775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f

Analysis

max time kernel
151s
max time network
188s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Size

50KB
MD5

16394a41f8fc229d19c7ff9dbb9b23a0
SHA1

642e66584c53ca3726080b7b328b0ca1ab8bd3e5
SHA256

775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f
SHA512

adc50c2f3455433b58132ed594d564346935fe61ff32b97051362a9c74277c650c1a5a6478d3fad50c9e065b54050e29f0f20233372d83c4e8edbb3c340a6e9f
SSDEEP

768:pb5nSFf+PRv7Wje3MbGHLizoWlW3WL9EWVKLBIE1Pz1B1/1H57X:plSNQvijecbWOzoWmWLXMhv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Mkepnjng.exeMglack32.exeNafokcol.exeNdghmo32.exeMjeddggd.exeMamleegg.exeNbkhfc32.exe775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exeMaohkd32.exeMaaepd32.exeNceonl32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe

Executes dropped EXE 11 IoCs

Processes:

Mjeddggd.exeMamleegg.exeMkepnjng.exeMaohkd32.exeMglack32.exeMaaepd32.exeNceonl32.exeNafokcol.exeNdghmo32.exeNbkhfc32.exeNkcmohbg.exe

pid	process
2244	Mjeddggd.exe
2864	Mamleegg.exe
1932	Mkepnjng.exe
4860	Maohkd32.exe
4188	Mglack32.exe
1060	Maaepd32.exe
4308	Nceonl32.exe
1276	Nafokcol.exe
1668	Ndghmo32.exe
1744	Nbkhfc32.exe
1460	Nkcmohbg.exe

Drops file in System32 directory 33 IoCs

Processes:

775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exeMkepnjng.exeMglack32.exeNafokcol.exeNbkhfc32.exeMaohkd32.exeMaaepd32.exeNceonl32.exeMjeddggd.exeNdghmo32.exeMamleegg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mjeddggd.exe	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nafokcol.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4304 1460 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4304	1460	WerFault.exe	Nkcmohbg.exe

Modifies registry class 36 IoCs

Processes:

775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exeMamleegg.exeMkepnjng.exeNdghmo32.exeMaohkd32.exeMaaepd32.exeNceonl32.exeNbkhfc32.exeMglack32.exeNafokcol.exeMjeddggd.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exeMjeddggd.exeMamleegg.exeMkepnjng.exeMaohkd32.exeMglack32.exeMaaepd32.exeNceonl32.exeNafokcol.exeNdghmo32.exeNbkhfc32.exe

description	pid	process	target process
PID 4880 wrote to memory of 2244	4880	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe	Mjeddggd.exe
PID 4880 wrote to memory of 2244	4880	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe	Mjeddggd.exe
PID 4880 wrote to memory of 2244	4880	775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe	Mjeddggd.exe
PID 2244 wrote to memory of 2864	2244	Mjeddggd.exe	Mamleegg.exe
PID 2244 wrote to memory of 2864	2244	Mjeddggd.exe	Mamleegg.exe
PID 2244 wrote to memory of 2864	2244	Mjeddggd.exe	Mamleegg.exe
PID 2864 wrote to memory of 1932	2864	Mamleegg.exe	Mkepnjng.exe
PID 2864 wrote to memory of 1932	2864	Mamleegg.exe	Mkepnjng.exe
PID 2864 wrote to memory of 1932	2864	Mamleegg.exe	Mkepnjng.exe
PID 1932 wrote to memory of 4860	1932	Mkepnjng.exe	Maohkd32.exe
PID 1932 wrote to memory of 4860	1932	Mkepnjng.exe	Maohkd32.exe
PID 1932 wrote to memory of 4860	1932	Mkepnjng.exe	Maohkd32.exe
PID 4860 wrote to memory of 4188	4860	Maohkd32.exe	Mglack32.exe
PID 4860 wrote to memory of 4188	4860	Maohkd32.exe	Mglack32.exe
PID 4860 wrote to memory of 4188	4860	Maohkd32.exe	Mglack32.exe
PID 4188 wrote to memory of 1060	4188	Mglack32.exe	Maaepd32.exe
PID 4188 wrote to memory of 1060	4188	Mglack32.exe	Maaepd32.exe
PID 4188 wrote to memory of 1060	4188	Mglack32.exe	Maaepd32.exe
PID 1060 wrote to memory of 4308	1060	Maaepd32.exe	Nceonl32.exe
PID 1060 wrote to memory of 4308	1060	Maaepd32.exe	Nceonl32.exe
PID 1060 wrote to memory of 4308	1060	Maaepd32.exe	Nceonl32.exe
PID 4308 wrote to memory of 1276	4308	Nceonl32.exe	Nafokcol.exe
PID 4308 wrote to memory of 1276	4308	Nceonl32.exe	Nafokcol.exe
PID 4308 wrote to memory of 1276	4308	Nceonl32.exe	Nafokcol.exe
PID 1276 wrote to memory of 1668	1276	Nafokcol.exe	Ndghmo32.exe
PID 1276 wrote to memory of 1668	1276	Nafokcol.exe	Ndghmo32.exe
PID 1276 wrote to memory of 1668	1276	Nafokcol.exe	Ndghmo32.exe
PID 1668 wrote to memory of 1744	1668	Ndghmo32.exe	Nbkhfc32.exe
PID 1668 wrote to memory of 1744	1668	Ndghmo32.exe	Nbkhfc32.exe
PID 1668 wrote to memory of 1744	1668	Ndghmo32.exe	Nbkhfc32.exe
PID 1744 wrote to memory of 1460	1744	Nbkhfc32.exe	Nkcmohbg.exe
PID 1744 wrote to memory of 1460	1744	Nbkhfc32.exe	Nkcmohbg.exe
PID 1744 wrote to memory of 1460	1744	Nbkhfc32.exe	Nkcmohbg.exe

C:\Users\Admin\AppData\Local\Temp\775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe
"C:\Users\Admin\AppData\Local\Temp\775d3cd2fcc98401c1f3f69342ca963e7a291f436cdabf59ce8bac0b3979403f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
2⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 400
3⤵
- Program crash
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1460 -ip 1460
1⤵
PID:5080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe
Filesize
50KB

MD5
081a9af4f02b306d25a1fa88e5997e57

SHA1
2fe6c06a872f753673951583ef7d321e4c431321

SHA256
19372e7f918cd8735547ea306d0b36905d02165db8388e22d3bef1b8f83b85b5

SHA512
7a6c507c89a7d75f2224e09bd602cab7fcab14eafe72bc3a9dd0c4d3abb84d70bcfccbaadde81788b308ac95f41f2db5222c6219aa5961c5d7898f37ef92e3b8

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe
Filesize
50KB

MD5
081a9af4f02b306d25a1fa88e5997e57

SHA1
2fe6c06a872f753673951583ef7d321e4c431321

SHA256
19372e7f918cd8735547ea306d0b36905d02165db8388e22d3bef1b8f83b85b5

SHA512
7a6c507c89a7d75f2224e09bd602cab7fcab14eafe72bc3a9dd0c4d3abb84d70bcfccbaadde81788b308ac95f41f2db5222c6219aa5961c5d7898f37ef92e3b8

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe
Filesize
50KB

MD5
7d231d20a9811f02699f48cf27bc0f1d

SHA1
0f23f4df43de477277f3e08b06bc3a03bbe4e31a

SHA256
29f76a910e22eeda059c0177be884eb7b91dbfcf8683b69afe00931e29d7f3f0

SHA512
3098f02636ce7ee87b3a0dd515a2b11d0efafe173c8cb618f3588f4eea0a2ccca7dd0de3dfcca16dc86435923a50017988f27e5df7ecbd0b2914d25cec26b618

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe
Filesize
50KB

MD5
7d231d20a9811f02699f48cf27bc0f1d

SHA1
0f23f4df43de477277f3e08b06bc3a03bbe4e31a

SHA256
29f76a910e22eeda059c0177be884eb7b91dbfcf8683b69afe00931e29d7f3f0

SHA512
3098f02636ce7ee87b3a0dd515a2b11d0efafe173c8cb618f3588f4eea0a2ccca7dd0de3dfcca16dc86435923a50017988f27e5df7ecbd0b2914d25cec26b618

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe
Filesize
50KB

MD5
981b0813d67d14b5288e71d9d6adebdb

SHA1
b1649225ac66c8e7d65203a33e696da9b25caefc

SHA256
fa6a503b18b51823b6753aea4080bf0d70d22e0f78e7215887afa2556076af51

SHA512
5dccda889f078cdbd3451d3a16c86e9521086bc5b7dbec004b302d4454ff0422bc756bbb6d1cc3e3ac22866b206f28c9c9906e8131ab9bf01c32b61df76ff9ae

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe
Filesize
50KB

MD5
981b0813d67d14b5288e71d9d6adebdb

SHA1
b1649225ac66c8e7d65203a33e696da9b25caefc

SHA256
fa6a503b18b51823b6753aea4080bf0d70d22e0f78e7215887afa2556076af51

SHA512
5dccda889f078cdbd3451d3a16c86e9521086bc5b7dbec004b302d4454ff0422bc756bbb6d1cc3e3ac22866b206f28c9c9906e8131ab9bf01c32b61df76ff9ae

Download Submit
C:\Windows\SysWOW64\Mglack32.exe
Filesize
50KB

MD5
73db98dba4b8318c1bebbeb2ff23526f

SHA1
cd1116e2495b4dc3f22982810817ee4ef1012ecb

SHA256
71868a5f1ee625a09a44a248aad00548469f28125b2ca36b46f361b5f301c924

SHA512
e2d2db2f4e27e16fe62a86db6145c306776d0ab9b9fe7aa095d22b67435b91c9166e0b7da901ae94ca86116db2995dc74f57d68d33d93cfc8f0939d5eef118b6

Download Submit
C:\Windows\SysWOW64\Mglack32.exe
Filesize
50KB

MD5
73db98dba4b8318c1bebbeb2ff23526f

SHA1
cd1116e2495b4dc3f22982810817ee4ef1012ecb

SHA256
71868a5f1ee625a09a44a248aad00548469f28125b2ca36b46f361b5f301c924

SHA512
e2d2db2f4e27e16fe62a86db6145c306776d0ab9b9fe7aa095d22b67435b91c9166e0b7da901ae94ca86116db2995dc74f57d68d33d93cfc8f0939d5eef118b6

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe
Filesize
50KB

MD5
56208badc30bb9879a1daae45535bfd4

SHA1
10126499759e945a727caab893dd5fd3ff587a1a

SHA256
1424554cc5dcbaedc93f06146598233714c6d5da0507eb131549e6fef20902b0

SHA512
918ddaadb0ab07dee35a47d6ad0d3113880e8b973c8246cb9a6af6bd06741839910f0a5db327005754819f8911a37eab9bed6f0eaf526ab5ad5827962754daa4

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe
Filesize
50KB

MD5
56208badc30bb9879a1daae45535bfd4

SHA1
10126499759e945a727caab893dd5fd3ff587a1a

SHA256
1424554cc5dcbaedc93f06146598233714c6d5da0507eb131549e6fef20902b0

SHA512
918ddaadb0ab07dee35a47d6ad0d3113880e8b973c8246cb9a6af6bd06741839910f0a5db327005754819f8911a37eab9bed6f0eaf526ab5ad5827962754daa4

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe
Filesize
50KB

MD5
49df51b94238b73b913d9fdd1a7c8602

SHA1
3fe01866174fb394db19ee7d13f94741c8f0a387

SHA256
9a1dcb312fde5438c1a6b2ecea8ece935778d6ccf58ef7e789ea457f930f9df8

SHA512
b6f9626c1179501232aedddca2cb8be31014fd411705d05f420111b140fcfb6014b6b6c42476e5d7f9605b7f51381ae46db6965e8b7f57b645bf2b1e5fe30a36

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe
Filesize
50KB

MD5
49df51b94238b73b913d9fdd1a7c8602

SHA1
3fe01866174fb394db19ee7d13f94741c8f0a387

SHA256
9a1dcb312fde5438c1a6b2ecea8ece935778d6ccf58ef7e789ea457f930f9df8

SHA512
b6f9626c1179501232aedddca2cb8be31014fd411705d05f420111b140fcfb6014b6b6c42476e5d7f9605b7f51381ae46db6965e8b7f57b645bf2b1e5fe30a36

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe
Filesize
50KB

MD5
20623e2a2b55d6270edd32e491dca746

SHA1
8618e1fd71155099a8f7c0d5e15c4585cfc60ff1

SHA256
e078e3269676203a54ec065a9fbb86c962ccfdc01fec5c0a32ede2e8542b5e49

SHA512
6a4b29afec8cdf02070451b063bfcb59465aeb515fe5bed0cd0cbe501d930a592bdab251a6c87e0a672fb807113a553c825269fd062f5c078778c74515c5fbcc

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe
Filesize
50KB

MD5
20623e2a2b55d6270edd32e491dca746

SHA1
8618e1fd71155099a8f7c0d5e15c4585cfc60ff1

SHA256
e078e3269676203a54ec065a9fbb86c962ccfdc01fec5c0a32ede2e8542b5e49

SHA512
6a4b29afec8cdf02070451b063bfcb59465aeb515fe5bed0cd0cbe501d930a592bdab251a6c87e0a672fb807113a553c825269fd062f5c078778c74515c5fbcc

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe
Filesize
50KB

MD5
64c49dfa00d788795405e4f4eb7c7c66

SHA1
73b7e391489c9911de8edc4c8cdf9a5c36474f33

SHA256
55b1cd74bd06aa0e41009b351ed622e506cb4ba60c08823846e1e65f1053e4e5

SHA512
89b5be0139460d18d0f06c5c5f7d2c1b4a11f00396c4c1b7aac9e62d648dc69d8d32224c1a715369ef4224e0006a1bf6e663a8c0b7b72abe80f4f3c74bf035de

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe
Filesize
50KB

MD5
64c49dfa00d788795405e4f4eb7c7c66

SHA1
73b7e391489c9911de8edc4c8cdf9a5c36474f33

SHA256
55b1cd74bd06aa0e41009b351ed622e506cb4ba60c08823846e1e65f1053e4e5

SHA512
89b5be0139460d18d0f06c5c5f7d2c1b4a11f00396c4c1b7aac9e62d648dc69d8d32224c1a715369ef4224e0006a1bf6e663a8c0b7b72abe80f4f3c74bf035de

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe
Filesize
50KB

MD5
6fa829c22a89bc19bcc661233934f8d2

SHA1
620dbe8e3e0a734984b91b27713da495bc59eda8

SHA256
a8bfb380b8c40ffc46f2d390929fe9f40be95175634be3b693331ed1068b2424

SHA512
206af4bf4c12290e0dac1a648d239127cfdaea9239b3c520a32d8ef9b7977b7a83c78e34e598d4b325fe6ea2a38e07e1356cdbeb062fd40cdc043614d444287d

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe
Filesize
50KB

MD5
6fa829c22a89bc19bcc661233934f8d2

SHA1
620dbe8e3e0a734984b91b27713da495bc59eda8

SHA256
a8bfb380b8c40ffc46f2d390929fe9f40be95175634be3b693331ed1068b2424

SHA512
206af4bf4c12290e0dac1a648d239127cfdaea9239b3c520a32d8ef9b7977b7a83c78e34e598d4b325fe6ea2a38e07e1356cdbeb062fd40cdc043614d444287d

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe
Filesize
50KB

MD5
08a226f060a66f267c02ec22972ddeb2

SHA1
55fb83a39c8479bccdda80809d70dfd51369e22d

SHA256
897b33f8b8713e760d1717bfb338e546e009a2d29c833f402c2436b9c024067f

SHA512
356607cc06e9b583dc63c11c15c8f97fc1b216fb83c2db9afd3d81c9ff2efcf6abebdeb78128f1b9099ac85b860e6c11fb363e825e68d4367611bc2c86a8ad18

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe
Filesize
50KB

MD5
08a226f060a66f267c02ec22972ddeb2

SHA1
55fb83a39c8479bccdda80809d70dfd51369e22d

SHA256
897b33f8b8713e760d1717bfb338e546e009a2d29c833f402c2436b9c024067f

SHA512
356607cc06e9b583dc63c11c15c8f97fc1b216fb83c2db9afd3d81c9ff2efcf6abebdeb78128f1b9099ac85b860e6c11fb363e825e68d4367611bc2c86a8ad18

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
50KB

MD5
64e7cfa0867ccce5d7824b2327fe4558

SHA1
4618193524005b5e743dc8fd703d378e78262775

SHA256
80203be175383e33f5f8ba453c11b38885ebcd5c34f90efacb5dc682576b41a9

SHA512
0afc05cfd7686617aebafb747babd38054a53afcf4ce6b6697fed0c86d39fa8b8fd95eac28dff8992e1c6f43a27725528619fb1b8ea6eec31a1f96f859b40845

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
50KB

MD5
64e7cfa0867ccce5d7824b2327fe4558

SHA1
4618193524005b5e743dc8fd703d378e78262775

SHA256
80203be175383e33f5f8ba453c11b38885ebcd5c34f90efacb5dc682576b41a9

SHA512
0afc05cfd7686617aebafb747babd38054a53afcf4ce6b6697fed0c86d39fa8b8fd95eac28dff8992e1c6f43a27725528619fb1b8ea6eec31a1f96f859b40845

Download Submit
memory/1060-147-0x0000000000000000-mapping.dmp

Download
memory/1060-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1276-156-0x0000000000000000-mapping.dmp

Download
memory/1276-173-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1460-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1460-169-0x0000000000000000-mapping.dmp

Download
memory/1668-162-0x0000000000000000-mapping.dmp

Download
memory/1668-174-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1744-175-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1744-166-0x0000000000000000-mapping.dmp

Download
memory/1932-157-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1932-138-0x0000000000000000-mapping.dmp

Download
memory/2244-132-0x0000000000000000-mapping.dmp

Download
memory/2244-152-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2864-135-0x0000000000000000-mapping.dmp

Download
memory/2864-155-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4188-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4188-144-0x0000000000000000-mapping.dmp

Download
memory/4308-150-0x0000000000000000-mapping.dmp

Download
memory/4308-172-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4860-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4860-141-0x0000000000000000-mapping.dmp

Download
memory/4880-151-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download