KB

MD5
9902b7b3baf65c2ac6c19d8f00fff627

SHA1
bd04ad23b4fbda79922c807d8ef9e31092cfe131

SHA256
af96fea55f54b1a90496da0c232a1e6405ed233f8d8d0a632a477c5efb3d3995

SHA512
b6d720b4a5bbe91711e6fe84074c321ff549eeb6b9887d1152587062b9c9a99594222e507be3bea5b8817550687dcf0b7306766ef648da84a520ac74ff91f880

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
314KB

MD5
748e2518a0365992800b92fc9a90b31d

SHA1
de9f3a4d0bc2c5020ad8d6090611e99ecea6ecb4

SHA256
906c4151123459b8ed9eb9ed40378a376b78c3cc1365755346052483770d3ff9

SHA512
0ed5ffb9a6d2acb281b4aded561b6d49be7f419f064b13fe4d8874288dd81fb0bccda4395aa3b3e1b8316c934ef06aafd06d6ef3226ce8a73c3ed886fb74e578

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
314KB

MD5
05b4ff226449a36620870fdd1b6e3a64

SHA1
5bfdbf74805db084624545e069d5bf2b4c87494c

SHA256
0c6b80ced9aff172fee0a95781d1fb7af72c7e4fad4782d9021f285ba703176b

SHA512
66f95ac7c24594e18a0c428eb6609cc2f2e710c44e8af09117ed9b65c591989eb6432146e37787f1f3c87db6100bba92977006c01e589c43385f793c626ae828

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
314KB

MD5
2ce5485590d65ebdee3546b13750aa23

SHA1
31636ca4aa41bc3aa0e6b1c665becd15e8ad23a7

SHA256
00e74155b76bb5a1b0ce76d44eccb88a4d23453fbf861e2ac163a4812ef2fef3

SHA512
8a8a4aba46e32a6e76dd31f391f18c3c64287e8e0b989b09d4484f4f904eff93e12dcef084c35b1b83a01fbf497b837d519a16692a4f0189f66510b150ed060d

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
314KB

MD5
f7a9d39bd2053b805babc8fabd677906

SHA1
cf000625edbfb47ac598c1e269fbbee7298f4779

SHA256
a65a4b204df87d9d9e3fa6556fa5575a9af6dfb56191ba154beb06f0c758a33a

SHA512
b21ab50a8421ed142fca3e338701b81362e3d63df76aa3aa79700617fbab1907b5d5b362545d258bdb0784e6551c43a6166b0213ea9aad1b477e859c81e53b41

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
314KB

MD5
ea6200bcf3569bac8eba895d7aa5d586

SHA1
5153ad0d34234ebfe9378ea39221b7369252cd7c

SHA256
c4f013a3f4f9353f51091d155bdf411d04bffd8c2d39ea42934cf24947188869

SHA512
caf7f0afb9c0ec6f5f02566780231dbae77165d5752d732fdc25aceda5b11fa390be1fcfd4bf7129f1793356cc0b4a318578e82ccd7ffa99cb1ac17005b9e49d

Download Submit
C:\Windows\SysWOW64\Liggbi32.exe

Filesize
314KB

MD5
7cd3d27a35ae4936a4d2bba4ec337de9

SHA1
fe76b681f6e805d1710953f09287a0e58ffdb598

SHA256
13cb2803e51616a760dcfd517fba32b05443aa9200a7805875e5288e817e541b

SHA512
491956954b4078fbf640747d5d05e477ddbb0810783d7510470ced5dfb7abc12f3965d6a6eba596cc8ed2114036ff7853fefb4e45413b78a0d461119866c3858

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
314KB

MD5
5f3f34304d472c9d25e11bcbde44531c

SHA1
3cd91ce3bb169928b69513b7a50dcb90cb39e773

SHA256
3b2469cb5e9c71583ebf36a9428e0217f5eebc15073cb18ec60b6c76704ad1a0

SHA512
53c40498ead918b6db1f7912ee2848f0fb12807e7c2eb948239d773d858db0214db9d2fd828df04749c8c8fcfcf7ac14bcb6034804d1995afa6dc3bc1250d5df

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
314KB

MD5
23fce28a3c272080e89a9845020ba0b5

SHA1
97f2e62e2413411ef8f66f797c0b8f6283f2ecc3

SHA256
3094681055178f2010e867e75516ad2eeae2bce7bbc587b5dcc0c7435eea40ee

SHA512
55e036556dd05b6e98a0a25e643dbcccb3af873c7ecdf5f45781ec385afb3419d0e6bf927b59af75ab4984917b01c08a92ae4bf434ef65cef01920a0b7d4036b

Download Submit
C:\Windows\SysWOW64\Lkgdml32.exe

Filesize
314KB

MD5
92893b08bbb594f9f9002068b12bd798

SHA1
da2656905dea37602822370ce31352b05dff5791

SHA256
ff0664239f4c44b14e2eef4b59aad298aa32abf3ef4c611c8bbc3857384875b1

SHA512
5fb1e8a3a689642981655eb4b428dc17e5e290bb5b71370888976b9b823febae8450dea1b4b80be32c0f9e17d6998819724c1071de93a883e8dde12db4d33582

Download Submit
C:\Windows\SysWOW64\Lkiqbl32.exe

Filesize
314KB

MD5
e260a6ee9cfb67bed310eb04ad4c024c

SHA1
8b71af945e63aec1c354c2c658f0410488a048c1

SHA256
5f232cc3827d158a5e12c13d80c8fa3c456fc26b83c0fadb633c4109d5482597

SHA512
44cf146492b2b6c1f660de7b6a0327d83e52a576bc98ee275a8d7d0bb08a5c44ac914a11a471166a797d861773fad099f0cf23030864e7d09b5587520ce270dd

Download Submit
C:\Windows\SysWOW64\Lklnhlfb.exe

Filesize
314KB

MD5
a1b26fafa1ed052cd9f6e7a03d120376

SHA1
c4c773b2beae9b28b91ffafa41624478a7a5285b

SHA256
9a36416fb7eba5309ce9a17084e4df938b35e68e2776827db9f258c0db605cab

SHA512
d0e4eec9789d7a176d36e53d46bb1e797d313138e7839c67ac3cfddde2a273ec0d0617e16efd8cd21216c05777807ec9527e313d3e04d2a32c1fc7a4dd237379

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
314KB

MD5
c5da3c74bfdd6a57181cbccead92e319

SHA1
f3c094ef324548eb9c077f3fc7eec3081fedae91

SHA256
a47c83e7749a1a9244da56f774daf9170822f26738bd009c082b383a4fdaabd2

SHA512
099918c27d11aa3ef5b4ee7b979ca68909c484f8a90ef234c9cf9a3417b48a0ccd82114f852b22ceefda978b85b7278e4308d782a942f23a42279e83c4a5936a

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
314KB

MD5
2a6ed9fc90e29d433fd8703f4c94fdf8

SHA1
03ddce7ce72e0fe75c75ed3d57e11bf240d81918

SHA256
1cf33d2e271959544b22777218b832ebcccbafbdbdd5663191ec78a13bf57d22

SHA512
178cbb2b7027fd648adc61edb84d232133f1b1ce5acfd87cba749a14ebe4fc7fc8de1086713970aee001dede3e3aa0de2d213edb3791cadfb17b462bc90ea7d1

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
314KB

MD5
c17fc7077a366324ed431577c7fc1ecf

SHA1
0b0ac6ae3a4bcf80bbfbd932f5116c686b4389b9

SHA256
bae8f77c71e5b571c589dcdc0b75bfc580a71c89712af0431e3a4144bb5b081f

SHA512
9410dd7f5b2a00d3b7075e3119518a94d476668584d0ddd12c09ab11342b0ed3826883b7f8b9a2a2dc4ba1ba4deaf1e8b4cc6b5a2466861e72076aa3f4abe138

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
314KB

MD5
7a6b947a32d12bd40cb5a6572c894173

SHA1
7973dc631c899d1e4b9c5fc24136c571dbd02f54

SHA256
0882b8411cd9851da8a81153d5a0fe96dddebfb81747bfa82ebf600191260e3c

SHA512
3bb049da2eeaf7db396bcf853e3a4ee96b7781b54a018f96f51fd4959a897b3665d0ac4bb10bb409d9404be69d9fcc7bbedcf39f8d9eb4b1f1aec2de6f5b7170

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
314KB

MD5
d17a4a422e65ac787e92fd2ad6bac0ea

SHA1
9d2cb85f17db1bd4253938b3ab56aef0e10b951c

SHA256
49378f48f85147e32883dce1bc5974433ec1d208aad0927f70b836b098319d43

SHA512
2e2034b29d2f7e71f2cdef19e21afec5f8dbfa5c3b269d4fff3bb87fbf31f206e179f98585f738258e481ea7cfbfe1980a684b62bc083b4d2bbccbe6c0980a5e

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
314KB

MD5
297c8b2452a9ac85acf110725e820b81

SHA1
a6514918ecbb44bc8c99b9b8742d7e807554e276

SHA256
a3993a5e5311e5fda3ffdf714f8410442f476c7ab4fe42378ac1c3ed2a09fed2

SHA512
e67a84f4fc55fea3eb2de3a416d782d30088a1357cc8fdd00d89fb303063576afa2a6e41dfe23f0d0f5ee5370d6ba077d11cceeeee7643df7bdbd268464881df

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
314KB

MD5
bff140ffd97d65af08b8acdb40b6790c

SHA1
b3e8f9bb343854f319554b527b5a2d792ab484be

SHA256
e6b2e82a8f4f03b20a0493b21554852093d4916106abfbf3af787bd31f720d37

SHA512
1769a893bde8ca956ba9782ead28ac7328d4e7815aa98070ea4ef2193d75f32e54def5ddada0b6d76136a4a28ab1e8f59fa80ae08859bbd0d728e1e02609d63d

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
314KB

MD5
7eea4d1fe1f00f650b8037ee4efc47c7

SHA1
5eb57f2970721bd27a677da17b5cb3e9e0cc3f0f

SHA256
eb222b2a245623f6ae91c6b3da876020e4138572fa4f5b94124ebabd273ee5b6

SHA512
4b697b2b548dd04389b78ebc1d0155e60678370e2485bc1035209c999f0739381e2e2e288b855084c42edaa09d43ad1191749098d11de4a089c7105a5ca4130b

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
314KB

MD5
4ad26b278883d3dfcebdc367c8e46b57

SHA1
fbbc6f59c80bc11dbf1a7312a325910cde9a6da2

SHA256
84262195e2db5bb97f65d1f0a2d57d5722e8f1d4d4874ea20662e0aa6831b437

SHA512
902f0c67563a75169fa70a75e6228ba36ad86033b050aef01f69c8d2a4bdcaff5c907bceb6a753f468c45d30d63fb0fef80b32002a4c85a0f428804c8085e742

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
314KB

MD5
42fb1c7895411ba906eb91b783a5fe19

SHA1
7a9761c250516bf920ffa6fa69b4379ac66c99c7

SHA256
e5a15d6736a1095a777796cd4d9f6b4aecc31e2de373299291428140d5311096

SHA512
65fa808eed99fb65a5363f2eaedc1db33ce341bfc5bdb0e8fe4e846fc96e9f0821d054b37eaae7e637b3aa6d1c7c3f9f2bb1fd50202854ea702f5a4ab13c4b9f

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
314KB

MD5
a6efecbb2a9e40725a2585e794343409

SHA1
446f9c522be9c701a0fb397bf0f3de559090f4b8

SHA256
6801eb9a08cc36a986b590ca03d54b49c0665c02664fbd8e20ae5200558814d8

SHA512
9cffb76d27b534e8fb7b54bc61f3f1838ac89dea1cee168c984998ef42aa31a2569b20301800d049a9eb3d792c9585c083c2fcaa7ebc1fc0080cf119ef5d7855

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
314KB

MD5
1cef8826f0d6a9f82218d1cc2a60b107

SHA1
19b923e62f842c039233c34d33cd2d5b297c8508

SHA256
26f9121edecd135472b44ed050bdd84e2350b3dad4640ec1310268a850f0203a

SHA512
d361de2eeee6fd43b1c3e9e83552d24bdc9fcc9222eb9434b79f771f029c861e9ff23e7a74544431e6515c3e3804f8c66eeb11b1d206d228eb7be849017573a8

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
314KB

MD5
d4445f9dbb656e6af9df779193d84830

SHA1
1c0a17a659004095d7359687a77c14edc660bd46

SHA256
40d8475d13c1c5d10e7ba48b78fe7e4fd5b5ee8b17dbabebefca47b423b47720

SHA512
72cb03f4865a7d3289bc3fcd79789b7ba48111805303fc00cf38c6d1570cc788197ec7fb79f020507ed453880d1e3693cbd52bf9134aac384e6d1e571eaf5ddd

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
314KB

MD5
3b0f49bdb9a591b914c30075c4ec138f

SHA1
b0668ada90680d2cc3be424d2db32e6e4d58effc

SHA256
9f6a44bd632a1011f2be374030e26da303b09196412c071597e3d4b7d457533d

SHA512
da6045ea33f2d16d9a2d2d949d28694f577ddb0804de768b5eef7606a2914d72f0a7fa92252899b11c0494c9ff256e88bd08074c2bee931aa2fc99f40bd7fefa

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
314KB

MD5
5f8004f624b7d161c0c9ee3214427a5b

SHA1
b7b963a2f886d1f747d3e3afae11a7561408166c

SHA256
ed858313b9a665d100f1bcb474ad9823d8cd66ab9b60b18031a0e360c989e288

SHA512
c172becadb400ee6660d0841c92b677c93b79e1116a706753e0f3ab48e461631eaf3b5ee4a0e154c4e8fe39dbc5c7b33067d01dd287de463bbf5df046af8b14c

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
314KB

MD5
e2d8618b6d2185c3c5bd741a69faa690

SHA1
76942129e52c6fff44c5d92157f2af9e617b970d

SHA256
b6dcb7b81a2aa2417f5c4ff04da4cb6a24d6947dc6933e22368a0f580f941568

SHA512
b259c8fadfa3e9fbe236c3e06c88cd362786264173e5ef7b8128140b44c4b87a17d1a6254d2a9388bc87de61efdef1f7a95e226d9f8bed3b44938786cb0b8b12

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
314KB

MD5
8f41062bffc940ad89982af404de4f9a

SHA1
fcce98cae76bbc2f9a606dbddd7c0689803b8be8

SHA256
7024103de1b3f6f6b7438aa218e8247d4caa7ac4f5c7af8a7d835d9c256eab47

SHA512
a11f13d3cdfeb90c21323a75f8715ad63890180f60d58626568c48f2df87f0693eef8f20e3d68c5dfafac5bf4f03e7c5c4f4376ab14859a97a0ac84759c0efa8

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
314KB

MD5
0ee50a3a2097ea2569860430d2d3c393

SHA1
133efe65d545468552d3aa56d920868ec9b6344c

SHA256
141c397a43d6c09f878a3d4030bc5c50cc911dd772dbaa04345b78883c1b12be

SHA512
d36e8c73031794476e9bc59dada20040a9d4b54124e92b2b0f9b22084e5e4b165bfa74a2acf30f2a8b7bbc000fedcc0ceb3519fbd291d3eb434655b2bc324e9e

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
314KB

MD5
12793aff644b4cb087981baee78a9d5d

SHA1
d48fa687d53e1b5ddddb8a2203eb0859f7505f8a

SHA256
a86db2f7ff875024b626ebf4108bce1bd602f473ad821c5dc3a4aba6880986e9

SHA512
7bfbcb5fac21a4cdde7535dd36d1f7ef3736e55afd06ffd0dc80befe747d08c22780745dc8f18af76f0d15b73278729bce4a13cd12c4d8a426c2e7cfcf7be6ff

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
314KB

MD5
a1e156dba0d5e870ec798c07b8b7540b

SHA1
da9ba016e039fb3a8bcba26622f1a2c51286ed90

SHA256
e448dce5e807d8aa917d2f4b0a8d25647eaffb75a83881f964d479cf116b7e94

SHA512
db3c29f95aad44a44be8330f1bf3278cdb9c30a7f43ed31e603b2570b5df2bc5060532f61256c7ce3b75c4f82e2907a3b0efc02cc991c6032e033c178f658d2b

Download Submit
memory/208-17-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/208-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/340-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/340-391-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/444-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-233-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/456-400-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/544-205-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/632-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/632-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/636-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/672-80-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/672-412-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-398-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/696-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-387-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/836-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-249-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-399-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/904-177-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/904-406-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-409-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1340-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1348-416-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1348-49-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1436-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1452-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1456-397-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1456-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-392-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1488-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1588-388-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1632-407-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1712-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1764-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1764-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1948-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1948-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1976-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2148-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2236-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-417-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2488-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-122-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-123-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2592-394-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-403-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2772-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3036-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3036-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-124-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3096-189-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3096-404-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3296-411-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3300-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3408-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-393-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-410-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3648-139-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3752-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3752-386-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-415-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3968-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4072-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-385-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4364-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-421-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4376-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4384-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4384-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4496-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-418-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4900-405-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4900-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4912-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads