2539347237c26627af2b91d62d828f6f2cc174a81349a16e3d43302531bc1ac2

Analysis

max time kernel
117s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
15/11/2023, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
Size

138KB
MD5

08ea1edee211fa1eabc6e32e3459b0f0
SHA1

55e0887b049c7d23382d3d63611287279c2ced35
SHA256

2539347237c26627af2b91d62d828f6f2cc174a81349a16e3d43302531bc1ac2
SHA512

b11e01e54d628397559690d882bfc9e5e2fb8ce0615c589443cc684a8142114abc339721f0c2ced9d2ba1cb0131b188d3921160dd5379d1a632dce5430a156f4
SSDEEP

3072:V9bHFypyDKsMnW0XMAX/mW2wS7IrHrY8pjq6:U1szwtPmHwMOH/Vz

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 18 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe

Malware Backdoor - Berbew 48 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral1/files/0x00060000000120bd-5.dat	family_berbew
behavioral1/files/0x00060000000120bd-9.dat	family_berbew
behavioral1/files/0x00060000000120bd-8.dat	family_berbew
behavioral1/files/0x00060000000120bd-12.dat	family_berbew
behavioral1/files/0x00060000000120bd-14.dat	family_berbew
behavioral1/files/0x001d000000015c8a-23.dat	family_berbew
behavioral1/files/0x001d000000015c8a-26.dat	family_berbew
behavioral1/files/0x0007000000015e30-35.dat	family_berbew
behavioral1/files/0x0007000000015e30-29.dat	family_berbew
behavioral1/files/0x0007000000015e30-39.dat	family_berbew
behavioral1/files/0x0007000000015e30-41.dat	family_berbew
behavioral1/files/0x0009000000015eb0-46.dat	family_berbew
behavioral1/files/0x0006000000016466-59.dat	family_berbew
behavioral1/files/0x0006000000016466-65.dat	family_berbew
behavioral1/files/0x0006000000016619-72.dat	family_berbew
behavioral1/files/0x0006000000016619-78.dat	family_berbew
behavioral1/files/0x0006000000016ae2-91.dat	family_berbew
behavioral1/files/0x0006000000016ae2-81.dat	family_berbew
behavioral1/files/0x0006000000016c23-97.dat	family_berbew
behavioral1/files/0x0006000000016c23-99.dat	family_berbew
behavioral1/files/0x0006000000016c23-104.dat	family_berbew
behavioral1/files/0x0006000000016c35-116.dat	family_berbew
behavioral1/files/0x0006000000016c35-106.dat	family_berbew
behavioral1/files/0x0006000000016c23-105.dat	family_berbew
behavioral1/files/0x0006000000016c35-112.dat	family_berbew
behavioral1/files/0x0006000000016c35-110.dat	family_berbew
behavioral1/files/0x0006000000016c23-100.dat	family_berbew
behavioral1/files/0x0006000000016619-80.dat	family_berbew
behavioral1/files/0x0006000000016ae2-92.dat	family_berbew
behavioral1/files/0x0006000000016ae2-87.dat	family_berbew
behavioral1/files/0x0006000000016ae2-85.dat	family_berbew
behavioral1/files/0x0006000000016619-75.dat	family_berbew
behavioral1/files/0x0006000000016619-74.dat	family_berbew
behavioral1/files/0x0006000000016466-67.dat	family_berbew
behavioral1/files/0x0006000000016466-61.dat	family_berbew
behavioral1/files/0x0006000000016466-55.dat	family_berbew
behavioral1/files/0x0009000000015eb0-54.dat	family_berbew
behavioral1/files/0x0009000000015eb0-52.dat	family_berbew
behavioral1/files/0x0009000000015eb0-49.dat	family_berbew
behavioral1/files/0x0009000000015eb0-48.dat	family_berbew
behavioral1/files/0x001d000000015c8a-28.dat	family_berbew
behavioral1/files/0x0007000000015e30-33.dat	family_berbew
behavioral1/files/0x001d000000015c8a-22.dat	family_berbew
behavioral1/files/0x001d000000015c8a-20.dat	family_berbew
behavioral1/files/0x0006000000016c35-120.dat	family_berbew
behavioral1/files/0x0006000000016c35-121.dat	family_berbew
behavioral1/files/0x0006000000016c35-119.dat	family_berbew
behavioral1/files/0x0006000000016c35-122.dat	family_berbew

Executes dropped EXE 9 IoCs

pid	Process
2396	Mabgcd32.exe
2664	Mholen32.exe
2788	Mmldme32.exe
2576	Nkpegi32.exe
2752	Ndhipoob.exe
2796	Nlcnda32.exe
1692	Ncmfqkdj.exe
2552	Nigome32.exe
2868	Nlhgoqhh.exe

Loads dropped DLL 22 IoCs

pid	Process
2136	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
2136	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
2396	Mabgcd32.exe
2396	Mabgcd32.exe
2664	Mholen32.exe
2664	Mholen32.exe
2788	Mmldme32.exe
2788	Mmldme32.exe
2576	Nkpegi32.exe
2576	Nkpegi32.exe
2752	Ndhipoob.exe
2752	Ndhipoob.exe
2796	Nlcnda32.exe
2796	Nlcnda32.exe
1692	Ncmfqkdj.exe
1692	Ncmfqkdj.exe
2552	Nigome32.exe
2552	Nigome32.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe
2924	WerFault.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Nkpegi32.exe	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Mabgcd32.exe
File opened for modification	C:\Windows\SysWOW64\Mabgcd32.exe	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
File created	C:\Windows\SysWOW64\Nldodg32.dll	Mabgcd32.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Ncmfqkdj.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Mholen32.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Llcohjcg.dll	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
File created	C:\Windows\SysWOW64\Mabgcd32.exe	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Kgdjgo32.dll	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe

Program crash 1 IoCs

pid	pid_target	Process
2924	2868	WerFault.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll"	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2396	2136	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe	28
PID 2136 wrote to memory of 2396	2136	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe	28
PID 2136 wrote to memory of 2396	2136	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe	28
PID 2136 wrote to memory of 2396	2136	NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe	28
PID 2396 wrote to memory of 2664	2396	Mabgcd32.exe	29
PID 2396 wrote to memory of 2664	2396	Mabgcd32.exe	29
PID 2396 wrote to memory of 2664	2396	Mabgcd32.exe	29
PID 2396 wrote to memory of 2664	2396	Mabgcd32.exe	29
PID 2664 wrote to memory of 2788	2664	Mholen32.exe	30
PID 2664 wrote to memory of 2788	2664	Mholen32.exe	30
PID 2664 wrote to memory of 2788	2664	Mholen32.exe	30
PID 2664 wrote to memory of 2788	2664	Mholen32.exe	30
PID 2788 wrote to memory of 2576	2788	Mmldme32.exe	37
PID 2788 wrote to memory of 2576	2788	Mmldme32.exe	37
PID 2788 wrote to memory of 2576	2788	Mmldme32.exe	37
PID 2788 wrote to memory of 2576	2788	Mmldme32.exe	37
PID 2576 wrote to memory of 2752	2576	Nkpegi32.exe	31
PID 2576 wrote to memory of 2752	2576	Nkpegi32.exe	31
PID 2576 wrote to memory of 2752	2576	Nkpegi32.exe	31
PID 2576 wrote to memory of 2752	2576	Nkpegi32.exe	31
PID 2752 wrote to memory of 2796	2752	Ndhipoob.exe	36
PID 2752 wrote to memory of 2796	2752	Ndhipoob.exe	36
PID 2752 wrote to memory of 2796	2752	Ndhipoob.exe	36
PID 2752 wrote to memory of 2796	2752	Ndhipoob.exe	36
PID 2796 wrote to memory of 1692	2796	Nlcnda32.exe	35
PID 2796 wrote to memory of 1692	2796	Nlcnda32.exe	35
PID 2796 wrote to memory of 1692	2796	Nlcnda32.exe	35
PID 2796 wrote to memory of 1692	2796	Nlcnda32.exe	35
PID 1692 wrote to memory of 2552	1692	Ncmfqkdj.exe	34
PID 1692 wrote to memory of 2552	1692	Ncmfqkdj.exe	34
PID 1692 wrote to memory of 2552	1692	Ncmfqkdj.exe	34
PID 1692 wrote to memory of 2552	1692	Ncmfqkdj.exe	34
PID 2552 wrote to memory of 2868	2552	Nigome32.exe	33
PID 2552 wrote to memory of 2868	2552	Nigome32.exe	33
PID 2552 wrote to memory of 2868	2552	Nigome32.exe	33
PID 2552 wrote to memory of 2868	2552	Nigome32.exe	33
PID 2868 wrote to memory of 2924	2868	Nlhgoqhh.exe	32
PID 2868 wrote to memory of 2924	2868	Nlhgoqhh.exe	32
PID 2868 wrote to memory of 2924	2868	Nlhgoqhh.exe	32
PID 2868 wrote to memory of 2924	2868	Nlhgoqhh.exe	32

C:\Users\Admin\AppData\Local\Temp\NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.08ea1edee211fa1eabc6e32e3459b0f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\SysWOW64\Mabgcd32.exe
  C:\Windows\system32\Mabgcd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\Mholen32.exe
    C:\Windows\system32\Mholen32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\SysWOW64\Mmldme32.exe
      C:\Windows\system32\Mmldme32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576

C:\Windows\SysWOW64\Ndhipoob.exe
C:\Windows\system32\Ndhipoob.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\Nlcnda32.exe
  C:\Windows\system32\Nlcnda32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 140
1⤵
- Loads dropped DLL
- Program crash
PID:2924

C:\Windows\SysWOW64\Nlhgoqhh.exe
C:\Windows\system32\Nlhgoqhh.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\SysWOW64\Nigome32.exe
C:\Windows\system32\Nigome32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\Ncmfqkdj.exe
C:\Windows\system32\Ncmfqkdj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Egnhob32.dll

Filesize
7KB

MD5
7b4e61ee67e4cc4b7b84c613acc81d68

SHA1
b27da15954db15a1f7d091f7a13ebdb469147864

SHA256
415db61d723e7eca4738180e1c8a655b4d6f41348b0546ca3b807444faf74f9a

SHA512
bb33b521a2e67686d318fcfe55923ffe075936fd3c138c62ecb31c32b7133ff58d38c8c337abdfbc5e1aa111f7d672917570952664ff070a559f30f9fc338b8d

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
138KB

MD5
af2cd76bae54c1321e9769bb8836e18b

SHA1
ae6d565d504cdbf8c8369466112067aca93a66f6

SHA256
b1e44a83c0ed7c00ef6a2957117c425a499a6869e674f76538cdcb1c18b83da9

SHA512
a049398f88ca134c265ac09fbd8a173b1751ff1f9dad5d4b1563d44ff85ca7dc46c3340612406b0af4b411548c0002cbca4e71530d3a850fd76635cb5d4c65db

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
138KB

MD5
af2cd76bae54c1321e9769bb8836e18b

SHA1
ae6d565d504cdbf8c8369466112067aca93a66f6

SHA256
b1e44a83c0ed7c00ef6a2957117c425a499a6869e674f76538cdcb1c18b83da9

SHA512
a049398f88ca134c265ac09fbd8a173b1751ff1f9dad5d4b1563d44ff85ca7dc46c3340612406b0af4b411548c0002cbca4e71530d3a850fd76635cb5d4c65db

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
138KB

MD5
af2cd76bae54c1321e9769bb8836e18b

SHA1
ae6d565d504cdbf8c8369466112067aca93a66f6

SHA256
b1e44a83c0ed7c00ef6a2957117c425a499a6869e674f76538cdcb1c18b83da9

SHA512
a049398f88ca134c265ac09fbd8a173b1751ff1f9dad5d4b1563d44ff85ca7dc46c3340612406b0af4b411548c0002cbca4e71530d3a850fd76635cb5d4c65db

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
138KB

MD5
34435a69927245e4f6c0fe280548c0d0

SHA1
b01549c43084d5e78eff78338bbde7878a7a418e

SHA256
5a02c42efba22199ab7018cd0f45a2baca920a2bf0f1ad0e0c1f5c8852fd4b76

SHA512
1fa3c7a8452c6644589028c7ec92a6ce7cce5c8e9f6340eb005bd32f958434a9caec06fc3a23da73a86bd163c26be3595509a3fd17d1bee378a0022452c9f860

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
138KB

MD5
34435a69927245e4f6c0fe280548c0d0

SHA1
b01549c43084d5e78eff78338bbde7878a7a418e

SHA256
5a02c42efba22199ab7018cd0f45a2baca920a2bf0f1ad0e0c1f5c8852fd4b76

SHA512
1fa3c7a8452c6644589028c7ec92a6ce7cce5c8e9f6340eb005bd32f958434a9caec06fc3a23da73a86bd163c26be3595509a3fd17d1bee378a0022452c9f860

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
138KB

MD5
34435a69927245e4f6c0fe280548c0d0

SHA1
b01549c43084d5e78eff78338bbde7878a7a418e

SHA256
5a02c42efba22199ab7018cd0f45a2baca920a2bf0f1ad0e0c1f5c8852fd4b76

SHA512
1fa3c7a8452c6644589028c7ec92a6ce7cce5c8e9f6340eb005bd32f958434a9caec06fc3a23da73a86bd163c26be3595509a3fd17d1bee378a0022452c9f860

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
138KB

MD5
c1eb38b70484ef69a28c3b2a98aba560

SHA1
e305acb3edeaeec608751eee7fa11608f5c4c289

SHA256
f869fee02a446c944765f89e04946e6e00fa169e9fe7b0903d9d402ef1573b6d

SHA512
175b069b82ee32cbb7e065da74198b265c2a8b17d0dbafd8b1d83ce1e1dfe2e9ea318b9e910ae7ee148121d9a6562a41ad8f16d387363a93b0c02405817b2bde

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
138KB

MD5
c1eb38b70484ef69a28c3b2a98aba560

SHA1
e305acb3edeaeec608751eee7fa11608f5c4c289

SHA256
f869fee02a446c944765f89e04946e6e00fa169e9fe7b0903d9d402ef1573b6d

SHA512
175b069b82ee32cbb7e065da74198b265c2a8b17d0dbafd8b1d83ce1e1dfe2e9ea318b9e910ae7ee148121d9a6562a41ad8f16d387363a93b0c02405817b2bde

Download Submit
C:\Windows\SysWOW64\Mmldme32.exe

Filesize
138KB

MD5
c1eb38b70484ef69a28c3b2a98aba560

SHA1
e305acb3edeaeec608751eee7fa11608f5c4c289

SHA256
f869fee02a446c944765f89e04946e6e00fa169e9fe7b0903d9d402ef1573b6d

SHA512
175b069b82ee32cbb7e065da74198b265c2a8b17d0dbafd8b1d83ce1e1dfe2e9ea318b9e910ae7ee148121d9a6562a41ad8f16d387363a93b0c02405817b2bde

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
138KB

MD5
3983e78372c34f620a5fee7ac268ffe1

SHA1
150bbb91548fcaaaeab41e962d61717cfef0eaa5

SHA256
0229dee6b350a47ad5d39e5e8128ff17f88d388e64b1c8716c7e698ffe642b7a

SHA512
61d4b107c7b847c3c3265de6d654b081541f06169c36c58afe156d5a298861de4c5998af7b6cf344dca4158f4fc59f1d639182623d5141735631627cc6615aec

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
138KB

MD5
3983e78372c34f620a5fee7ac268ffe1

SHA1
150bbb91548fcaaaeab41e962d61717cfef0eaa5

SHA256
0229dee6b350a47ad5d39e5e8128ff17f88d388e64b1c8716c7e698ffe642b7a

SHA512
61d4b107c7b847c3c3265de6d654b081541f06169c36c58afe156d5a298861de4c5998af7b6cf344dca4158f4fc59f1d639182623d5141735631627cc6615aec

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
138KB

MD5
3983e78372c34f620a5fee7ac268ffe1

SHA1
150bbb91548fcaaaeab41e962d61717cfef0eaa5

SHA256
0229dee6b350a47ad5d39e5e8128ff17f88d388e64b1c8716c7e698ffe642b7a

SHA512
61d4b107c7b847c3c3265de6d654b081541f06169c36c58afe156d5a298861de4c5998af7b6cf344dca4158f4fc59f1d639182623d5141735631627cc6615aec

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
138KB

MD5
94078d2a02f299e56988aeb42e568b01

SHA1
81e6011a6fbfbc6bd71f86e9d4fe0b9a904917b6

SHA256
f7c6dc4f2adb6cde383c9f5dd96e51f7c294616a4dfd132675d7d50b31b59269

SHA512
e34b57d2bd24b801a7f90ff5c4c936c850f71e3f41d41e04e2f65d57f8f393e1c7758684e448b7f1a8a4530ac8939799dcd99a68c05ef28142c3a768d7b04f94

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
138KB

MD5
94078d2a02f299e56988aeb42e568b01

SHA1
81e6011a6fbfbc6bd71f86e9d4fe0b9a904917b6

SHA256
f7c6dc4f2adb6cde383c9f5dd96e51f7c294616a4dfd132675d7d50b31b59269

SHA512
e34b57d2bd24b801a7f90ff5c4c936c850f71e3f41d41e04e2f65d57f8f393e1c7758684e448b7f1a8a4530ac8939799dcd99a68c05ef28142c3a768d7b04f94

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
138KB

MD5
94078d2a02f299e56988aeb42e568b01

SHA1
81e6011a6fbfbc6bd71f86e9d4fe0b9a904917b6

SHA256
f7c6dc4f2adb6cde383c9f5dd96e51f7c294616a4dfd132675d7d50b31b59269

SHA512
e34b57d2bd24b801a7f90ff5c4c936c850f71e3f41d41e04e2f65d57f8f393e1c7758684e448b7f1a8a4530ac8939799dcd99a68c05ef28142c3a768d7b04f94

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
138KB

MD5
56efccd970f4cb47cf83031e1b8dee96

SHA1
b37758265ac6faa84222343bdea6b7fee92b40d4

SHA256
67234cf3b35fe143f3a5df9c210cc2a245ae545a44670043d270dc6029787169

SHA512
ebf44d3ceafa7bdd85464a1ef78be24f80cc165c4000c5b857ba4d9b5b034738d089c74333d5df1bf4ac8258cf4199fda083357a6e3b7349baaa2fe53d18cfc3

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
138KB

MD5
56efccd970f4cb47cf83031e1b8dee96

SHA1
b37758265ac6faa84222343bdea6b7fee92b40d4

SHA256
67234cf3b35fe143f3a5df9c210cc2a245ae545a44670043d270dc6029787169

SHA512
ebf44d3ceafa7bdd85464a1ef78be24f80cc165c4000c5b857ba4d9b5b034738d089c74333d5df1bf4ac8258cf4199fda083357a6e3b7349baaa2fe53d18cfc3

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
138KB

MD5
56efccd970f4cb47cf83031e1b8dee96

SHA1
b37758265ac6faa84222343bdea6b7fee92b40d4

SHA256
67234cf3b35fe143f3a5df9c210cc2a245ae545a44670043d270dc6029787169

SHA512
ebf44d3ceafa7bdd85464a1ef78be24f80cc165c4000c5b857ba4d9b5b034738d089c74333d5df1bf4ac8258cf4199fda083357a6e3b7349baaa2fe53d18cfc3

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
138KB

MD5
f68955974938bd0b210bbc9f506ba41a

SHA1
4ff4927c911d030814e7f756db4703e8ac80ea62

SHA256
69394e4b0d0d9bf31294599f53e896f51b4ff1fc16b14e82bf1e403719611657

SHA512
2ff513f93492e0241f4b539513e1ffa402f1c9e5193e6a9522f0533cae29de4f8794eb0605437dd21655889ce3a599b843e473ef442523b084d188d3d55ce6ed

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
138KB

MD5
f68955974938bd0b210bbc9f506ba41a

SHA1
4ff4927c911d030814e7f756db4703e8ac80ea62

SHA256
69394e4b0d0d9bf31294599f53e896f51b4ff1fc16b14e82bf1e403719611657

SHA512
2ff513f93492e0241f4b539513e1ffa402f1c9e5193e6a9522f0533cae29de4f8794eb0605437dd21655889ce3a599b843e473ef442523b084d188d3d55ce6ed

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
138KB

MD5
f68955974938bd0b210bbc9f506ba41a

SHA1
4ff4927c911d030814e7f756db4703e8ac80ea62

SHA256
69394e4b0d0d9bf31294599f53e896f51b4ff1fc16b14e82bf1e403719611657

SHA512
2ff513f93492e0241f4b539513e1ffa402f1c9e5193e6a9522f0533cae29de4f8794eb0605437dd21655889ce3a599b843e473ef442523b084d188d3d55ce6ed

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
138KB

MD5
64e8bbf73c1ea63a1889106e5a9aea37

SHA1
4c240129ac125b4cae041183e5e4136bbe6fc302

SHA256
57a1620cd75685fd2e32b63565d1b1287fad7d6483cda9d8fc9f69a4d281cd81

SHA512
9bf37fc3eb170a18d3a9df42672c00c76160df727960a4177c2f612d282d0db3688027fe57ffc739bc971af5949b851586601e47526d7eb36bb79a9702a47479

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
138KB

MD5
64e8bbf73c1ea63a1889106e5a9aea37

SHA1
4c240129ac125b4cae041183e5e4136bbe6fc302

SHA256
57a1620cd75685fd2e32b63565d1b1287fad7d6483cda9d8fc9f69a4d281cd81

SHA512
9bf37fc3eb170a18d3a9df42672c00c76160df727960a4177c2f612d282d0db3688027fe57ffc739bc971af5949b851586601e47526d7eb36bb79a9702a47479

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
138KB

MD5
64e8bbf73c1ea63a1889106e5a9aea37

SHA1
4c240129ac125b4cae041183e5e4136bbe6fc302

SHA256
57a1620cd75685fd2e32b63565d1b1287fad7d6483cda9d8fc9f69a4d281cd81

SHA512
9bf37fc3eb170a18d3a9df42672c00c76160df727960a4177c2f612d282d0db3688027fe57ffc739bc971af5949b851586601e47526d7eb36bb79a9702a47479

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
138KB

MD5
a84e963ea971ecd4ff86a167eac360d5

SHA1
7d391ec0a5fed97d3b0e2dd0b273a0c1bc76fe38

SHA256
f883ef8dfbc93b19e48b15f4c2aaf35a70bb91bb1e1d48cd9ba55c5135639e1d

SHA512
de335f69e5f95176498f38639243869b42df5f25136705d540b953a9e861630127512bec2eb97e6f089518f4f90905f8040869773db5b7a672af62416bbbeed5

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
138KB

MD5
a84e963ea971ecd4ff86a167eac360d5

SHA1
7d391ec0a5fed97d3b0e2dd0b273a0c1bc76fe38

SHA256
f883ef8dfbc93b19e48b15f4c2aaf35a70bb91bb1e1d48cd9ba55c5135639e1d

SHA512
de335f69e5f95176498f38639243869b42df5f25136705d540b953a9e861630127512bec2eb97e6f089518f4f90905f8040869773db5b7a672af62416bbbeed5

Download Submit
\Windows\SysWOW64\Mabgcd32.exe

Filesize
138KB

MD5
af2cd76bae54c1321e9769bb8836e18b

SHA1
ae6d565d504cdbf8c8369466112067aca93a66f6

SHA256
b1e44a83c0ed7c00ef6a2957117c425a499a6869e674f76538cdcb1c18b83da9

SHA512
a049398f88ca134c265ac09fbd8a173b1751ff1f9dad5d4b1563d44ff85ca7dc46c3340612406b0af4b411548c0002cbca4e71530d3a850fd76635cb5d4c65db

Download Submit
\Windows\SysWOW64\Mabgcd32.exe

Filesize
138KB

MD5
af2cd76bae54c1321e9769bb8836e18b

SHA1
ae6d565d504cdbf8c8369466112067aca93a66f6

SHA256
b1e44a83c0ed7c00ef6a2957117c425a499a6869e674f76538cdcb1c18b83da9

SHA512
a049398f88ca134c265ac09fbd8a173b1751ff1f9dad5d4b1563d44ff85ca7dc46c3340612406b0af4b411548c0002cbca4e71530d3a850fd76635cb5d4c65db

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
138KB

MD5
34435a69927245e4f6c0fe280548c0d0

SHA1
b01549c43084d5e78eff78338bbde7878a7a418e

SHA256
5a02c42efba22199ab7018cd0f45a2baca920a2bf0f1ad0e0c1f5c8852fd4b76

SHA512
1fa3c7a8452c6644589028c7ec92a6ce7cce5c8e9f6340eb005bd32f958434a9caec06fc3a23da73a86bd163c26be3595509a3fd17d1bee378a0022452c9f860

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
138KB

MD5
34435a69927245e4f6c0fe280548c0d0

SHA1
b01549c43084d5e78eff78338bbde7878a7a418e

SHA256
5a02c42efba22199ab7018cd0f45a2baca920a2bf0f1ad0e0c1f5c8852fd4b76

SHA512
1fa3c7a8452c6644589028c7ec92a6ce7cce5c8e9f6340eb005bd32f958434a9caec06fc3a23da73a86bd163c26be3595509a3fd17d1bee378a0022452c9f860

Download Submit
\Windows\SysWOW64\Mmldme32.exe

Filesize
138KB

MD5
c1eb38b70484ef69a28c3b2a98aba560

SHA1
e305acb3edeaeec608751eee7fa11608f5c4c289

SHA256
f869fee02a446c944765f89e04946e6e00fa169e9fe7b0903d9d402ef1573b6d

SHA512
175b069b82ee32cbb7e065da74198b265c2a8b17d0dbafd8b1d83ce1e1dfe2e9ea318b9e910ae7ee148121d9a6562a41ad8f16d387363a93b0c02405817b2bde

Download Submit
\Windows\SysWOW64\Mmldme32.exe

Filesize
138KB

MD5
c1eb38b70484ef69a28c3b2a98aba560

SHA1
e305acb3edeaeec608751eee7fa11608f5c4c289

SHA256
f869fee02a446c944765f89e04946e6e00fa169e9fe7b0903d9d402ef1573b6d

SHA512
175b069b82ee32cbb7e065da74198b265c2a8b17d0dbafd8b1d83ce1e1dfe2e9ea318b9e910ae7ee148121d9a6562a41ad8f16d387363a93b0c02405817b2bde

Download Submit
\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
138KB

MD5
3983e78372c34f620a5fee7ac268ffe1

SHA1
150bbb91548fcaaaeab41e962d61717cfef0eaa5

SHA256
0229dee6b350a47ad5d39e5e8128ff17f88d388e64b1c8716c7e698ffe642b7a

SHA512
61d4b107c7b847c3c3265de6d654b081541f06169c36c58afe156d5a298861de4c5998af7b6cf344dca4158f4fc59f1d639182623d5141735631627cc6615aec

Download Submit
\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
138KB

MD5
3983e78372c34f620a5fee7ac268ffe1

SHA1
150bbb91548fcaaaeab41e962d61717cfef0eaa5

SHA256
0229dee6b350a47ad5d39e5e8128ff17f88d388e64b1c8716c7e698ffe642b7a

SHA512
61d4b107c7b847c3c3265de6d654b081541f06169c36c58afe156d5a298861de4c5998af7b6cf344dca4158f4fc59f1d639182623d5141735631627cc6615aec

Download Submit
\Windows\SysWOW64\Ndhipoob.exe

Filesize
138KB

MD5
94078d2a02f299e56988aeb42e568b01

SHA1
81e6011a6fbfbc6bd71f86e9d4fe0b9a904917b6

SHA256
f7c6dc4f2adb6cde383c9f5dd96e51f7c294616a4dfd132675d7d50b31b59269

SHA512
e34b57d2bd24b801a7f90ff5c4c936c850f71e3f41d41e04e2f65d57f8f393e1c7758684e448b7f1a8a4530ac8939799dcd99a68c05ef28142c3a768d7b04f94

Download Submit
\Windows\SysWOW64\Ndhipoob.exe

Filesize
138KB

MD5
94078d2a02f299e56988aeb42e568b01

SHA1
81e6011a6fbfbc6bd71f86e9d4fe0b9a904917b6

SHA256
f7c6dc4f2adb6cde383c9f5dd96e51f7c294616a4dfd132675d7d50b31b59269

SHA512
e34b57d2bd24b801a7f90ff5c4c936c850f71e3f41d41e04e2f65d57f8f393e1c7758684e448b7f1a8a4530ac8939799dcd99a68c05ef28142c3a768d7b04f94

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
138KB

MD5
56efccd970f4cb47cf83031e1b8dee96

SHA1
b37758265ac6faa84222343bdea6b7fee92b40d4

SHA256
67234cf3b35fe143f3a5df9c210cc2a245ae545a44670043d270dc6029787169

SHA512
ebf44d3ceafa7bdd85464a1ef78be24f80cc165c4000c5b857ba4d9b5b034738d089c74333d5df1bf4ac8258cf4199fda083357a6e3b7349baaa2fe53d18cfc3

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
138KB

MD5
56efccd970f4cb47cf83031e1b8dee96

SHA1
b37758265ac6faa84222343bdea6b7fee92b40d4

SHA256
67234cf3b35fe143f3a5df9c210cc2a245ae545a44670043d270dc6029787169

SHA512
ebf44d3ceafa7bdd85464a1ef78be24f80cc165c4000c5b857ba4d9b5b034738d089c74333d5df1bf4ac8258cf4199fda083357a6e3b7349baaa2fe53d18cfc3

Download Submit
\Windows\SysWOW64\Nkpegi32.exe

Filesize
138KB

MD5
f68955974938bd0b210bbc9f506ba41a

SHA1
4ff4927c911d030814e7f756db4703e8ac80ea62

SHA256
69394e4b0d0d9bf31294599f53e896f51b4ff1fc16b14e82bf1e403719611657

SHA512
2ff513f93492e0241f4b539513e1ffa402f1c9e5193e6a9522f0533cae29de4f8794eb0605437dd21655889ce3a599b843e473ef442523b084d188d3d55ce6ed

Download Submit
\Windows\SysWOW64\Nkpegi32.exe

Filesize
138KB

MD5
f68955974938bd0b210bbc9f506ba41a

SHA1
4ff4927c911d030814e7f756db4703e8ac80ea62

SHA256
69394e4b0d0d9bf31294599f53e896f51b4ff1fc16b14e82bf1e403719611657

SHA512
2ff513f93492e0241f4b539513e1ffa402f1c9e5193e6a9522f0533cae29de4f8794eb0605437dd21655889ce3a599b843e473ef442523b084d188d3d55ce6ed

Download Submit
\Windows\SysWOW64\Nlcnda32.exe

Filesize
138KB

MD5
64e8bbf73c1ea63a1889106e5a9aea37

SHA1
4c240129ac125b4cae041183e5e4136bbe6fc302

SHA256
57a1620cd75685fd2e32b63565d1b1287fad7d6483cda9d8fc9f69a4d281cd81

SHA512
9bf37fc3eb170a18d3a9df42672c00c76160df727960a4177c2f612d282d0db3688027fe57ffc739bc971af5949b851586601e47526d7eb36bb79a9702a47479

Download Submit
\Windows\SysWOW64\Nlcnda32.exe

Filesize
138KB

MD5
64e8bbf73c1ea63a1889106e5a9aea37

SHA1
4c240129ac125b4cae041183e5e4136bbe6fc302

SHA256
57a1620cd75685fd2e32b63565d1b1287fad7d6483cda9d8fc9f69a4d281cd81

SHA512
9bf37fc3eb170a18d3a9df42672c00c76160df727960a4177c2f612d282d0db3688027fe57ffc739bc971af5949b851586601e47526d7eb36bb79a9702a47479

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
138KB

MD5
a84e963ea971ecd4ff86a167eac360d5

SHA1
7d391ec0a5fed97d3b0e2dd0b273a0c1bc76fe38

SHA256
f883ef8dfbc93b19e48b15f4c2aaf35a70bb91bb1e1d48cd9ba55c5135639e1d

SHA512
de335f69e5f95176498f38639243869b42df5f25136705d540b953a9e861630127512bec2eb97e6f089518f4f90905f8040869773db5b7a672af62416bbbeed5

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
138KB

MD5
a84e963ea971ecd4ff86a167eac360d5

SHA1
7d391ec0a5fed97d3b0e2dd0b273a0c1bc76fe38

SHA256
f883ef8dfbc93b19e48b15f4c2aaf35a70bb91bb1e1d48cd9ba55c5135639e1d

SHA512
de335f69e5f95176498f38639243869b42df5f25136705d540b953a9e861630127512bec2eb97e6f089518f4f90905f8040869773db5b7a672af62416bbbeed5

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
138KB

MD5
a84e963ea971ecd4ff86a167eac360d5

SHA1
7d391ec0a5fed97d3b0e2dd0b273a0c1bc76fe38

SHA256
f883ef8dfbc93b19e48b15f4c2aaf35a70bb91bb1e1d48cd9ba55c5135639e1d

SHA512
de335f69e5f95176498f38639243869b42df5f25136705d540b953a9e861630127512bec2eb97e6f089518f4f90905f8040869773db5b7a672af62416bbbeed5

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
138KB

MD5
a84e963ea971ecd4ff86a167eac360d5

SHA1
7d391ec0a5fed97d3b0e2dd0b273a0c1bc76fe38

SHA256
f883ef8dfbc93b19e48b15f4c2aaf35a70bb91bb1e1d48cd9ba55c5135639e1d

SHA512
de335f69e5f95176498f38639243869b42df5f25136705d540b953a9e861630127512bec2eb97e6f089518f4f90905f8040869773db5b7a672af62416bbbeed5

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
138KB

MD5
a84e963ea971ecd4ff86a167eac360d5

SHA1
7d391ec0a5fed97d3b0e2dd0b273a0c1bc76fe38

SHA256
f883ef8dfbc93b19e48b15f4c2aaf35a70bb91bb1e1d48cd9ba55c5135639e1d

SHA512
de335f69e5f95176498f38639243869b42df5f25136705d540b953a9e861630127512bec2eb97e6f089518f4f90905f8040869773db5b7a672af62416bbbeed5

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
138KB

MD5
a84e963ea971ecd4ff86a167eac360d5

SHA1
7d391ec0a5fed97d3b0e2dd0b273a0c1bc76fe38

SHA256
f883ef8dfbc93b19e48b15f4c2aaf35a70bb91bb1e1d48cd9ba55c5135639e1d

SHA512
de335f69e5f95176498f38639243869b42df5f25136705d540b953a9e861630127512bec2eb97e6f089518f4f90905f8040869773db5b7a672af62416bbbeed5

Download Submit
memory/1692-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2136-6-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2136-13-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2396-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2576-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2664-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2788-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads