32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/03/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe
Size

207KB
MD5

55308934ba4582bcee6f561c8a2cbef7
SHA1

e4766184fb673f274f7ffa4b8ea848bc9999d67d
SHA256

32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66
SHA512

db17715ba2f261df2500afa0fab04e368cd75747228dcf779e7275906f388818293eea651f8ec7c8dc3c1b85ef1a74041e8bb375378151b3ccbde8fe935ee488
SSDEEP

3072:edEV3agvtLWraFuzVV+Cxt1VjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:edYakLJIoCH1Vjj+VPj92d62ASOwj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe

UPX dump on OEP (original entry point) 56 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023148-6.dat	UPX
behavioral2/memory/404-8-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x00060000000231fa-9.dat	UPX
behavioral2/files/0x00060000000231fd-23.dat	UPX
behavioral2/memory/2608-16-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x00060000000231fa-15.dat	UPX
behavioral2/files/0x00060000000231ff-30.dat	UPX
behavioral2/files/0x0006000000023201-38.dat	UPX
behavioral2/files/0x0006000000023207-63.dat	UPX
behavioral2/files/0x0006000000023209-72.dat	UPX
behavioral2/files/0x000600000002320d-87.dat	UPX
behavioral2/files/0x000600000002320f-94.dat	UPX
behavioral2/files/0x0006000000023211-102.dat	UPX
behavioral2/files/0x0006000000023211-97.dat	UPX
behavioral2/files/0x0006000000023213-111.dat	UPX
behavioral2/files/0x000600000002321f-159.dat	UPX
behavioral2/files/0x0006000000023221-166.dat	UPX
behavioral2/files/0x0006000000023221-168.dat	UPX
behavioral2/files/0x0006000000023227-191.dat	UPX
behavioral2/files/0x000600000002322b-206.dat	UPX
behavioral2/files/0x0006000000023234-245.dat	UPX
behavioral2/files/0x0006000000023236-254.dat	UPX
behavioral2/files/0x0006000000023236-253.dat	UPX
behavioral2/files/0x0006000000023236-248.dat	UPX
behavioral2/files/0x0006000000023234-246.dat	UPX
behavioral2/files/0x0006000000023232-239.dat	UPX
behavioral2/files/0x0006000000023232-233.dat	UPX
behavioral2/files/0x00080000000231f6-231.dat	UPX
behavioral2/files/0x000600000002322f-223.dat	UPX
behavioral2/files/0x000600000002322d-215.dat	UPX
behavioral2/files/0x000600000002322b-208.dat	UPX
behavioral2/files/0x0006000000023229-199.dat	UPX
behavioral2/memory/3716-192-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0006000000023227-190.dat	UPX
behavioral2/files/0x0006000000023225-183.dat	UPX
behavioral2/files/0x0006000000023223-175.dat	UPX
behavioral2/files/0x0006000000023221-161.dat	UPX
behavioral2/files/0x000600000002321f-158.dat	UPX
behavioral2/files/0x000600000002321d-151.dat	UPX
behavioral2/files/0x000600000002321b-143.dat	UPX
behavioral2/files/0x0006000000023219-135.dat	UPX
behavioral2/files/0x0006000000023217-127.dat	UPX
behavioral2/files/0x0006000000023217-120.dat	UPX
behavioral2/files/0x0006000000023215-119.dat	UPX
behavioral2/files/0x0006000000023213-110.dat	UPX
behavioral2/files/0x0006000000023211-104.dat	UPX
behavioral2/memory/3092-96-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x000600000002320f-95.dat	UPX
behavioral2/files/0x000600000002320b-79.dat	UPX
behavioral2/memory/4904-71-0x0000000000400000-0x000000000045B000-memory.dmp	UPX
behavioral2/files/0x0006000000023209-70.dat	UPX
behavioral2/files/0x0006000000023209-65.dat	UPX
behavioral2/files/0x0006000000023207-62.dat	UPX
behavioral2/files/0x0006000000023205-55.dat	UPX
behavioral2/files/0x0006000000023203-47.dat	UPX
behavioral2/files/0x0006000000023201-39.dat	UPX

Executes dropped EXE 34 IoCs

pid	Process
404	Mdfofakp.exe
2608	Mkpgck32.exe
5012	Majopeii.exe
1912	Mcklgm32.exe
4384	Mgghhlhq.exe
4412	Mjeddggd.exe
3360	Mamleegg.exe
4128	Mdkhapfj.exe
4904	Mkepnjng.exe
1560	Mncmjfmk.exe
3008	Maohkd32.exe
3092	Mdmegp32.exe
3504	Mnfipekh.exe
2200	Mpdelajl.exe
2080	Mgnnhk32.exe
1120	Nkjjij32.exe
1948	Njljefql.exe
3224	Nacbfdao.exe
4256	Nqfbaq32.exe
1864	Ndbnboqb.exe
4508	Ngpjnkpf.exe
2212	Nnjbke32.exe
3252	Nqiogp32.exe
3716	Nddkgonp.exe
1076	Ngcgcjnc.exe
1016	Nnmopdep.exe
1740	Nqklmpdd.exe
708	Ncihikcg.exe
4704	Nkqpjidj.exe
5008	Nnolfdcn.exe
1956	Nbkhfc32.exe
4624	Ncldnkae.exe
4752	Nggqoj32.exe
3204	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mkpgck32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe

Program crash 1 IoCs

pid	pid_target	Process
2996	3204	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 404	4072	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe	83
PID 4072 wrote to memory of 404	4072	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe	83
PID 4072 wrote to memory of 404	4072	32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe	83
PID 404 wrote to memory of 2608	404	Mdfofakp.exe	84
PID 404 wrote to memory of 2608	404	Mdfofakp.exe	84
PID 404 wrote to memory of 2608	404	Mdfofakp.exe	84
PID 2608 wrote to memory of 5012	2608	Mkpgck32.exe	85
PID 2608 wrote to memory of 5012	2608	Mkpgck32.exe	85
PID 2608 wrote to memory of 5012	2608	Mkpgck32.exe	85
PID 5012 wrote to memory of 1912	5012	Majopeii.exe	86
PID 5012 wrote to memory of 1912	5012	Majopeii.exe	86
PID 5012 wrote to memory of 1912	5012	Majopeii.exe	86
PID 1912 wrote to memory of 4384	1912	Mcklgm32.exe	87
PID 1912 wrote to memory of 4384	1912	Mcklgm32.exe	87
PID 1912 wrote to memory of 4384	1912	Mcklgm32.exe	87
PID 4384 wrote to memory of 4412	4384	Mgghhlhq.exe	88
PID 4384 wrote to memory of 4412	4384	Mgghhlhq.exe	88
PID 4384 wrote to memory of 4412	4384	Mgghhlhq.exe	88
PID 4412 wrote to memory of 3360	4412	Mjeddggd.exe	89
PID 4412 wrote to memory of 3360	4412	Mjeddggd.exe	89
PID 4412 wrote to memory of 3360	4412	Mjeddggd.exe	89
PID 3360 wrote to memory of 4128	3360	Mamleegg.exe	90
PID 3360 wrote to memory of 4128	3360	Mamleegg.exe	90
PID 3360 wrote to memory of 4128	3360	Mamleegg.exe	90
PID 4128 wrote to memory of 4904	4128	Mdkhapfj.exe	91
PID 4128 wrote to memory of 4904	4128	Mdkhapfj.exe	91
PID 4128 wrote to memory of 4904	4128	Mdkhapfj.exe	91
PID 4904 wrote to memory of 1560	4904	Mkepnjng.exe	92
PID 4904 wrote to memory of 1560	4904	Mkepnjng.exe	92
PID 4904 wrote to memory of 1560	4904	Mkepnjng.exe	92
PID 1560 wrote to memory of 3008	1560	Mncmjfmk.exe	93
PID 1560 wrote to memory of 3008	1560	Mncmjfmk.exe	93
PID 1560 wrote to memory of 3008	1560	Mncmjfmk.exe	93
PID 3008 wrote to memory of 3092	3008	Maohkd32.exe	94
PID 3008 wrote to memory of 3092	3008	Maohkd32.exe	94
PID 3008 wrote to memory of 3092	3008	Maohkd32.exe	94
PID 3092 wrote to memory of 3504	3092	Mdmegp32.exe	95
PID 3092 wrote to memory of 3504	3092	Mdmegp32.exe	95
PID 3092 wrote to memory of 3504	3092	Mdmegp32.exe	95
PID 3504 wrote to memory of 2200	3504	Mnfipekh.exe	96
PID 3504 wrote to memory of 2200	3504	Mnfipekh.exe	96
PID 3504 wrote to memory of 2200	3504	Mnfipekh.exe	96
PID 2200 wrote to memory of 2080	2200	Mpdelajl.exe	97
PID 2200 wrote to memory of 2080	2200	Mpdelajl.exe	97
PID 2200 wrote to memory of 2080	2200	Mpdelajl.exe	97
PID 2080 wrote to memory of 1120	2080	Mgnnhk32.exe	98
PID 2080 wrote to memory of 1120	2080	Mgnnhk32.exe	98
PID 2080 wrote to memory of 1120	2080	Mgnnhk32.exe	98
PID 1120 wrote to memory of 1948	1120	Nkjjij32.exe	99
PID 1120 wrote to memory of 1948	1120	Nkjjij32.exe	99
PID 1120 wrote to memory of 1948	1120	Nkjjij32.exe	99
PID 1948 wrote to memory of 3224	1948	Njljefql.exe	100
PID 1948 wrote to memory of 3224	1948	Njljefql.exe	100
PID 1948 wrote to memory of 3224	1948	Njljefql.exe	100
PID 3224 wrote to memory of 4256	3224	Nacbfdao.exe	101
PID 3224 wrote to memory of 4256	3224	Nacbfdao.exe	101
PID 3224 wrote to memory of 4256	3224	Nacbfdao.exe	101
PID 4256 wrote to memory of 1864	4256	Nqfbaq32.exe	102
PID 4256 wrote to memory of 1864	4256	Nqfbaq32.exe	102
PID 4256 wrote to memory of 1864	4256	Nqfbaq32.exe	102
PID 1864 wrote to memory of 4508	1864	Ndbnboqb.exe	103
PID 1864 wrote to memory of 4508	1864	Ndbnboqb.exe	103
PID 1864 wrote to memory of 4508	1864	Ndbnboqb.exe	103
PID 4508 wrote to memory of 2212	4508	Ngpjnkpf.exe	104

C:\Users\Admin\AppData\Local\Temp\32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe
"C:\Users\Admin\AppData\Local\Temp\32f97b96b43d65d82617b9817efb37b165707f5c6693d90400548bb733a15e66.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\Mdfofakp.exe
  C:\Windows\system32\Mdfofakp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:404
- - C:\Windows\SysWOW64\Mkpgck32.exe
    C:\Windows\system32\Mkpgck32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\SysWOW64\Majopeii.exe
      C:\Windows\system32\Majopeii.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4128
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1016
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4624
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        35⤵
        Executes dropped EXE
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 420
        36⤵
        Program crash
        
        PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3204 -ip 3204
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agbnmibj.dll

Filesize
7KB

MD5
0f164129b0602a8cb57f4d961fb934c1

SHA1
ae6de2114566d517a750c939cb2c327b8beccd4f

SHA256
05d8d5b7db1d1d54c1bfe4833c4be32d46b45dc6568f27344a81b38b2d44ad4d

SHA512
f79d16bc0eb54cf4f6a1acf23f9eb5847f918b01b20d2bf3680d07fe0f5b2bfed74814ac3331c408e6af9a4c27d62cfb86ad65b2f551674c11c19a90a9691a26

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
207KB

MD5
24a85c1466344e8f64c2c553d6dd9b1f

SHA1
7d07ed447d6cd69da60450d77aa36a87fa17ccbd

SHA256
1477b8e468b833bcbf2bebc0ffd5d65cfcbcf92099cec219472d0640e7fc3f49

SHA512
5f8f2ba5c2346b5b70cad07d16052eb2b62d8a9be82aa94163a6ce3a861e3f8b7d70bdf22609e4d0a326bb2fb6a10dfd729b44db389617ac4400a38ef8e59f8f

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
207KB

MD5
476200fc1899118edf18095d9f638967

SHA1
35ebfc095e529bb3430f8a2b0dd6bd7fdec1784f

SHA256
bfc52cfdb39e1ee8f984b1953650de6228bb4e7475a534153a287626378821a9

SHA512
99c8a5f40a9963aec7af0a4f9747432d2f53adb6025765ee0c80eebaf6fb67dfffa03ae77cf84b2dbccdd4e4fe955e15527f14a7a80d94c02f3d436332f8d47b

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
207KB

MD5
113acb99b9adbbb2ecb522bc7915f0c5

SHA1
372d6f527ea3bea72485a757ddecf003f34425a7

SHA256
30c6aaf2f2363e7e0da9d02c746f714f710a794a96537efbe9c96e644499ed50

SHA512
b52d1d75eed8db5bfd6cad3e6436132ae714482b4fbe7134b3510cd1ca445ce17af05e069d9fcc74b467716a56993185703622895490c4341fc2d54547ded096

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
207KB

MD5
b54ade4568e680e0abd93282e58a9f3d

SHA1
b3bfa56890eec9b4289298e329854d8e9812bd07

SHA256
dc302840d99547f55f376220459300f52a6857dbc66f1b020a9f43213f6d1159

SHA512
30205a1f343375dbc89af0b68b7f49b3209e72642802d2f661d67605cf9dffec4b3537062404ddc02673c33b8b47c3212d4d07a2cc93afe5641a0f57d2920958

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
207KB

MD5
644a1a406a1150b8fd8ae7638be6df67

SHA1
ff2764ea4f1fdb1473e9b5fe4476c1e73fa21265

SHA256
6f06acc32d26729758510d4909aa16b24c37f872691e0b74b06041c716e47faa

SHA512
12d944d0ecea151d2ace33a596dd10de2fbbbb7baee97f881791dd74c4ec0fb33447fa8bcca2bd0ce473cb869f079e89e2a18fe2f63e08e4f5f8c7f5bdcf3a2f

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
207KB

MD5
9cb3ca616db918147ce5f5d05dd2ed2e

SHA1
8fd1de891b5ba017ad51d9a3942445e3128483c9

SHA256
a90e6d0499431bb89918168d815cafed7d4defc3bc393cb113ec87ae21f38af1

SHA512
c71436ca05ddc928d2bd9c0bb8c43a5ae73373fa4537df6d8fc89fe564417bd89933a6f20413b205a978c9d7ebe697560ff9983df5381b1aa5a71fd73f0f5c6d

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
144KB

MD5
6f42afd08c0376c3404c2b1df7d58f7c

SHA1
0efb16f152dd97cabf40fc95caa99d58f45dc524

SHA256
427cea73d1df9f5162644b4cba67dbc60ebbaad36ed4827ed543b83cd5febd67

SHA512
867f421fef188a31e43094effcd7f67031c4251395bf530e1784488a2db437eb26cb7c8d84d835ff6ce0760f3af86e256f82b2d31796ee7438407237d9b0119e

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
87KB

MD5
286bf0c1cdd4e8ce8d7b42ecc95594cf

SHA1
689d83a193f6a11d8fb84635af2be2067828cf2c

SHA256
d9c82984ec5d6c2bb026791485cd7a16d41133a9c9b90cc64b090d55e4b20a44

SHA512
e5752526dd80fe48e2ea5a32d49347877611b9cde82d7cb95590d5e0dfa9c7bc2f4e2f278fc6328ed74e67d8aa2e3969ea7c29c79650c36b4f01e8871cb6516f

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
207KB

MD5
e2c4f5304808f45ac52b2f432cd38544

SHA1
0a680599de2c21e376ee13420772a719613e13ff

SHA256
881a8e7606323db9d737915a807884d8af48128103ed848e974a4bba4665cdad

SHA512
ce25bb39724097aad94d08c23c09f123c966e0d0e1baa179b1d8ff2a7afc65ac6d5f6a8aa12f7d26fbf83c4cb64a2724fb139b09acad846a06d31c5c0b704b05

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
116KB

MD5
a1af7830d77ea78a7ca47e4b74a6d070

SHA1
8a9895c778f99c11d38bef0d69263cae34700b7e

SHA256
1e807ca1e2e5cc1593bc57bb2bdefd297808c05d23bbcc5580d8b9c323d2eafd

SHA512
f1c5f85cfb509eee3c4bdabf61fb1f46958966de34f5fcd296f43eab156b581cddacdbf8a7498a016fbb3ad0489bd73428979bf0ffafb4440a1be746ea6671a6

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
207KB

MD5
40987da2faedd181193b011a7f80b624

SHA1
aa11744846441c5e9bfd02dd770bc7f32d287898

SHA256
b7be642ae7fbb106af5bb0e12a043d2069a290b1df94dd124372c1f6a6115ea6

SHA512
d64745f1ae2d13ee2d73c0d3b3186e86d52e46725bb6d216bfe2e96d3da6a17b974d39cf9bc6a0a90eb8ea9b8ebf681614639f1d52ee65212fb0ed954d28b098

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
207KB

MD5
db8bc837b1ab99692510d4f3adfbb27a

SHA1
9e5f834b5563a8d8326e5ee68ea504b56739fe8b

SHA256
e41acebf36febecc1047a70c7b56fb1bb40457afd20bff029892f347506df7da

SHA512
8d7ad1436b53736b4f991c13029d6d3a87782e2b82aff3543ab568214072ef17f78e9561cf8bd737c3646b6f7f85a832764da291c6273a279066f90f6e2b0d42

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
207KB

MD5
1f3c5aa40459bb6f36a95d52827e7b1d

SHA1
d6bf55463a7f061f91697cb36a1203a6abf46529

SHA256
92bd4974a15ccb256a081d91658f455782c11968fa04e8add5c6d48a7dc9b888

SHA512
da4c61c344fa332b4ce4ac8c001225dc7063a8de3e164dea763c27f6c42f3f58b33734f356dcd6f999152a8bc97c9d2b15d21ccd5c67b03b343d65ff1e04b99c

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
207KB

MD5
4fa9acb2c1ff5384e2ff67ab548c04d6

SHA1
3f1c14b44c0910641e4072a5f83ce5cb294fd11f

SHA256
738316a4f78a4427562a54d0d35b07d542d0fc1a3747cf0ca169466decab37d8

SHA512
f5dc359b17e2c43abb554486d3a9fc25c3df0116adb47e68bef3ebf8e70661de5186b1fd7c039f2802295113cc94f835e2e8a47bc631e974edccce3a30077223

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
207KB

MD5
9ded4185b4f90667ad28b536a5d840a6

SHA1
a81e8c078473e50d4beb864e4179fd5d2aca420c

SHA256
7431f5b08743ce389f24036796d2675e65ae851f3c7d0824a7adc2d24500b340

SHA512
f6699238d1d5d188ce435efd64936a1614f030586cbd089e6d9712ff5727d7fc80ed7141592fa413f9fcf113d8d329bd6f9c46a1f5f1391bbb05dd753f132871

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
199KB

MD5
154c7e0e3d8633c52e625f55f0d76899

SHA1
0701049c200e36cfe2ff1dd74a1ac14d719afcbe

SHA256
8c2b0b2ea6f42690189009997438494e3a8a2385bcf3002948467bb27060a4b6

SHA512
fe29d0d341c4c1d341bdf7d8ab65d1b21cdf2f86aa37b304472bb2cbb22b92a5fb4741900b9dd75668428104076e4bd9fe8c582903c5a7e5baee17b186c22494

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
207KB

MD5
d1b06ea12b0bc7affdd8e39b26cf2204

SHA1
962dd0a3f75a192de1766c4fbb8704995f2d2189

SHA256
d9a7f46c6ba78d6786340e2d722a976d2e350f737762d9d982852fa7ce3c750d

SHA512
c7170d6de0a795213199faca87ea6c64742d5e952cb2c69f9e18693f2db50c12415d26c0dc8019db1603814d2ff2e52f0c374a52f8be97078e13f51aec1a201c

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
207KB

MD5
a3405e8e03ed785b67dede26341f095f

SHA1
9698fae364bb6656e1a23d8fc150e26d655b8499

SHA256
0b35ead8d3b7176594c3f478928cca79688338658065c2ff95934df6aa5c30d3

SHA512
7b002ab64ce07b5ff846db3ed9c330b5e38f4bfefd309775ae76f3b4a1c908519e4f5215611a82316c9967544ea0bea94dfa6ccacbe14700ceffbc2eba769c53

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
207KB

MD5
62f4b75a81da5ee1eca6756dc291617a

SHA1
b0e11058150b3822491f4de0777422e82e8ce906

SHA256
31562361f49e293241a93545887abbbd4784a4fd669e47ae06f4988612b32e4d

SHA512
9698918842922f0f25efa714108bb0532a52d98ca03d0ed0e05d8c89da582ef045ace21aa38126060f733a20dcd9aa2ae207d4774484c4ea84edcb57fcf315de

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
125KB

MD5
1c582a08177d5a7cc33fe17d95a0e33d

SHA1
4ebdf75f95e49da032f017a59d2c5531d4a59828

SHA256
668f941e3cc75121eb1f47e19fcf6e0c5b084f2f47a425154002c8b713ba60e9

SHA512
eefa71e26d5d9fab6ca9cfe039a3d2cd77ab973b28d1546ca091567ba33994a71a1eccbd2e8876c80069eaca0befaa62f2225144aa09dbe861baee9698c6eb4a

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
207KB

MD5
ab824eb0f9ab14394b0cc1985f8fc833

SHA1
38e8260c06653de9a29c3da82b5324d76f5d49e9

SHA256
d3c65a869a58cb06ae3d5b05f3160a213301e8af08eefa274feab66eaf38bd7a

SHA512
399935a500f58b3b3b82e5d3b8270b135ab24b1b04e74d40143bf0f0bc96b4e1ee56439d1994f22327b0540b481107fd3ae7731fcf44f4e12a4779e954fd66ab

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
151KB

MD5
ed595445fba4e0b589de976353807ed0

SHA1
e5836f756d44f8367fc35f93041087a914fc3162

SHA256
ba8e89cb30094f4f1c712443957b0cf8e5f5896a9805c6e1a2aac5e42b4724e2

SHA512
8203844f0c7984c99c6dbd855bcd0eae38494cbce2cff2aedbf79e26900a03da337a2be396eca649f7a3923d54010575270def24dc0b67ddea0c08de49fb32f7

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
207KB

MD5
7c63ceb4528b710a6cfce10ea97dfdd2

SHA1
202ee313f44628fdb41459fe5f87c2f056d8df27

SHA256
0786222a651eb08e8dcc7cd45d6a2e918831c456339bbe52c12ca0053504149c

SHA512
b845afb21acae4dab13180b55a6f7e2ed99b82dbeb750709741baac6ab2cdeccaccbc3f5a724242fe0eb5ec629222a0683764fe46b941b3b677981f70d395d13

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
20KB

MD5
d4765643bee05bf3b61e8fb45cf9a52c

SHA1
ec4ecc41807f0a21cd062fbf728796a182abe961

SHA256
9d28fc1b4435a3d8195f26966aa72aba2ec216e3abadad2df92a5260838e3bb7

SHA512
ccfa23b91876e4ff7e2dc2d36e611654358fd717f124726523989bc30e8f84592b5fc98f7897e86fc7ee6f54fd8c2b7bd8f8b4880e26b5499b19b39350f106c2

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
207KB

MD5
7c75f2c5690b5a707934a9aca6776cb6

SHA1
d8427b3f2f4cb965816545456818c3abb4715674

SHA256
a3ab41887689799d1d1efeca1124f00bdb37661a7a92fe4d22281b3b1cf7d41a

SHA512
4b9bbaddc6755076cfd0df5f85c9760c3c0172156a4ece7b7181a4092f0bf53f6a7247bc2d79abc602a1feb88a1051fc7c960a17a2f7159735920ba129635f1a

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
202KB

MD5
1cd7837b91822af3a3b97da41456f319

SHA1
6c5719bcd21b377e4a4528cce8e0e05a9bba2719

SHA256
2fcd4fd5207743ce8be6e7226ef96b6222cb5d7e4b9fd4fa7fc7e1fc47309569

SHA512
1ce61fd11ff74886b3cc647a560e45f01b275f25f0c4c4bc8a6db844eae8e67dd8ece6f6f9683e28321251abad610e2368182107a67ab8ab7fc9065453744a1d

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
207KB

MD5
739b7841f7c77f3238ed45748b14469d

SHA1
26aa0416c0b448c9a1908da1bba5f123d555ded0

SHA256
6a6eeb9b71b79fc5d5ee7b2a5e5c80241c55ed1c6a05a3903678a5cc4ac2488b

SHA512
d398cc52c1bc4263d85281d259c568e271dc8aa23e2da2ef83d0249f0f6734bddef971fd49196b6fd860c64dda8c9b2f8001490c2e198f4cb9044b3da30ff66a

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
207KB

MD5
feac51570725d5cda1467e18714b7a7c

SHA1
c4cfe3e2294864af323a2d3df7d1631e4cf6e981

SHA256
37a0cd16a8d6042f756375e6f40d8dca54600d8fa2c6949345a67369b7f9fa18

SHA512
254ac19e0e03f9290e869afc376fdf8333b353f3214b2f27bb37bf223891bd0f54f7fa82cb856c4202edce4f07b40aab241ea003d7ca38274af5d9530704024c

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
77KB

MD5
c1dfd90519a859c83d317b97c23ba784

SHA1
6a741633c6a5df7a6580e22c71eb8644750ab19f

SHA256
5ed7e79e3bb0b246937ee12d0d23e0bfffce56db97e281c2c8719a49fc290a94

SHA512
88da4fe664c544c5ed83fe34f6b430949f9c09962183b50a94ba2dbdbae04ad8d3038e4748f8b8d11aa403abb0a0cad54bbd6483678fadbad9d08b03953e4697

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
170KB

MD5
1903e1bad6a9f3c0f63f7a48742875dc

SHA1
262060811ff11bf8f2ff5d3292a38867efdbbd98

SHA256
f327d0ba60e833de0de7629a1b7bcab4f49f27d9c813b96d44f0fd986df18523

SHA512
a3f1f1337f1adea2a87e3bf3b1d12a14f2e64efa659fc75a8b97ac0c8432ba4476251f3fa854272ad392faf0e084f9864fcabeb9b558ab89bfbb6ac4d3f6d5b3

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
141KB

MD5
ccb4967e5b7181533597a5f30b764cb0

SHA1
c51a2048c2ba334f28ab0c08ac5766eff3619d87

SHA256
b11b2750a6ad8e805a15b575ac1c93142aeded10d1f90524f118a6838e538d10

SHA512
264e0a125a968a7344177ce1b83b117bbdcdc6a4e3edd4c8e739c11358da6d163a11a8341feb9af7bdeed3f904fe85593837bbbcafd9d860a684e32d105f40f8

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
207KB

MD5
2a853a583f90bce744f20feed5e5b1fb

SHA1
2bb4d8a08bb2460daad3210c03305299fbb0d0a1

SHA256
e6b6f82712ada7bfcf8657443ad5e4e64e49b0a2972eaa80e97451cc90e866b6

SHA512
0a3b64c2dcbc3aaf0a894c1e89d1908eab8025c0804b3fed76d489966d00b2f1d7a7624cb50258c1019eaa0160a3ff68a4db346ca6db4891556edebc99d901ae

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
100KB

MD5
1eb566a42e910b3374abb04d5628f831

SHA1
1acad6f970609de1821a529915284dcd283e3607

SHA256
5dada29d381e55b3af09ed3597f55082d781aa3edfaa1950cd3ae5f09f0779a8

SHA512
83a15dedc03b24257e8d462e988c8231d848bc861ab4ecb4d6be80fee22f37e25fabbb534403d179a33cff4487b915a0a5767b38e8de022d17f560bd69243398

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
207KB

MD5
94c7fc7a1289f52f1264663dfe47edd3

SHA1
4a356626214480961d618ab62df8f6529d0db25b

SHA256
73108187ba0e79dd7def643aa8258e8b058d8dc3a79fa1381c2b153b2b51b1cd

SHA512
78a0a69cbb36ed99570f2fd56bdaf6bbb4917d7f60ec50d6d1687366d82e5b70535a0c054e7ae7bf06aaf7afc81aba827289ec04b4f7139e50ec8918c2478cd5

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
13KB

MD5
c78ab54642a2179a4464b5565bf994c1

SHA1
a247e4063b11d065551c9b1ccca98ee2db7f0ccb

SHA256
84b48c8e3e3b44f65e5c4f867610aba1dc6b7b2cdb73095725d13aacf01eaf67

SHA512
e4bef1e547f90cb0ae8970cd88f73b2d495f479a76b239eead0ae39c476f729bcdb985395874578c5735b1a26afdbc3ca4645564ee1c6a7007c8e58393b0619e

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
207KB

MD5
8f370413f1b9bd17f7f02e96300b5ecb

SHA1
7692de60ce63ae83cccb9b24e801d99c5018237a

SHA256
bd95402bd9bb1afe9471a63745f080d923b1999654c6df9d2aaef1f2476ee791

SHA512
46c9fb3b021203f008fda67b74eeddee85c232c6aa8cdd320f53f4a36c90e0186277ab4cc4ddd26be522995ebca69b8127953ac0b07e57b99c2302229986f6cb

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
207KB

MD5
001f110e03afe7752a3d3d4adee100fe

SHA1
e0bc3a5e0758075465fabd36479975f27a7309ab

SHA256
7161c3ddd28ffdcf2190be3e08852fc7cf6d6f6c0e6edd17d3590b3c122cf563

SHA512
0f3fb760ef8235550f1e90f1d429153f77c80e44425b6060a6eac2c2a81b661c2adfc8491b4730a3b794f660d6effd1a75fc0f971012c504c237c3de328bab3c

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
64KB

MD5
138d8fe9e7c6fde469de905d4051eb0a

SHA1
11511f9f3246cd0ba9709c94cc518b7e9dc38eb3

SHA256
0ff70adc107d172d50cc94e8c68f70822d930e2459df639ab50a7ceecb5eb43f

SHA512
ff012d11568e3aa6d49dbf95943a4f389a8318d8222e5002d0ce1056b03f03cf7d48c734d78aeea0d54aef39a4834262d0fc9ca07157afe13d85d5b527eaeee2

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
76KB

MD5
ad372f4e169c4778e900d9c7a1593f35

SHA1
25fab7b78c82e961b84e54d62a8ef5ac2347957d

SHA256
96f55aff94dab6d95b10a6253fd99435fdc349ca6bded62eaa80771e01a42f01

SHA512
085b497421fa23cfc20b6783ba7343cd9bb845e78233093a0b75ba0ae6edbdc5ad4c38d3248c87ebcecabf89fd94a173e8e57903cdc1cda0cad9ef7bb73a198d

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
207KB

MD5
5b3da1de826d07ce0c417b25a8b49049

SHA1
74e674c19278b1f4a4a33395db739eeec70d002c

SHA256
9ab6c3574afb4aa8ea1c9d75bc29bf10e33d3f783a691fe5f1f31008fe630602

SHA512
3fec206779f54634461452c72e0aa67681c7d53c63ea28dee81ea97d9dce7005a803a2ff38c1803cc8f2762f60d1a79b7304a83efd486d924a240d8da3064d0d

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
207KB

MD5
048535cc06458297d332d4f06f5f8ea9

SHA1
7982eab0f6d2a41e624f7e16564fe4b88f0be82a

SHA256
e0f0b500dcacb1c4c77527a242f9dce1a71a0e1ea79bd2c1b22c7a27412449ca

SHA512
3da5ec92cb030623eff531912356c91aa998240e678371ac4ba3e747b0a0f5833e0cc563e55d0bcba6ed4bda7662f45d360d802951b944428bbb34b765fb1e51

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
207KB

MD5
e26639ff50307f4e02511c80a110a813

SHA1
4c9ddc0e60102e49257d761038945b784037236e

SHA256
ecdcf5005c901146c90300b068d16ee9f4e1e18b1fa17e23da0c78fcd09f0c83

SHA512
d3c9f1ee86e4e258aa145b518e85181e7e078a5c85785d02f8af2e68ffa8ea53e7ac9b8c9eb839cc4d71ab344c4be5fcf7316644ce45a7ca71554017c91ecd49

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
207KB

MD5
172723e259a85f1f7df6f98ab50afc76

SHA1
927846cf387b8435039ec1c9f8779ed618cd84c1

SHA256
ac9f9eb0835576947e5784fb7d6e38619bc21f66ac0b4a8c62ab4b9db304ef84

SHA512
06c2005a25b7ff268bc18426829423c8fc0b8860acbe4762d5802d4783330422a72307a9f1d7f0e99991033327d801e939152399fa61a50750a118bdb36b2c1f

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
207KB

MD5
db95452fa0b103877bf9a57da92f9276

SHA1
269e62c3264e22daea5dc6b2402b23bbf6046390

SHA256
f00ae7f95586fc7a13e825cf2536271a88e716ef2fb23b2ba99b4b7fc3a8818e

SHA512
b9471d7f3303edf29aa69ab170ac140e1da81e0e71bddb0e7886fac290d18e802dda356e341a8a194251f782c162753bca63e88885866fcef51984b0fbd76c4e

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
137KB

MD5
bca7f292dbbda273b32817aafe205355

SHA1
a43bfe92ecaee1426a00d2c6b0efeb961ba20c0f

SHA256
f8f076edf53666f5b7c1099994b29250da480671efe816808ae7370741bf2225

SHA512
8ac50edabef44b80740ae35c87f40acc10dd545469648e1278ebd81b52a68476c1a19242b6a5638d0ef07b300a910c57318a1dc54cd5b6e3a172922b67e6fd58

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
207KB

MD5
8c6169c3c1725902a195b8f3c14f5099

SHA1
ec33b59b977116eb4c79b26fef135d3681b433e3

SHA256
56899e845a4b92a92e5327b59cd2383f1649d8d1b39056f21966d7939b0b87e2

SHA512
e751cf695386fc867af035f6a652fdc46ef11d1d3993145ec6737444825844c755f269987e1dac190bbfc7ac98b95f9c7eabd79e52e1b47326bbeb73293c8781

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
207KB

MD5
fd9a69f0be81c7416ba4822e78d91f0e

SHA1
77fc219db1e2a6f4ad833319a92fd7d90bbe6977

SHA256
fafce8ac1584df0137a57fa063b4498b71a8090b3778e6c4de0f25d9518b13a9

SHA512
80f90147f6c70944577b724bbdf483b1bef5102a3257f4b5527a0bd848ff825b68511edf45007eea547179339b50af36b2a79b1fcca96e3b3a1ec3e65fc7d6fe

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
207KB

MD5
1fb477b2fd953684784c79fdef10d0d1

SHA1
2846eb59d703fafedda94d0c83843b223bad63c4

SHA256
8d94af98e423888b7965719007ac2ba07d6dd966f558ed892b8e6acbcc09391f

SHA512
49d7c9713245d6dcc912ce16d6a3207cf18f11a9e6ed0da8186d7849630b301cda68f791e95b800315c80ee58d6555c15b2b2107e7c3f2ebb133e35995a26bdd

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
207KB

MD5
c67b33eaeb86fea275af200348462ede

SHA1
139a99df1c92f3ba3f570643ba571926e3ea1b3f

SHA256
67a706b0a93dbad2bba9706af697639d0b3ae825e414dfeddba5b451d9e61761

SHA512
bfaeea9d10843274b837395a4f71e24a46ceb396726b2ed6e9a9b6ce2299bec55812ad5e5e76390a68de135b58f2d497a77605fd81b481f10bb353f2f83b51b4

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
207KB

MD5
cec691d53359f53dd1687254493a4f1c

SHA1
e1296babee9d363eff91e007f130bb63b4bb29b6

SHA256
cdccc4e231443ea5ff76b551dc5ab2abed99c53a1ad1dfc4c84116526b086db4

SHA512
ec5f6e69ec115212a23f5f943c4c76602dcefbf398e6c6d3768599aa8089e84ae954c71c6a0d9fa2440a39b741d647864616b122e36b614d6db4343bd683ecd9

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
207KB

MD5
db330d243514e53ceee1d164be473dca

SHA1
10c72533edf1a6ec000d9520872832b55ecc3019

SHA256
fec35bcc71b8350ad8deceafdedca8b631e85a40a4ab5168e80fbabb381fb22c

SHA512
7c8b0448389e78b01640745c4af5fc228e7db27e2cabdaccb044b3f0738d3b7ae9b52dbff3cc8dcb2b69aa65ff556a1649761f20677a74b171e574984ca97692

Download Submit
memory/404-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/708-281-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/708-227-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1016-207-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1016-286-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1076-200-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1076-288-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1120-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1120-305-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1560-318-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1560-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1740-284-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1740-216-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1864-160-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1864-298-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1912-36-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1948-136-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1948-304-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1956-247-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1956-276-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2080-308-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2080-124-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-112-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2200-310-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2212-176-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2212-294-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2608-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2608-327-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-316-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3008-88-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3092-96-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3092-314-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3204-267-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3204-270-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3224-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3224-302-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3252-292-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3252-188-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3360-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3360-324-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3504-312-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3504-103-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3716-290-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3716-192-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4072-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4128-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4128-322-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4256-299-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4256-152-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4384-40-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4412-48-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4508-296-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4508-167-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4624-255-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4624-274-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4704-232-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4704-280-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4752-272-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4752-266-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4904-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4904-320-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5008-278-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5012-329-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5012-24-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads