31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 17:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe
Size

115KB
MD5

1559511d0261c5e9bdf85fe3c2f81cb0
SHA1

19ebe92f5a288ac5e0eba1b5409a445373ad553d
SHA256

31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504
SHA512

109cf5970dd7ce861560332d42053e8539c1b002e9754121ffa7fb6c2367027382bd5b981b279935e0ecb831c25150a83e300672afe312375df4b01fa1032623
SSDEEP

3072:u4+5IxV/+inzEdbrIR/SoQUP5u30KqTKr4:uN52minzEhrIooQUPoDqTKE

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe

Malware Dropper & Backdoor - Berbew 32 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral2/files/0x0007000000023400-16.dat	family_berbew
behavioral2/files/0x0007000000023402-23.dat	family_berbew
behavioral2/files/0x0007000000023404-31.dat	family_berbew
behavioral2/files/0x0008000000022f51-8.dat	family_berbew
behavioral2/files/0x0007000000023406-40.dat	family_berbew
behavioral2/files/0x0007000000023408-48.dat	family_berbew
behavioral2/files/0x000700000002340c-63.dat	family_berbew
behavioral2/files/0x0007000000023410-78.dat	family_berbew
behavioral2/files/0x0007000000023412-86.dat	family_berbew
behavioral2/files/0x0007000000023416-100.dat	family_berbew
behavioral2/files/0x0007000000023418-107.dat	family_berbew
behavioral2/files/0x0007000000023414-93.dat	family_berbew
behavioral2/files/0x000700000002340e-72.dat	family_berbew
behavioral2/files/0x000700000002340a-56.dat	family_berbew
behavioral2/files/0x000700000002341a-119.dat	family_berbew
behavioral2/files/0x000700000002341c-127.dat	family_berbew
behavioral2/files/0x000700000002341e-136.dat	family_berbew
behavioral2/files/0x0007000000023420-143.dat	family_berbew
behavioral2/files/0x0007000000023422-152.dat	family_berbew
behavioral2/files/0x0007000000023424-159.dat	family_berbew
behavioral2/files/0x0007000000023426-168.dat	family_berbew
behavioral2/files/0x0007000000023428-175.dat	family_berbew
behavioral2/files/0x000700000002342a-183.dat	family_berbew
behavioral2/files/0x000700000002342c-191.dat	family_berbew
behavioral2/files/0x000700000002342e-199.dat	family_berbew
behavioral2/files/0x0007000000023430-207.dat	family_berbew
behavioral2/files/0x0007000000023432-215.dat	family_berbew
behavioral2/files/0x0007000000023434-223.dat	family_berbew
behavioral2/files/0x0007000000023436-231.dat	family_berbew
behavioral2/files/0x00080000000233fc-240.dat	family_berbew
behavioral2/files/0x0007000000023439-247.dat	family_berbew
behavioral2/files/0x000700000002343b-255.dat	family_berbew

Executes dropped EXE 32 IoCs

pid	Process
1812	Mnlfigcc.exe
724	Mpkbebbf.exe
4592	Mdfofakp.exe
2308	Mkpgck32.exe
3924	Majopeii.exe
2892	Mdiklqhm.exe
3776	Mgghhlhq.exe
1484	Mkbchk32.exe
2428	Mjeddggd.exe
852	Mamleegg.exe
1572	Mpolqa32.exe
1344	Mdkhapfj.exe
2568	Mcnhmm32.exe
4140	Mgidml32.exe
3432	Mkgmcjld.exe
4872	Mnfipekh.exe
3712	Mdpalp32.exe
2020	Mgnnhk32.exe
3116	Njljefql.exe
2304	Nqfbaq32.exe
512	Nceonl32.exe
3088	Ngpjnkpf.exe
4956	Nnjbke32.exe
5104	Nqiogp32.exe
3320	Ncgkcl32.exe
5056	Nkncdifl.exe
2320	Nbhkac32.exe
2432	Ndghmo32.exe
4796	Nkqpjidj.exe
1716	Nnolfdcn.exe
4352	Ndidbn32.exe
4664	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Njljefql.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mpkbebbf.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Kmdigkkd.dll	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Njljefql.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Majopeii.exe	Mkpgck32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Mnlfigcc.exe	31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkpgck32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mgidml32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2868	4664	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpkbebbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 1812	2840	31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe	83
PID 2840 wrote to memory of 1812	2840	31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe	83
PID 2840 wrote to memory of 1812	2840	31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe	83
PID 1812 wrote to memory of 724	1812	Mnlfigcc.exe	85
PID 1812 wrote to memory of 724	1812	Mnlfigcc.exe	85
PID 1812 wrote to memory of 724	1812	Mnlfigcc.exe	85
PID 724 wrote to memory of 4592	724	Mpkbebbf.exe	87
PID 724 wrote to memory of 4592	724	Mpkbebbf.exe	87
PID 724 wrote to memory of 4592	724	Mpkbebbf.exe	87
PID 4592 wrote to memory of 2308	4592	Mdfofakp.exe	88
PID 4592 wrote to memory of 2308	4592	Mdfofakp.exe	88
PID 4592 wrote to memory of 2308	4592	Mdfofakp.exe	88
PID 2308 wrote to memory of 3924	2308	Mkpgck32.exe	89
PID 2308 wrote to memory of 3924	2308	Mkpgck32.exe	89
PID 2308 wrote to memory of 3924	2308	Mkpgck32.exe	89
PID 3924 wrote to memory of 2892	3924	Majopeii.exe	90
PID 3924 wrote to memory of 2892	3924	Majopeii.exe	90
PID 3924 wrote to memory of 2892	3924	Majopeii.exe	90
PID 2892 wrote to memory of 3776	2892	Mdiklqhm.exe	91
PID 2892 wrote to memory of 3776	2892	Mdiklqhm.exe	91
PID 2892 wrote to memory of 3776	2892	Mdiklqhm.exe	91
PID 3776 wrote to memory of 1484	3776	Mgghhlhq.exe	92
PID 3776 wrote to memory of 1484	3776	Mgghhlhq.exe	92
PID 3776 wrote to memory of 1484	3776	Mgghhlhq.exe	92
PID 1484 wrote to memory of 2428	1484	Mkbchk32.exe	93
PID 1484 wrote to memory of 2428	1484	Mkbchk32.exe	93
PID 1484 wrote to memory of 2428	1484	Mkbchk32.exe	93
PID 2428 wrote to memory of 852	2428	Mjeddggd.exe	94
PID 2428 wrote to memory of 852	2428	Mjeddggd.exe	94
PID 2428 wrote to memory of 852	2428	Mjeddggd.exe	94
PID 852 wrote to memory of 1572	852	Mamleegg.exe	95
PID 852 wrote to memory of 1572	852	Mamleegg.exe	95
PID 852 wrote to memory of 1572	852	Mamleegg.exe	95
PID 1572 wrote to memory of 1344	1572	Mpolqa32.exe	96
PID 1572 wrote to memory of 1344	1572	Mpolqa32.exe	96
PID 1572 wrote to memory of 1344	1572	Mpolqa32.exe	96
PID 1344 wrote to memory of 2568	1344	Mdkhapfj.exe	97
PID 1344 wrote to memory of 2568	1344	Mdkhapfj.exe	97
PID 1344 wrote to memory of 2568	1344	Mdkhapfj.exe	97
PID 2568 wrote to memory of 4140	2568	Mcnhmm32.exe	98
PID 2568 wrote to memory of 4140	2568	Mcnhmm32.exe	98
PID 2568 wrote to memory of 4140	2568	Mcnhmm32.exe	98
PID 4140 wrote to memory of 3432	4140	Mgidml32.exe	99
PID 4140 wrote to memory of 3432	4140	Mgidml32.exe	99
PID 4140 wrote to memory of 3432	4140	Mgidml32.exe	99
PID 3432 wrote to memory of 4872	3432	Mkgmcjld.exe	100
PID 3432 wrote to memory of 4872	3432	Mkgmcjld.exe	100
PID 3432 wrote to memory of 4872	3432	Mkgmcjld.exe	100
PID 4872 wrote to memory of 3712	4872	Mnfipekh.exe	101
PID 4872 wrote to memory of 3712	4872	Mnfipekh.exe	101
PID 4872 wrote to memory of 3712	4872	Mnfipekh.exe	101
PID 3712 wrote to memory of 2020	3712	Mdpalp32.exe	102
PID 3712 wrote to memory of 2020	3712	Mdpalp32.exe	102
PID 3712 wrote to memory of 2020	3712	Mdpalp32.exe	102
PID 2020 wrote to memory of 3116	2020	Mgnnhk32.exe	103
PID 2020 wrote to memory of 3116	2020	Mgnnhk32.exe	103
PID 2020 wrote to memory of 3116	2020	Mgnnhk32.exe	103
PID 3116 wrote to memory of 2304	3116	Njljefql.exe	104
PID 3116 wrote to memory of 2304	3116	Njljefql.exe	104
PID 3116 wrote to memory of 2304	3116	Njljefql.exe	104
PID 2304 wrote to memory of 512	2304	Nqfbaq32.exe	105
PID 2304 wrote to memory of 512	2304	Nqfbaq32.exe	105
PID 2304 wrote to memory of 512	2304	Nqfbaq32.exe	105
PID 512 wrote to memory of 3088	512	Nceonl32.exe	107

C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe
"C:\Users\Admin\AppData\Local\Temp\31184d8ed942388a3eb30d53ad83bb934a1f9afa41fea3b191488b0206a53504.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\Mnlfigcc.exe
  C:\Windows\system32\Mnlfigcc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\SysWOW64\Mpkbebbf.exe
    C:\Windows\system32\Mpkbebbf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Windows\SysWOW64\Mdfofakp.exe
      C:\Windows\system32\Mdfofakp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4872
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5056
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2432
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        33⤵
        Executes dropped EXE
        
        PID:4664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 400
        34⤵
        Program crash
        
        PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4664 -ip 4664
1⤵
PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Majopeii.exe

Filesize
115KB

MD5
ece2d0fbb5a9bd6b4c95e123b548c4f0

SHA1
4eb27843dfad7945afa4f6befa425f338df56ace

SHA256
0d9f7ed3df87dd8fbcf0be4a72ae536b8b22c4c353df7a563a40d98cf6e6c67f

SHA512
03e079d12be2e334f4a632f86078cbefc07816945eeb8aefcd3bea3f3c8d9905f737bc8cd66c926edc5c51087eb7a46415f37383a832703b56d887d4e9ebb3bb

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
115KB

MD5
c52fd2b5cb6331d40dcda6eae2ccd4c5

SHA1
2afca2129e2c7ff3877f258369926e67def542b2

SHA256
638894f446ac0c1de795f7d8f412daa4fa340b419b421309bd3cb6fd7d487f4c

SHA512
ef5786702a2d5d33d3267450717563dde573b56bf7daa701eb6a5457b0cbe5f61552c56bbaf15091a4c6e3af589b438416c5335fe5f8cd13b5de37caf9449974

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
115KB

MD5
8170b32d62f3867abf8731838ccd857f

SHA1
cdc09e31d9565144c91d559996a41219727adbe5

SHA256
abc754ff6c66a14b05803de392a183a9c73c029caa44a990a063fb2a7bc76e0d

SHA512
bdabca13515415447d4724d66c8c3931913156f8fd4215632b1e52a20ad015a6abc9f4241709df700a7db971e0830df3a9e4a7efaeb69fc30187852f03f02792

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
115KB

MD5
a30d38a55ff1d214891477eba8c4c9f6

SHA1
d4ea8c9c43acc037a435fe9f14f361186a1f0c83

SHA256
17adae4e999d5a41ea85f3e90665db2119bdd565d45c515b26585a5dd77147f5

SHA512
bd518e9b88e8b2b5d0da95e1fbef4e57dba31edd3e962207e8a0f79cc8db694bffc48256cc7862c5367d93c56cba57f67cffd3cb6a0eb8f45956be0dcb515c06

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
115KB

MD5
53660c558b106f508145b3ec7c786b67

SHA1
c9a785a2ce42a77b9c56b2aa7a2b2ee98470bc61

SHA256
6c1db608fe8b9052bb455c25f287da974c1013ced189861edac7d7794f68771b

SHA512
5f68bce2d07cd3527e86aedfaa5839f095063bd74cd6e5ebe7a46c6f864ca95d47ab986d84ff95c316a2b78392d986d4f8612cb5d2d891eb911457d2a11f87f9

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
115KB

MD5
d46bdf13f1c9cc64d65f2ebb5762e5a4

SHA1
7e638662d42cec94b6f6cfee48e1ecb963c5ce8b

SHA256
03fa3a253dced923c8543a84cc08ade1e5b5ff0ff6af4b8f371905b3d5f413c3

SHA512
be5f78a7dc85ab95699093e49f3f5fcbd26b9bd09b2e0da4f977f10b227e26491813420341346523da6b86187221750d23c24fdc6f89ca3b3a7c9c763742df3e

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
115KB

MD5
d8124c2d16383fa3386bf5882dd8553a

SHA1
82256c41b8a23f8c585d680ffe64d9d3631edbaf

SHA256
9ca7ff83060fc759f232e0e69fecdd6f59531000bc8b2c6fba72f1e69e5bec2d

SHA512
120f422b42c3d477605d438f4fd70732ac6715097d79d591cb8eb8253c2bd15047afccd239a82d7cf77ed85df45b5231621ae672d2330c99f3f88b43c298da89

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
115KB

MD5
0496f672ea3e8d9f0bd84de554bf3d90

SHA1
6926fb7dd747c77ecf50365b2acd4f0536daf031

SHA256
5a9c36d2470499bc4e62edd0ddecba7e2b119fc66577b58bfe177654de401e69

SHA512
01184875032cd2a5ecdd2a11b03726f85fe5faf1dcddf86d483d5d072f86e77e82923f3008e0a1e11ed1d935ff34ec787a838c73ae3be278ae0d8fc725efaba6

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
115KB

MD5
1232c52171aab59df7dbb3e4da19bd4e

SHA1
a447fd1cb4556c72f87887c1ea127353930b299b

SHA256
63d1888eaa93330ab7036a9d2d97b3518251a1666532d0b89c25225ff91b1692

SHA512
d3977bae9f9e62c65e1f70df3255f0b02c1eb742681424053bb1774ec5266a4ec0d6d6e5e08cfff042b39be6751b6d10839424af07ed0447f405aa53a616ef80

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
115KB

MD5
aa4e3ad3bb252ce83a3981e04a709173

SHA1
f8dcfc77bfaf4ba770f0c056f65461292111b10c

SHA256
113f676730702cc5ada8565417a026751fb7bdad398cad13579c8a600300b143

SHA512
127abfdafb2e430eb872809eaeb1bd5340a87b87e473b287cc52b1de2e20ad5d1893151e8c93fe1312fc9833ef71c1110bdde9f33b57301403ce57e8f9d653b9

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
115KB

MD5
345e43b72ad0d4c3b8f82ad39f93b456

SHA1
cac41eda31ed379fd505773dd4137887b4f27615

SHA256
bdc64fa3de0ece0aa748a07dfbef97566e5cb1c99be7c2df76b3da72fe534ab1

SHA512
a9cdb68de83f8189b8d3303aee1114e3ce9db901a136172bbff4c7321ea4b0f92f73e785c259566a8626ed8fb5df7cfda8d3369c5b15bc2287514876d83d50a3

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
115KB

MD5
93c973a1e5be834ecb3ad37aa6cc6bac

SHA1
bd31571bb255b3a91574f6a249d10a1bb089453f

SHA256
e9ba4a6aae66453a051bfce5a700125154008172a2a936be8866ca75721532ff

SHA512
3284099cb9a5e7d476313d923998444140ccdde9df304eb8994968375927acbffe6f92da9783c93d096b0c7c9bdb4a4ef689e10842825373b4a543fbc42c6198

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
115KB

MD5
3d4b200185ef064bae107d8040a89d87

SHA1
74d425410172423fadbb586f5b2d094517571b5a

SHA256
032e7a546bdcca9b9212dbb97a9e2cd1cd4cd1947e85dd0ef1a93201665e5161

SHA512
0d4d5e5f448652ba153a97688c2f1018f9ccb73b1d1de91744e9925a556a9885d7f7c7392d8c20f307dd4cc0ab921f6869fef7002568e30ea46c8225889ab72c

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
115KB

MD5
6932709089231ae9fd41ca4c2602e32a

SHA1
8fee31dab033ad073e6ad6f9360cbd2555ae1230

SHA256
ce2c4bf668d31e52d5319255e7245e865820f3d907e7fbf972b22bc52230d60f

SHA512
cb4d63f61d6b6ab4d34d9d63a8389c10f26500c8ad65604b55d30d98d20d13c1cfd0ef88aded06848227fadcf9cd6e9e81468484e17fe83dcd6604bd32cb1ee8

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
115KB

MD5
269cdf5440e6b8fea8b06763356d8b33

SHA1
6f09f8dbf9542ec6e0965e95468a4b3959a3290e

SHA256
e7672d57d0c420ba2e7477596bc8bfc65d2d7a8f7c42c2ea6ac6e5a481b287e7

SHA512
3d7732118cc6cf7ca88ed42046a08ad4648501a92313cd38fc312cda8bc43919ea950cda314799f29c2100e7fd4be5d74a72d29edd862c8294d3ce550cc2097e

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
115KB

MD5
7417171cf5268021a9175eb2324b4f61

SHA1
70d37c4d67387e4c7bbfd6db583162a0404d1379

SHA256
bbd939d4651252db3f515cfcf260a16246531cf76bb99f2be10d990f6617cf93

SHA512
afaf3f6e3880fa1988ae5abe9052c54e82fc9f9ef5022acac2a30174ac84dff7c6b23028de3950c4afd26a41128a019cfdcb1ff650360c63b2cdaaefbb2ef381

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
115KB

MD5
2c423eb6667931c223e215e03c3f34ee

SHA1
64e319dd872c138f9a965c61c2b60b9abb2f3bf7

SHA256
6310bd3090d287f211c38838e897ab407797227c48c7b84e6c3163de1b2e0fb6

SHA512
c1a3a807af385cf475c415307eec1d4d32e71ae456e8e14071fb1a00455b661c313f3ce2511c2b6d3933d1dd63e8237e6c6fdad7e099fe0bbb188f52f81a6be3

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
115KB

MD5
e4434032eea8b0fd9c44d36c831c07b6

SHA1
dc4fc6dfbea43a30e5a9bce65e7fc63c7a2432e2

SHA256
8703f3e26232d61e286c40a172ef51d4efd3c4a19913f078a1c5ab2923fce2d2

SHA512
aaf91a379717d1826bba305e7813a4795cbdbfc10df849ff089fa29c67762efe68bb4e5f7c9eb8f6bf9090579a9c44c04e51064d9a53e303ab609d9e5528fce0

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
115KB

MD5
5c3bb0f7f4d044a53000934578adaccf

SHA1
b1cbe509de6cff8bc55493dedf4655c46ea98fe8

SHA256
a8282f01e54254791a101202c3e58cbcfbeacc42a35224ef052cfc9b048def7c

SHA512
d76cf7103e00d84cb4ea25241ba49b65ad2262facc6160de34b0e49be82e9932020b4bccf1dda50728c23fb0ac1349082ea6bc24dd9a0167bc1f200443b014b3

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
115KB

MD5
9141ef50de28ab2b83cd4711d6084116

SHA1
0968340b334f2853642fb8e2a000135b3aa59e85

SHA256
8e84433ff16131ff3697a245243566671341b57ebbc2ecd0966cfe9647102e09

SHA512
32872cb2e1936d732c26eab0645c8f2b64f61faf2c54d96f77dd282f18c972476914dff0f74e97561e99c7faf428beeda373b999423f2e2d9f8765c36ada3e2a

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
115KB

MD5
b1de26c166f2eddb0952663f312bfb53

SHA1
15742857d4a79858cb493856e61c77776da561e1

SHA256
b22c7df6a3bc9bff4b50195ac10d3816416248496894f5a4be13d5ff69f51359

SHA512
7fa0bf9128266eea97fdec7bdbf1d83ce5dad558ed2a08a8f0e52df93fa84f604c3fa64135120da70b56f4721aab90a339ebcf23f9159ee5232e7d5e2f26a6d1

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
115KB

MD5
1c675167ad4cd4511b0bded8eab985a2

SHA1
fe6409f4af0353e3c62cfde92fef1b6c710b06cc

SHA256
add97ecb5b96b4d36008baf571915e6f16452171ba3ad887274a5839ce19f6a1

SHA512
c6aff0f6e9cd73b0e7b593bef65f9d31386c037bef4e87cd24c2021a70f541595b50d764105a3d49cf7cf66aeb6fc65b1556e1c50cd0acec9bf08c4827eb4777

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
115KB

MD5
08224233ad6e43a818140e5164c8dced

SHA1
2dc3e80c4c75ace2aad14625af4d5663427d89c1

SHA256
5535775c4171a8df69aa362257a3d044fc8ca508f23531849e31bb148892d1df

SHA512
3cebedd2b0b38a4bc62af8d284964a8e111d977c3ab470d54fd3164d4c160fcba50a083bd4d407b55f09240a448501b0f7510cb0bb52930c5b635eeeb33dbd5e

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
115KB

MD5
df717a4b54940db6684f1261010fddc4

SHA1
1ec4f83cc63bb93929c59f3613e3649617409e92

SHA256
fa3d13e1082d3a36626b31f29a57b347dbd93946a5b05eed78598952028df984

SHA512
b889fcb9ac1b99aee533c55709f39daf3ada52249ca3727be5522d4c273f574a3e39a54683e1040456526c737f6d55143848299f0a8ff303215ef1d9af7d88b7

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
115KB

MD5
0a4c9759ee0a5c6855474937947f27fd

SHA1
e2cdfedd844af0e8c51fd489d615b323041e5eaa

SHA256
58c0ce99a81962ad846f7a42b2943ade0fb799d4c54a5bcb0bc703b918a918cc

SHA512
8a0c751d297cf7e799b1b583882bba6a405e2477d862992fa87d1a8cf3e6a8a0db34c427f662e40bb9336eb8715ed9b53f1f410b1a5ad94cc94f0b8e3795f87c

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
115KB

MD5
13d080b44e1d565603dbaa0aa7ba0fe0

SHA1
a5f9fcff787e7c6e0fd9a93fbf720cd84c4970b0

SHA256
13116936edf13c99dc4a371abe9b9ffa2b30cc243249193d9b9bd13fb0af890b

SHA512
42f0787b7a7ead09e0a8093aedfd8499821d9e7ede9e16c83d0b23bff70f6a65018e18c145f53bc1717ba26a03f148d830ae5052bfbc9f152ead82949f04d4d1

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
115KB

MD5
34e95bdf261f9bc5b750dcc7c0f7a1ef

SHA1
d25b6495a02d68d03dee07381ba06d111cfda77b

SHA256
858fe7978151c2cb6e938bea22e56bd7f322847253756317d74915074ecb7ba1

SHA512
dc6dbce1885ae5a50bcca82eb32669262941177f75dc4fac90f659c5e2a6f74c2c2017421233e1c15dcec872c84bea5a7cc1e3aac867d0427d9248f2fcc661e3

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
115KB

MD5
1ea5192707504d81ab2658a47c8ecca0

SHA1
9e92cb837263059710315e9e63b5f5411a864dfc

SHA256
c737e2826bb3fd3766921a8a1f525b0cbe976d56b75f9c0aa2f22fd8816c237b

SHA512
a9808c6989cd3bb406bc4ed038827f10f3313cab85ff540edf9cc7400bae8b210c93d6161add2cae694fd9b4f6939ff33e33200d30df32a23a6554166d4454d3

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
115KB

MD5
19d48691f3ebfc14f64e58a47527a04a

SHA1
01056202adff13f4516a3c8e67c27a184693f088

SHA256
af2a0551612552fbd5e3045095f3a5d3e9656af97b5517b4877a1a58fa51ce24

SHA512
ad0468d58f6898f972368cfb71b8c5302aced95d9d10bd644aedeaef3ce4d9c6b698e25539d12b314f0c2d592986bd828334f42e75fc5b2af4d31f3bd993a498

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
115KB

MD5
75a02dd4c89082bcd52d48ddbc8a5733

SHA1
ceb9928dc3ba0337a9eaf4ebbbe81c6862d138b9

SHA256
2925c870ce92d828ec659bab02abda0493adaf352a34a7590d6608fb8bcb50b5

SHA512
e0e53a0906b25772ba70a94548dccfc7736625a8c64c9542ccbdba56b3178502842fd0d567ba555ad920557b3fcff5f4cd41a8b38c5f4984fd88847c78c4751e

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
115KB

MD5
e0626116b79569b49c739d26dc97f78f

SHA1
b7e2494a865ea6c87afd7bdf8ebe68f3e668693a

SHA256
384e84f7a00deb5d908b18c924843dca2400f2437351d030b4e19c4c544765ae

SHA512
f06acbc5382c7cdb2d6a004e5ad4dbb430dd79017520660cadfe5f359afcc07f12effbb569aa0fcdfeee0f7644b7ce9099ce4ea849201bf90847e212a1f7d64e

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
115KB

MD5
2025f0cf255d18f0c3a509e0be1a946d

SHA1
cbe3fd8aeda768e44ac44c4de66fc10d14a2a9dc

SHA256
453bfd8b0faae88007cb6852eb94f7ddd0e383cfdb14b12a6cabe9ec03afe109

SHA512
86fc8894d61853d4ab733d87a94bdf0ccb20b17ad578ef62f96c3df2bcea9349787585d9bdd76ae956d06999da9609da83129b5fe8039787477814a78a656875

Download Submit
memory/512-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/512-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/724-22-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/852-109-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1344-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1484-69-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1572-110-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1716-260-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1716-241-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1812-9-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1812-266-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2020-145-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2020-271-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2304-273-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2308-38-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-217-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2320-263-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-108-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2432-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2432-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2568-112-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2840-265-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2840-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2840-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2892-53-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3088-275-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3116-153-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3116-272-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3320-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3320-201-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-268-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3432-121-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3712-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3712-270-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3776-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3924-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4140-267-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4140-113-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4352-249-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4352-259-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4592-30-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4664-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4664-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4796-261-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4796-237-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-269-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4872-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4956-184-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4956-276-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-264-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5056-209-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5104-193-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5104-277-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads