34331607e6d351178ca2de5a54229a13c586d46442e525d41dccf5d3a9686adc

Analysis

max time kernel
0s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Size

128KB
MD5

f361c008d7d0e69dca8b2a1d55ec6ca1
SHA1

98d235c39307ad374b16df770399afe7f3a2e414
SHA256

34331607e6d351178ca2de5a54229a13c586d46442e525d41dccf5d3a9686adc
SHA512

0f1a4ebb6571b0dac754e2052520e4880d11484dfdbd6d47366d96fceb685e2fa6d7c1b45feb2acad8ac0a502f9de471287bec9f9540c58306ec380202db0da3
SSDEEP

3072:hvAYCVkmqGe2/BhHmiImXJ2fYdV46nfPyxWhj8NCM/r:hvA5qp4BhHmNEcYj9nhV8NCU

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe

Malware Dropper & Backdoor - Berbew 64 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/memory/3540-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/392-45-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000023211-75.dat	family_berbew
behavioral2/memory/4396-98-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1304-110-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000600000002321b-125.dat	family_berbew
behavioral2/files/0x000600000002321f-142.dat	family_berbew
behavioral2/files/0x0006000000023223-157.dat	family_berbew
behavioral2/memory/4992-166-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3488-182-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2600-194-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2884-206-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/936-214-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000023232-213.dat	family_berbew
behavioral2/files/0x0006000000023230-205.dat	family_berbew
behavioral2/memory/4992-217-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3664-220-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2636-221-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1304-223-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1112-228-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/748-230-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1404-233-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3256-235-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4304-234-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2880-232-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1720-231-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/640-229-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/5040-227-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4396-225-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4744-226-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2516-224-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3736-222-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/884-219-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/880-218-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3488-216-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2884-215-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4612-202-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000600000002322e-197.dat	family_berbew
behavioral2/files/0x000600000002322c-189.dat	family_berbew
behavioral2/memory/2448-181-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000600000002322a-180.dat	family_berbew
behavioral2/files/0x0006000000023228-173.dat	family_berbew
behavioral2/files/0x0006000000023228-172.dat	family_berbew
behavioral2/files/0x0006000000023226-165.dat	family_berbew
behavioral2/memory/568-163-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/880-150-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000023221-149.dat	family_berbew
behavioral2/files/0x0006000000023221-143.dat	family_berbew
behavioral2/memory/884-141-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000600000002321f-140.dat	family_berbew
behavioral2/files/0x000600000002321d-134.dat	family_berbew
behavioral2/memory/3664-133-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2636-126-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x000600000002321b-124.dat	family_berbew
behavioral2/memory/3736-118-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000023219-117.dat	family_berbew
behavioral2/files/0x0006000000023217-109.dat	family_berbew
behavioral2/files/0x0006000000023217-108.dat	family_berbew
behavioral2/memory/2516-102-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000023215-101.dat	family_berbew
behavioral2/files/0x0006000000023213-90.dat	family_berbew
behavioral2/memory/4744-89-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000023213-88.dat	family_berbew
behavioral2/files/0x0006000000023211-82.dat	family_berbew

Executes dropped EXE 10 IoCs

pid	Process
3256	Mncmjfmk.exe
4304	Mpaifalo.exe
1404	Mdmegp32.exe
2880	Mglack32.exe
392	Mkgmcjld.exe
2760	Mnfipekh.exe
1720	Mnfipekh.exe
748	Mdpalp32.exe
640	Mdpalp32.exe
1112	Nkjjij32.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Fhpdhp32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Codhke32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe

Program crash 1 IoCs

pid	pid_target	Process
2824	936	WerFault.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f361c008d7d0e69dca8b2a1d55ec6ca1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3256	3540	f361c008d7d0e69dca8b2a1d55ec6ca1.exe	48
PID 3540 wrote to memory of 3256	3540	f361c008d7d0e69dca8b2a1d55ec6ca1.exe	48
PID 3540 wrote to memory of 3256	3540	f361c008d7d0e69dca8b2a1d55ec6ca1.exe	48
PID 3256 wrote to memory of 4304	3256	Mncmjfmk.exe	47
PID 3256 wrote to memory of 4304	3256	Mncmjfmk.exe	47
PID 3256 wrote to memory of 4304	3256	Mncmjfmk.exe	47
PID 4304 wrote to memory of 1404	4304	Mpaifalo.exe	46
PID 4304 wrote to memory of 1404	4304	Mpaifalo.exe	46
PID 4304 wrote to memory of 1404	4304	Mpaifalo.exe	46
PID 1404 wrote to memory of 2880	1404	Mdmegp32.exe	45
PID 1404 wrote to memory of 2880	1404	Mdmegp32.exe	45
PID 1404 wrote to memory of 2880	1404	Mdmegp32.exe	45
PID 2880 wrote to memory of 392	2880	Mglack32.exe	44
PID 2880 wrote to memory of 392	2880	Mglack32.exe	44
PID 2880 wrote to memory of 392	2880	Mglack32.exe	44
PID 392 wrote to memory of 2760	392	Mkgmcjld.exe	43
PID 392 wrote to memory of 2760	392	Mkgmcjld.exe	43
PID 392 wrote to memory of 2760	392	Mkgmcjld.exe	43
PID 2760 wrote to memory of 1720	2760	Mnfipekh.exe	42
PID 2760 wrote to memory of 1720	2760	Mnfipekh.exe	42
PID 2760 wrote to memory of 1720	2760	Mnfipekh.exe	42
PID 1720 wrote to memory of 748	1720	Mnfipekh.exe	41
PID 1720 wrote to memory of 748	1720	Mnfipekh.exe	41
PID 1720 wrote to memory of 748	1720	Mnfipekh.exe	41
PID 748 wrote to memory of 640	748	Mdpalp32.exe	40
PID 748 wrote to memory of 640	748	Mdpalp32.exe	40
PID 748 wrote to memory of 640	748	Mdpalp32.exe	40
PID 640 wrote to memory of 1112	640	Mdpalp32.exe	39
PID 640 wrote to memory of 1112	640	Mdpalp32.exe	39
PID 640 wrote to memory of 1112	640	Mdpalp32.exe	39

C:\Users\Admin\AppData\Local\Temp\f361c008d7d0e69dca8b2a1d55ec6ca1.exe
"C:\Users\Admin\AppData\Local\Temp\f361c008d7d0e69dca8b2a1d55ec6ca1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\SysWOW64\Mncmjfmk.exe
  C:\Windows\system32\Mncmjfmk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3256

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
PID:4744
- C:\Windows\SysWOW64\Nceonl32.exe
  C:\Windows\system32\Nceonl32.exe
  2⤵
  PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 936 -ip 936
1⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 408
1⤵
- Program crash
PID:2824

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:936

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:2884

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:4612

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:2600

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:3488

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:2448

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
1⤵
PID:4992

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
PID:568

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:880

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
PID:884

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
PID:3664

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
1⤵
PID:2636

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:3736

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
PID:1304

C:\Windows\SysWOW64\Nceonl32.exe
C:\Windows\system32\Nceonl32.exe
1⤵
PID:2516

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
PID:5040

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1112

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1720

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Codhke32.dll

Filesize
6KB

MD5
51c8322fa39b10f41a83011505ef3e15

SHA1
796a9ee3123e6c08fd41f00566d3e570942da684

SHA256
fd1faa05510e5a46b714a4c1d4262649fff281c138b859ddf5c7955e0274c770

SHA512
0eff3a3bde801087c503e1087dfcf9fb84fe2a557b40f0dab2405dfed3f056275f84d7406212b498bfea020578fa94dfda495563c2dc90070a46985a2a54dd55

Download Submit
C:\Windows\SysWOW64\Fcdjjo32.dll

Filesize
6KB

MD5
b8009396601ea666b2d0e47ad0367d7c

SHA1
fc8cdcda0828101462d34afa707c94c6e6a37358

SHA256
7a09c9a3f359ae7e5bdabbd8dca9750e0563606af9a1e1c50e4bab848b8ee1f5

SHA512
01979fbf1445fef5b3b47fa3892528032e9b121542f2c9731b46e8e899aa8dc95bae6b3f6454e1c2192f576805b482f7a3fc54421654e204cc99726daf8e62ef

Download Submit
C:\Windows\SysWOW64\Fhpdhp32.dll

Filesize
6KB

MD5
5861f32a45277ce6f4ff66bd2f4641ad

SHA1
d061d74d001cb584fc187932ca677df70e5442fe

SHA256
ffcc8bd62e46c52c57d7ecce68b44a4e49eff5c591e255329589bab099c8a352

SHA512
10990a157ae9a20ddd0411d794f0a4fb5eb5e7ceb5d24b5a2b2a999fb94cfa5afc00aeeea2046f4de9fab826da46dff59dcad0ef32d71f5729b126667ec94006

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
79KB

MD5
3130d1b36aa9aeb0fe213cd6bb0b45d9

SHA1
208ee99fcf376b5a4e4f8222a912c220aa670dfb

SHA256
ce5bad57d13a8ff731022eca1385dbd7c51737b16f1f3ca4c86b816eb4bfd048

SHA512
5bb97c1bbd8c555503e2edbd5b2e7362b4c98c4f6aec9a962d7779e0358d677ac9139c71947e17c611aaf95ae8c1a5fa38e472a2a8af8530fb5dcce0b115207f

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
128KB

MD5
211959460d30819e13412b4192558f49

SHA1
d8a297513a6b8d8303e8017438c6ddc18dfb0a5d

SHA256
cd198d3c1f5120500ec957377193855b0ce4707a37163fb4d3f06c2b59098adf

SHA512
a38aadbd809977296b98b611448a94d1cb57eadefe702959576b1e2d8cc7a3bda06e9867729ac49ba091d25a3a2422cd651115b7c019044d559785f48a3d7c79

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
128KB

MD5
04c26e0eaea1b50657a4a3717a9d6087

SHA1
56ce853cc0fc32aca9095699572e839a5f121d5e

SHA256
cc4788abfe2be17bd17a59c1ac607ac9c39c60999675b134ced590c7572a6c6e

SHA512
dc6876ed2de8a6bc4d1e69d31b524c0c1eaf91740e1202038df1ae39d3dde62236bbea78b8393b791353375022e92d9c16f00f779758645c192aa1fd613a6f36

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
128KB

MD5
f68d0a45e7f5c148452cacd781e8cf39

SHA1
430326a04ca25d3bff63de68a01a38993a1b5783

SHA256
76f84d2d57d72bc5b76cd20a8d7eea69463cbe7b3b591111a20259ee48c974f4

SHA512
fb4acd41b8e5c05e851a2d87ad7adf2e963308b317ac34cbf8f1a01ab070c57b255525814dbb8510de52af377fc352dce4ba2080f878bbc8309de3babadd88bc

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
116KB

MD5
1c98eacfbafb29191795c73f8c44d1f5

SHA1
1250663ef96545bd08a04e5a1d8ccaab968e2865

SHA256
cabad15f891d6a9ad47751ba9046e33cdee51256e7ce2735d6d52f6dfccbecc6

SHA512
1972832113785784f77cd2f7f1d536b1ac06688ad2d1b41c92b9109dbbb218b843ef1cf7031d35cef388e21ee9dee08f6e1c8fa316058702031db8bf5ae4e023

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
77KB

MD5
bced3bfe770a2a7af95043a25a14c693

SHA1
16d23b819f397fb5bc47057f6c6e155a2adcb173

SHA256
73bbe350a7e060d63963945beb5b7cf9240707a7d0b3df1d63292dd977197873

SHA512
903a151a1fb96b7a210163ab62a14dd7bf5e01bb035abde2d42a985ac937d5ae66239a1d456251a79139532969c3a78d27872f8d04660f8ecac0286a11a8f2a0

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
119KB

MD5
f2e18d73af758b45bf20c0bc7caa4ab0

SHA1
d3eb6da6cd1ef5369ed65544310724f2c5e70790

SHA256
07de3ea97c0f11eaa6599504b63f2b79f90922e70ab6c8f8dd783b6a3801c454

SHA512
64e5952a911a3db3d0f64c09446411ae0882e4d9edc9de55bcff3d08e4f6abae7009d224603d3bcfa51c3651705d601d8cef9818aca98139772f6e450244b314

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
88KB

MD5
1516b24c1ba3b43cd25cd7a8e4598dc8

SHA1
5026eb7651392ac172701c24e0c58987ce1eb157

SHA256
7476096930865027128dfebbe42f994764fc13ce3331e6bb2e9cfea3656d7d29

SHA512
79d5b9ef2d12db43187e7b45bc1b17f175dcdbd9f5af92833bc630db03bfd3b2a3a1c8ac512b5f35cfa7b76b4460f935f3ed9d48580c41eac34d4d4195f2487d

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
128KB

MD5
1b2409614083db4d6a3e3d02ab259d39

SHA1
be5c8d3690fec3dce8d4fb540274f392f4cdc593

SHA256
cdb0f4f00bd5e65c748ccb9af4bed8f02493b72b65c35767d37c242219cb72d1

SHA512
2eb7bdae95938dc3afcd6b2e49072d5c76ad9119fa042c963649869b39fbfcfb11f36770b607a4628c5c04396fc675ae18ec42782b28ba3d1c7a694e25324e73

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
101KB

MD5
467c8bdcd37b1bfb16de44484b666054

SHA1
8e99618fcf931488e39c44642bf1fdc26563c7cb

SHA256
8c4b6200332ca9407f7192f3b9f96c7105420ea28a3772eed89592618fcfce63

SHA512
1e585516211506b44c8855163e4d01fc04d23cde12f8f61abd1959b527103bb1b9e0227737148c9e3e8e5912cdabfecae469927d6a8d24d301086919817fc12e

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
128KB

MD5
e6af94773a1a6a586ef7f71da0033ce7

SHA1
deb7b2a90e07343fb021aafcdfa39e7b9460e12e

SHA256
5c65daae07a31af48831ffd8b5e3a068fb509746c990afa3376ad5b86a3149b1

SHA512
a0dfaa5afaf8065fc13a245cb7e2e7a53c0412513f5e3743ba5587caeaac2702dc57dab8f5b99dc44bfa895ebea819834bb33df82cfbebc9f9bd848927dd650e

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
128KB

MD5
e4741aeafac4e5ab064c2297d2f7faa0

SHA1
a1372fbb1cdbeb5f725daf1c8e6d3855fc4286d8

SHA256
2d233c9567082620b690a7fdf6e288d02f145b9dd4d3a74e247084800c5d093c

SHA512
d894c31f068cf381d2fd18839939fa4a9b7a6290cd3f5db888b3171a453a30adccb876637b21e4218e17c8982c6e92015cccb384a74442a087357106dc9e5abf

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
128KB

MD5
17db894b356c9459e7c7eb1b0584f16c

SHA1
55751859788dd3f9a0dda31c519c9df1a8544e92

SHA256
ca7719b88e031beca9b59db998f5f160873bf2a56f62faf956dfe9360c17ca61

SHA512
70e2c9d3d5d9dd5abc100a9a7d5dbc9751c129ada6b808d2eb27eeb936608c65b2a9dae0bc44089545eefb9c23e902a25917dc81d4a3bd2afe08e8d5a4e70f00

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
128KB

MD5
3ab4670f1b514946fb6b7f6297bae86e

SHA1
3b5c7c76d2f69118fe09bc6145bf57fff7539489

SHA256
cfb6e4c129d57ae4ccec3e551d3e26bfe716d10af415f0929cabf78381991c02

SHA512
dfd81b4f3731a3bbbf7430e3af548f76ae393615cd9f59f09eabc611a38a45cd4853c66ef7e730e69c2eb1bec7b9d5d6bdf78ce0698f3f2a2da702a3592bd8b0

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
109KB

MD5
a6bfe2731dd55d04adb1b0285cc81b31

SHA1
b9d733f11ae67b4ac69528ea18c437293915efaa

SHA256
e1408af02226b62c09e60676c13991160c8367a2dd746b12626dde2636a6e538

SHA512
5d91cb30069b30af224c73004861cba9fa2369a532c6a1665484fb739b6227eae22535f41c862864686a2d115f01a14e59024ced8635fbd57aebacfdfa45e5f9

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
128KB

MD5
9de7ec305d37e7d9df57832549cb4ff7

SHA1
91890fd4bc64040af8f1285ed5c7ed79ee455b62

SHA256
433138d6e0d0e44af4bc55c86f2df2aebad383d01f148c351939116e119608a5

SHA512
00178b46d53e5635205712ff4903bc6d3753ebd6b889816ee38b5709e9113b3fbefd870b206c1392a867162bb736736a3103f9bf4b802d2f1bfcb21b4eefcbef

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
128KB

MD5
0e3ff242a6a2e3646cc848c4c752563b

SHA1
24171ace0df03df9b79f6e3d0d143eba3a8ae4de

SHA256
9d49603d68624f31008c350c81a97747c253620a617a468ccd84ad36048fb100

SHA512
f1d67b1c70bacb18c003d7d2cc58b20245b731ef66f61de1570ff4ee1034a2d09a672ab0aa5e0972740685417bd1c9ed770ed1721623849c5d0a0578b0112d4a

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
128KB

MD5
ef81d17909f2752b03106483c1c72103

SHA1
7f96decfc2b3cb8577bd84a8d6dac7af0a0631bd

SHA256
44f7a346dca691de79c949feaa301c30c905525ae4f029d13c4f846243ba52f8

SHA512
0d1e41af1d5cf4796bfb11347c9ffa9c42562baea3adaab5ba276cc18536e07a19fa8a88203615ef1c8e7a18a7d55d84beb33cc741f988b55cf1b2446678df8a

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
105KB

MD5
88703a863e30a867d630ee8b9ec5c78c

SHA1
3915337fad4366f2a986d1c2826c15d351d607b5

SHA256
4196e1aa1e13283b8b9d57bcdb91ac54582cb4079e84df593cdb1955d9f6ae60

SHA512
289b9676e3270b5b8bad9d84d169328b8eeaca2a21a62d5e7a1ba60ca08d65f29400338705acf9ca2e2b1e6acb37de7fd709be396668e66065a3eae6326c30ea

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
6dbb4e98c7b4c4b31514255aced24d03

SHA1
88d48d204498e10ceb941718e037ac1f2f1c4b5e

SHA256
ab784cf89fbb6b234289e0c0e68d68ccefaf130b1c8e56db4f65d4515656b2a6

SHA512
2dafffc935ffbc9725a51dc782888968b79e8128540b006c2176049f9ec81aeca8d5e3fd15c64301a37bad92bcef427c1cfe79512cd57828caebf1130e754616

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
128KB

MD5
9456edaa90b1ac6cb63325ea7b0b35ec

SHA1
613f55e3adff1ec6d9322f99cb3ed1deb718a695

SHA256
50bb14f0548905876665762d2c9f7720cc7002db931e8c74dcf217dc64b27704

SHA512
716998bd712450a2105e695893045a470a5fb77664a3f4a0e344a718e81617afd4f53a101147f6ad01354d59d5d15060c65fd1b25c5227582da1705b8fe39c5f

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
92KB

MD5
efe7e1a55290d25ab2953214a1f7b016

SHA1
a8a76764d36ed4d602eb322285a49396806c095d

SHA256
42cbe143b6e046b66bd4dcc87c9c5768411a557e7e3aadb3a232e481b3ae39bb

SHA512
15befc268241009597fb69852d21167bd329748b033a6fe1e6df6cbb8b0fd43c800b68cc22744f586d78157cacf2ac99ff75e232722e3c25abcbaf5537bc2507

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
120KB

MD5
4949f08e5de075dac526a47cc5131ce9

SHA1
fa4be7ca763c5d87e923b22cc0e5e7b1db75fdf2

SHA256
4af0c62f5fbc67982d52a14ed743d77daada3f0d3f7f98d4bd83895c5d5ceee6

SHA512
eeb39bc3e1ca95f733336857adc29a631f8945a9c58eeb5f9645e6eee88802ffeed76db2e3fe02533256ce4a5ceaa7b566148f08919a886da4307d4996ce3a26

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
128KB

MD5
e52b5d33730da3abafdc6479a6258428

SHA1
3ec7a0c70f5220365ea6cfbef94c3efb67a3ec90

SHA256
8417c3768a141fe6211b8b267b3d27506aa3a37be47317a0c58550834df73f8f

SHA512
356e8b027c38bf15d13c224692ee01087f19359f84625af4a1d529fb9ba4212aa738d078822156be4937460724e574ed31f04dc12f5d0c761e1af882800c4306

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
128KB

MD5
0a852bb169a2804cbc9316b0e40205fc

SHA1
20371f202d2b5f1e5842e3653067d0d64051b2b8

SHA256
eda744fb2d63eb445d048a1b301a340f2735e81bad3fa2d4d01922da21dca19c

SHA512
6e5d2139562399cde7c81ca0f60519db6a391b4a9aa0c4434f7e4ca4e203de0c8711f6ec40d7fbc02a4aac385393e4f191714a15860f940b66ddcffcd2587422

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
59KB

MD5
abd62c4abf04117446f3f9ca8a36c05d

SHA1
6eb030b1cef7e7ef9a460289c40861cfda99a74b

SHA256
5f410860142378a628e1306c1427fee85e870847ec573c5e73d531b6d8d2ace1

SHA512
3d45e89b2fabf88c05472afa93318f20b282a1b41cfba0bfc80461a47c94920557f39eaacf8544ab8ea5ddc42ce21399829bfdbec075eb0b0f1ae88a03c8c170

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
128KB

MD5
63fce15aa6cf68f3edb6746ebf4bd2b1

SHA1
5575991ba225efadfbe9111d14f9fea8d4ec45ad

SHA256
58b3da658b589c5566a1f3f73183d53d592cd6f8ee780fc8787b445d6f64a969

SHA512
99a82d85596b99ac05df14a00461fdbb3fb0fdabef3eaff9ce9e31b6fe0b36765b09fab69a14e4c1ca7f5ccdca9796dd5d3275cec2b923427466dd2e558b1cbf

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
128KB

MD5
475b0ee741ccdf20f7a665fe1e8e84a1

SHA1
665fa968578f0b3753986a81dcdb5f053a7bb4d5

SHA256
d7faf3145936551bb74a5f6795088e3382536e2fa47384ed4234660b6a0912a0

SHA512
320b30c1d5722e8f8b8d29b5ecd3b0a444caf74b72bb0bec49bc65664b5ccbb64a49ddae7a91b46f569c8c81075eab6cb9be5e6427d79a38526afa5e06b4b41e

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
128KB

MD5
cd3eaa6415b197348c09dea93ec0a675

SHA1
37d1fc9c18be72683e9a0dd0b1ed01fe8241867e

SHA256
df1e99cdd3d7b619c8245b3abdb33a24be34f02e0658371b52c2e06523002199

SHA512
b6b23a41f23c93287155b9596974bbc2838bdd0694242853c2f5dc69fe20045abb7560581601ec2bb39efacf22be5e1a84f2eebb02cd65cbe45d1ae3b0a6c1c9

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
128KB

MD5
e55945b7fbcdd151d1373880e1e6f906

SHA1
f22bac271dae50a4b64f5cc514e74c592d88ee1c

SHA256
66a4e408f11b780e0ee52d7d096fc4cc33276451e984b5f913fcda5d5a0fd485

SHA512
e9fc7e064901545f5b00f506a5e2e49eb1fa9f83b7d7aae2acac4715a48d1524023ad655be7d7e9d65fb99e43183fc7b1fed799314520769090ffbbbb68ecdfa

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
92KB

MD5
4870ff039c6155ece4bbbdc2f981d19f

SHA1
d40751d2ee4705d7395c87f440dabae730d585fb

SHA256
50b2e65b759563ebf99e9c29a8a9ae9691b8b0a49b5084f9ddb7e06396d06cdb

SHA512
e770d9111431376cc7b2d8b7700e9e90b6ec4e10899775bad90c262b36ad294df6fd7bd6ef51a8caa5f9d0e648b9b7e8e2a5de37ac54954074a189b12e13f40e

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
128KB

MD5
84b064ef90a913e379fb9a0b9e48e9ed

SHA1
4f2409f96f59f968fe712019a1d4a9dc952bfda2

SHA256
e6b43a396568c4573dd8eec4c9b0a07c222b4206cb6020a155c643e06727388b

SHA512
977d26f37e4c530e5aca63bba2d26591edb18ccf7ec89d33e2703e8586a6e258dccdd4a240b31b20072af4794ed884c0efaa2f5e0b661be3c4a192382d56b333

Download Submit
memory/392-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/568-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/640-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/640-68-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/748-230-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-218-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/880-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/884-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/936-214-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1112-228-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1304-110-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1304-223-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1404-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1720-53-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1720-231-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-102-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2516-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2600-194-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2636-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2760-51-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2884-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3256-235-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3488-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3540-5-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-220-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3664-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-222-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-21-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4304-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4396-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4612-202-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4744-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4744-226-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4992-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5040-227-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads