c5d46a272f8770ce84ce4130d838bbe806d28d54f21701d2fe0c79d55ccc09f0

Analysis

max time kernel
143s
max time network
129s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11/10/2023, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Size

45KB
MD5

f5351bc19c4aa15cb502002018ea8fcc
SHA1

334585427a79f94893a25cc5b6f28cc3040fee0d
SHA256

c5d46a272f8770ce84ce4130d838bbe806d28d54f21701d2fe0c79d55ccc09f0
SHA512

3bec74c907dd418f389b7224ab16e6bdc43d43eb4d01dcfaaacb04dcc83e168dc47226089a2338871475946ce375dd05a499d35083255bd69cfcea6c92c82336
SSDEEP

768:VIuIe0tMBnel5oWth2t1EVjEK9iyf77V42eHtmknEru8TW/1H5P:muIFMBeuGAK9ff9PONoT8Z

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe

Executes dropped EXE 5 IoCs

pid	Process
2084	Ngfflj32.exe
2620	Nigome32.exe
2752	Nodgel32.exe
3040	Ngkogj32.exe
2528	Nlhgoqhh.exe

Loads dropped DLL 14 IoCs

pid	Process
3016	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
3016	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
2084	Ngfflj32.exe
2084	Ngfflj32.exe
2620	Nigome32.exe
2620	Nigome32.exe
2752	Nodgel32.exe
2752	Nodgel32.exe
3040	Ngkogj32.exe
3040	Ngkogj32.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe
2532	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hljdna32.dll	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Nodgel32.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	f5351bc19c4aa15cb502002018ea8fcc_JC.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2532	2528	WerFault.exe	32

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f5351bc19c4aa15cb502002018ea8fcc_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 2084	3016	f5351bc19c4aa15cb502002018ea8fcc_JC.exe	28
PID 3016 wrote to memory of 2084	3016	f5351bc19c4aa15cb502002018ea8fcc_JC.exe	28
PID 3016 wrote to memory of 2084	3016	f5351bc19c4aa15cb502002018ea8fcc_JC.exe	28
PID 3016 wrote to memory of 2084	3016	f5351bc19c4aa15cb502002018ea8fcc_JC.exe	28
PID 2084 wrote to memory of 2620	2084	Ngfflj32.exe	29
PID 2084 wrote to memory of 2620	2084	Ngfflj32.exe	29
PID 2084 wrote to memory of 2620	2084	Ngfflj32.exe	29
PID 2084 wrote to memory of 2620	2084	Ngfflj32.exe	29
PID 2620 wrote to memory of 2752	2620	Nigome32.exe	30
PID 2620 wrote to memory of 2752	2620	Nigome32.exe	30
PID 2620 wrote to memory of 2752	2620	Nigome32.exe	30
PID 2620 wrote to memory of 2752	2620	Nigome32.exe	30
PID 2752 wrote to memory of 3040	2752	Nodgel32.exe	31
PID 2752 wrote to memory of 3040	2752	Nodgel32.exe	31
PID 2752 wrote to memory of 3040	2752	Nodgel32.exe	31
PID 2752 wrote to memory of 3040	2752	Nodgel32.exe	31
PID 3040 wrote to memory of 2528	3040	Ngkogj32.exe	32
PID 3040 wrote to memory of 2528	3040	Ngkogj32.exe	32
PID 3040 wrote to memory of 2528	3040	Ngkogj32.exe	32
PID 3040 wrote to memory of 2528	3040	Ngkogj32.exe	32
PID 2528 wrote to memory of 2532	2528	Nlhgoqhh.exe	33
PID 2528 wrote to memory of 2532	2528	Nlhgoqhh.exe	33
PID 2528 wrote to memory of 2532	2528	Nlhgoqhh.exe	33
PID 2528 wrote to memory of 2532	2528	Nlhgoqhh.exe	33

C:\Users\Admin\AppData\Local\Temp\f5351bc19c4aa15cb502002018ea8fcc_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f5351bc19c4aa15cb502002018ea8fcc_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Windows\SysWOW64\Ngfflj32.exe
  C:\Windows\system32\Ngfflj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\Nigome32.exe
    C:\Windows\system32\Nigome32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\Nodgel32.exe
      C:\Windows\system32\Nodgel32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 140
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
45KB

MD5
57c9bf0182ce9de85204f466f2a0c92d

SHA1
03f74d9532182d66b82c8878ab9d1fd5b8c16089

SHA256
9970f688ab01461a9a0c1daed9752a84b3a6e6cae2f18b8c2e8a970142a77796

SHA512
b9951fbea8b91692703227ddac0727eba7d57719b6a5c48019b46a11b82bf3377df722424e9ae4ad457b42079cf15f0a0f9fc59b0808b19b2048d9240f69bd34

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
45KB

MD5
57c9bf0182ce9de85204f466f2a0c92d

SHA1
03f74d9532182d66b82c8878ab9d1fd5b8c16089

SHA256
9970f688ab01461a9a0c1daed9752a84b3a6e6cae2f18b8c2e8a970142a77796

SHA512
b9951fbea8b91692703227ddac0727eba7d57719b6a5c48019b46a11b82bf3377df722424e9ae4ad457b42079cf15f0a0f9fc59b0808b19b2048d9240f69bd34

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
45KB

MD5
57c9bf0182ce9de85204f466f2a0c92d

SHA1
03f74d9532182d66b82c8878ab9d1fd5b8c16089

SHA256
9970f688ab01461a9a0c1daed9752a84b3a6e6cae2f18b8c2e8a970142a77796

SHA512
b9951fbea8b91692703227ddac0727eba7d57719b6a5c48019b46a11b82bf3377df722424e9ae4ad457b42079cf15f0a0f9fc59b0808b19b2048d9240f69bd34

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
45KB

MD5
8b18f56e0aa3708a0ea5cbc54784c92a

SHA1
66a1fdf2f6312c3fdc1fb544dadadaac966163f2

SHA256
98ac8c0d79e7b1d87f4ef7f5e4f0a8f0f6695a28afe3e606780bc7d13c23ac7d

SHA512
405fd1dbb921b1085b1d262eeeac0be8b948e9bf6d5a29dc1c6e7ad114f4b5f541db9373133c07bbaf9cbea1f6f13d3c2bfdf47ee6c433f1070c3abd169e7999

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
45KB

MD5
8b18f56e0aa3708a0ea5cbc54784c92a

SHA1
66a1fdf2f6312c3fdc1fb544dadadaac966163f2

SHA256
98ac8c0d79e7b1d87f4ef7f5e4f0a8f0f6695a28afe3e606780bc7d13c23ac7d

SHA512
405fd1dbb921b1085b1d262eeeac0be8b948e9bf6d5a29dc1c6e7ad114f4b5f541db9373133c07bbaf9cbea1f6f13d3c2bfdf47ee6c433f1070c3abd169e7999

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
45KB

MD5
8b18f56e0aa3708a0ea5cbc54784c92a

SHA1
66a1fdf2f6312c3fdc1fb544dadadaac966163f2

SHA256
98ac8c0d79e7b1d87f4ef7f5e4f0a8f0f6695a28afe3e606780bc7d13c23ac7d

SHA512
405fd1dbb921b1085b1d262eeeac0be8b948e9bf6d5a29dc1c6e7ad114f4b5f541db9373133c07bbaf9cbea1f6f13d3c2bfdf47ee6c433f1070c3abd169e7999

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
45KB

MD5
b7c175c1b1c17c6e7cd1bc152b93be57

SHA1
1a3988f223ff6b26a7ba0772a6e4c9f37323ecd8

SHA256
432f062ca8c32e36fb3a2d37c1f06bb790670c6e5ae373833d668f37ee4fbb91

SHA512
3fb423ee2ad4d2cb7b46a4e9e81c38c62743cf67f849649822804f9b817c8c0a12d3488b2dca13949db33c07682fba1387da1cd6c848498a052ae36123ae3d05

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
45KB

MD5
b7c175c1b1c17c6e7cd1bc152b93be57

SHA1
1a3988f223ff6b26a7ba0772a6e4c9f37323ecd8

SHA256
432f062ca8c32e36fb3a2d37c1f06bb790670c6e5ae373833d668f37ee4fbb91

SHA512
3fb423ee2ad4d2cb7b46a4e9e81c38c62743cf67f849649822804f9b817c8c0a12d3488b2dca13949db33c07682fba1387da1cd6c848498a052ae36123ae3d05

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
45KB

MD5
b7c175c1b1c17c6e7cd1bc152b93be57

SHA1
1a3988f223ff6b26a7ba0772a6e4c9f37323ecd8

SHA256
432f062ca8c32e36fb3a2d37c1f06bb790670c6e5ae373833d668f37ee4fbb91

SHA512
3fb423ee2ad4d2cb7b46a4e9e81c38c62743cf67f849649822804f9b817c8c0a12d3488b2dca13949db33c07682fba1387da1cd6c848498a052ae36123ae3d05

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
fe03f5d3231799ea4ffd45e604d6f0c4

SHA1
e58b565e72ea096233fb57ca4364b90b33ce1d90

SHA256
4139129027932c12cf8fbe1d31b8b2c3d688d537c04454f4cb191d6b94759c5a

SHA512
5fbb0d485f762351eabaa6f50f2db8d0c86ca27e218167e55e3fa52d7111bea5094293300ff4fc8d33ff4a1e22e0fa40079ec279db569e900f54586c8bf4aa80

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
fe03f5d3231799ea4ffd45e604d6f0c4

SHA1
e58b565e72ea096233fb57ca4364b90b33ce1d90

SHA256
4139129027932c12cf8fbe1d31b8b2c3d688d537c04454f4cb191d6b94759c5a

SHA512
5fbb0d485f762351eabaa6f50f2db8d0c86ca27e218167e55e3fa52d7111bea5094293300ff4fc8d33ff4a1e22e0fa40079ec279db569e900f54586c8bf4aa80

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
45KB

MD5
3ece400ce900ec3d0a6d57ea51d46975

SHA1
12f19efc867b6710ca45cea192566cced477dad9

SHA256
bc04cf81ff22a0aebe2d43c14fbeb594710e9975e993ff24e929b25db9aea9a7

SHA512
3c4e46cc83447448dc0a7e1911c183c7cd4a20d33151bec3aac5311919c711924af4bc1ec00629d52aca6db93a6623a55d409c84feb0712e8b6c0ef6af80621a

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
45KB

MD5
3ece400ce900ec3d0a6d57ea51d46975

SHA1
12f19efc867b6710ca45cea192566cced477dad9

SHA256
bc04cf81ff22a0aebe2d43c14fbeb594710e9975e993ff24e929b25db9aea9a7

SHA512
3c4e46cc83447448dc0a7e1911c183c7cd4a20d33151bec3aac5311919c711924af4bc1ec00629d52aca6db93a6623a55d409c84feb0712e8b6c0ef6af80621a

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
45KB

MD5
3ece400ce900ec3d0a6d57ea51d46975

SHA1
12f19efc867b6710ca45cea192566cced477dad9

SHA256
bc04cf81ff22a0aebe2d43c14fbeb594710e9975e993ff24e929b25db9aea9a7

SHA512
3c4e46cc83447448dc0a7e1911c183c7cd4a20d33151bec3aac5311919c711924af4bc1ec00629d52aca6db93a6623a55d409c84feb0712e8b6c0ef6af80621a

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
45KB

MD5
57c9bf0182ce9de85204f466f2a0c92d

SHA1
03f74d9532182d66b82c8878ab9d1fd5b8c16089

SHA256
9970f688ab01461a9a0c1daed9752a84b3a6e6cae2f18b8c2e8a970142a77796

SHA512
b9951fbea8b91692703227ddac0727eba7d57719b6a5c48019b46a11b82bf3377df722424e9ae4ad457b42079cf15f0a0f9fc59b0808b19b2048d9240f69bd34

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
45KB

MD5
57c9bf0182ce9de85204f466f2a0c92d

SHA1
03f74d9532182d66b82c8878ab9d1fd5b8c16089

SHA256
9970f688ab01461a9a0c1daed9752a84b3a6e6cae2f18b8c2e8a970142a77796

SHA512
b9951fbea8b91692703227ddac0727eba7d57719b6a5c48019b46a11b82bf3377df722424e9ae4ad457b42079cf15f0a0f9fc59b0808b19b2048d9240f69bd34

Download Submit
\Windows\SysWOW64\Ngkogj32.exe

Filesize
45KB

MD5
8b18f56e0aa3708a0ea5cbc54784c92a

SHA1
66a1fdf2f6312c3fdc1fb544dadadaac966163f2

SHA256
98ac8c0d79e7b1d87f4ef7f5e4f0a8f0f6695a28afe3e606780bc7d13c23ac7d

SHA512
405fd1dbb921b1085b1d262eeeac0be8b948e9bf6d5a29dc1c6e7ad114f4b5f541db9373133c07bbaf9cbea1f6f13d3c2bfdf47ee6c433f1070c3abd169e7999

Download Submit
\Windows\SysWOW64\Ngkogj32.exe

Filesize
45KB

MD5
8b18f56e0aa3708a0ea5cbc54784c92a

SHA1
66a1fdf2f6312c3fdc1fb544dadadaac966163f2

SHA256
98ac8c0d79e7b1d87f4ef7f5e4f0a8f0f6695a28afe3e606780bc7d13c23ac7d

SHA512
405fd1dbb921b1085b1d262eeeac0be8b948e9bf6d5a29dc1c6e7ad114f4b5f541db9373133c07bbaf9cbea1f6f13d3c2bfdf47ee6c433f1070c3abd169e7999

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
45KB

MD5
b7c175c1b1c17c6e7cd1bc152b93be57

SHA1
1a3988f223ff6b26a7ba0772a6e4c9f37323ecd8

SHA256
432f062ca8c32e36fb3a2d37c1f06bb790670c6e5ae373833d668f37ee4fbb91

SHA512
3fb423ee2ad4d2cb7b46a4e9e81c38c62743cf67f849649822804f9b817c8c0a12d3488b2dca13949db33c07682fba1387da1cd6c848498a052ae36123ae3d05

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
45KB

MD5
b7c175c1b1c17c6e7cd1bc152b93be57

SHA1
1a3988f223ff6b26a7ba0772a6e4c9f37323ecd8

SHA256
432f062ca8c32e36fb3a2d37c1f06bb790670c6e5ae373833d668f37ee4fbb91

SHA512
3fb423ee2ad4d2cb7b46a4e9e81c38c62743cf67f849649822804f9b817c8c0a12d3488b2dca13949db33c07682fba1387da1cd6c848498a052ae36123ae3d05

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
fe03f5d3231799ea4ffd45e604d6f0c4

SHA1
e58b565e72ea096233fb57ca4364b90b33ce1d90

SHA256
4139129027932c12cf8fbe1d31b8b2c3d688d537c04454f4cb191d6b94759c5a

SHA512
5fbb0d485f762351eabaa6f50f2db8d0c86ca27e218167e55e3fa52d7111bea5094293300ff4fc8d33ff4a1e22e0fa40079ec279db569e900f54586c8bf4aa80

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
fe03f5d3231799ea4ffd45e604d6f0c4

SHA1
e58b565e72ea096233fb57ca4364b90b33ce1d90

SHA256
4139129027932c12cf8fbe1d31b8b2c3d688d537c04454f4cb191d6b94759c5a

SHA512
5fbb0d485f762351eabaa6f50f2db8d0c86ca27e218167e55e3fa52d7111bea5094293300ff4fc8d33ff4a1e22e0fa40079ec279db569e900f54586c8bf4aa80

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
fe03f5d3231799ea4ffd45e604d6f0c4

SHA1
e58b565e72ea096233fb57ca4364b90b33ce1d90

SHA256
4139129027932c12cf8fbe1d31b8b2c3d688d537c04454f4cb191d6b94759c5a

SHA512
5fbb0d485f762351eabaa6f50f2db8d0c86ca27e218167e55e3fa52d7111bea5094293300ff4fc8d33ff4a1e22e0fa40079ec279db569e900f54586c8bf4aa80

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
fe03f5d3231799ea4ffd45e604d6f0c4

SHA1
e58b565e72ea096233fb57ca4364b90b33ce1d90

SHA256
4139129027932c12cf8fbe1d31b8b2c3d688d537c04454f4cb191d6b94759c5a

SHA512
5fbb0d485f762351eabaa6f50f2db8d0c86ca27e218167e55e3fa52d7111bea5094293300ff4fc8d33ff4a1e22e0fa40079ec279db569e900f54586c8bf4aa80

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
fe03f5d3231799ea4ffd45e604d6f0c4

SHA1
e58b565e72ea096233fb57ca4364b90b33ce1d90

SHA256
4139129027932c12cf8fbe1d31b8b2c3d688d537c04454f4cb191d6b94759c5a

SHA512
5fbb0d485f762351eabaa6f50f2db8d0c86ca27e218167e55e3fa52d7111bea5094293300ff4fc8d33ff4a1e22e0fa40079ec279db569e900f54586c8bf4aa80

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
45KB

MD5
fe03f5d3231799ea4ffd45e604d6f0c4

SHA1
e58b565e72ea096233fb57ca4364b90b33ce1d90

SHA256
4139129027932c12cf8fbe1d31b8b2c3d688d537c04454f4cb191d6b94759c5a

SHA512
5fbb0d485f762351eabaa6f50f2db8d0c86ca27e218167e55e3fa52d7111bea5094293300ff4fc8d33ff4a1e22e0fa40079ec279db569e900f54586c8bf4aa80

Download Submit
\Windows\SysWOW64\Nodgel32.exe

Filesize
45KB

MD5
3ece400ce900ec3d0a6d57ea51d46975

SHA1
12f19efc867b6710ca45cea192566cced477dad9

SHA256
bc04cf81ff22a0aebe2d43c14fbeb594710e9975e993ff24e929b25db9aea9a7

SHA512
3c4e46cc83447448dc0a7e1911c183c7cd4a20d33151bec3aac5311919c711924af4bc1ec00629d52aca6db93a6623a55d409c84feb0712e8b6c0ef6af80621a

Download Submit
\Windows\SysWOW64\Nodgel32.exe

Filesize
45KB

MD5
3ece400ce900ec3d0a6d57ea51d46975

SHA1
12f19efc867b6710ca45cea192566cced477dad9

SHA256
bc04cf81ff22a0aebe2d43c14fbeb594710e9975e993ff24e929b25db9aea9a7

SHA512
3c4e46cc83447448dc0a7e1911c183c7cd4a20d33151bec3aac5311919c711924af4bc1ec00629d52aca6db93a6623a55d409c84feb0712e8b6c0ef6af80621a

Download Submit
memory/2084-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-20-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2084-26-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2528-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-40-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2620-52-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2620-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2752-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-6-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/3016-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-12-0x00000000003C0000-0x00000000003EF000-memory.dmp

Filesize
188KB

Download
memory/3040-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads