e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/03/2024, 01:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Size

242KB
MD5

24df215a60554c6ea119924fd1d06bf2
SHA1

1c82600af80c61061e2a53c66cc3aa7410829d5a
SHA256

e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85
SHA512

ad9234fde4c5c1bfbef722518ba52ae9f21c36ce074885ec3480f9bc797ac71bd2787971dd1a512aaf00437723316d98799e26c00d3db9572c447788b8df3d14
SSDEEP

1536:MRcJmXBcoka0ty2LOVVfsrkaVUImZLAiiwfsrkaV1fsrkaVKcR4mjD9:MK1/oV6V8ZLB6V16VKcWmjR

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe

Executes dropped EXE 8 IoCs

pid	Process
1740	Melfncqb.exe
2608	Mabgcd32.exe
2440	Mholen32.exe
2572	Mpjqiq32.exe
2476	Ndhipoob.exe
2420	Nigome32.exe
724	Ncpcfkbg.exe
1012	Nlhgoqhh.exe

Loads dropped DLL 16 IoCs

pid	Process
1956	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
1956	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
1740	Melfncqb.exe
1740	Melfncqb.exe
2608	Mabgcd32.exe
2608	Mabgcd32.exe
2440	Mholen32.exe
2440	Mholen32.exe
2572	Mpjqiq32.exe
2572	Mpjqiq32.exe
2476	Ndhipoob.exe
2476	Ndhipoob.exe
2420	Nigome32.exe
2420	Nigome32.exe
724	Ncpcfkbg.exe
724	Ncpcfkbg.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Llcohjcg.dll	Melfncqb.exe
File created	C:\Windows\SysWOW64\Nldodg32.dll	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ncpcfkbg.exe
File opened for modification	C:\Windows\SysWOW64\Melfncqb.exe	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
File created	C:\Windows\SysWOW64\Mabgcd32.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Mabgcd32.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
File created	C:\Windows\SysWOW64\Pfdmil32.dll	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Ncpcfkbg.exe	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ncpcfkbg.exe
File created	C:\Windows\SysWOW64\Djdfhjik.dll	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdmil32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll"	Melfncqb.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 1740	1956	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe	28
PID 1956 wrote to memory of 1740	1956	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe	28
PID 1956 wrote to memory of 1740	1956	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe	28
PID 1956 wrote to memory of 1740	1956	e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe	28
PID 1740 wrote to memory of 2608	1740	Melfncqb.exe	29
PID 1740 wrote to memory of 2608	1740	Melfncqb.exe	29
PID 1740 wrote to memory of 2608	1740	Melfncqb.exe	29
PID 1740 wrote to memory of 2608	1740	Melfncqb.exe	29
PID 2608 wrote to memory of 2440	2608	Mabgcd32.exe	30
PID 2608 wrote to memory of 2440	2608	Mabgcd32.exe	30
PID 2608 wrote to memory of 2440	2608	Mabgcd32.exe	30
PID 2608 wrote to memory of 2440	2608	Mabgcd32.exe	30
PID 2440 wrote to memory of 2572	2440	Mholen32.exe	31
PID 2440 wrote to memory of 2572	2440	Mholen32.exe	31
PID 2440 wrote to memory of 2572	2440	Mholen32.exe	31
PID 2440 wrote to memory of 2572	2440	Mholen32.exe	31
PID 2572 wrote to memory of 2476	2572	Mpjqiq32.exe	32
PID 2572 wrote to memory of 2476	2572	Mpjqiq32.exe	32
PID 2572 wrote to memory of 2476	2572	Mpjqiq32.exe	32
PID 2572 wrote to memory of 2476	2572	Mpjqiq32.exe	32
PID 2476 wrote to memory of 2420	2476	Ndhipoob.exe	33
PID 2476 wrote to memory of 2420	2476	Ndhipoob.exe	33
PID 2476 wrote to memory of 2420	2476	Ndhipoob.exe	33
PID 2476 wrote to memory of 2420	2476	Ndhipoob.exe	33
PID 2420 wrote to memory of 724	2420	Nigome32.exe	34
PID 2420 wrote to memory of 724	2420	Nigome32.exe	34
PID 2420 wrote to memory of 724	2420	Nigome32.exe	34
PID 2420 wrote to memory of 724	2420	Nigome32.exe	34
PID 724 wrote to memory of 1012	724	Ncpcfkbg.exe	35
PID 724 wrote to memory of 1012	724	Ncpcfkbg.exe	35
PID 724 wrote to memory of 1012	724	Ncpcfkbg.exe	35
PID 724 wrote to memory of 1012	724	Ncpcfkbg.exe	35

C:\Users\Admin\AppData\Local\Temp\e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe
"C:\Users\Admin\AppData\Local\Temp\e6c5914c2fcc2c0d3f58ba813d5ff5b15e3cd0504731d37d7cd47bc034d3cb85.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\Melfncqb.exe
  C:\Windows\system32\Melfncqb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\Mabgcd32.exe
    C:\Windows\system32\Mabgcd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\Mholen32.exe
      C:\Windows\system32\Mholen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        9⤵
        Executes dropped EXE
        
        PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
187KB

MD5
ed84c2b62ef4fad0f5ed409f61a4192f

SHA1
7e93c15cd6676b1cef0579476c137eac7ee8d3f5

SHA256
4ed722afc40173ecfd468cdf5f0cf967847dff023f531578e5c51af4763c06b0

SHA512
226d17351a76538ac1c79f113e7fe4ad71f5d92076c26372cabf769431e05c8bfd9b0f619f0ca93b601a91688e88a5e8970da5922c21bd07b8c30790a7a87792

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
242KB

MD5
23ca6bb0cea47f339fbc2c21cf952b60

SHA1
4647d0e8d3995e0057b98e78b0589a7b40c121e9

SHA256
a3a8663b88871a5bcc4c1a40dded61cf8a94a08c4b29245a964ff6a642d8e88e

SHA512
370b8f6e42a26bd9da4955760dce2815f12caa4d819b4904787548d6698f7daf313ce22d5d2f4fd513e8e368b3c68610214ea88efcf402c36e5de88193e6fc13

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
241KB

MD5
11563fce69a2a0d5dbbefebffb3a47f1

SHA1
5786f782bdf2922198460868ac4ea8b545893510

SHA256
fd6943d6e117af4e13b7892f43ea949aec407c7123027178f7d4eb49007c4ff7

SHA512
e2a0a73aa1beb7675c9fa29816330fde5afb0896348dceee593c13d136b78dc61446a2e6a600bef4c1b81706272bf6f92bf879a640930c39322b4e187070ae89

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
88KB

MD5
83547bb9f6a1eaf4a52cf276fd8db1f7

SHA1
26bca82d80244fd73ef55d68b57d97936ab4f799

SHA256
96cb8e8e3abdf4c1722e98a7f472d72691a7237995f59cea1e3ed00ce9f02c10

SHA512
2872f06e8e8af69ee294710edeef5149518f3517b592e1ce4ace6df4423099235e2e7f6f3416697e44f9c318b94f2431b5a481871f3fd098241545d72a8c4e40

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
64KB

MD5
536a798e04781d628ca36b9c377e70a2

SHA1
58fc94d75b1559dc93dba9dafb6badfd1779ceb6

SHA256
dd7d3269a7fd7dbd0ac94f4f22056214fa85136e1218ec1585b7756ef8575640

SHA512
6acec963225bc993bb452d2c2c64ba5de806788a6c43258674678a39e33998dd31a5b88709b85fd376e0f324bbdfd6262eac493d0fbfe70065e63691a7529aec

Download Submit
C:\Windows\SysWOW64\Melfncqb.exe

Filesize
125KB

MD5
d91e2bdb1e77567b39f63b9a6df8c185

SHA1
a6bda235aef859a3f9a89c7fb5e4145ddba5dea4

SHA256
5bcfa756d4bd01cdbf8441742275c509bf48d69c16f8a8f8c51e26b4586dd6b0

SHA512
93f18960012493b94cf19146d22ca888b8ce798747e1b38def85af5cdd8d71cea5c31cd668aab51a17ce6c67c84dc10b1eb44ea9a9e198a1a56a4da4f3805bfe

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
209KB

MD5
833a6651d857fcdda5830043ef8fee5f

SHA1
aa752554111facf00ad7803faa53795f79cab739

SHA256
56f102920c40997ad4f1193bd5cc5e8d82aaca90b71b463777439ce920c0755c

SHA512
f02a60aabff1cdf22b740997349d2aa989148b3f1e19bcc910073cf1b55616d7bbe6603d7be79fcb8a5c0b68170d377c1392e43e155efbee1d9974e69b0f775f

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
237KB

MD5
8fb065c032a22bf460dfbf639811056b

SHA1
f61f516510169babe3118192146ca670533e36cc

SHA256
5bf12f67c584cb113ea6c475e56e91f09d565e12ea2bc0685a0bb25c4862054b

SHA512
2515d87ef354a25d0655de2e483b278c4b82d624c7823f70830f6fc3c847f85cdaabb834840586802f8747ae9e5a5e2bdcc0c046fc29af497f150ff89981fefe

Download Submit
C:\Windows\SysWOW64\Mholen32.exe

Filesize
166KB

MD5
f2617443728c8c0f0afaf56ec25bc82b

SHA1
616e0afa89a740d2a45bc7e78cc08517b7d955af

SHA256
9af63da0ea3364e53152aeb3ac35c0a09e22a0297d9af1dce34c3a78d6deb02d

SHA512
607506beedc4c41df68f62e7511fd99f463a861bdc4c1083cb49e8bcd4c70c9b65e5774ea433c46fde1eada81fd0ff45605bc7f21a6bf5a08cd4d626ca1c55c5

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
152KB

MD5
1aa61644c82541d65e7d90ce87555a88

SHA1
65586ae7b33d5e9421c1aa5a6907908694c2ab18

SHA256
71205ec96eb53a48a2aaa405548a3ea638caf40d2977bf4d112f935647e4f47f

SHA512
93abc3012de022b728f7c64101f6105f626dfe4fcf6794e481a9c3654a08930a77f24fc6b28e1775fffe11714678d31ab154f5b5a0b6b19263f9f8c8e30d9867

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
163KB

MD5
894e9e869530f758910727c09ffd2b19

SHA1
fa302260948c1c9087c7e2170ab5e0a649d834cd

SHA256
8832f23d83d92bbbf32a3134ef5db495e25c4af88422cb182f318a716173e81c

SHA512
8ac875a2533ed3055391bcd9158c92d9d329d451d6311f3d52f49ac99f7ae52760de02d7f4d8463f81cfee07d9f1ef3ce58949c39a8eba35aeab8c112928b20f

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
130KB

MD5
7001766afa18f9e984755b2e59c480ed

SHA1
e6b59241dee926e036eb090d104ae9484447c9f7

SHA256
7a8ba4fe43798d19e439fe43ae482f2abafd4f57bac4f7817c9ae842b869e9b0

SHA512
69f57bec4c93e248e3bed8df10cc13ed18cff479fb304145999d76d73ca1c9e55d6234702a6191116a47217b8ff7e9e968204b5a356df69b47d8340cb12de282

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
153KB

MD5
c11ae73185af30bcaca9d9ae240413d3

SHA1
dedc13a5aede80f4fbcf90e89ff68fe7bdef14cc

SHA256
d2bf558893f0950002bf526b1894f7814b51ca7f594e13cfd61ef5f1a36748ff

SHA512
c4313cf8502eff4db0d64a97000fd7616d23e834c9a49c90cd53f328683bc50d5b83251420a9fc35467da74e30bf95df619a36b765d28587a7f7728685b4c510

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
52KB

MD5
f6c0e237817afb66360da37aec053975

SHA1
42db3fcfcfaa0611bab43ac7686b09fec59343d6

SHA256
18677a136ab0be839eddd55fc93b3e64fde5432a9768b379fa602a7ed135cd52

SHA512
4f017c99ff8d2ea9a9af88b9d01caa5d929db5e81eecf59f1ac8ee0c08585a4d7850ebce711b09552b8e1b584362115d4abe1693dba89257181127cfc83efdf0

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
103KB

MD5
62eed0bd3a6783c07cd0b0cd2e6bfe88

SHA1
09b93a7a84cba9ad96b20b732a137e487cf37989

SHA256
69f9f34c2f1e4b4c1f65e1a3d96a62025a9a6a25e71bdb4b5d2e6c1444be2d4b

SHA512
2bb03df61ca76bb6a587157e55a0bb618ea904449da4636a2178783ff016a394aaa1a4e150a83c770ea862c6bc1879d58599fd67d020b08cc9b3152dbe7de9d4

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
242KB

MD5
6f1de34b0329ede815a1f6c9a6c17871

SHA1
f63f3ab08c354dffe25fde5c3a79a473caed02f5

SHA256
8eb841766050941ae6200f6371b8ab7988fab991190e794d8ae7526f5190a86b

SHA512
288e8a7e58272aa130266cff45f31fff69450928ec7787533a92021280eed9db09c48c32c605fffb33eda704905161bec5adc1a5f9dbc98572f4284362f2fcb0

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
190KB

MD5
4dc2eb7f394ebeb6a77a72755b570442

SHA1
736edf713425608294603c2857f2ad30395bbede

SHA256
dacddfd0fb59394fcf435d857fbb02d277e716bffd8d727f9f4f88a6d4da3f13

SHA512
2de6733e4081afdd830cb1bb5f215ef2f3205165db8a1c84b1ca3b3bde2f2cfa41fcc0ad380ef0ff0fea9a500bd0d6b2f5644f89b457190bcb19bb0339a8ee54

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
242KB

MD5
fa57bd51b3487fbc80926b8b880d769e

SHA1
fed99901c842a6275729ef6453d00062d095bec7

SHA256
c8a11690033c6ae9995bfc47f61a109beba35fcf768d7bc00354cd3242214b09

SHA512
4709a8aaf52a2526c02763c7b2079ae322f96e3ba978924f0230697d65b786b640435e7a51458fb26e8c11fd4972625bcbb77debd50b1cc974b54cafeac1a61e

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
145KB

MD5
0cd7bc8c1cfeb9b6788b34ad5713aae6

SHA1
1f77ed37ea8d471ffcb7dffb5800f8a82970086e

SHA256
3bd0f68c130fa9b88bb92c58e42b2904b142d79ec8f19762bda3ccfd7f89be14

SHA512
a963bab0d6c062aea3c0c95a67628969826b38e2c41f39077630200d0b680df3abcd99dd3efbdee13eb151f7e224f97996200b025479e63ebabdcc4621a92cc0

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
85KB

MD5
8a505f2f22fe25751b1fd3a36b1fd4be

SHA1
09a1560212dec69bfba64f7d6d2bb70f8bce6401

SHA256
79633002af76acc1e54fa29198d0bee5123a798743cc05ef11a7f66982c707a3

SHA512
998a6685efc6a4cf378bf478f80a673012d4f68956505e1136f0935c17a5fb75dcfb9b1cb9d89b686916e7169f543acc1c7b8d25cdfa78a131d8da79fa4bc6f9

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
76KB

MD5
e4669b2fb31fc413faadbe24fb8d2db2

SHA1
09a5f2dfca5d75dc7d52e327bfe26cbc99405104

SHA256
34e128aa653e17a0d647139fd57aa7fcc5df4cd742762f11bb6ae923f11f4557

SHA512
b4703df9a727d0f86970f3e3b7a638fe805a65f275f73a4075d31e8b41bf8a190a3ba93023e6d3970e03f2e097ba57af2d8a6ccc0a20c3777843cf6483b5ca60

Download Submit
\Windows\SysWOW64\Mabgcd32.exe

Filesize
186KB

MD5
8d9c8f61cdd2e3c96392a53c376e3de8

SHA1
eaafe1dcda78b41d33a80c33a778c75fb67eeda8

SHA256
c486e3f915d3edc84281a1b1e1cf799669a455efd194aad7c99704a90087fb17

SHA512
3bc2f1c456bb9307bf1a1493071034f9bf12f0f8c8e58892ead7670ddc784c09d2fe13b31827148e91fccef3042bab8f0b5199d8d93af40dfdd5ae2cf5ca2ead

Download Submit
\Windows\SysWOW64\Mabgcd32.exe

Filesize
158KB

MD5
0c0bc1af980da7722590ad9460b07146

SHA1
c175a310a234d75161467b2f5b5cb311c09c3967

SHA256
8c55b51293f7a5409a3922e618a26f35ada1789d45960787e82384a0b2706669

SHA512
78e7271fd0dd92b4373e329e0b0f830a5e0bd78b914bd78cedd3605741dc205da19aad5ca419030f35a79903bcfff44a7e90bf455da2f8dcc2d31617a494a27b

Download Submit
\Windows\SysWOW64\Melfncqb.exe

Filesize
242KB

MD5
e01cb1965611bc26431f4d48107d9129

SHA1
75546470a361f970738d9cd57eb096e5ed465c55

SHA256
33c6030fb5b66c758dca657fc6c3a2982eabe77fb5f9a48af43bf81f98cc6962

SHA512
fca72ea1841a8b43aa616797c1285a398eec091cb79f9082217faff94039b05d99988bfdb86a34b3b38ce822b961ec37691126aca85602aed8bf232d18970f7a

Download Submit
\Windows\SysWOW64\Melfncqb.exe

Filesize
128KB

MD5
80a450d9c1071cc63886c4315604c552

SHA1
b4bbb63a191a36a0741fd6e19b76a57564c62aa5

SHA256
c94fc2b1b0f40b0b670dd07384c3027bfa19719aa07b6c24d7a1d11c6d38ce31

SHA512
8bb9aca869ae3ffd4eaf6998f7b9feedd1b20f7bff20feaac485c9a951db3f6fc3b0e10ab73083a1da28f878c83b50dc3bbdbe24a335afee565a175b35c04b66

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
199KB

MD5
f98239d108caadd43285b13a98f44033

SHA1
77e69812ac43aade465cb52183966f7fe31534e5

SHA256
2334dd040dd097116298c646846a0e4fff7769324c0be576fd8f6d55724ea8c1

SHA512
36135abe6f93a14547745cab5d1144ccca001c7a8a83b09d9e8944be4cc45f8adca4c1a3705b79a466559254b2d5ee4be956e48250fa47068ec04ff0e199782f

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
195KB

MD5
6857b9f941a34ca32422c86c33d7c734

SHA1
d798e38faf4eb0ca1fb7a2139f6cc7fba81eb620

SHA256
b33fd343fe9db9fe4f0a8454879f452dfd7e2b713c11a1749c5af1621c7c0529

SHA512
0b2ad3a1bd1282c5d2537479cf41343e9fe69ed283aba23b46e25a222fa302a6f72083f24338cd6b8c783cef0465feb13237bf453348313cc0d7814a424bf0b5

Download Submit
\Windows\SysWOW64\Mpjqiq32.exe

Filesize
218KB

MD5
440a1a29dc319c1110aad29fc5e72be4

SHA1
410c4455a067b43a22b0d323cbcec56be89b7d79

SHA256
932ce0774183fda20f9a24e3bfe7b63f9d49277b5ccae389207349df76d01b76

SHA512
b0e0991d63de4534125ff341ab4eb5559963723c0fe1cda39d8c6fae016000cb26295c52dc4d9447d04fa4b8c9e28ec2efdaf1b9f17ceb0a77cb9164ae230bd1

Download Submit
\Windows\SysWOW64\Mpjqiq32.exe

Filesize
160KB

MD5
985a2e2dfda7f121f1e389ca2c7d0526

SHA1
2bd91a3cf1f3fadfbc7454d572a4c73e318a7125

SHA256
8d947c5710829cb3db2eb5f691f0595c209f53c5279dd1c7d0073bb7f76b9b1f

SHA512
d186069adcbfce7f6b40b0ae11df687c0ec5641423310c983c4b08fac51e3a4c08badb6570dc762b76b76e7a5fb41da53ce5ffe2489410b1756050513e9cc2f5

Download Submit
\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
242KB

MD5
bd6d8c54446e7f60ed68cf052e922100

SHA1
eabc29f93b0ddd8045a9a67d71f4f147e30474bf

SHA256
058bfb7f757923b93b787781e9643bbbdfaa521313cf5621975cc76906e9084c

SHA512
19f337303be297dfb93f9a17fba8cc7840d37faa2215cda0bc8e13c794605c1c742c4b91de4e13ce1fc6482c162e20bc5bafe08b3ad07e382a69345a054c6d64

Download Submit
\Windows\SysWOW64\Ndhipoob.exe

Filesize
136KB

MD5
caa049a67b9801bdf2f598e99bebd732

SHA1
7a00a5b7b2e566b85cd70ab769647587b3b47de1

SHA256
910ebe9d09717a43edf679d4ff138d53be13b0df4a05fd6b532ab11f919ba013

SHA512
358d1c680665d24466d999981278303f4c4373c0bfc2461a5de2277599be9a16fe85496aa5d269c016b3a3e67e977c9875a82229de3b14abca58af2130b8c0fe

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
145KB

MD5
5e037ba8db22934560cd4a6e14c6fabf

SHA1
d37ebb5b058a758418c7018b521b09c5f80d6835

SHA256
4f18e54da995a95cbf6124cb381abf0a19da92d1c95b57f545d823fb54ea42ea

SHA512
5fc5dfeedd54b68c13a3e1adc129136edb957f9449d722b608d7c1d6b1110d828cca42892e3af8dea82d98618b0a113ef89b34629bf816298923fbe4a701f723

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
68KB

MD5
958e4ac100c516f23f0720f1bf3db692

SHA1
148896e402acb93e535fb651115507c0e0c6851e

SHA256
20a4aa6a71d3e7b97d90fbc5ca457292d6211776d61e6653b3adf011b471fd0c

SHA512
6dafbd24e4bce36961022dd42aebc842508c97b95301e108a17f50e8255369387cc74a3e1b5e79e977239c6b0d5e301213e5914001cdb33502549f0f6faea59d

Download Submit
\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
181KB

MD5
e2d78b68afc355cf9904d1b10734d93f

SHA1
c3a78eeb43ca150c3cced3d2511a4409410372b7

SHA256
b2469188ca6058d6daaa6bb988503c828132db4f219a3eff9ff7a24beb5a2fd0

SHA512
9927ed5c812110da080bd9c3b8521a2384bea7a7a4eb6569b9ca480e8908c1153a4cee9bdcb12a0f11b14c8e0ee56720d01cffed90562a89240fe8651565068e

Download Submit
memory/724-124-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/724-93-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1012-106-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1012-116-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1740-18-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1740-120-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1956-32-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1956-6-0x0000000000260000-0x00000000002C7000-memory.dmp

Filesize
412KB

Download
memory/1956-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1956-123-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2420-80-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2420-117-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2440-122-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2476-118-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2476-67-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2572-53-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2572-121-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2572-61-0x00000000002C0000-0x0000000000327000-memory.dmp

Filesize
412KB

Download
memory/2608-35-0x0000000000220000-0x0000000000287000-memory.dmp

Filesize
412KB

Download
memory/2608-26-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2608-119-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads