3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 20:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Size

128KB
MD5

a0ae9e266da0ef6cd10f231dc278d8ae
SHA1

50eeedefeb6a4a16dc2e40ef29b5d75917ad958c
SHA256

3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678
SHA512

2ee77323e99da1eac3705b93bf094d1a671d60e2fda86d4a3c877b7e16973e6cabfb35a0fd8c11d1e55eaf42660c9c9b554a61c48c88e237f1abcb19a1f0a27a
SSDEEP

3072:UtybiyQQUymCmxQCH08uFafmHURHAVgnvedh6:VADCm+CH08uF8YU8gnve7

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe

Executes dropped EXE 20 IoCs

pid	Process
1360	Mahbje32.exe
3256	Mciobn32.exe
2556	Mgekbljc.exe
2464	Mdiklqhm.exe
2368	Mgghhlhq.exe
3332	Mdkhapfj.exe
4624	Mkepnjng.exe
4528	Mpaifalo.exe
3608	Mcpebmkb.exe
640	Mnfipekh.exe
2268	Mcbahlip.exe
1688	Nkjjij32.exe
4692	Nqfbaq32.exe
4052	Ngpjnkpf.exe
2148	Nafokcol.exe
4116	Nddkgonp.exe
1404	Njacpf32.exe
5072	Ndghmo32.exe
3212	Ngedij32.exe
1008	Nkcmohbg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mciobn32.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4336	1008	WerFault.exe	101

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifenaok.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 1360	2744	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe	82
PID 2744 wrote to memory of 1360	2744	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe	82
PID 2744 wrote to memory of 1360	2744	3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe	82
PID 1360 wrote to memory of 3256	1360	Mahbje32.exe	83
PID 1360 wrote to memory of 3256	1360	Mahbje32.exe	83
PID 1360 wrote to memory of 3256	1360	Mahbje32.exe	83
PID 3256 wrote to memory of 2556	3256	Mciobn32.exe	84
PID 3256 wrote to memory of 2556	3256	Mciobn32.exe	84
PID 3256 wrote to memory of 2556	3256	Mciobn32.exe	84
PID 2556 wrote to memory of 2464	2556	Mgekbljc.exe	85
PID 2556 wrote to memory of 2464	2556	Mgekbljc.exe	85
PID 2556 wrote to memory of 2464	2556	Mgekbljc.exe	85
PID 2464 wrote to memory of 2368	2464	Mdiklqhm.exe	86
PID 2464 wrote to memory of 2368	2464	Mdiklqhm.exe	86
PID 2464 wrote to memory of 2368	2464	Mdiklqhm.exe	86
PID 2368 wrote to memory of 3332	2368	Mgghhlhq.exe	87
PID 2368 wrote to memory of 3332	2368	Mgghhlhq.exe	87
PID 2368 wrote to memory of 3332	2368	Mgghhlhq.exe	87
PID 3332 wrote to memory of 4624	3332	Mdkhapfj.exe	88
PID 3332 wrote to memory of 4624	3332	Mdkhapfj.exe	88
PID 3332 wrote to memory of 4624	3332	Mdkhapfj.exe	88
PID 4624 wrote to memory of 4528	4624	Mkepnjng.exe	89
PID 4624 wrote to memory of 4528	4624	Mkepnjng.exe	89
PID 4624 wrote to memory of 4528	4624	Mkepnjng.exe	89
PID 4528 wrote to memory of 3608	4528	Mpaifalo.exe	90
PID 4528 wrote to memory of 3608	4528	Mpaifalo.exe	90
PID 4528 wrote to memory of 3608	4528	Mpaifalo.exe	90
PID 3608 wrote to memory of 640	3608	Mcpebmkb.exe	91
PID 3608 wrote to memory of 640	3608	Mcpebmkb.exe	91
PID 3608 wrote to memory of 640	3608	Mcpebmkb.exe	91
PID 640 wrote to memory of 2268	640	Mnfipekh.exe	92
PID 640 wrote to memory of 2268	640	Mnfipekh.exe	92
PID 640 wrote to memory of 2268	640	Mnfipekh.exe	92
PID 2268 wrote to memory of 1688	2268	Mcbahlip.exe	93
PID 2268 wrote to memory of 1688	2268	Mcbahlip.exe	93
PID 2268 wrote to memory of 1688	2268	Mcbahlip.exe	93
PID 1688 wrote to memory of 4692	1688	Nkjjij32.exe	94
PID 1688 wrote to memory of 4692	1688	Nkjjij32.exe	94
PID 1688 wrote to memory of 4692	1688	Nkjjij32.exe	94
PID 4692 wrote to memory of 4052	4692	Nqfbaq32.exe	95
PID 4692 wrote to memory of 4052	4692	Nqfbaq32.exe	95
PID 4692 wrote to memory of 4052	4692	Nqfbaq32.exe	95
PID 4052 wrote to memory of 2148	4052	Ngpjnkpf.exe	96
PID 4052 wrote to memory of 2148	4052	Ngpjnkpf.exe	96
PID 4052 wrote to memory of 2148	4052	Ngpjnkpf.exe	96
PID 2148 wrote to memory of 4116	2148	Nafokcol.exe	97
PID 2148 wrote to memory of 4116	2148	Nafokcol.exe	97
PID 2148 wrote to memory of 4116	2148	Nafokcol.exe	97
PID 4116 wrote to memory of 1404	4116	Nddkgonp.exe	98
PID 4116 wrote to memory of 1404	4116	Nddkgonp.exe	98
PID 4116 wrote to memory of 1404	4116	Nddkgonp.exe	98
PID 1404 wrote to memory of 5072	1404	Njacpf32.exe	99
PID 1404 wrote to memory of 5072	1404	Njacpf32.exe	99
PID 1404 wrote to memory of 5072	1404	Njacpf32.exe	99
PID 5072 wrote to memory of 3212	5072	Ndghmo32.exe	100
PID 5072 wrote to memory of 3212	5072	Ndghmo32.exe	100
PID 5072 wrote to memory of 3212	5072	Ndghmo32.exe	100
PID 3212 wrote to memory of 1008	3212	Ngedij32.exe	101
PID 3212 wrote to memory of 1008	3212	Ngedij32.exe	101
PID 3212 wrote to memory of 1008	3212	Ngedij32.exe	101

C:\Users\Admin\AppData\Local\Temp\3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe
"C:\Users\Admin\AppData\Local\Temp\3f4c5ea8ea5ce4d7c480e23c3fa2c5a94a3cb26003e69d2332cb68e26a3dc678.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\SysWOW64\Mahbje32.exe
  C:\Windows\system32\Mahbje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Windows\SysWOW64\Mciobn32.exe
    C:\Windows\system32\Mciobn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\SysWOW64\Mgekbljc.exe
      C:\Windows\system32\Mgekbljc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        21⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 220
        22⤵
        Program crash
        
        PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1008 -ip 1008
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agbnmibj.dll

Filesize
7KB

MD5
0f164129b0602a8cb57f4d961fb934c1

SHA1
ae6de2114566d517a750c939cb2c327b8beccd4f

SHA256
05d8d5b7db1d1d54c1bfe4833c4be32d46b45dc6568f27344a81b38b2d44ad4d

SHA512
f79d16bc0eb54cf4f6a1acf23f9eb5847f918b01b20d2bf3680d07fe0f5b2bfed74814ac3331c408e6af9a4c27d62cfb86ad65b2f551674c11c19a90a9691a26

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
128KB

MD5
c85056c1bfd111bd5255a6069991f6da

SHA1
a4cc2051aa761dbdf358833924476c6b08f74ac5

SHA256
1d432ac0a444310dda1dbd92ef46ad2c777ab93c3aa76041f66d1fbae3c04c62

SHA512
96c76a30db47c921bce20abcd4cad72f0ee31dd310995ebeb74be5d2fb94ee0d49b0805d27f813ccbc47525c668e6e95083eeaa0b6d3a12f643404f8e8676aa2

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
128KB

MD5
d46eccfdf8f58c3b1fddd2aed472e7a1

SHA1
00755bdc2f2c9599daf7d39a8ba7a5f516cc1f88

SHA256
eb2e5086a144846915caa0ae59bcc8471b6e47f4f2ff236df84cbd83faa0cede

SHA512
e4eb8c675eec2db5dd8d4f2f31457d813b8c7e642faf3e77dc9d970f765045cadc0e45098ffe062a4d48e91a066b552611b0c2da2dc23f6189f1cb80bc285e03

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
128KB

MD5
6efb1e7bec8887509e91228626921ec3

SHA1
739c33dee38a12df5b5b5fbf9e18887e9fc353cd

SHA256
36d9b39bdf14839bf18134d3fea6b9706c51e027ae417bf8ab7c340d586702e7

SHA512
4355359662f8a8aaea7bc47fe8881f93e2fb48da79cd53de026f84dd1c137d8afa2cf14bd0f057070091670b14cd6da553c3ae914ea889313feb73305f216b98

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
128KB

MD5
6b0070325143363332b458f0ce10804e

SHA1
9d6bad70ca2437c7f9a16b9783aa51487198403d

SHA256
bc43b5d04e255a4171d802ce7af0b3ff8146766cff6e73f942dedb055219569a

SHA512
d745ff826203a0876c73e0a88574e97a4a141c3dc81cf32477040e63d58b7ef892a4df13cfb1de5361323b7ffe5e074b8dae07e5c88b3af5482c575850fab695

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
128KB

MD5
3e02318e4bb26628e9f725b62e54e4df

SHA1
dc52b4807bf2bfc1c838201008850dc8b5925a20

SHA256
3349a7c8a9f25678e70cf68980b77a70dd1cdabbafb211a344acddd29bfc2d0b

SHA512
1b15c5783217a9338f7cbe3e050ed7d8b3823b2e1f3470c10b731dded2d6a44be3caa964de47958d7e81df7e17660757e635cdd01a538beab8e9ac604058054c

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
128KB

MD5
4300d598841612eed685de37c16ab454

SHA1
2aa957375f90effc6b24808c292acbbb9a8d2658

SHA256
0b7d6e8bd9e6375bc6155a96cb8b890d0598326a7301c2c92537cc0db08dfec9

SHA512
7e7143a405d71816dc356ce01d954cae453997280ad4fb047134560fef202db52db5f177708d4d918fe6164cae6c6629db98640567cba63185e41464fe82294c

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
128KB

MD5
edb3f07c1b266c814ba7ce91bd8e4849

SHA1
ca26649029fe7864846ae6618fae2736136bbbdb

SHA256
e901e6096f3638e4f338a661b017ff1deee2fe80cf5be4c1aa69ddceaf3d0b90

SHA512
6a20aca17caff1a4a847bf87fc3ac691c13aaf7eefc0ac178e9bf983b255a6702719dd6551429f9b101c5562035c8ea9d756c5e684936e6c3aed69ad43aac2bf

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
128KB

MD5
a38c762e41ee48a09d6d03911565fcec

SHA1
f20d471e1f3393bfdadb4c4c3feab1e84037dcbf

SHA256
49ed48a7f25a40a678e392d206e009bc2ccda42e9fc6733d920793644df8817b

SHA512
6ebb7c3b7e8ecddda0d72e372cdf031875370ae8c0493af91c7ffbd3104abc8ed8203c3c45fa5b6fd3922876e6b87d788659abd4259f5e1c5c082135e72f62d8

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
128KB

MD5
7f75e15a7d5b5a99c5c2fc6829e61735

SHA1
ee0810f76190fce4585f40b9476bf9b52966ddfe

SHA256
7f2e5c656aa99e5fe785d6eaeab563b8810da6c3fea06c4cff9dbe11dbe06af1

SHA512
c2cfeeb3e908c2f56d4c3002c47764c31e94833f5fabf4f0e4864dc666c50136c4cda5ad090878f5804bc26998dc55369b7a9aec68f8c10007de22877f4d4ecc

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
128KB

MD5
c4ac47eeb9ca8ed3319ba6ad91b87ad6

SHA1
960f6f92e05f5b7136c996b6844b0a10d00f7255

SHA256
441901d64374c0d2b28bc277d5f72c75c28fc000c0a0f25553f4e69ef9b5dc25

SHA512
837adb50bbacb8cb8c5d240ab1c298851e0aab52c7455be9111586e38c2e0acf7230ff10e40a5a5a80a8131b47d883860fc9ec9f3be48135fcf4511d33b3bee0

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
128KB

MD5
4bab28fdad94a022f7ed3a4c7cba5f86

SHA1
310ff9699e1c01989b0e8a303c768c26fdfd5708

SHA256
a4c2152f3f0d5f00d1b5150bf7ecd7eb4c8c808cee231d52dbd50707c976b119

SHA512
c54524d4029b313d6f8babe07aba3be6373b84d10a81f4dd983d801de18e5fb3e57169ce624e9392f04d084ee78bb6bd5e50eca466e6e02ad20784fd2c0a0840

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
128KB

MD5
d89e1becc15c2927407e2a3ccce4be69

SHA1
9dcc99e8e979da892cc6f5f3c4f07c9a8b9e4d5c

SHA256
f06cda70aa23a57a1b8bc1ad8755017fa2a97980f1dc7d991e8bd4a7fb1305c1

SHA512
5b7dc04c7e0ae0bf7dc6c5e63f5e6ef6768a97d7fa8cb403609cb1956930813a6065ed26d076a77cd40b5437bf858099a2d8490afc1c1b2d2ff4a4f25a73ad8d

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
128KB

MD5
32637afa4d44c6f46239c504d6cfe14e

SHA1
c44fde835fb4df6b81271bfcf9984acace908475

SHA256
3098ec3236a1c968928099a3fc52b7a44c1a0e2fbdec2c45122da4c06b74b318

SHA512
3a52905ac8c10d99156aaf326e8521429c90bf746fd0ef3a36c84968804261f78d7a7e58a91d3c5819afb863462eb6cef7985f35861c02c8314700667e01eca7

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
128KB

MD5
648479383eeb57acc9a10d1d19a765ae

SHA1
ad35c6753e004cf6658d2897409486bb39720dbc

SHA256
357c827b4c353fd584f366c3c3d5f518eff596e56f450adecd024385f3ddea35

SHA512
2b2908c9a103f711b94dcb52a0332aa0f329008cf5f3402ac4d56ba3977cdff00c515aa49142d0fe9ed7b96054e127d23a839534bedf1722c2a6c8eeab8e8779

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
128KB

MD5
95bdefec61251bc05a4d1d693d60d157

SHA1
a89fcacc024d5a26223201e7873c7333114ad7d7

SHA256
665b7ae1359f106e2a624af10c61d909dfcc68ee6c54139ceaef54d5c0249382

SHA512
ac032b6f9ae223a08f4e1f912409c54dcc7a95c6f6f3a7a066111f86218a7a6451f36eb498a15d8a4ed7a94c6e846bc4f252e0467827a625582a04258a7ed401

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
128KB

MD5
afcf29790ac0bebe8ea1e700342f4dc6

SHA1
964317549cca9c7e1933b55fafe4c362d093da5b

SHA256
95fd4c880408ebd640ff6e8ae12365c97355f0b7ab24854724e670182aea5492

SHA512
8019f766bd343605ff032d411a72341f1ad837cda1de2f057b154236ed0e52ee27c4db6d21b1cd469d73cd6b5015183d6d614bf0acc2df08480d1dfdc4ff2c01

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
128KB

MD5
76eaf3517263b8eef6c6d23d344b75d0

SHA1
7ca495f21c7cb515794e786fa02213ac9b7b7af6

SHA256
d7e4d619876e9aa9cdc54b94d5f5cc154b07c0fc2515867bbe8ee779a3bdc737

SHA512
060871889b36470809a837574beaa86077189096abe1a6cec70e89c1919372eb4066d2c4ea1c805088d39e1c4ce6744f1e2141241749935501d28ccc4d28e54c

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
128KB

MD5
fff76b13e6b92a727b71b36b5c32818a

SHA1
f8a0442cd66e1ca21840594f1de9f4ceb09bbec4

SHA256
4fd4f90d9c99a93205be4050bcf65d7fd5f5bc1e8149dc2dac243ec425e8fbd4

SHA512
fbdfd434504befc59769158de85628f1de4069af86431da26ab97cbdbf2d4439559e157dde7e6843b513c140146ee398d7c6afeb768fd241d0d60e4a9af48c00

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
128KB

MD5
a449da7aa4783e7dd4bbafd05a5b083a

SHA1
ec41e80502483d8846cf36604ac3e4350adeb923

SHA256
52668c344367a97903a34d9ad2b46de33b160dab0f35ca3613717fd96f2a2807

SHA512
26866d5d2bdef231e509a5590c4d604ade9473a9134d1d863a281d57a868f401e6e09dc1c7beda61d9c0fb16f3a5f1063fc254ff58ecd1528094a3ce5c50e4df

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
128KB

MD5
80ed3abba0fcab87dddbea774cb39aab

SHA1
3ae76d611a2fbb437b107066edd03b495c273c07

SHA256
431cc73456f205fd7f09f26a2d7690a9e64014ab469c4c8be648fb26d57e945b

SHA512
09fda866c61623047796956a4c9b238d42f3ee09f14fc65b009e3d3131f9aaa7ca4eff780db4e360df70cbf77c9b8393463112d494db18781f2c07fc5b6fcc3d

Download Submit
memory/640-170-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/640-79-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1008-160-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1008-161-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1360-7-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1360-179-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1404-135-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1404-164-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1688-96-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/1688-168-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2148-125-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2268-169-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2268-88-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2368-175-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2368-40-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2464-32-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2464-176-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2556-177-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2556-24-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2744-0-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2744-180-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3212-151-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3212-162-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3256-16-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3256-178-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-174-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3332-52-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3608-72-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3608-171-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4052-112-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4052-166-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4116-128-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4116-165-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4528-172-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4528-64-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4624-173-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4624-56-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4692-104-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/4692-167-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5072-144-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/5072-163-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads