fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 01:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Size

55KB
MD5

df429bf575458c2e82415e561d25b8fa
SHA1

5fee2383696bc8a5659b587aecd676ed0c97412c
SHA256

fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9
SHA512

1f8bbfd9a289277c798b459c68d33ddf94f58886241b81ee7d42b5edde190cacf6a305b652fcfff85d8def431945abd76add5fd904fd80ea8e2bd5bcca26c948
SSDEEP

1536:B5EIPae05bKctAbLylewAlqVwSpkf/FzzW4z7o2Lx:zGe+tAbL8ewAlqQJ9x

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe

Executes dropped EXE 19 IoCs

pid	Process
3596	Mncmjfmk.exe
896	Mdmegp32.exe
1156	Mkgmcjld.exe
4364	Mjjmog32.exe
1812	Maaepd32.exe
2052	Mcbahlip.exe
3136	Nkjjij32.exe
2516	Nacbfdao.exe
4308	Ndbnboqb.exe
2976	Nklfoi32.exe
4052	Nnjbke32.exe
3236	Nddkgonp.exe
5116	Nkncdifl.exe
2464	Nnmopdep.exe
212	Ndghmo32.exe
880	Ngedij32.exe
1368	Nqmhbpba.exe
2096	Ncldnkae.exe
4896	Nkcmohbg.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mdmegp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4668	4896	WerFault.exe	104

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 3596	1116	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe	86
PID 1116 wrote to memory of 3596	1116	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe	86
PID 1116 wrote to memory of 3596	1116	fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe	86
PID 3596 wrote to memory of 896	3596	Mncmjfmk.exe	87
PID 3596 wrote to memory of 896	3596	Mncmjfmk.exe	87
PID 3596 wrote to memory of 896	3596	Mncmjfmk.exe	87
PID 896 wrote to memory of 1156	896	Mdmegp32.exe	88
PID 896 wrote to memory of 1156	896	Mdmegp32.exe	88
PID 896 wrote to memory of 1156	896	Mdmegp32.exe	88
PID 1156 wrote to memory of 4364	1156	Mkgmcjld.exe	89
PID 1156 wrote to memory of 4364	1156	Mkgmcjld.exe	89
PID 1156 wrote to memory of 4364	1156	Mkgmcjld.exe	89
PID 4364 wrote to memory of 1812	4364	Mjjmog32.exe	90
PID 4364 wrote to memory of 1812	4364	Mjjmog32.exe	90
PID 4364 wrote to memory of 1812	4364	Mjjmog32.exe	90
PID 1812 wrote to memory of 2052	1812	Maaepd32.exe	91
PID 1812 wrote to memory of 2052	1812	Maaepd32.exe	91
PID 1812 wrote to memory of 2052	1812	Maaepd32.exe	91
PID 2052 wrote to memory of 3136	2052	Mcbahlip.exe	92
PID 2052 wrote to memory of 3136	2052	Mcbahlip.exe	92
PID 2052 wrote to memory of 3136	2052	Mcbahlip.exe	92
PID 3136 wrote to memory of 2516	3136	Nkjjij32.exe	93
PID 3136 wrote to memory of 2516	3136	Nkjjij32.exe	93
PID 3136 wrote to memory of 2516	3136	Nkjjij32.exe	93
PID 2516 wrote to memory of 4308	2516	Nacbfdao.exe	94
PID 2516 wrote to memory of 4308	2516	Nacbfdao.exe	94
PID 2516 wrote to memory of 4308	2516	Nacbfdao.exe	94
PID 4308 wrote to memory of 2976	4308	Ndbnboqb.exe	95
PID 4308 wrote to memory of 2976	4308	Ndbnboqb.exe	95
PID 4308 wrote to memory of 2976	4308	Ndbnboqb.exe	95
PID 2976 wrote to memory of 4052	2976	Nklfoi32.exe	96
PID 2976 wrote to memory of 4052	2976	Nklfoi32.exe	96
PID 2976 wrote to memory of 4052	2976	Nklfoi32.exe	96
PID 4052 wrote to memory of 3236	4052	Nnjbke32.exe	97
PID 4052 wrote to memory of 3236	4052	Nnjbke32.exe	97
PID 4052 wrote to memory of 3236	4052	Nnjbke32.exe	97
PID 3236 wrote to memory of 5116	3236	Nddkgonp.exe	98
PID 3236 wrote to memory of 5116	3236	Nddkgonp.exe	98
PID 3236 wrote to memory of 5116	3236	Nddkgonp.exe	98
PID 5116 wrote to memory of 2464	5116	Nkncdifl.exe	99
PID 5116 wrote to memory of 2464	5116	Nkncdifl.exe	99
PID 5116 wrote to memory of 2464	5116	Nkncdifl.exe	99
PID 2464 wrote to memory of 212	2464	Nnmopdep.exe	100
PID 2464 wrote to memory of 212	2464	Nnmopdep.exe	100
PID 2464 wrote to memory of 212	2464	Nnmopdep.exe	100
PID 212 wrote to memory of 880	212	Ndghmo32.exe	101
PID 212 wrote to memory of 880	212	Ndghmo32.exe	101
PID 212 wrote to memory of 880	212	Ndghmo32.exe	101
PID 880 wrote to memory of 1368	880	Ngedij32.exe	102
PID 880 wrote to memory of 1368	880	Ngedij32.exe	102
PID 880 wrote to memory of 1368	880	Ngedij32.exe	102
PID 1368 wrote to memory of 2096	1368	Nqmhbpba.exe	103
PID 1368 wrote to memory of 2096	1368	Nqmhbpba.exe	103
PID 1368 wrote to memory of 2096	1368	Nqmhbpba.exe	103
PID 2096 wrote to memory of 4896	2096	Ncldnkae.exe	104
PID 2096 wrote to memory of 4896	2096	Ncldnkae.exe	104
PID 2096 wrote to memory of 4896	2096	Ncldnkae.exe	104

C:\Users\Admin\AppData\Local\Temp\fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe
"C:\Users\Admin\AppData\Local\Temp\fe28797715fc557faa5a8241aefe30c13f1b5c7e242e25975e4679540801fcd9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\Mncmjfmk.exe
  C:\Windows\system32\Mncmjfmk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Windows\SysWOW64\Mdmegp32.exe
    C:\Windows\system32\Mdmegp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:896
  - - C:\Windows\SysWOW64\Mkgmcjld.exe
      C:\Windows\system32\Mkgmcjld.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4308
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        20⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 400
        21⤵
        Program crash
        
        PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4896 -ip 4896
1⤵
PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
55KB

MD5
2a66fd8b4d7ea8b4b688ea4de88fc9e3

SHA1
64536c20e9b812647ca4c81d368e750279e1828c

SHA256
6e00e66c4e1c84b4e1bf333d64ede921051586694b6f3b8ee7c484d43642cbe3

SHA512
a876fff3017f43fc42abb30ce1a97710115b43729dbc8ce955951fd9cc0b0445f938b860742c6644d0a90ca14afe72e11c77af8097bcfda33c2c02bddfa1e04b

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
55KB

MD5
f6b418ef226f9acf16b9f4c9942c2cb7

SHA1
cc739b205c1a9bc043225002093e7b284e219f62

SHA256
610c1ae10e87b6ced2fc5b2b95d3b79093090245ec9afccb540631935466c10e

SHA512
a25a75fe9a54fe1d3cf079ead793106f962d424a9d2fd5cb44a61214aa05c4494d7a588531ed8c99a0eb6ac018553284c056f502e9ddc955b34ee0bfa0955674

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
55KB

MD5
41708971a8b74876e38aec10b6fb2146

SHA1
cc43f85fdd3fe5586cfb7820866441e3af337bea

SHA256
4fa9060c8fcd05e847f446bc46fe86cf0652ce44dd0fff35912658bb003f54fc

SHA512
6bf377db3d24b81bf02ff58600d42d3f68113544e2360ffa426021f7997e6c44e5f8e0ad268d0a387225ddf8f23a9e28b88d7fb1646001a7711680b1383c338c

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
55KB

MD5
70868e62e59159d0f681647dcd23f391

SHA1
b73e5191f9c73d9186dfef76191594f55d3138ca

SHA256
13c2b540093fea48b3a9a4ae8612fd0b82cf9bc56c7bc1696bf0291a6c184c22

SHA512
00bb3dc07006bc5a30c57a569a9e6f36fd05df68bbb39f3a1710315818d8437a9a09b5740f5520546dd467ecb4c8530147fdab8a496629f58985058bd5709880

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
55KB

MD5
4eb7eb9e989b0a0b76643af0d55273c0

SHA1
33c85a18198908f8e1fbabd9125a7e8a80741222

SHA256
e878bcc5c889c821d3cca3b045a5c81fd106e868564cea08bed192531ec7ca5c

SHA512
2cd3e0405e2bbb9a121243078f3941e251358a80e81798307820cb1486e4e5072e52cac6c5a383fcaa3ad6b9b22d42175c1f0ac1c50c1973c7ba0221c9554db0

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
55KB

MD5
5ee5f0c3fddd11b5206a5ed8c824ad87

SHA1
dc54db3906e15b48055cbdd4e1466c97198a4bf5

SHA256
306ff9b33631cfa20cfb4e3ddd8751d709ff7dc6da5359189c7017f774890a69

SHA512
7cbc5b05ecd67e6d29262820fb9742c81817139eafad82de312c1441135e6473d54e0a34b4fab21cfa1c1b02521f15a0702f195f3575cc80f3e3396b38517859

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
55KB

MD5
a124f217cc787a868a510b0ee2cec124

SHA1
8357cb0eaf108ac924b1ecc4f598a0a4e0948e96

SHA256
6e529af1bdb732e98a94e75318e8bdf26f6c3c7e9b099851707950486afce6f4

SHA512
e245f5ab52e439d0079b9fd66a303c05b2f45583953f17a6ed39357b048059936e63e06c41a935f9ec8622ba31d8f8fcbe0d1bfbec04e0e020ae90d93d9f3d1a

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
55KB

MD5
aeb0411f1a2071d336869e4cca10e664

SHA1
e149c5363c5376d73f6aac8892b39f187a21112c

SHA256
4a6f8dfa3916df2bf8bc5c1ffce934f0bd35122e09f78e52540282ba28310a46

SHA512
34757b97551c4bf89fe148235683d9ed5e5d5c5ae8f3f9b53cc16cfeb09d938ce63408a84296c57da40a2c728326cdfa8989ea87043b9e68390c374899912fa9

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
55KB

MD5
c0d3056c36ce14b5826fba4da3ed00e9

SHA1
198b653b6a629e965ef5a749ce5a53b4dd381979

SHA256
c17972853996556906c1cc63680e1a869ee23f781e4e8fea75863b1374b087c4

SHA512
5e32d1c8cd5f20c0a88ccde6cb695c09b4ffb960feaa62cab6b7095585e9d19bc31ccc37b1eb24ba9f7bb50710d4e39f8d529de48e8d2d1f5ec6a6e9b9d261f0

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
55KB

MD5
288a9ba096b7f76541ea3a7d3bb151d9

SHA1
621f4a18ff2bd72e3599e6a2be2ac58b1686adef

SHA256
0feb007515ed2884498191c8847b405537931d4ef2ee4b24ec3b44b984aeba85

SHA512
98c490f649739d4dd4d80017ebc9a8d4204d5cfc4e8a0004b4c13eea6c367bba243817bb8769dc97d3eaea6d0a1461620c67173d4e79a03876cc3e0ef19bb4b1

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
55KB

MD5
c7457df142a792fd9b1ee5c969078381

SHA1
617369b781732a5b12b80c7a3e0674a606bdcf04

SHA256
ce28347b47b8920c9b15dce0af69e7129a8e89c22924b442faf30e1baabe9f09

SHA512
7849359f1b368d57c9d7ea4b7bd1820dc8045179a76d6a0394538cf434f1347203ec500571ae4ad10c3f914e6c6593a283114654f1d1411cad15d71bb871ef9c

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
55KB

MD5
dc0340b99b32537996650527f192bd11

SHA1
add0e66375821dc640b0f890f3e5355c8c2baaa0

SHA256
ae578c09367e9020043e429470d9f8aa5a0079eb0068f86c24767ea1d2cd6bda

SHA512
9823840b2bf1b178e34cec7a50f8a4f07c55156a2d587911337b9ccc1e1f65f0630a0eb1849db54d427d00659fb4dd553be8501214411082f2050ff57391e8f6

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
55KB

MD5
c984e755f46ba85d019266fdf9546305

SHA1
d384a116d97c067370856f16f09302f54f0c536f

SHA256
338f6193ba872c6d4bdce4885bfaf8c4d6d622210b60934b88d8bf576ba6de93

SHA512
5232d33ceb5e11b65b00c3bbbdbd34df4a3ef5ddd2095c7d128e491540cd85209006626d9cefcee67d28b6a44e6fc5621ea6e4e266ee91599da26e2fa40b0391

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
55KB

MD5
3cfa5b99ba84c08975c9794fd6df45a3

SHA1
62e4747cbae101c66b94da2d136d0497519ead5d

SHA256
9b65d269c999d1de82c64e7f691bfd9bd2033baf32a86fcecc5a13cac42e8044

SHA512
e479c57132460f02f70c4c113d1f30cf6f68a11c8560a6d2e0694ffc81bb9912cdaf04b3bdf7da43a50d96b06b9faeb30c3f75a154d2a73bf69715d94da1dd02

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
55KB

MD5
2d10b5f6ad80d05aa5dec41a5c10720d

SHA1
943a53b8a495a2bf861cf12010a52db6a6bace2f

SHA256
6a63efdd71b71b3126a1059a1faeb488d7c8ada1375decbbf40d84085acb5d6f

SHA512
ca534751f5fefe77a6431fdb3e9883e237166c0ede9ea7dab09fedc57c1df1e16afcfb005543004e93c27518dfca087297bf8db31d25db4b22895cb6160d098f

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
55KB

MD5
4beff67f6fc8d79738c790df8f14e075

SHA1
c6b8b1d410c12077c4e1902305cb9631aa5e5bf0

SHA256
cfe7a8ebf565cfd5e34a535cab487757ca727964c7d46905ca2e858a6f4e91ed

SHA512
1fda0b9d944d7b28762796609212d7971090df71b5f36d48bc10f5d65f8084c25e0c966cb469e3b133cc32577cb09b479885ddd539d37bac11712dc1d397ad15

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
55KB

MD5
b60ed1dcb09c93028e5bff3478328ce3

SHA1
c5a83186778383490ff28742fa10639d3859cb4f

SHA256
c62bcb2f593c22bf5b45958aaf991f80bf491b0f38966618527e9cb98d556854

SHA512
138fb50d45a8ba1806d1ec59608ec41d5d190d8ae563efc84b16bab7227688ecba8d26cf76e911de13bb13a3e7d8d1f6997d82f3fa650bb7afc47b3ee9346456

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
55KB

MD5
ea3d614045601de0c793b9d8db088e63

SHA1
e0bdb39b483af6599998737cb795b04d9353a7cd

SHA256
1e77c180aed8db2976b9f6a0bb5933d109874a205b2bfea597b7fe3d40268632

SHA512
da38408f7527fc85d9d18d9a48f1c54edbc4ac7b6f4d7f311d3536337dabf44d1e6a283fc32a0106e6cfff94d62408eb36d02b517d2879ea5a4985b5e8edcfb1

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
55KB

MD5
862d8fb0d8b1d60e137dbaaa160b2837

SHA1
cba64c54c9c86fdc956ec1c5a455491055cf5595

SHA256
4b9c76c775ecb721a1b3045e789c32334abdaffb73f42cee787dd07b64ab3711

SHA512
24bf9de25f0841f437b6afc99cc5ba6213a351a0390cd2ae3e1b1c58bdf98d40572e09fe0f52921ca67ba6b3b18583fd07a272e7f616752247a8fe59da659f59

Download Submit
memory/212-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/212-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/880-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1116-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1368-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1812-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2096-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4364-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4896-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5116-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads