22ee6da51ddc8d204c62769e628b5cde8b87825bad0ea5d2f6df0d44f6692022

Analysis

max time kernel
134s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 09:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe
Size

192KB
MD5

acba6426f3edbe68dc497c355bc57b01
SHA1

b0a050b2f4e07cb21aa8f9b2a507872ed0271013
SHA256

22ee6da51ddc8d204c62769e628b5cde8b87825bad0ea5d2f6df0d44f6692022
SHA512

7c2f699367c477b9ded921bf468f78d5c21089f10384c225909842f6d5aa211b3712bc14f06198daf709b06009afd367d760e2a625073457f4dc88234a553232
SSDEEP

3072:cnGaYg6qQ7L3xte0r4MKy3G7UEqMM6T9pui6yYPaI7DehizrVtNe8ohrQ3N:cnGaYg+7Vwhndpui6yYPaIGckfruN

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lgbnmm32.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x000c000000023b5f-6.dat	family_berbew
behavioral2/files/0x000a000000023bbd-15.dat	family_berbew
behavioral2/files/0x000a000000023bc0-22.dat	family_berbew
behavioral2/files/0x000a000000023bc2-30.dat	family_berbew
behavioral2/files/0x000a000000023bc4-38.dat	family_berbew
behavioral2/files/0x000a000000023bc6-46.dat	family_berbew
behavioral2/files/0x000a000000023bc8-54.dat	family_berbew
behavioral2/files/0x000a000000023bcb-62.dat	family_berbew
behavioral2/files/0x000a000000023bcd-71.dat	family_berbew
behavioral2/files/0x000a000000023bcf-78.dat	family_berbew
behavioral2/files/0x000a000000023bd1-87.dat	family_berbew
behavioral2/files/0x000a000000023bd3-96.dat	family_berbew
behavioral2/files/0x000a000000023bd5-106.dat	family_berbew
behavioral2/files/0x000a000000023bd9-122.dat	family_berbew
behavioral2/files/0x000a000000023bdb-132.dat	family_berbew
behavioral2/files/0x000a000000023bdd-139.dat	family_berbew
behavioral2/files/0x000a000000023be8-153.dat	family_berbew
behavioral2/files/0x0008000000023c0a-188.dat	family_berbew
behavioral2/files/0x0008000000023c3c-202.dat	family_berbew
behavioral2/files/0x0008000000023c46-223.dat	family_berbew
behavioral2/files/0x0008000000023c60-237.dat	family_berbew
behavioral2/files/0x0008000000023c62-244.dat	family_berbew
behavioral2/files/0x0008000000023c5e-230.dat	family_berbew
behavioral2/files/0x0008000000023c44-216.dat	family_berbew
behavioral2/files/0x0008000000023c3e-209.dat	family_berbew
behavioral2/files/0x0008000000023c3a-195.dat	family_berbew
behavioral2/files/0x0008000000023c08-181.dat	family_berbew
behavioral2/files/0x000e000000023c03-174.dat	family_berbew
behavioral2/files/0x0009000000023bfe-167.dat	family_berbew
behavioral2/files/0x0008000000023bf8-160.dat	family_berbew
behavioral2/files/0x000b000000023bdf-146.dat	family_berbew
behavioral2/files/0x000a000000023bd7-115.dat	family_berbew

Executes dropped EXE 40 IoCs

pid	Process
2824	Lgbnmm32.exe
2788	Mnlfigcc.exe
1612	Mdfofakp.exe
2040	Mjcgohig.exe
4620	Mdiklqhm.exe
588	Mjeddggd.exe
2764	Mpolqa32.exe
3084	Mgidml32.exe
3464	Mncmjfmk.exe
5072	Mcpebmkb.exe
4980	Mnfipekh.exe
2020	Maaepd32.exe
2724	Mcbahlip.exe
2772	Nkjjij32.exe
4772	Nnhfee32.exe
3972	Nacbfdao.exe
4600	Ndbnboqb.exe
1892	Ngpjnkpf.exe
3240	Nklfoi32.exe
1228	Njogjfoj.exe
912	Nnjbke32.exe
748	Nafokcol.exe
3904	Nqiogp32.exe
1124	Ncgkcl32.exe
2576	Ngcgcjnc.exe
3096	Nkncdifl.exe
3804	Njacpf32.exe
4896	Nbhkac32.exe
2328	Nqklmpdd.exe
4908	Ndghmo32.exe
1852	Ncihikcg.exe
2608	Ngedij32.exe
2072	Nkqpjidj.exe
4440	Njcpee32.exe
4352	Nbkhfc32.exe
224	Nqmhbpba.exe
5080	Ndidbn32.exe
1484	Ncldnkae.exe
1956	Nggqoj32.exe
2916	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mjcgohig.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mncmjfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Mnlfigcc.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5060	2916	WerFault.exe	123

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mecaoggc.dll"	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdfofakp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2824	2704	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe	84
PID 2704 wrote to memory of 2824	2704	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe	84
PID 2704 wrote to memory of 2824	2704	acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe	84
PID 2824 wrote to memory of 2788	2824	Lgbnmm32.exe	85
PID 2824 wrote to memory of 2788	2824	Lgbnmm32.exe	85
PID 2824 wrote to memory of 2788	2824	Lgbnmm32.exe	85
PID 2788 wrote to memory of 1612	2788	Mnlfigcc.exe	86
PID 2788 wrote to memory of 1612	2788	Mnlfigcc.exe	86
PID 2788 wrote to memory of 1612	2788	Mnlfigcc.exe	86
PID 1612 wrote to memory of 2040	1612	Mdfofakp.exe	87
PID 1612 wrote to memory of 2040	1612	Mdfofakp.exe	87
PID 1612 wrote to memory of 2040	1612	Mdfofakp.exe	87
PID 2040 wrote to memory of 4620	2040	Mjcgohig.exe	88
PID 2040 wrote to memory of 4620	2040	Mjcgohig.exe	88
PID 2040 wrote to memory of 4620	2040	Mjcgohig.exe	88
PID 4620 wrote to memory of 588	4620	Mdiklqhm.exe	89
PID 4620 wrote to memory of 588	4620	Mdiklqhm.exe	89
PID 4620 wrote to memory of 588	4620	Mdiklqhm.exe	89
PID 588 wrote to memory of 2764	588	Mjeddggd.exe	90
PID 588 wrote to memory of 2764	588	Mjeddggd.exe	90
PID 588 wrote to memory of 2764	588	Mjeddggd.exe	90
PID 2764 wrote to memory of 3084	2764	Mpolqa32.exe	91
PID 2764 wrote to memory of 3084	2764	Mpolqa32.exe	91
PID 2764 wrote to memory of 3084	2764	Mpolqa32.exe	91
PID 3084 wrote to memory of 3464	3084	Mgidml32.exe	92
PID 3084 wrote to memory of 3464	3084	Mgidml32.exe	92
PID 3084 wrote to memory of 3464	3084	Mgidml32.exe	92
PID 3464 wrote to memory of 5072	3464	Mncmjfmk.exe	93
PID 3464 wrote to memory of 5072	3464	Mncmjfmk.exe	93
PID 3464 wrote to memory of 5072	3464	Mncmjfmk.exe	93
PID 5072 wrote to memory of 4980	5072	Mcpebmkb.exe	94
PID 5072 wrote to memory of 4980	5072	Mcpebmkb.exe	94
PID 5072 wrote to memory of 4980	5072	Mcpebmkb.exe	94
PID 4980 wrote to memory of 2020	4980	Mnfipekh.exe	95
PID 4980 wrote to memory of 2020	4980	Mnfipekh.exe	95
PID 4980 wrote to memory of 2020	4980	Mnfipekh.exe	95
PID 2020 wrote to memory of 2724	2020	Maaepd32.exe	96
PID 2020 wrote to memory of 2724	2020	Maaepd32.exe	96
PID 2020 wrote to memory of 2724	2020	Maaepd32.exe	96
PID 2724 wrote to memory of 2772	2724	Mcbahlip.exe	97
PID 2724 wrote to memory of 2772	2724	Mcbahlip.exe	97
PID 2724 wrote to memory of 2772	2724	Mcbahlip.exe	97
PID 2772 wrote to memory of 4772	2772	Nkjjij32.exe	98
PID 2772 wrote to memory of 4772	2772	Nkjjij32.exe	98
PID 2772 wrote to memory of 4772	2772	Nkjjij32.exe	98
PID 4772 wrote to memory of 3972	4772	Nnhfee32.exe	99
PID 4772 wrote to memory of 3972	4772	Nnhfee32.exe	99
PID 4772 wrote to memory of 3972	4772	Nnhfee32.exe	99
PID 3972 wrote to memory of 4600	3972	Nacbfdao.exe	100
PID 3972 wrote to memory of 4600	3972	Nacbfdao.exe	100
PID 3972 wrote to memory of 4600	3972	Nacbfdao.exe	100
PID 4600 wrote to memory of 1892	4600	Ndbnboqb.exe	101
PID 4600 wrote to memory of 1892	4600	Ndbnboqb.exe	101
PID 4600 wrote to memory of 1892	4600	Ndbnboqb.exe	101
PID 1892 wrote to memory of 3240	1892	Ngpjnkpf.exe	102
PID 1892 wrote to memory of 3240	1892	Ngpjnkpf.exe	102
PID 1892 wrote to memory of 3240	1892	Ngpjnkpf.exe	102
PID 3240 wrote to memory of 1228	3240	Nklfoi32.exe	103
PID 3240 wrote to memory of 1228	3240	Nklfoi32.exe	103
PID 3240 wrote to memory of 1228	3240	Nklfoi32.exe	103
PID 1228 wrote to memory of 912	1228	Njogjfoj.exe	104
PID 1228 wrote to memory of 912	1228	Njogjfoj.exe	104
PID 1228 wrote to memory of 912	1228	Njogjfoj.exe	104
PID 912 wrote to memory of 748	912	Nnjbke32.exe	105

C:\Users\Admin\AppData\Local\Temp\acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\acba6426f3edbe68dc497c355bc57b01_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\Lgbnmm32.exe
  C:\Windows\system32\Lgbnmm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\Mnlfigcc.exe
    C:\Windows\system32\Mnlfigcc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\Mdfofakp.exe
      C:\Windows\system32\Mdfofakp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3904
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2328
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1852
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4440
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        41⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 412
        42⤵
        Program crash
        
        PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2916 -ip 2916
1⤵
PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
192KB

MD5
35c0e6b67886da2beabc31e8e845d993

SHA1
eb5bb335cffc06970aa9d38bbe0853c9f8051ea5

SHA256
8f7bffa39cb004be8cdd317c54e6428fe2a3ba4c0cc779cf441d42e5807eb8c3

SHA512
21fb36daf767c0fbe5628ed920dec189cb4d1d3cfef94f060d383d50bc47c95a9408da783eceee297ea4133763061146445e589c43d97a6fe7f72f66402de0a4

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
192KB

MD5
179f8792efaa9190da6792e90802b12a

SHA1
1ec4657031ec84953c8b14fac6a22b9941402f2c

SHA256
b55fd82b83c7e744eb34b12d6011eab5738d0c440fab4c09fcf35a14d6c19400

SHA512
fe5ce4272c458c32cbfdd92273cfe35b8125690af98bb65f2747e5cd31037459555a576d706fc39a86bfee6552c6401b094e2d57b5ac54d2861fa4aa235233d9

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
192KB

MD5
aca856076d6f5bbc695276e201c05311

SHA1
861040c4d6a651659776bb3eeea1bd1f0ed75fa3

SHA256
c4a5af3e926647858126fd5acf9fe1e6d93adec3608ca263a9c98c69bbe18fdc

SHA512
bdf0d355ad1cdb75a1df20cc639298d61eaa5b99e624a3d376710a80510dc610025907c5fdbc2a7b94a9c94666eb24847abbed05f87ac12511ca4449ebebebdb

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
192KB

MD5
e00ac6d27c7f24858d90aecdbf7ce2d6

SHA1
c3363375ece65ec06a1e3bde9c3e0a79f51ffa5d

SHA256
6f831570d5dea90f8d5575864a2a20eaee8845aaaa4d67f2b6aff06a98b36c6f

SHA512
721f2e72adcc886b844ef49994daea9a8ac1f19c47c03a705d7e02710052fedc8189afdc2dc64d69275b8c3910e752373bde081d7cce48b29ed3fcf6794214cb

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
192KB

MD5
bd2c63076d9f2e663229e82f1273f338

SHA1
0b3b0b7c876889677cccf2e7898d660e811743cb

SHA256
35aedb25e1cda6246f75954942dea1e8cc1832361979091dda68add0a63a81ef

SHA512
557f9396266a492427cd5da56ba4cfe9be2806495e0afa996e4b6336262c5b7a08d160ac20cee71da722870c87e1d0c9baede2e26f478e9b67c1736d8e748f36

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
192KB

MD5
cb23edee6e4283711c1b419e447285fc

SHA1
8813f2935ca255155b4caf271132e23e73d401d9

SHA256
0130471491939113cf6f757f8147845dca8c6f6b71bba534727e2f9be72cbaa4

SHA512
daa10acfede028eec0075b2ef3335000a828527000898ddca4f60bff831fd7d82b2587c1c2f40b2fde7e099ad6955626a1b994fb11de71b68445f4ba59798f22

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
192KB

MD5
ee1ecdf0f00e7d42b2d0d65a06c5d0a3

SHA1
e941fdbe84d308f42e4bde4b4a2875d8d06f0943

SHA256
5b2f6c0564a31029eb3583b76289369055fb0023829632e8f35666d7ed6973df

SHA512
94b69a3ad9f20f6604bcfa050a4319ddec0cafa0962fb1cd4e14f6d8119785fbb5f47d503264842dda09c1b0723a61219a02bd8addbb111ca83ed89eff76cad7

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
192KB

MD5
f48812f0660b442a7dcf421c1551d04c

SHA1
0b8be30f67e7a1cd0f9dbf5b1a1455b711777bf7

SHA256
3312865288276660f0dc5a7115e4ad3826ad95b56fa0a1d921e7d7cb611efbfe

SHA512
c74ab881562969cb0bd3ca330dcab77372f63c5b45d5331e45e6ee9e6cc33358dc76f9c216ba165cf6f08e359e6f19e5146f2fc25806f48c936ab787df4b2e18

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
192KB

MD5
34c8f5d1744a557970b7e06c08fbaa52

SHA1
bca5c5e5b7c24ba924c9d07399a80bd3ebf80bed

SHA256
ce1ab2e52cef96572f564e6879eb375ce438b3abd21f4b0015c6059f344edeb8

SHA512
324651a50bdc89e5ab5391a4e60e2d15d1f9f4fdaa89ede498e8f8bccdffca292a1eb3ec083a8acecac2d18d508a229c64c8eb3e6ad00b16e2aca8b08660b4b1

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
192KB

MD5
cd5e83c014ec4fb6bc658bc127639814

SHA1
d9669ac19b356b4b09b4af78d3201d5d30d172c9

SHA256
5f458cdbdd18c3b7216bf9f2e34d47949f018056395549278ea5b91e92937953

SHA512
2f17b37dd1c0dcebc04126d8d2951d375d2b77bad6005df7a1e7bfd3909493cf57b264af64598ee6eaac6941888c3918ffad51089ed735de83e543d08731612a

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
192KB

MD5
b72f59cffd2b0799df7049124fd6313a

SHA1
c9466823a916168b490609a1330afc7bbc80d5c9

SHA256
438dd9c9b7434d173f5de23258bf4b81bedf596f3775100c5b9beb3e6e9a6cb8

SHA512
4bbbfe848ba3819e10b0712812bdfd678bc35653e3b9ea8a1624e5c35cb368e6f52d85f069fddf94a547831eecb06728158a54532d0671bf2636fa1103a9d5e4

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
192KB

MD5
462d85f0e56ecaf55fbf455fa06eedbf

SHA1
4487b8810b9773becd8e41705aea45de94a84059

SHA256
0340f69b4a1767c63739b74741e28f08848ee578ebbb4c658556eab02321f502

SHA512
1cf8daea880e5274cc751f98885aac7e41169e838cf70f26a97c7c6fc969e5277e380e551bd3954356dffab9e3bac2164a9f97f2206064628c2ff8ed30417f32

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
192KB

MD5
125d6628800397835d8bf9de0e1fab9e

SHA1
408b95daffb6684e09ce013c2fa2482006ec28a1

SHA256
e53b8f2332132f09536588936b8423b4b0ce1c11f365790bc9f396473475f4ee

SHA512
3de25e676e428fbbf7a04beeb4d8ac9bb6871a17aa758acc5fe2be908adc6ec3a1c3a61d19907362284257751fed41e5bf1c7e3458243626b69da512920ec0ff

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
192KB

MD5
e28ec963c55c21772c5ab991c2be51ee

SHA1
b9b7c7424e64b66f4e6ef68f2f77b8fd576304fb

SHA256
5db6da338a56bb696e8f81cd6ed27baa448a13e8e332f328f81eacf5ee2b2ba0

SHA512
8250bb180ed296f10c5224c14947d6919a2ecf4bf807a0ff3a425eb91d540ad81c6503306227a8a327bd7c76ec6eb0249d52680adcf6ff0e32cad4ee9965889e

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
192KB

MD5
bb37c24643c179fdb18715eb1d1a6f4e

SHA1
d466f6c426dd57b3019972955010dcac997fcf38

SHA256
bec71ef2e7a0b7acc42a06267668928e315a600cc4f4907712c556ca0f090631

SHA512
44a5becc576b8175ed1e7af44ce52bde100119f45cd098ce1348514782bcac2c3d8a4e480ca0191c721a6b1c19e9caf234504a24d2afa7b05abd00ce3b54243e

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
192KB

MD5
3ce9c9d664670f8751f1caca8534ec08

SHA1
acec0af489c50f1ae3a93df0a2783d157e1efd47

SHA256
04a05c02d2aefd710d1ff57fd67903ee856d89627c82cffc813543c10ae37897

SHA512
c281e73ff03e9b49ceb7a8dd2d0a993a6b595bb74f090a4669fa2dabe09a2d5efedb84d3f361e8d365e075bbc2c795b8c97728464dfc34eaae35fbd1ae899c70

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
192KB

MD5
4173738de00deca32c28fc361f45cba7

SHA1
768210dfda15c204ff5ae1b35e00c06e12f6da20

SHA256
fa47e96aa9ad9abafe17a73a552999a4752b4e4c8a26ef5ba2c6bfe69130d1a3

SHA512
f420043fe692df3f71f5e3edb966d34eed7afee761f59a6f47690e3d6cfee0ba9758e49af35013ec8fa473045bb1fa38eb209eacc52936527d336c9d641eac20

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
192KB

MD5
2598a610531545e7e87bb5f5d2c7b960

SHA1
e37ee65aba61a39eee2d5548a4386ba487306e9e

SHA256
4e734dfadbee60ad9f2600d4d350e165fc11e5fcecec83fb40cb05c6dd48c4b2

SHA512
964bce9000db46f98137b1659ed92f46b391c24413a3df6da302df5523cc423b71422e0800b2231e31299e61939586391a7707cbb8f8a531eeabd57e728a8e24

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
192KB

MD5
045d09ae614c623cc8c01a47a8fe40df

SHA1
1da0b24e5ae9fa370d0580a46da5ac4d3456cece

SHA256
8d8a48d8fc61c736d4192e9fe243ad6ea73be4bf93f3d8eb5b6680d76841017b

SHA512
4f63c80491163a3cb5a13acd3e5ed739f509329ee5e1a852d0abc1e35664bdc2b766ad8a5dc734612062df07af6bbe156c1df2599931cb19aa59d39465dc343c

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
192KB

MD5
3df64a9d95c4babe46a26a2586f49993

SHA1
bddb446f81a5d2b4f1cf9d645b2ae78362e48830

SHA256
64623c3fd604b48025242cc592f15bd051e796831b278dd9d40c8387e5e0a288

SHA512
a7e72194cb3fee15393c6b27a29cac5b33df1cba8afa7766d1a5325142a7eec567d49b4b04823f591cad7da438ad2f0c23693c1370b7ee9bdd848f6ededd5132

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
192KB

MD5
8e0625b8e48b9e912fb871c8bd6b685a

SHA1
14699c25fa60296441f70b02edf06ce4e8c1780e

SHA256
0a3064a6f7a227ffe78187638f56591995b97bba95db15998311c3081d4cfe96

SHA512
81ca9cb15f3d104c9aabad7ed99fb7aa10a3eb91844e8928ac1d1cc79280f656ae811acc89d95810a8ae2f390bffea85929965fe9d782d497274cdb95b2eed14

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
192KB

MD5
a028aa1c2067a018bc39384fc7bb9152

SHA1
51286aa198301b47d6d36c90bc4f9d2cbce7ff9b

SHA256
08a3906931246a72861ff0a0d7a0881ce5a7bc2cb119d6bcb98a5f0d29f3134f

SHA512
a053e89698002d14e84337ebd33d68f6de243c4a3735b60a0406c82f2c0383b79008e0beb27495f03a03c72be2304823c8b6536aeeeab13526d2f66d7597e9f8

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
192KB

MD5
507a68d0cd0db414aca196754a0a6fd8

SHA1
ad36f8594c84102aa9ca8a3b9e9a0705a78bff45

SHA256
f894d78213f963085fc9421ab43a82833ade7f089d3d7d6fa6b5a343c2b60b8f

SHA512
353f0770ed8a203022ac44a221926259e4a7482fcdce75c9c812339b5a4caf1004e998bdd247e27e93eb1f3e10fcdc08c63093907ed3ffc9b6bbe329a087215b

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
192KB

MD5
adc3a5dcce7095548a2abff392d7574e

SHA1
3f86aa1f46d236c8ff6d2d2496fd4893519afdb9

SHA256
59615bd91a78b62e36f10e8084dab4843e283e72bcad9c04062370ea6bf4c806

SHA512
b77213d244f503a2dc0239ac5903eea7ed92312b1cbe7de4bb7d1d93d3558c8f144d9371e1795afe62b40e0add6fe4c4db4a958748c9eaeb9ffd4b7a6270006e

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
192KB

MD5
6a2dbde580cbad325f5a1fd594cd74ff

SHA1
e5367384ed3f7fb273d601c51b396d197f1d2a6b

SHA256
d696787474907d256dff8c9a1e4b7cf8a6f3e3e2a32e5c48e5697659633efa49

SHA512
2f91a25441992dc3c5367f2de4c0dd4405f693246672355d29324fed672e2020d61e70480859ed93714f3168362eeed760086bdbbcaa9aac137069e43c6cbfe7

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
192KB

MD5
2938d5078e40adc63167a5c89a02c40c

SHA1
e09293ec23451a64ac1c7cd4b664fe8ed379a190

SHA256
b78329817ba393d6b2da9a53df4d53901241372e1fb15cfeee4e91c5800eb15b

SHA512
7864deff10c911c1230933c41363e33412e1890afdd85362d70bf682029f9dbd63d8b36a0fb4f58666022f080700da13756bd3ba332680011c84f33835c23b4b

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
192KB

MD5
820e8aa1b57fb88cb11768d9d273c6a1

SHA1
d59adf605b4f537bad6a0bf404381ac8a569f0c9

SHA256
522ae9639242984eac1e9db58dc0abd434d31c7b4ece010b44b5a335df73d83b

SHA512
8bdab90838aabd820eb9a411d4de415c6f7bd2e494c4c3a75dbd7be3c5ddbdafd4a79a8c5d09380ed83611b98e00b6f0c0ac8ac4857ad474b40001bb65ab9395

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
192KB

MD5
de29628cb9f01651989cc8ed4402cc9f

SHA1
6da65b6c01a21b23257797045974f133bec2a758

SHA256
b87b8a7a6c52dbb5758a99bfbb5d392dcc46bc877d82f2dc7453f56a53f80041

SHA512
6378aece5281488372f8c53e79a23d51fd19104fe3e25fe58078cb2fa99f7f674b28708228338c039125b0a31a6a571b50ef10d84d8980e97370b12f706409de

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
192KB

MD5
53bc2504673028e5307dba3985fc6793

SHA1
e1cb5ccb2f71a4c7012f16d67a250b297f9d4e7f

SHA256
1402f531440e03aa91ef8cb04a3691497307c8b1a397151dd64de978a3f206fc

SHA512
b1bd0b87f8e36e5a8890c8c5d79ecdafa5d84b6d24b3922721de57c005b6b4ff1b4144e7b67a380d75544b639bb9f60982eae42dc16a0efaf80dc4bd197d4281

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
192KB

MD5
9833b516c4d9456292250f1613b4a727

SHA1
0c697781bbe707a7db1e14003a0e89d217b5e2c4

SHA256
0a1150055d5b625e4308049d3f662466c1df094faf918a1c53bf89195c433d69

SHA512
a7900344c2d8c898494d1483ceec7d814927eb264d2a670a496cb6c5e00bb78b91405dbf6d390f026dfab28b0fcacd460abef4f50a5817813a2bbe5cd0696818

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
192KB

MD5
3d3438451e43947b3b30e21da21cabe3

SHA1
e05f13e646591e26ec6a0a0a84294bf8bbe3f223

SHA256
c68055147da614bab08737b42202cc71a22d4f642c51fb5ab7c3f76d7d9059f1

SHA512
5eaab5aa3c3c358902eae8a4bb785d95e061641649aebdcddc85a81d86f182d557359fa092d5ed2710e801273483d5eebe0722bb34334a5417950e2741019e02

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
192KB

MD5
2c2c77d855c033a1c95bba0e09dddd79

SHA1
37f1ccde0d769c626262a40afda32e28056a2f05

SHA256
03152eff805751d1e3ae43f59f47640974e069ec9a664af38f49179558710ef6

SHA512
de54a446a0286826123422b3a0d0abe6fcc8bb17456e306426dad27af44caf5f61c83bbd0f3c64ccb2b0b79c38895564b4fb2fd52f25ee8c546d6cc473fd5b6b

Download Submit
C:\Windows\SysWOW64\Ockcknah.dll

Filesize
7KB

MD5
c648b80effc2a34ea55a8c16b8542e80

SHA1
4290fe430a2b81c5842df2e366a6db48a56d3ec7

SHA256
7585a1ae017bb353b269097db2bd12dd4245ab1b2f694706640e6e80ad3db447

SHA512
9ebaa6eab78a43ab286ae7a6e6e93e2fcccebac129bc05f319ef192fe9f9b7da9669090036d15b8dcc4716160930d9cd0b14abf676e4e15fb5a9db88aedfb1cb

Download Submit
memory/224-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/588-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/588-316-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/748-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/912-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1124-294-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1228-290-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1484-308-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1612-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1852-301-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1892-288-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-309-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2020-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2040-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2040-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2072-303-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2328-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2576-295-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2608-302-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2704-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2704-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-108-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2724-311-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2764-315-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2772-129-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2788-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2824-93-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2916-310-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3084-314-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3096-296-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3240-289-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3464-72-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3464-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-297-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3904-293-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3972-286-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4352-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4440-304-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4600-287-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4620-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4772-130-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4896-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4908-300-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4980-94-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5072-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5080-307-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads