3f7efed33877883c46ff2c901428dab7f5668887552133d303d325bed90846fb

Analysis

max time kernel
0s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
07/01/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fee788c28db28b45dbd18db5e4e2f7e1.exe
Size

790KB
MD5

fee788c28db28b45dbd18db5e4e2f7e1
SHA1

3cc68d917f58afc326365cdb2404ec47cf72b867
SHA256

3f7efed33877883c46ff2c901428dab7f5668887552133d303d325bed90846fb
SHA512

1cc6b49a17c0f44e2153749792d496337ee7ab27125ee76184cc6d7038b2964b7105b27c86a17d4fdbc54b1425c2156111ff0e48ebce5f66cfec1db9f771e840
SSDEEP

12288:CCFB24lwR45FB24lJ87g7/VycgE81lgxaa79y:PPLPEoIlg17o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	fee788c28db28b45dbd18db5e4e2f7e1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fee788c28db28b45dbd18db5e4e2f7e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe

Executes dropped EXE 10 IoCs

pid	Process
4232	Mahbje32.exe
3192	Mdfofakp.exe
2136	Mgekbljc.exe
3100	Mkpgck32.exe
224	Mnocof32.exe
1692	Majopeii.exe
4092	Mdiklqhm.exe
2928	Mgghhlhq.exe
4156	Mjeddggd.exe
3636	Mnapdf32.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mahbje32.exe	fee788c28db28b45dbd18db5e4e2f7e1.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	fee788c28db28b45dbd18db5e4e2f7e1.exe
File created	C:\Windows\SysWOW64\Jfbhfihj.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	fee788c28db28b45dbd18db5e4e2f7e1.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Pdgdjjem.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe

Program crash 1 IoCs

pid	pid_target	Process
1508	4532	WerFault.exe

Modifies registry class 34 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	fee788c28db28b45dbd18db5e4e2f7e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	fee788c28db28b45dbd18db5e4e2f7e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	fee788c28db28b45dbd18db5e4e2f7e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fee788c28db28b45dbd18db5e4e2f7e1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fee788c28db28b45dbd18db5e4e2f7e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	fee788c28db28b45dbd18db5e4e2f7e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3560 wrote to memory of 4232	3560	fee788c28db28b45dbd18db5e4e2f7e1.exe	67
PID 3560 wrote to memory of 4232	3560	fee788c28db28b45dbd18db5e4e2f7e1.exe	67
PID 3560 wrote to memory of 4232	3560	fee788c28db28b45dbd18db5e4e2f7e1.exe	67
PID 4232 wrote to memory of 3192	4232	Mahbje32.exe	66
PID 4232 wrote to memory of 3192	4232	Mahbje32.exe	66
PID 4232 wrote to memory of 3192	4232	Mahbje32.exe	66
PID 3192 wrote to memory of 2136	3192	Mdfofakp.exe	65
PID 3192 wrote to memory of 2136	3192	Mdfofakp.exe	65
PID 3192 wrote to memory of 2136	3192	Mdfofakp.exe	65
PID 2136 wrote to memory of 3100	2136	Mgekbljc.exe	64
PID 2136 wrote to memory of 3100	2136	Mgekbljc.exe	64
PID 2136 wrote to memory of 3100	2136	Mgekbljc.exe	64
PID 3100 wrote to memory of 224	3100	Mkpgck32.exe	17
PID 3100 wrote to memory of 224	3100	Mkpgck32.exe	17
PID 3100 wrote to memory of 224	3100	Mkpgck32.exe	17
PID 224 wrote to memory of 1692	224	Mnocof32.exe	60
PID 224 wrote to memory of 1692	224	Mnocof32.exe	60
PID 224 wrote to memory of 1692	224	Mnocof32.exe	60
PID 1692 wrote to memory of 4092	1692	Majopeii.exe	59
PID 1692 wrote to memory of 4092	1692	Majopeii.exe	59
PID 1692 wrote to memory of 4092	1692	Majopeii.exe	59
PID 4092 wrote to memory of 2928	4092	Mdiklqhm.exe	18
PID 4092 wrote to memory of 2928	4092	Mdiklqhm.exe	18
PID 4092 wrote to memory of 2928	4092	Mdiklqhm.exe	18
PID 2928 wrote to memory of 4156	2928	Mgghhlhq.exe	58
PID 2928 wrote to memory of 4156	2928	Mgghhlhq.exe	58
PID 2928 wrote to memory of 4156	2928	Mgghhlhq.exe	58
PID 4156 wrote to memory of 3636	4156	Mjeddggd.exe	19
PID 4156 wrote to memory of 3636	4156	Mjeddggd.exe	19
PID 4156 wrote to memory of 3636	4156	Mjeddggd.exe	19

C:\Users\Admin\AppData\Local\Temp\fee788c28db28b45dbd18db5e4e2f7e1.exe
"C:\Users\Admin\AppData\Local\Temp\fee788c28db28b45dbd18db5e4e2f7e1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\SysWOW64\Mahbje32.exe
  C:\Windows\system32\Mahbje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4232

C:\Windows\SysWOW64\Mnocof32.exe
C:\Windows\system32\Mnocof32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\Majopeii.exe
  C:\Windows\system32\Majopeii.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1692

C:\Windows\SysWOW64\Mgghhlhq.exe
C:\Windows\system32\Mgghhlhq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\SysWOW64\Mjeddggd.exe
  C:\Windows\system32\Mjeddggd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4156

C:\Windows\SysWOW64\Mnapdf32.exe
C:\Windows\system32\Mnapdf32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3636
- C:\Windows\SysWOW64\Mpolqa32.exe
  C:\Windows\system32\Mpolqa32.exe
  2⤵
  PID:3260

C:\Windows\SysWOW64\Mdkhapfj.exe
C:\Windows\system32\Mdkhapfj.exe
1⤵
PID:856
- C:\Windows\SysWOW64\Mgidml32.exe
  C:\Windows\system32\Mgidml32.exe
  2⤵
  PID:2328

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
1⤵
PID:5092
- C:\Windows\SysWOW64\Mkgmcjld.exe
  C:\Windows\system32\Mkgmcjld.exe
  2⤵
  PID:956

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
1⤵
PID:5028
- C:\Windows\SysWOW64\Nkjjij32.exe
  C:\Windows\system32\Nkjjij32.exe
  2⤵
  PID:4276

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
1⤵
PID:880
- C:\Windows\SysWOW64\Nceonl32.exe
  C:\Windows\system32\Nceonl32.exe
  2⤵
  PID:1340

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
1⤵
PID:1032
- C:\Windows\SysWOW64\Ncihikcg.exe
  C:\Windows\system32\Ncihikcg.exe
  2⤵
  PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4532 -ip 4532
1⤵
PID:3324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 412
1⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
1⤵
PID:4532

C:\Windows\SysWOW64\Nggqoj32.exe
C:\Windows\system32\Nggqoj32.exe
1⤵
PID:4944

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
1⤵
PID:5072

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
1⤵
PID:2784

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
1⤵
PID:4180

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
1⤵
PID:4356

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
1⤵
PID:2052

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
1⤵
PID:3500

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
1⤵
PID:396

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
1⤵
PID:2688

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
1⤵
PID:3520

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
1⤵
PID:2308

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
1⤵
PID:1688

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
1⤵
PID:2440

C:\Windows\SysWOW64\Nacbfdao.exe
C:\Windows\system32\Nacbfdao.exe
1⤵
PID:3900

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
1⤵
PID:3068

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
1⤵
PID:4204

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
1⤵
PID:2480

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
1⤵
PID:3492

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
1⤵
PID:992

C:\Windows\SysWOW64\Mjhqjg32.exe
C:\Windows\system32\Mjhqjg32.exe
1⤵
PID:4116

C:\Windows\SysWOW64\Mdiklqhm.exe
C:\Windows\system32\Mdiklqhm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\Mkpgck32.exe
C:\Windows\system32\Mkpgck32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\Mgekbljc.exe
C:\Windows\system32\Mgekbljc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\Mdfofakp.exe
C:\Windows\system32\Mdfofakp.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mahbje32.exe

Filesize
94KB

MD5
32f7384ef759a7911d8aa57566860b1a

SHA1
04a7dd482b32cdc26245b1fbb7b90ad8129714aa

SHA256
70b3bd0bbac7e599c6afbdee1965e6bcaaae065fb31f2552acdd137a904b3cdf

SHA512
611753c8152ca141ca05b3459134509ede859db7de055a322e3913973b520b3e2a2934ca2b422b08ba62f42770d3f0e7aeea7a874bac5e48c06a32a87c215a38

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
790KB

MD5
9a90b707b1b0b4e4afc943bcb72abc97

SHA1
513a4a17e070326cab2aac8c00b08492187dadad

SHA256
07d69edb2942d9b43dedb690e457a924f77cd8db750f3a5abe812d5ab2e16a0e

SHA512
3603af27d09994f5469ca8b0d1e9b624e9c17f5b424b32e99f8de68deccfcf5d54041c476045f79175c62a63976725f6e22d31c81dd65abd1c8efa3dce491dcd

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
411KB

MD5
9df2c0bf844381e2a08bf06c654d43ae

SHA1
30aecc4e2d378dd6c67a31290af2523f996f18f2

SHA256
d028d408338c82f0f4afe3554b239906f117e64cb2695327e5ad980c9b4a52c3

SHA512
9e30c9abfb91a260d6150779250f27bd8b15a51acd89115bbfb81933e665af9dd31380c40ef5c23d02cab27e9c0a36fee7f7e4a4898912fe45e60a611ac3674e

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
790KB

MD5
d1e9e5bcef374ac4dc72ebdfcbd157e3

SHA1
68063e115de07a5c69141f2bafa7f0bdedcc7985

SHA256
1497676434a755448a140977c4e5c6a7f2b0f7a0b41988a81714c2cdd0c1a461

SHA512
33adfc9ade1f36fab74a95500b69069b4f52ae8fbd5d90c05a66b295a588dabe8b2e72e2c42e7b032ec093bcc4199b891fef4de5a902109e3e5635cb2f9675ed

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
790KB

MD5
e8e95fd3f48b3fe970caff436c34b992

SHA1
29d7d018d6440c6ef0acd61b0701a140a8802552

SHA256
1dc8c1754741e878b093eaf026dcaddd00f18e875a7f27a97f0a8bdc81731d9b

SHA512
4ab7203e697841938bb8726134f6b1da3d396ae87eafa258df5db96fc2c7aa6ad0be02bf19fa56e51269e190afabb254522e6c944fe9bd58e808d9d6380609c7

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
790KB

MD5
e46d18211cdc9c128be86c4b62a6028c

SHA1
f6b00fbf52d83c5622ee27f24a3dbf88d6e7887c

SHA256
655e0e1c3ee31797cd1a77f3f9acb87c0fe30f34f62b976ff0be1b6324179535

SHA512
86ce6be16a735c3294bf1a1a3da66e46a01c02bd3191b185623dac70776fe5e94573d3e41be08a2e851021e0dd8b20f12f5ceec151a21589483e9cec805d5d88

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
790KB

MD5
75cffb92e3cabb550a7ffe0d5867c37a

SHA1
9ada714181916238b27b61df577d49646ac7f64e

SHA256
262ac606106125fc21bce7d3590f26461a16504c1bef742b1862df347d2d7325

SHA512
4d1f6ce1517b8404440288758cc38907dafe29dc9824350a728d7cf7f911d639c06f7b7b8826a027e37a68482a8d9179109feb8bad42571500635f95556bdec2

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
790KB

MD5
64b15b696fdcc1e95816ec806e1fb266

SHA1
7fbebee2481ba8f513196200563510db2e950b35

SHA256
6fc7f8b95db46e8ec10db5c47d54623ba35b578bf75f267ed3fa3d779c0fd737

SHA512
0c53451c5d33f95030d1556de3034205727eb4575c60503600b22db97faa41fd0c01cac0279c1f16079b67d12c2d3db2bb7a5b42910272dabdecf333f8aae5cf

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
790KB

MD5
0c5c97254f21702314820778d1057187

SHA1
ea8eb63a1aa54b5226a5a185f13862116993d21c

SHA256
d42918cdd132022e443ccb2783345e2e8afa10133721bc0f0008ddc18b570c82

SHA512
484e4d02e71b935907f09ad4bdb3d4d8a1f7177d3e23232208d048d1c036d9c57b5938bc249320a718b32970d9f3ae1401f78e00b999d14591575277c5dc8ae1

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
790KB

MD5
cb17d43d01a66bb0548aa0c3efd4ba40

SHA1
b5bab324704f8cf8497337754ce745be34244ba1

SHA256
6fa4413a18b747bc1c14ff0dbb1479a87f3698a6ef2bd8f24ecbab95c6fde46d

SHA512
6c7688f6be00d2c6bcb148f70f15e65b2f47538a7ebd78915017018a8d7966d7c72adbd3320c98f263739b577121784e967f7d60812dc136e77813c21836355e

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
790KB

MD5
08c7b36215ac6683c6c7920dd48936f6

SHA1
f1c48730f999477d99e37d070f8bebf1923ad0c3

SHA256
81f264a4a7d0790b0e525e0b441aec11155cd2cde0e20bf29e0d98003622de82

SHA512
d95de331fb76e0ac0b929723a3502db544fca2e8227191b0621d2c25f5c05efb6d9d09f4a5be370fa7b0bd7064f0894b3e441cd118d02a5fe3c5ebf650ddaed0

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
790KB

MD5
62c873c3d3fc2f597dc69bcbc18c2010

SHA1
cf2ed40bb46d7e5d5959ff754663c1f54a74942b

SHA256
ac5cead6e5a8e6e82c3a8b0bdf25a0005ab5dc22a90da3a5f68d0477f0bed7c5

SHA512
b1dbca2bac9043b2935b84d88463814f5f15eab9d0fa0e80dd2abf63347b7b517d11401f646def20d8b5378feb40fd986311f202c668059c963a3058c38cf246

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
790KB

MD5
ac3232b973943828894d2a62fd8c45a9

SHA1
2b23ab2201fe20935e095bc6df89eb99105b72ff

SHA256
dc63120d2a34ae5eb2289b59b3af8152f15dde216a9a7a8430383c0d728143b3

SHA512
87a733bc99f23e5680f8cc8426fa2454f2309f6e8963af2a4dee216e4b8993bfdcd3cd210de385f6feaf6ff063f27bd84709f87db5908c77254ec7dc2eba6a2f

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
790KB

MD5
c4ffa3f03e1c6b8017dbb950450802ab

SHA1
472d811e264aad57d2c54bb404c03f567a812491

SHA256
810b6c365d6a867ee59e31317a652b3da71a1247fe806e92d6fa888f507e6fa0

SHA512
e76ca5e44b466572b22034f541da8ebc663401d35515167e58f9a38a2f8c6ba6e3e831141dd58c13f0031a6a890c34b94aae06fb564b50cd84d2c9809c07a7a1

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
790KB

MD5
513bdce95784938a4926ff86d7e0fab3

SHA1
f5bbea02fa96af7f19be9df44bc78d020858ba95

SHA256
fce954fbbed93eaa8db4d0f0a4050bc3542b4aa7550f395523eb78433d5fa529

SHA512
9f943c2c32d549f99905b70f54f505772f5020e5fd27bb074f3bc3a67c827bd45159ea63c818f1e4651ec564726ad0e17c70a1253b90cc49aa718193f0f1732a

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
790KB

MD5
7e50d0165030f16e14f8b5e3e494a08a

SHA1
6905c5895ce4ea6c396ea91b7732372285fec1b0

SHA256
51281172a91e5b972f47837955d7bc40d74546a82919244b5c947510b2b906a8

SHA512
1b09420de1ce6d29c51b37588679b270b0a087475370744ef52c71834a5c339d8c21ae5ec60cff75c4b68daf7f5304f13c324a46dcfb0f2b04494be50712a881

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
759KB

MD5
8a3e61581d640a815282b2de50b7934d

SHA1
8e9f1f120fca84f1c85f8777d614404724d09e02

SHA256
ea0300e7a4db92f273d7450f1a0dbed92df13549f859ab77ce707c918476686f

SHA512
c5648570782c7b5e4cc71083d559c3f7d90593355f5ad1f4431be4128ee72fa65e9b4602a017f2f66f5bd5730672792fe8afeff53b3761add1d103bfdfa5fafa

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
790KB

MD5
70d6c312f719de299db684ef217ed71b

SHA1
7828dbe682e208ac3728b8469e48e009191368fc

SHA256
2d341c6fc08ced23fb27b6e3566b77edd4a5e6502382cf44deae735428758965

SHA512
a7b6fbb9db00f4122c790a51ee7953b0f746959a5e5099485b078f5528b8c2ef0e3b8c523dcd8950bbea5d9987ccec15fd19049f18c7145d37b6021fe506c776

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
790KB

MD5
135989808ffc91f05a6698586a8e8d88

SHA1
1b765e7eb7f4ecec5a637555872b838c9bb123b3

SHA256
a060b80a28731984ebaa614a90e3b1434b55a5e337ca09530ccf0665fc7859d1

SHA512
98fe511fadf2066f0c5f5dfe3786ae8e6cec086c47dc67f65222e582b75701ef451b86b191b4ee372f3f94d7ab434163475a68febe4d19ab7b8cca7169c43f65

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
790KB

MD5
e8bc7bca6b35e7935b8ada9c4a564b6c

SHA1
ef3d40c39c6ecafb34660fa0e78274e8cb248f86

SHA256
c4946d9ba62acf8556c4fd2eb1a2080b13ba579448aba7b95fcbec8a9a905dc2

SHA512
2020615157af05233e6cfdcb3cfc43b6dd578c0958b955eb9ef4830ac90850510f491e06290274ed5f997d08b8bb6a86e8215b846c1f5dd141a8a5a6642065f8

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
790KB

MD5
4eabeea55253170bd1ce801665a5257a

SHA1
81ac5beac6b5ad1f29663046374361dee98fcc86

SHA256
3884fab88fcc17f8e5785ac755e6445f0c7df2759f50029df5c4c1ebd9fa4efa

SHA512
5c3cf3a2dc8ab7bfe82e47fe8f86d18f1fc29e1e31c39ca6af53249690157fc6fae45c2f55890d255f2e7b1c8af579d86677f6fbaf2b268a989164ec6ae5146b

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
381KB

MD5
afbcb00eb1b7bffede815acf3dc35feb

SHA1
bcd4ca09a89fdebf07145bad0b2c82b66dc37821

SHA256
d07e312492e042e14aed41ea8002ce9cc11b9caf6e2834cf76b10b31396ba992

SHA512
0c5baaee7c7d5c6a7ed75631088dc11907bf7057b949e37deb193f6e74bf670378213d7542499561aa80ada58add452f3648328fd64a5221385c0091890f2e3a

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
92KB

MD5
c862487f89c6b7cd8b54118404b34fe1

SHA1
1d98d639928116d6c5d3e623e2e4266059fc885d

SHA256
476b7527bf4ed1c8f2883e6a44ee59a9135b17c727cbb3b08ca8e4f00ab99888

SHA512
55473f75998fcd798968e4531578608d7e00605ec4140bf4384d401092664d8fc4f46379a6598291701fd8cccfce1e890d6d785ae0a30439d7fb9d502afd3727

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
790KB

MD5
890bb70fe70317460f233d8e046b1eb2

SHA1
14dde4224ea86c31ea9b14f078b7f7091c385659

SHA256
6c989d38301c61dce75829b6d3ea3f9006bbce82c924bd4699df4182b91fffb5

SHA512
7cdc3547a57944560f1950259def72675b68d4a3ba5c8ceb6baecc13e7979bbc4048c6f8018daf763c5b78e0ac2dde16cecff172fa4d2df1cc7a9f062e37ccec

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
790KB

MD5
5cc78ae300e4313450832d701661ec88

SHA1
267865b460751a5c6b5b8435be49cb05aa53d893

SHA256
496b9bd99fd90803182b7c1e3aa632cc2eb5b2548ad86db5815ddf97d994e849

SHA512
642c610e16f26e3a1ba2801f56463289b6885965dcd8ba620beb1c9baf4aee1193f8651d1db42b2f06b2cf1381d118aaa73fc0752ed81f3cbc55080abf2e927b

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
790KB

MD5
c020126ba051b9a9841b82c0ff2f433b

SHA1
c8b71fbb654e514779b35e9428f82cc729473960

SHA256
4fb817ad444b503c95047321559284a2cba33f32afccc9462374f2577f11bfb5

SHA512
8a776c39f38255d32d502e471ae66f8ae1cee07923ce56994e5210cdeb132a9d2bced456e93081ae5772e4b1fd199011d2ddc78e60956f5ddee34682a815bc6d

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
689KB

MD5
d670eb4c8c07ebb373ca9a0ad5955e4b

SHA1
c454e97e4f0ec81c6561ed7e1ba8cd4fd64a93f7

SHA256
e97ac16a6760336fb5c9416b00dda2312102d31a27c9eded5323c1150f87674e

SHA512
86bed0b405b1f4a1cafa635dff87df36236493618dcd9dc0c21089ef4bfba23be176f75b98a654bf6be95c5852ba06d83b836e0d1f1d8f55e6040ec80bdbdda0

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
92KB

MD5
ea71e8b6b083d4f7f1dea54a5013d23a

SHA1
772c31ecfe17d89616e37caf60857b26eeeff31d

SHA256
30e80c412950f143b37363238c9bd4312a81c43be126df02c6760f826f28c698

SHA512
f3e003020c4e6cebd518ca194b3fbd3246bcc2678c7756909362bdbe09ed1ae5bef5242de48adeb5da20dbbf0952635440dee93f0d440ef500ef9d6e99df18a2

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
790KB

MD5
b57f6ba9bf91e61794ac5013eabb06fe

SHA1
6e2a1ea3817667881a2bc8e2108d1dd845a5eaf3

SHA256
c715ef9cbbfe2311301c1371837b24da855c5c3c2175daabb96267341b7c2be1

SHA512
d35eadab63a7d12e735c6595d1f09150a524df623339961227aba33cc023b0509f9ee3672a0b0d64155448d140b0addf59e9c0db15575be9a9e740a3c123725a

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
790KB

MD5
bc2a8bfe7099db97e54f72f8a418216b

SHA1
6cb0a92e6352360cd6867babf5a6323d5c2b8da9

SHA256
576b446c4104a4c75518334892a756561690ea0b91facd9b987aca58c43e29c9

SHA512
623968d40ed366453f85446191f6df941fb75e18c46a4a757755037de3d382fe51b9a9c1b04e9fcb2786316f4ed4ae5a4b7c375f846309bbe7d842e1a52b5cf9

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
790KB

MD5
5cf39f4982c47be8f8b15a9024268c8c

SHA1
0da6b63b76553c414ee68e116c355cec4decd2b8

SHA256
0f15898e600326d6dbdc39a82d7b2a9d7e7db0e66b4503c9d765b5f361f9f8e9

SHA512
9ba9fac4c876fe5a092ed4e4297031dcbb29e0cf804509dd9e67a63cb05e1a3055c6ff3cd9301580e72759f36176776200c9490e2165a91d34bfcfda16b8a541

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
790KB

MD5
2490a080cf2f287a24b1346f46629c70

SHA1
417d1ae0ea72a2fe81a59b3138faa04e86fe257b

SHA256
350e7c39cc83fb58baaad6a2201d40cf1a08ec1201e7f80311095acdcdc91f17

SHA512
4c6f9e83ed7b6d50ef66e1211615281fd6cbd9d6a12be346ae950979e472b3f7cc93f765ad5ef6c5276f0fa4e4563d94db6575d3cb0b44ca7cce0be4c6f85cd2

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
790KB

MD5
332e5016562e1ddf66f43513de067514

SHA1
8f37e1d2c879af12393b4998475e01febd5003bf

SHA256
e3ae6af825582ea6cab2d8dd6ccb932ab3dc8d9029cff6549148e23fba26a924

SHA512
784385bb259e168bc8d6b2d3639ae1ce05628b59afb989241f9162ea3c51497e9bb420399583f128e795fa9f6437af2234abe9a84a354be3df37d1a66a4e092e

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
790KB

MD5
45a56e14a3c99374935dd730a494030f

SHA1
45cef1583a9c2d5293fd58ad3c59fc723e58af2a

SHA256
7cc689906cda1e0d3ffbc668f3aeecea96d30ddccf709c292e5d89c530fa071d

SHA512
4fc7ed4508e737cfa06423dd901fa0d2aa1a9e87b0caf8f01c2050343663636d1eb20c6047fb2eb973a3582173556ddbb1e70286ed294922bb3efc62b46fb514

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
790KB

MD5
95cffb81f3a845470ce731d0d2aa5e9d

SHA1
6de7ee027390fff25fcdaa2009676012f3f8571d

SHA256
971f9ae64c1725fe90c6afa36d52a3b7d52e042548695591bc7bfff1550ac553

SHA512
8afb9cff2eeec57ce13d7fcf78bafff30771800da13ce7a54615551d216d00ba46396b8dca7885a1802f444851cfa58c6c3041463ce3d95b276dc78eabe81d71

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
790KB

MD5
3c8e0edecbe889bcc574ae44d60a5f9a

SHA1
4500583cbdd01a58ab153d5b3ba82370157c5fd3

SHA256
05eb02a5b37b87fe805dd91c3cb019ed6e6728ae8d4cf9c67edc71fcc12ac9ab

SHA512
82a38c5e42703962f40b92e4045722a3e810070d335ed495763514ecce75565d61c659634e8619c66ee2ad001524261a5c67716e81caf47519c46174d1c1a67d

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
790KB

MD5
1cf9fc11c6190e2a04c09486510ea0d1

SHA1
3a95ecc1bbcd4fd187baf4a50f131b4aa4a1a66f

SHA256
19feca392ee57d6951c7c35e06c20b58e247656d3b47948a048cc1ce437adc0d

SHA512
8f57e2ac010f858ec69b7714fa7e62b8da754ebc4ef89d182500b9c643197d004f674378ebb31e2d20b407b535824a6542f3de53220c5d5bddbfbcef995cbccd

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
790KB

MD5
0c165e28778537d37087d0f61efb4ef4

SHA1
c2364a4ea878da164672e08a31a9beb3095bc4d8

SHA256
bcb74fc3b6c1be925b0a3d848358ce06ee5343f16e13c0ca93644f4e9e476e79

SHA512
aeebfc5e054d908b0ce89abd3cd4fabdf3680f4a0e56a784d8763bef66ec9d2b46e50a1eb7135dfc6440be371c1e0d23e8ba4e454b267673d8197eacc5906eb8

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
790KB

MD5
9644dea9536e652aa84632602bd1e65d

SHA1
110edc8d54feac39d3e11c38207a2ae5da2149fb

SHA256
3a781959284e66db2d8362b2320b8e2a6bfc7f12921bfedf41eeaf4d730b49f5

SHA512
d35c7daa4c554ef192db02a9a0a38b8399d2e86054d940344f7f215ef0ef76a50dd8ac9178ab4caa013438ac1fbcb208193317e09d6e4827107cdd5fb949f839

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
790KB

MD5
105d1c19d824c74b810cb952b3ec6e74

SHA1
45b2b4a85eef64524cc7719017d1058475de1474

SHA256
4adfaf8b6a391d851715a5aa454d7b726ecf2b155a5811995f81009fe43ce99e

SHA512
0cb09f640bf0211d25aa83fe9c599805880063368e43d0ea1d6177583979b8591648e0684e13bcb1c89d90e3ccf641da4588c2d2f71e75a1d062a261e6a0f1e8

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
790KB

MD5
63ab95c5bab9321283f3d7bb321db732

SHA1
61d2e28cfe69b9e7955f7b559450b0fc5cd158a6

SHA256
c8df00d6bf7d0e5f26fd35d456fb8afb5bad55bcbb61d9081303f04d4586f2fd

SHA512
ab1977179ce6a33d65703a37accb827599a26db45d97fb2dfa11d72d3c35ba004b3fa2c8fcd1768104b72d87028da3a2bfb2c1f385f42a455b3ec046797efb2b

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
790KB

MD5
67fd23e403a4006bad61db6c2b3976ee

SHA1
1dd3d90bbb8761ce85dacd47b3dab8dec90f8251

SHA256
739de7aa7a357d6539c4166f95ef94ed7224c38d7d03492163b896f4d4ff78b2

SHA512
d6d5762ed10107882581a0a9bd2fddb42cb31187f2c907bc7a649a770336b883d70cecd47bbebe3c2977d475bec321a3e356c84889a9bfd30d4f1e3fcabe6a66

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
790KB

MD5
07e50c6d527194f43132ea3b8d088771

SHA1
800951bfc27feb88375799bc0e7438d15dbd3763

SHA256
28d758d6af0a6e17a95f6a7d68c5208458fa99a57f7f7cbf68e29b883cbd6055

SHA512
b0ae750f1f0d7a90d1f08fc7a6300ce13c735d2c4d6b6123ea3df8517753b12cae1b8703a0902972ffbd413a533f5307b4af784970e0304315e22c5db006faec

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
790KB

MD5
67819c33721e0a6ff87bcb2d4a14c071

SHA1
a6d96975fa0deba6ab5ef0112895ae3a355108a9

SHA256
6cf12ea36cd780f67006a7eeec434b414b6d6e9e7a8efd5ad3477f507d152a6c

SHA512
f8bf850cb0484ac5034324581fc20584590be4d0dce74bc2fc991d7f6deba8baa43c033d2cc2f12f598f4a1e8f71a161007a300bb338fde5a2f277a4775ce88f

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
790KB

MD5
b7f6a5e44289f0ba2166bfe7cf146c75

SHA1
ef79f0414f7f790b14b57271c554824a18601a08

SHA256
8dab007097d032bf4a8a107df088fa481f7df266f558fb5f364e67da6e96bef4

SHA512
69cc41aca9b48c843f1f2ae2de956c877d9a034027336241f04e5b4a28716efcc06e5420066666d3c21d02574750ba8b147c1377cfb1da4fd344b191f7256fe3

Download Submit
C:\Windows\SysWOW64\Oedbld32.dll

Filesize
7KB

MD5
06f8dd7309d0a7db1831deee867b3039

SHA1
4f9ce1966d44a1f89b5c773da278eb87dd059b34

SHA256
02fc9723b5a1488cf077d90c9c0e102da3f5c81c8d906faa8db6cd732243569b

SHA512
c029aacd666cebd3b369ecee1f90b3684e86a657d071c603be56e57d48fbe21223b9c9c1caef4460d153cc500ed7cf7dbe577a40bd806fae2dc49b83c668c2c9

Download Submit
memory/224-39-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/224-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/856-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1340-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1688-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2308-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2328-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2440-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3100-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3192-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3260-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3500-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4156-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4180-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4276-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4356-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5028-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads