1db27d6659a74f79cb64ba7ed41be7a1ead612d8311ad63fc0ffa41808372130

Analysis

max time kernel
0s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 20:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e78e9b63ff667c92179fdf109585ac99.exe
Size

176KB
MD5

e78e9b63ff667c92179fdf109585ac99
SHA1

29fd58bc4cfa2c4e83e0d8de4d55df9a70df71a3
SHA256

1db27d6659a74f79cb64ba7ed41be7a1ead612d8311ad63fc0ffa41808372130
SHA512

237d0fc0b4dac7635264f9cedf50c6e06357c0cf070d19c8428d47556e246eff5f0c5370ad13483637d4b1702c75c2cd983a24af0ad515dd0124716bb683a3df
SSDEEP

3072:4B/zhVHB684arlOGA8d2E2fAYjmjRrz3E3:4BLzB684RXE2fAEG4

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e78e9b63ff667c92179fdf109585ac99.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldaeka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e78e9b63ff667c92179fdf109585ac99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe

Executes dropped EXE 11 IoCs

pid	Process
1792	Ldaeka32.exe
3132	Lgpagm32.exe
2632	Ljnnch32.exe
4984	Lnjjdgee.exe
3252	Laefdf32.exe
4988	Lddbqa32.exe
2400	Lgbnmm32.exe
1420	Mjqjih32.exe
4436	Mahbje32.exe
3600	Mpkbebbf.exe
4548	Mciobn32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lppbjjia.dll	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Ldaeka32.exe	e78e9b63ff667c92179fdf109585ac99.exe
File created	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Laefdf32.exe
File opened for modification	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Ldaeka32.exe	e78e9b63ff667c92179fdf109585ac99.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Ckegia32.dll	e78e9b63ff667c92179fdf109585ac99.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Lgpagm32.exe	Ldaeka32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3312	4628	WerFault.exe	24

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdigkkd.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e78e9b63ff667c92179fdf109585ac99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpgeph32.dll"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgpagm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e78e9b63ff667c92179fdf109585ac99.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e78e9b63ff667c92179fdf109585ac99.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e78e9b63ff667c92179fdf109585ac99.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e78e9b63ff667c92179fdf109585ac99.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegia32.dll"	e78e9b63ff667c92179fdf109585ac99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldggfbc.dll"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldaeka32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefncbmc.dll"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	Lddbqa32.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1792	2588	e78e9b63ff667c92179fdf109585ac99.exe	73
PID 2588 wrote to memory of 1792	2588	e78e9b63ff667c92179fdf109585ac99.exe	73
PID 2588 wrote to memory of 1792	2588	e78e9b63ff667c92179fdf109585ac99.exe	73
PID 1792 wrote to memory of 3132	1792	Ldaeka32.exe	72
PID 1792 wrote to memory of 3132	1792	Ldaeka32.exe	72
PID 1792 wrote to memory of 3132	1792	Ldaeka32.exe	72
PID 3132 wrote to memory of 2632	3132	Lgpagm32.exe	71
PID 3132 wrote to memory of 2632	3132	Lgpagm32.exe	71
PID 3132 wrote to memory of 2632	3132	Lgpagm32.exe	71
PID 2632 wrote to memory of 4984	2632	Ljnnch32.exe	70
PID 2632 wrote to memory of 4984	2632	Ljnnch32.exe	70
PID 2632 wrote to memory of 4984	2632	Ljnnch32.exe	70
PID 4984 wrote to memory of 3252	4984	Lnjjdgee.exe	69
PID 4984 wrote to memory of 3252	4984	Lnjjdgee.exe	69
PID 4984 wrote to memory of 3252	4984	Lnjjdgee.exe	69
PID 3252 wrote to memory of 4988	3252	Laefdf32.exe	68
PID 3252 wrote to memory of 4988	3252	Laefdf32.exe	68
PID 3252 wrote to memory of 4988	3252	Laefdf32.exe	68
PID 4988 wrote to memory of 2400	4988	Lddbqa32.exe	67
PID 4988 wrote to memory of 2400	4988	Lddbqa32.exe	67
PID 4988 wrote to memory of 2400	4988	Lddbqa32.exe	67
PID 2400 wrote to memory of 1420	2400	Lgbnmm32.exe	66
PID 2400 wrote to memory of 1420	2400	Lgbnmm32.exe	66
PID 2400 wrote to memory of 1420	2400	Lgbnmm32.exe	66
PID 1420 wrote to memory of 4436	1420	Mjqjih32.exe	65
PID 1420 wrote to memory of 4436	1420	Mjqjih32.exe	65
PID 1420 wrote to memory of 4436	1420	Mjqjih32.exe	65
PID 4436 wrote to memory of 3600	4436	Mahbje32.exe	64
PID 4436 wrote to memory of 3600	4436	Mahbje32.exe	64
PID 4436 wrote to memory of 3600	4436	Mahbje32.exe	64
PID 3600 wrote to memory of 4548	3600	Mpkbebbf.exe	63
PID 3600 wrote to memory of 4548	3600	Mpkbebbf.exe	63
PID 3600 wrote to memory of 4548	3600	Mpkbebbf.exe	63

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
PID:1612
- C:\Windows\SysWOW64\Mcpebmkb.exe
  C:\Windows\system32\Mcpebmkb.exe
  2⤵
  PID:2068

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
1⤵
PID:2584
- C:\Windows\SysWOW64\Nceonl32.exe
  C:\Windows\system32\Nceonl32.exe
  2⤵
  PID:4168

C:\Windows\SysWOW64\Njogjfoj.exe
C:\Windows\system32\Njogjfoj.exe
1⤵
PID:2888
- C:\Windows\SysWOW64\Nafokcol.exe
  C:\Windows\system32\Nafokcol.exe
  2⤵
  PID:1776

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
PID:4116
- C:\Windows\SysWOW64\Njacpf32.exe
  C:\Windows\system32\Njacpf32.exe
  2⤵
  PID:4484

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:3216
- C:\Windows\SysWOW64\Nbkhfc32.exe
  C:\Windows\system32\Nbkhfc32.exe
  2⤵
  PID:744
- - C:\Windows\SysWOW64\Ndidbn32.exe
    C:\Windows\system32\Ndidbn32.exe
    3⤵
    PID:5072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4628 -ip 4628
1⤵
PID:1996

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:4628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 400
  2⤵
  - Program crash
  PID:3312

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
PID:1016

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:2480

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
1⤵
PID:4056

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
PID:5108

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
PID:1820

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
PID:1948

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
1⤵
PID:3592

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
1⤵
PID:3760

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
PID:232

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
1⤵
PID:1668

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
PID:1976

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
PID:4572

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
1⤵
PID:1764

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
PID:3120

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
1⤵
PID:4384

C:\Windows\SysWOW64\Mcnhmm32.exe
C:\Windows\system32\Mcnhmm32.exe
1⤵
PID:4604

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
PID:396

C:\Windows\SysWOW64\Mamleegg.exe
C:\Windows\system32\Mamleegg.exe
1⤵
PID:2052

C:\Windows\SysWOW64\Mjeddggd.exe
C:\Windows\system32\Mjeddggd.exe
1⤵
PID:228

C:\Windows\SysWOW64\Mkbchk32.exe
C:\Windows\system32\Mkbchk32.exe
1⤵
PID:3136

C:\Windows\SysWOW64\Mcklgm32.exe
C:\Windows\system32\Mcklgm32.exe
1⤵
PID:5100

C:\Windows\SysWOW64\Mpmokb32.exe
C:\Windows\system32\Mpmokb32.exe
1⤵
PID:3784

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
PID:4160

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
PID:4124

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
1⤵
PID:1724

C:\Windows\SysWOW64\Mciobn32.exe
C:\Windows\system32\Mciobn32.exe
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\SysWOW64\Mpkbebbf.exe
C:\Windows\system32\Mpkbebbf.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\Mahbje32.exe
C:\Windows\system32\Mahbje32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\SysWOW64\Mjqjih32.exe
C:\Windows\system32\Mjqjih32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\Lgbnmm32.exe
C:\Windows\system32\Lgbnmm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2400

C:\Windows\SysWOW64\Lddbqa32.exe
C:\Windows\system32\Lddbqa32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4988

C:\Windows\SysWOW64\Laefdf32.exe
C:\Windows\system32\Laefdf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\Lnjjdgee.exe
C:\Windows\system32\Lnjjdgee.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\Ljnnch32.exe
C:\Windows\system32\Ljnnch32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\Lgpagm32.exe
C:\Windows\system32\Lgpagm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3132

C:\Windows\SysWOW64\Ldaeka32.exe
C:\Windows\system32\Ldaeka32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\e78e9b63ff667c92179fdf109585ac99.exe
"C:\Users\Admin\AppData\Local\Temp\e78e9b63ff667c92179fdf109585ac99.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2588

Network

DNS

208.194.73.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

208.194.73.20.in-addr.arpa

IN PTR

Response
DNS

23.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

23.179.17.96.in-addr.arpa

IN PTR

Response

23.179.17.96.in-addr.arpa

IN PTR

a96-17-179-23deploystaticakamaitechnologiescom
DNS

85.177.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

85.177.190.20.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR
DNS

241.154.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.154.82.20.in-addr.arpa

IN PTR

Response
DNS

103.169.127.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.169.127.40.in-addr.arpa

IN PTR
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

28.160.77.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

28.160.77.104.in-addr.arpa

IN PTR

Response

28.160.77.104.in-addr.arpa

IN PTR

a104-77-160-28deploystaticakamaitechnologiescom
DNS

27.179.17.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

27.179.17.96.in-addr.arpa

IN PTR

Response

27.179.17.96.in-addr.arpa

IN PTR

a96-17-179-27deploystaticakamaitechnologiescom
DNS

55.36.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.36.223.20.in-addr.arpa

IN PTR

Response
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

dual-a-0001.a-msedge.net

dual-a-0001.a-msedge.net

IN A

204.79.197.200

dual-a-0001.a-msedge.net

IN A

13.107.21.200
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A
DNS

41.110.16.96.in-addr.arpa

Remote address:

8.8.8.8:53

Request

41.110.16.96.in-addr.arpa

IN PTR

Response

41.110.16.96.in-addr.arpa

IN PTR

a96-16-110-41deploystaticakamaitechnologiescom
DNS

9.228.82.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

9.228.82.20.in-addr.arpa

IN PTR

Response

204.79.197.200:443

tse1.mm.bing.net

tls

1.7kB
8.2kB
18
13
204.79.197.200:443

tse1.mm.bing.net

tls

1.7kB
8.2kB
18
13
204.79.197.200:443

tse1.mm.bing.net

tls

1.7kB
8.2kB
18
13
204.79.197.200:443

tse1.mm.bing.net

tls

38.6kB
1.0MB
743
732
204.79.197.200:443

tse1.mm.bing.net

tls

1.7kB
8.4kB
20
16

8.8.8.8:53

208.194.73.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

208.194.73.20.in-addr.arpa
8.8.8.8:53

23.179.17.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

23.179.17.96.in-addr.arpa
8.8.8.8:53

85.177.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

85.177.190.20.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

142 B
157 B
2
1

DNS Request

57.169.31.20.in-addr.arpa

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

241.154.82.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.154.82.20.in-addr.arpa
8.8.8.8:53

103.169.127.40.in-addr.arpa

dns

73 B
1

DNS Request

103.169.127.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

28.160.77.104.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

28.160.77.104.in-addr.arpa
8.8.8.8:53

27.179.17.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

27.179.17.96.in-addr.arpa
8.8.8.8:53

55.36.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

55.36.223.20.in-addr.arpa
8.8.8.8:53

tse1.mm.bing.net

dns

124 B
173 B
2
1

DNS Request

tse1.mm.bing.net

DNS Request

tse1.mm.bing.net

DNS Response

204.79.197.200

13.107.21.200
8.8.8.8:53

41.110.16.96.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

41.110.16.96.in-addr.arpa
8.8.8.8:53

9.228.82.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

9.228.82.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
176KB

MD5
7b2e204743edacd5eda0f45f0b852b7d

SHA1
0969711601c08674d95ac50ec519bdcdc4366738

SHA256
3fa8a36e408dcf99fb04dcb06cbce726cfdfbdd301ed22be83a08896434a13bc

SHA512
e42a5ada242ba1650860041191e9eab750cce3d72a43ba42d90231251f029fd88828c5e1cbc6b772412c386508d9f8b5cacd5923e45956dbd076cd045eff2cb7

Download Submit
C:\Windows\SysWOW64\Ldaeka32.exe

Filesize
94KB

MD5
12583cbea7aa0601e7b25fcf8dbb766c

SHA1
f97ce3f2cf8727138cd023584c7cca8cc31994cc

SHA256
4b91dd55922ae54379b9f836e261d06b49adc3a6a4922918e71a854a73d6a334

SHA512
84a0d3568d9936efe939d5a5de73f47396a0f726058ecfa268f3aa55adb1d8f898dd95e94299efdc933a68e2593ec0f82c1432968962e6ee77908c6272b7f7b3

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
91KB

MD5
17e62141050b4a504088d8a80d996da4

SHA1
685c057b9cbe37a60870604c2cc2b867a39e309e

SHA256
2cfdf656a906bfe7fd1301534184e68b1567b4562747e9c645e7fbecbaa008be

SHA512
bf68a23e8c7491c694d11fcac2d575ef037eabab8f95137ee1f5c8210388470d63a29deea20556cd1a84205d01497d1bcac196434fba82a0137f2c43a06392a7

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
167KB

MD5
7955e9e82b24c763d83776f8ef71dc35

SHA1
9e7254a90864638c4159072697b319d241c3e62e

SHA256
279c3dc523aa6847692370a89eef129b526f0d7842a9f5f3408ac6f8d0e5de67

SHA512
314f3f13aa46dfa4260d824643e56ec52a961282d7766ff37627881fe0bbe1115ef1158689b3796dcf9a142445e5d5224c35c896039f2249d3343ea75d2d1415

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
176KB

MD5
a2e6d60b9487df764850c3228ecae236

SHA1
48dbaf6f8cffc2dca70bb8da3ee2b32e6ea77cc4

SHA256
575409e04ce0d86ffb178155ed796c949b620a063085cd5e9153343a1fd1243d

SHA512
b6a62d8f9181d692e50fa4350d364d492326e22f7ffa9ec35655b0b819441d60f520357d4aa6ae7deb81de3d834e036398fc95182b3fdfc9a3f7f50287f810ef

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
72KB

MD5
fffcb05f22d6375cd1ec59684244af64

SHA1
384dc32482b37a50607ad1efeafed05cbbaee12c

SHA256
a48bacecd8e858af53d469a24efc3de3611161eab396cbb914d1f8a04f99b2dc

SHA512
593524f6eb389965166c238e5ee3101c7723919234bd5599023d3296f78713288acad66ebaecc60d81e1559cdbe0e6adf71c38ed216dc55634b32305bd496b05

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
176KB

MD5
196a2ad14341d86c97ac4339e77f51d2

SHA1
8ad21c99d90783acfef7ce300818cda12c025fe7

SHA256
b1428c9610a7d2bada2e7f773de18afb8441645f6ad7eb8aeafa80472b97fcab

SHA512
828a4d464684df67de8e760e5702094a2d284fb29a5e3972e7009e6b35d6f3599fae51054a747e175ad06e99e0b461c01a4420cfae1b214419b16d4425777136

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
102KB

MD5
beb874e3659899233bd609771c2d19d3

SHA1
fa484124130f07ff9b7d21e2515312f139149f7f

SHA256
2187929e15ba1d21a13ddb9c277c415c8678ef600ad00baae170c0200a64b4b1

SHA512
bc1f72677c0304cc09454d81f90b94004a6492e6d6f746d3c0b93c5cc2fa82dcd31d743e76a58e1e860d08cdcc3ed95d43be3f1ef4ad995a4b76e03a52f6a7b8

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
95KB

MD5
902e64d45807e587efa14e316a920295

SHA1
986205febc0534586dc544e8f5b95f13a971bb07

SHA256
4c51d2d896c96ff95ab0e6e63bfa7827f8812c63b37dd82ae967edb52d9e7b62

SHA512
ac461fede7dfc526056db5e1064fa9a7f6ab2c78396491f2b6986b38fec5e9d7a535474b6f5fdf42cbff4f24d9bfad42329be8166b2084bfaa2354b6e9706833

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
158KB

MD5
2641063246414422392400942564840e

SHA1
cf2cdda8fbf96b5048ad74227378c344bcabadf0

SHA256
4c935fdfb73b634e3aa212e848a07f1a3355436aa121dd222bd573a20cb1e247

SHA512
0bb2ecf84db8fd788658d0d0d972ed37a418f3c92c5accfe25af34fe2065eb27253f064d0d7ed0b156104bcf478445700085eab31d0d98f87322e3f849c07227

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
164KB

MD5
d6baf45fdda17426cb655aa2c62ca083

SHA1
a621a336018e7ce23dac66de5c0e27185636c48a

SHA256
dae025901e84d700bd6c4c54d99ed2946a84e43c919668be0c01721eabcbcee6

SHA512
89c46f7628a0b90ae01f94e2a6fcf684af49840fa0f27704065fd354ee55e55db477492040c98962b15a0a075414a8ea752b3bc23c6efcc3c6c41d6d991f139b

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
140KB

MD5
16ed619b34cc0d5d6258061d81052b49

SHA1
ae3912812915aac4aab59933fbd4c277539ae94b

SHA256
3ef93ba11826e22df911777bf0ac65a6e9d6cecab70302dcb8f495e664d34e84

SHA512
8b1cef4812ee68431801c6e43281855fa6b30702281214df04bef3046412a798722af8d9ae3f5a2482df9cf6acc60beb67d9fab0f24831a8ef0c13aaa48e962d

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
139KB

MD5
ed7bacef9e19acd6e91a8d42f775081f

SHA1
127bc63437d3ff3c9a4128ead6d8ed961fb63be2

SHA256
e16c2dff20137cf86db7f084739b0d355dc6edaa4e71d9cb04b820046babf2a6

SHA512
03b802e43a358721d45b02239a5a30361b5324d641350e1f50a73e7c85b02890f1bd56b0852d3eaa142970229b52dbdcebab069954e6e02c05ec065b364aaa76

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
175KB

MD5
45cd30735ee0537dfd345b3f2b17a4e9

SHA1
17a32e606a48c935c8d0cbcf74dd161e82253730

SHA256
6fcf28c7d23a466723cb68a93c8a76d543a0bf9e9c31a883755ac391f22ffd59

SHA512
520683ffc176da654d09c4e10c12658367d85e4096cc6e5d6510701f6fd7f4862656732d28b8487757777f24b982d719d4bf95b3df7f8d070577996c68a1b8d6

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
169KB

MD5
fccc44c626d0a95f967403b5405afe02

SHA1
311835c0a6c540a8ecd98be1b8db53750ff54b05

SHA256
8e6214a975054d7e19f0cc10fba45113a7adb19bd25797078b22b2e10be2577c

SHA512
4f6b815ab45a6398d233f1f8cf8a6e501fc3c8b615546548ab434cc88dc0925509e7ae452499d61294e5075b74c11ada0ae6cea6e2b89f456665b94e134f25ff

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
149KB

MD5
1860633513c36589ebcc4d0f9578b70c

SHA1
2ed4d78864a2f668bf7b25636d987faa16cd4d59

SHA256
77ab179f36c5fb12ff192f93dd4817355d2fad2cb1f3d5682d20da5e755d8938

SHA512
66f14059745773ac7668ebb3ac12304b4a12a86962c70e94a80da2b21c5e45f05de2fcf9d797165e646b33aa1081dbb1eacac2970371017aca48371fc9dbc31a

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
75KB

MD5
ede5c306f1df8599480a339f5a713116

SHA1
4bdf070848bb925b37bc37990328bb9bceaf25c7

SHA256
3ca03a33659a533550b4222724a84b16b96666a375f570548ac29b731307078d

SHA512
fff40099fd456a5eeb82073e8bc799460a5ebfdeb3b4881304e87b42183fc658b23369e1eebb6787bd2ca315084636403f2665e821a720eab013d71da765bc75

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
176KB

MD5
9d269102e1130e4daa6b9afcaed48923

SHA1
05f6cca8c50d37a68c502b28782134ef8802016b

SHA256
03a47d6ffbe95ad6076e4f0182816c1f1659609e242d3badba715f9b61d6edbb

SHA512
bea8fd7e127190ab5b058d2ac4d6ef87ca981979e45863f9281c7aac7c70e96534a336656016c2602e33d4be30f7490c2f642c23c41f22f81c4fd6db3fa398a9

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
137KB

MD5
993ae8d3df04493d2635d1c9d202bfa5

SHA1
0e2d6cba78201e6bcdf7e03b40d95bb6dd4f3554

SHA256
7714ac3cd6e37a548443bfe668aa979ac9adb9f00e8fd7ec8c1fe2c3ca88fcd3

SHA512
95fe5ca43f690a2b0853e6c1003cb44a4e0427d9cecb9b5f34b972038e744724cdbc99c6d3d23eea19e66a504cdb5f8803642c1f17dc4e97e4ca80db586b8ca4

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
135KB

MD5
17eb0db5d29c7595a13d74c45ed57b0b

SHA1
f3af90da072d7c6ffc974c5e7511eb7ee61935e1

SHA256
874dae109e4dc75ed17c214f7254bbf746e9ff3989bf0daa3f1f825f0474312b

SHA512
f198b4c84cbe9a705e6ff543b23352a8d12bf6da2b6bb01620ca502e4df1f5c351f98a628ad52acdd61a90f57ecf658ca4716fe99b12749fe996cafda8a7058c

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
176KB

MD5
c92edabd9735dee6f7906cd5207ee36a

SHA1
88720b2d162b42f35759971ddc4a43ff388eabab

SHA256
a9175681dcdbbca165ce51f790104640cc47b3b5ed08e2d3344c851253452292

SHA512
48d1614a512f1df3b4027ed0333d14749d841690290326f6569625cfdfe9fd7d1bad04e972e44e305741d95577bd144704a4c47c5af189217b43cf8b3bd56262

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
111KB

MD5
0f7796f03be2f910eca5855c88884e4d

SHA1
e44e33c6b6bbbabc49f4259349452ced256af191

SHA256
7c93ed3bec6d356412f48661115e936dfe9bdb1eea856a29a52dedce21b14e3f

SHA512
a092c68da07f1fe6bc554727effee5260c1a228b6cdb523fd12c5bc087941bf5b4a4418610480fa67459198a6308d87084840b696754cf3922f94c77e041e864

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
104KB

MD5
8dca9afcf58701ba1176be538f86a8bc

SHA1
76035fb46fd9246a93053aa815a5f9f54e949363

SHA256
d33d567963240a1ea2d36c0e0a00efcf020e7e483afd58c98d787c214c79c4a1

SHA512
213f6a11ab5e2f5f9798361aa50b7297973e669d4357c3a130e942f5acd3091075e75e283f6c1583caa3d6dcd62e0ca43d52a035831ed28cd8f4c145cefa70b2

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
176KB

MD5
b3ceeeb0b4c6fba449740ef246180d61

SHA1
0aaf524e0b3dd122d24c4b6b3222e12466041316

SHA256
9efc31bc97e619f46c242e36323aa32e21d99d2874d97ce6df3bc37fd0123b7b

SHA512
d4d4e8b14851d3574c7aea98681d36b0b761a89cfcc79fc6d483b973d5cd4a4ff597bc8ca381ecf7142f1223eb433946caa6fc934cdc14d1107200d8b288582d

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
133KB

MD5
770add727d4dfb6aa166b07fe41fc0b4

SHA1
ce16535a71bc4361d15a2aa34c8ef8310d7ad716

SHA256
bd49c47693e6c92647ac51854e5e9c20f6b27754e2a2509a58382c4b4027caaa

SHA512
918feff74df9c54d0e0147854ca3c3f2b4f0caf0bd94c4f80c85fdc0270a702755dae7b600ad0d0230bc8237fca70779100c962e68193f758bd492ce56a1a2e6

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
176KB

MD5
8e3c8067e97987475cbe417c1b5a7057

SHA1
1bcc49c135224f26315b377a373786702e2bd73e

SHA256
8d5563fb50fe4c7a7726ca2e71c31c92c141dd64eb3501a7caa0f39d2b58462b

SHA512
81effa07d7b0baef954e4a11a15e36387c24dc3e272959d15f595f2eeccdecb6a97f30b1f09c129cbf2c69c9899d13b3733c4d70633bf9d40b8b711fec003c86

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
176KB

MD5
da1858c249a77a52a9a4001cee391f45

SHA1
92054abaef2aa24ce7b3f96d36de06770db3f3e6

SHA256
3ffade515fa629b7242609f92748268d297736008c5288d9769abbe2b7152581

SHA512
d55ad096166f89435f56d39c2e66abdc94d12988fc2ec72d30e35f6d0b81a359644429633bab6d60ec2afc370ce18f523f881bd534b469be4fb1f9b269037b3c

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
176KB

MD5
23317e151911b818976c560659a5119e

SHA1
b2fc0bc0da9fbdec4e1c05ef77337e698a7a5a95

SHA256
103b4fb78e25be6271e137aea370a4447df54c6b44660605e6f3903d7245f34a

SHA512
c2aaf806bed3c425413763419395ea37db6a56d9fff06a2521a7fdb35947a609575b609ecdfde31f11ebd861f02b06e63155a6c4cb79ce6a86ce146192d9d0ca

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
102KB

MD5
94cde32e0a570eaa63dc9b69e6448081

SHA1
03c0871e6cb0bda461df7ab7e56dbe08f309206a

SHA256
fbc6d837b021cd1b7e7f694c11484087c7fddf26e09d9b8cb48c4b71f3013ece

SHA512
824e18c68d6f96039c2ed59348eda1723f7f68881657a80adc760f15087b0171e1851ff74e5a7bc5e81eab0a7d6317f0ee979078cd9d3825f745b3b362198c34

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
154KB

MD5
99044803976525300935e77869b0ae06

SHA1
deb74905dff164db074647f12d7305cc0585b546

SHA256
dccf52a20aaff1bded9629fcffaedbe30408215a7d3f1bdc9608acef5968e1ef

SHA512
a850927f9f8e533bd86edfac35ff79fcb593a397b8950b708ea1f27075a050ab4f8448f4ff2605f5c437f9b14e779db1e2276fae5fef831064d798e139cec0f7

Download Submit
memory/228-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/228-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/744-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1612-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-102-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1776-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2584-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3120-186-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3252-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3600-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3760-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3784-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4056-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.