79e91528c5b60e3f79d26623b11f2aa809799b6614cfd1cc9efc89479f57325b

Analysis

max time kernel
0s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2023 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52262b61121736e3cbe3baadafb667b3.exe
Size

55KB
MD5

52262b61121736e3cbe3baadafb667b3
SHA1

7583c6c8e3b198549b67b6bc31c3455bf25e03fe
SHA256

79e91528c5b60e3f79d26623b11f2aa809799b6614cfd1cc9efc89479f57325b
SHA512

a517e7cbd702408b8795a3eecd84ac26141995654597930e57189a35e328cb4eedb40be96b2a9b30092502c889b43401ab3258539ded0ea9507b90edbce23bf3
SSDEEP

768:1RGaZZYiIG7c2qYNhsJSkUSvKcDbB6BAvoipEZzfOF/bxWSXv12p/1H5hXdnh:FZeiG25hAUP2VpEZzuf12LZ

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	52262b61121736e3cbe3baadafb667b3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	52262b61121736e3cbe3baadafb667b3.exe

Executes dropped EXE 11 IoCs

pid	Process
3928	Mnapdf32.exe
856	Mpolqa32.exe
3576	Mdkhapfj.exe
1972	Mcnhmm32.exe
3156	Mkepnjng.exe
4364	Mncmjfmk.exe
4192	Maohkd32.exe
396	Mpaifalo.exe
3664	Mcpebmkb.exe
2136	Mglack32.exe
4680	Mjjmog32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	52262b61121736e3cbe3baadafb667b3.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	52262b61121736e3cbe3baadafb667b3.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	52262b61121736e3cbe3baadafb667b3.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe

Program crash 1 IoCs

pid	pid_target	Process
3656	2736	WerFault.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	52262b61121736e3cbe3baadafb667b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	52262b61121736e3cbe3baadafb667b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	52262b61121736e3cbe3baadafb667b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	52262b61121736e3cbe3baadafb667b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	52262b61121736e3cbe3baadafb667b3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	52262b61121736e3cbe3baadafb667b3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3928	2752	52262b61121736e3cbe3baadafb667b3.exe	73
PID 2752 wrote to memory of 3928	2752	52262b61121736e3cbe3baadafb667b3.exe	73
PID 2752 wrote to memory of 3928	2752	52262b61121736e3cbe3baadafb667b3.exe	73
PID 3928 wrote to memory of 856	3928	Mnapdf32.exe	72
PID 3928 wrote to memory of 856	3928	Mnapdf32.exe	72
PID 3928 wrote to memory of 856	3928	Mnapdf32.exe	72
PID 856 wrote to memory of 3576	856	Mpolqa32.exe	70
PID 856 wrote to memory of 3576	856	Mpolqa32.exe	70
PID 856 wrote to memory of 3576	856	Mpolqa32.exe	70
PID 3576 wrote to memory of 1972	3576	Mdkhapfj.exe	69
PID 3576 wrote to memory of 1972	3576	Mdkhapfj.exe	69
PID 3576 wrote to memory of 1972	3576	Mdkhapfj.exe	69
PID 1972 wrote to memory of 3156	1972	Mcnhmm32.exe	68
PID 1972 wrote to memory of 3156	1972	Mcnhmm32.exe	68
PID 1972 wrote to memory of 3156	1972	Mcnhmm32.exe	68
PID 3156 wrote to memory of 4364	3156	Mkepnjng.exe	67
PID 3156 wrote to memory of 4364	3156	Mkepnjng.exe	67
PID 3156 wrote to memory of 4364	3156	Mkepnjng.exe	67
PID 4364 wrote to memory of 4192	4364	Mncmjfmk.exe	66
PID 4364 wrote to memory of 4192	4364	Mncmjfmk.exe	66
PID 4364 wrote to memory of 4192	4364	Mncmjfmk.exe	66
PID 4192 wrote to memory of 396	4192	Maohkd32.exe	65
PID 4192 wrote to memory of 396	4192	Maohkd32.exe	65
PID 4192 wrote to memory of 396	4192	Maohkd32.exe	65
PID 396 wrote to memory of 3664	396	Mpaifalo.exe	63
PID 396 wrote to memory of 3664	396	Mpaifalo.exe	63
PID 396 wrote to memory of 3664	396	Mpaifalo.exe	63
PID 3664 wrote to memory of 2136	3664	Mcpebmkb.exe	62
PID 3664 wrote to memory of 2136	3664	Mcpebmkb.exe	62
PID 3664 wrote to memory of 2136	3664	Mcpebmkb.exe	62
PID 2136 wrote to memory of 4680	2136	Mglack32.exe	61
PID 2136 wrote to memory of 4680	2136	Mglack32.exe	61
PID 2136 wrote to memory of 4680	2136	Mglack32.exe	61

C:\Users\Admin\AppData\Local\Temp\52262b61121736e3cbe3baadafb667b3.exe
"C:\Users\Admin\AppData\Local\Temp\52262b61121736e3cbe3baadafb667b3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3928

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:1296
- C:\Windows\SysWOW64\Nkqpjidj.exe
  C:\Windows\system32\Nkqpjidj.exe
  2⤵
  PID:4964

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:4776
- C:\Windows\SysWOW64\Nnolfdcn.exe
  C:\Windows\system32\Nnolfdcn.exe
  2⤵
  PID:4728

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:4420
- C:\Windows\SysWOW64\Ndidbn32.exe
  C:\Windows\system32\Ndidbn32.exe
  2⤵
  PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2736 -ip 2736
1⤵
PID:2532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 400
1⤵
- Program crash
PID:3656

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:2736

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
PID:328

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:2116

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
PID:2392

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
PID:2036

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
PID:4700

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
1⤵
PID:4512

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:4284

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
1⤵
PID:3644

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
1⤵
PID:4676

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:464

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
PID:4560

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
PID:4600

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
1⤵
PID:4204

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
PID:1984

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
PID:2852

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
PID:5096

C:\Windows\SysWOW64\Njljefql.exe
C:\Windows\system32\Njljefql.exe
1⤵
PID:3640

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
PID:1180

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
PID:4476

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
PID:1352

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
PID:2460

C:\Windows\SysWOW64\Mjjmog32.exe
C:\Windows\system32\Mjjmog32.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4364

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\Mpolqa32.exe
C:\Windows\system32\Mpolqa32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
55KB

MD5
4c9850203543bbf86be6e402678f9864

SHA1
ffe7d9fef8e8e4dae7271ccc93bb78c60c7185f8

SHA256
543d4061b5e0d9b431668bd74ee84ee8117dc5db491d0607bac910f44eee819f

SHA512
8478e8baafc810e4463da7717541225a4fe21223cd5a4aa17f6ad58aa34dd3ed0cacb25934767731ee9b190cd98ebe6f7c3a8b348f6fc09211b73ead42a39710

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
55KB

MD5
22616de91b99bf8c72c9a5bf40f35734

SHA1
f73e5b8745a0e78575e6f4e4d600b347c472acdf

SHA256
b86df4d80b5469d29d49de4c70bd1d242303569e5fda72f0d56ef6cee2c167cf

SHA512
a4bdaeb081048c19002446c2f07f746f21db70c70a1bff7b11492ff2dc0ac0f626f5b2d730a380ca8688fa6b3af0265e6496492d9778408fb8adbabb7fe3490f

Download Submit
memory/328-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2392-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2460-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3576-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3644-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3928-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4284-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4680-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4700-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4728-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4776-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5096-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads