718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507

Analysis

max time kernel
95s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Size

320KB
MD5

1a0791eba14c762551038d5b0fa8d92a
SHA1

23619d5a7240ad6512491e994c7e2e91b110942e
SHA256

718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507
SHA512

46be79cccb50e15eca28cdabd5664c10b016b07dd829f4115aa33573713c3c0f03ad9145b1e877dc7416ed80d3f592d8e376f57837923c1a800107e7e53a1b41
SSDEEP

6144:C9JvNmorYSvljY/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:wvooxv8m05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkjqcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nomcen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkjqcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbeledn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbdipjej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkccjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nelhbdlc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmfkkhl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnkiek32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkccjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbeledn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nelhbdlc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjdopkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdipjej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmfkkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnkiek32.exe

Executes dropped EXE 17 IoCs

pid	Process
1512	Mkjqcp32.exe
4716	Mbdipjej.exe
3508	Ndbeledn.exe
4620	Nnkiek32.exe
3868	Nkojooih.exe
1888	Nnmfkkhl.exe
4396	Nomcen32.exe
2712	Nejkmdnf.exe
1344	Nkccjo32.exe
4492	Nbnlfimp.exe
4508	Nelhbdlc.exe
4480	Ngjdopkg.exe
8	Nkfpon32.exe
1312	Nndlkj32.exe
4136	Obphlhkm.exe
3912	Oendhdjq.exe
3080	Ogmado32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mbdipjej.exe	Mkjqcp32.exe
File created	C:\Windows\SysWOW64\Nelhbdlc.exe	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Nkfpon32.exe	Ngjdopkg.exe
File opened for modification	C:\Windows\SysWOW64\Obphlhkm.exe	Nndlkj32.exe
File created	C:\Windows\SysWOW64\Cjkbfgoc.dll	Mbdipjej.exe
File created	C:\Windows\SysWOW64\Nkojooih.exe	Nnkiek32.exe
File created	C:\Windows\SysWOW64\Kikkoh32.dll	Nejkmdnf.exe
File opened for modification	C:\Windows\SysWOW64\Mkjqcp32.exe	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
File created	C:\Windows\SysWOW64\Nbnlfimp.exe	Nkccjo32.exe
File created	C:\Windows\SysWOW64\Khbmbp32.dll	Nbnlfimp.exe
File created	C:\Windows\SysWOW64\Nndlkj32.exe	Nkfpon32.exe
File opened for modification	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe
File created	C:\Windows\SysWOW64\Ddmnkm32.dll	Ndbeledn.exe
File created	C:\Windows\SysWOW64\Cknhgocb.dll	Nnkiek32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmfkkhl.exe	Nkojooih.exe
File created	C:\Windows\SysWOW64\Qpbobidb.dll	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
File created	C:\Windows\SysWOW64\Holjqf32.dll	Nkojooih.exe
File created	C:\Windows\SysWOW64\Ndbeledn.exe	Mbdipjej.exe
File created	C:\Windows\SysWOW64\Nnkiek32.exe	Ndbeledn.exe
File created	C:\Windows\SysWOW64\Obphlhkm.exe	Nndlkj32.exe
File opened for modification	C:\Windows\SysWOW64\Ngjdopkg.exe	Nelhbdlc.exe
File opened for modification	C:\Windows\SysWOW64\Nkojooih.exe	Nnkiek32.exe
File created	C:\Windows\SysWOW64\Oendhdjq.exe	Obphlhkm.exe
File opened for modification	C:\Windows\SysWOW64\Oendhdjq.exe	Obphlhkm.exe
File created	C:\Windows\SysWOW64\Daifcmfa.dll	Oendhdjq.exe
File opened for modification	C:\Windows\SysWOW64\Ndbeledn.exe	Mbdipjej.exe
File opened for modification	C:\Windows\SysWOW64\Nejkmdnf.exe	Nomcen32.exe
File created	C:\Windows\SysWOW64\Ccbahp32.dll	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Mkjqcp32.exe	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
File created	C:\Windows\SysWOW64\Lbcojfeb.dll	Nnmfkkhl.exe
File created	C:\Windows\SysWOW64\Ogmado32.exe	Oendhdjq.exe
File created	C:\Windows\SysWOW64\Nomcen32.exe	Nnmfkkhl.exe
File opened for modification	C:\Windows\SysWOW64\Nkccjo32.exe	Nejkmdnf.exe
File created	C:\Windows\SysWOW64\Lfbpem32.dll	Nkfpon32.exe
File opened for modification	C:\Windows\SysWOW64\Nelhbdlc.exe	Nbnlfimp.exe
File opened for modification	C:\Windows\SysWOW64\Nndlkj32.exe	Nkfpon32.exe
File created	C:\Windows\SysWOW64\Nkccjo32.exe	Nejkmdnf.exe
File created	C:\Windows\SysWOW64\Hbfqcq32.dll	Nkccjo32.exe
File created	C:\Windows\SysWOW64\Ngjdopkg.exe	Nelhbdlc.exe
File created	C:\Windows\SysWOW64\Minigl32.dll	Nelhbdlc.exe
File created	C:\Windows\SysWOW64\Pmkcjf32.dll	Obphlhkm.exe
File created	C:\Windows\SysWOW64\Ogmpmqak.dll	Mkjqcp32.exe
File created	C:\Windows\SysWOW64\Nnmfkkhl.exe	Nkojooih.exe
File opened for modification	C:\Windows\SysWOW64\Nbnlfimp.exe	Nkccjo32.exe
File created	C:\Windows\SysWOW64\Bpghfp32.dll	Nndlkj32.exe
File created	C:\Windows\SysWOW64\Mbdipjej.exe	Mkjqcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnkiek32.exe	Ndbeledn.exe
File opened for modification	C:\Windows\SysWOW64\Nomcen32.exe	Nnmfkkhl.exe
File opened for modification	C:\Windows\SysWOW64\Nkfpon32.exe	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Nejkmdnf.exe	Nomcen32.exe
File created	C:\Windows\SysWOW64\Midmcack.dll	Nomcen32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
428	3080	WerFault.exe	104

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkbfgoc.dll"	Mbdipjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbahp32.dll"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngjdopkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkccjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpbobidb.dll"	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khbmbp32.dll"	Nbnlfimp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minigl32.dll"	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbcojfeb.dll"	Nnmfkkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nomcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nelhbdlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nndlkj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifcmfa.dll"	Oendhdjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkcjf32.dll"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkccjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oendhdjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbdipjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmnkm32.dll"	Ndbeledn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikkoh32.dll"	Nejkmdnf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbeledn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nndlkj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkjqcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbdipjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkojooih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmfkkhl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nomcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nejkmdnf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfbpem32.dll"	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknhgocb.dll"	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holjqf32.dll"	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midmcack.dll"	Nomcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfqcq32.dll"	Nkccjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbnlfimp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkfpon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmpmqak.dll"	Mkjqcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkojooih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbeledn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkjqcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmfkkhl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpghfp32.dll"	Nndlkj32.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1512	1752	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe	86
PID 1752 wrote to memory of 1512	1752	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe	86
PID 1752 wrote to memory of 1512	1752	718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe	86
PID 1512 wrote to memory of 4716	1512	Mkjqcp32.exe	87
PID 1512 wrote to memory of 4716	1512	Mkjqcp32.exe	87
PID 1512 wrote to memory of 4716	1512	Mkjqcp32.exe	87
PID 4716 wrote to memory of 3508	4716	Mbdipjej.exe	88
PID 4716 wrote to memory of 3508	4716	Mbdipjej.exe	88
PID 4716 wrote to memory of 3508	4716	Mbdipjej.exe	88
PID 3508 wrote to memory of 4620	3508	Ndbeledn.exe	89
PID 3508 wrote to memory of 4620	3508	Ndbeledn.exe	89
PID 3508 wrote to memory of 4620	3508	Ndbeledn.exe	89
PID 4620 wrote to memory of 3868	4620	Nnkiek32.exe	91
PID 4620 wrote to memory of 3868	4620	Nnkiek32.exe	91
PID 4620 wrote to memory of 3868	4620	Nnkiek32.exe	91
PID 3868 wrote to memory of 1888	3868	Nkojooih.exe	92
PID 3868 wrote to memory of 1888	3868	Nkojooih.exe	92
PID 3868 wrote to memory of 1888	3868	Nkojooih.exe	92
PID 1888 wrote to memory of 4396	1888	Nnmfkkhl.exe	93
PID 1888 wrote to memory of 4396	1888	Nnmfkkhl.exe	93
PID 1888 wrote to memory of 4396	1888	Nnmfkkhl.exe	93
PID 4396 wrote to memory of 2712	4396	Nomcen32.exe	94
PID 4396 wrote to memory of 2712	4396	Nomcen32.exe	94
PID 4396 wrote to memory of 2712	4396	Nomcen32.exe	94
PID 2712 wrote to memory of 1344	2712	Nejkmdnf.exe	95
PID 2712 wrote to memory of 1344	2712	Nejkmdnf.exe	95
PID 2712 wrote to memory of 1344	2712	Nejkmdnf.exe	95
PID 1344 wrote to memory of 4492	1344	Nkccjo32.exe	96
PID 1344 wrote to memory of 4492	1344	Nkccjo32.exe	96
PID 1344 wrote to memory of 4492	1344	Nkccjo32.exe	96
PID 4492 wrote to memory of 4508	4492	Nbnlfimp.exe	97
PID 4492 wrote to memory of 4508	4492	Nbnlfimp.exe	97
PID 4492 wrote to memory of 4508	4492	Nbnlfimp.exe	97
PID 4508 wrote to memory of 4480	4508	Nelhbdlc.exe	98
PID 4508 wrote to memory of 4480	4508	Nelhbdlc.exe	98
PID 4508 wrote to memory of 4480	4508	Nelhbdlc.exe	98
PID 4480 wrote to memory of 8	4480	Ngjdopkg.exe	100
PID 4480 wrote to memory of 8	4480	Ngjdopkg.exe	100
PID 4480 wrote to memory of 8	4480	Ngjdopkg.exe	100
PID 8 wrote to memory of 1312	8	Nkfpon32.exe	101
PID 8 wrote to memory of 1312	8	Nkfpon32.exe	101
PID 8 wrote to memory of 1312	8	Nkfpon32.exe	101
PID 1312 wrote to memory of 4136	1312	Nndlkj32.exe	102
PID 1312 wrote to memory of 4136	1312	Nndlkj32.exe	102
PID 1312 wrote to memory of 4136	1312	Nndlkj32.exe	102
PID 4136 wrote to memory of 3912	4136	Obphlhkm.exe	103
PID 4136 wrote to memory of 3912	4136	Obphlhkm.exe	103
PID 4136 wrote to memory of 3912	4136	Obphlhkm.exe	103
PID 3912 wrote to memory of 3080	3912	Oendhdjq.exe	104
PID 3912 wrote to memory of 3080	3912	Oendhdjq.exe	104
PID 3912 wrote to memory of 3080	3912	Oendhdjq.exe	104

C:\Users\Admin\AppData\Local\Temp\718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe
"C:\Users\Admin\AppData\Local\Temp\718d3ecebce19ba465c63a277ddc7821bf6f5583840f7bbb8ad00133be878507.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\Mkjqcp32.exe
  C:\Windows\system32\Mkjqcp32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\Mbdipjej.exe
    C:\Windows\system32\Mbdipjej.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\SysWOW64\Ndbeledn.exe
      C:\Windows\system32\Ndbeledn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3508
    - - C:\Windows\SysWOW64\Nnkiek32.exe
        
        C:\Windows\system32\Nnkiek32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\SysWOW64\Nkojooih.exe
        
        C:\Windows\system32\Nkojooih.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
        
        C:\Windows\SysWOW64\Nnmfkkhl.exe
        
        C:\Windows\system32\Nnmfkkhl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Nomcen32.exe
        
        C:\Windows\system32\Nomcen32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Nejkmdnf.exe
        
        C:\Windows\system32\Nejkmdnf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\SysWOW64\Nkccjo32.exe
        
        C:\Windows\system32\Nkccjo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Windows\SysWOW64\Nbnlfimp.exe
        
        C:\Windows\system32\Nbnlfimp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Windows\SysWOW64\Nelhbdlc.exe
        
        C:\Windows\system32\Nelhbdlc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Ngjdopkg.exe
        
        C:\Windows\system32\Ngjdopkg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\SysWOW64\Nkfpon32.exe
        
        C:\Windows\system32\Nkfpon32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Nndlkj32.exe
        
        C:\Windows\system32\Nndlkj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\Obphlhkm.exe
        
        C:\Windows\system32\Obphlhkm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Oendhdjq.exe
        
        C:\Windows\system32\Oendhdjq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\Ogmado32.exe
        
        C:\Windows\system32\Ogmado32.exe
        18⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 400
        19⤵
        Program crash
        
        PID:428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3080 -ip 3080
1⤵
PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mbdipjej.exe

Filesize
320KB

MD5
6c8680b1c8fefb601623c936204a75f6

SHA1
26029b0a71e13602af4685402833f05d7741a3ce

SHA256
7e04a85b57890e2e442a3ae33eaedd019a43bee6947b74c1b86be51edf5b51b4

SHA512
eb5b1d96ef2b15b7f00cf7a85a4eb086157ba867bf739c0fffa29469d95fa0ff03b8d62bb679ae8d4b7c505d7e2b7a87df7cbf7925fb338eeaaba69eb306185c

Download Submit
C:\Windows\SysWOW64\Mkjqcp32.exe

Filesize
320KB

MD5
1f48e3ad919ccf9a8392de57cc2f3353

SHA1
d4b2bbf60c3c9a29a4d9ee56a313976bc7c15ece

SHA256
0286a0b2c56020a5017f2f1e874cf60d4226c9fc1e011b2a1fb4e883efb8dd82

SHA512
a5eae9d97e779c54bc5798dc512d26b5e450c4a5fac600afa8216189dc8d29cc6d4372df782d232946aea113aaa742f12a6d2ad65d06a33d18ad212d51159214

Download Submit
C:\Windows\SysWOW64\Nbnlfimp.exe

Filesize
320KB

MD5
8bf639f7ba7b1402272fb150f19dba4f

SHA1
6cd8d6a7cf5db6519e6e2d998b2a7edc3223e46a

SHA256
3a7e4a98d471d8bf8dfc1ee085ecc274ac61817337beb46d70d7196b39a3ba14

SHA512
1e60e8c363a0eafa928a1ba76faf23f866d2db0dc4b6e773d9f36d6d8b36d37058e1deac3a5fb63ee2ee59ffbee18d60c4df9f78f3059d848ccb4d71d5a5e9ef

Download Submit
C:\Windows\SysWOW64\Ndbeledn.exe

Filesize
320KB

MD5
d7a795d39d640b890579f5afd8818f3d

SHA1
6f7f4ff7710bdd6727cc7d9b0bab1356dcace781

SHA256
02334d4f902e8ad2bf9c4189a22f79d0f26299ae325705842fe0fbf5bc345cf6

SHA512
225cb2de1a7f45443529466fc1dd107c452350c6c73d11481524bd2ea0e5dd0d1c5ed5659ee9bc407bef621aa788c069e9c574fcbbd193365596acd3143026d4

Download Submit
C:\Windows\SysWOW64\Nejkmdnf.exe

Filesize
320KB

MD5
dfff7c65351237d53235d34512ea8293

SHA1
fe5c635f07e3b2567a9d3cd6096160766e34196b

SHA256
b5c2c75c2a3f42087f507ed413172b8ba45d3408bfed3d07da5c09d99ccad538

SHA512
c2701a91881c79dd2b5c8c698d387d5bcc29a5b546ea1cd61ffad5071eae02f73a9e90a5d45276e70d2807ea611eb54862145b1a1885138b21d0fa0f9b856cbb

Download Submit
C:\Windows\SysWOW64\Nelhbdlc.exe

Filesize
320KB

MD5
b5d8e6977af7077a690ffe82b8912ca6

SHA1
01f24692cf4e6b122b00894228f2fb4e911359c6

SHA256
b15abc0cb15fc042f72793ebe2835b13ebb62cf14db8e54908e7b4767b66344f

SHA512
213b28c762d632d7d95182db2c569c5d573450b77dc0e98413ac2dad3d9aeba65cc1be54fd7601fd07b5ba937fb4cb138405f01a9ba2a73fdd7dad32f70ac3ce

Download Submit
C:\Windows\SysWOW64\Ngjdopkg.exe

Filesize
320KB

MD5
6db0d24acfd84b6848bba050e8aa28a4

SHA1
6fe8a7e26fa928a20ad43c16f72b7aa1089d419d

SHA256
54aa07c40051b4d0cd6fb847f1fb27d70d0d641b4f13904cb61da727fd8fdb4a

SHA512
4a2b89d0ad3e5ca3bba5057ae432bf42100b62b3505e7c4cb2bb7d949d3b14e7a551d57c5cdbe241cfdbd923c20ef1c78a6e5a765204915eec54dfe04cb0fbf9

Download Submit
C:\Windows\SysWOW64\Nkccjo32.exe

Filesize
320KB

MD5
be0530f5a2cf1f311a99066f350cc19a

SHA1
5cd7786d1d5a75ea546eb6b5df97b104386d626f

SHA256
f637cac702ca619215575188687cd765667357084755edef398860487fc05699

SHA512
87445dff429f7d510142ab7c5472a60a526634130227594cccd1db6e3c648de5a20334d21523faee5d57abb657cbf447057009b2db6981d6bad51e0fb7149769

Download Submit
C:\Windows\SysWOW64\Nkfpon32.exe

Filesize
320KB

MD5
c83413365f57c9e20e560e2a0fb11730

SHA1
f9b7ec4306559ffe79f596f906cc2d192fba7b66

SHA256
c6767b7526203f2f68e56589ba3aa518d05e4b83615e84751ede04a7f80f24b3

SHA512
316486ef5de5d92864196c4c8b9945aae89df355f59a57ddc3bfc999a4387df4dc72dfc63a134892da24607983fba60dcac2d74f26e4fb450f09ccc35570fb34

Download Submit
C:\Windows\SysWOW64\Nkojooih.exe

Filesize
320KB

MD5
a5b825869a600737fa767ed3cbbed8ab

SHA1
dcdcdb32f40504ec55288d3a061c0bf9584612a9

SHA256
9b8d85c32ab84555941727795d962c73fb069338b952d887f0f829aa5c8dad91

SHA512
fd249395614f062dc689a98b26d3e67f518be82338179c36357ca33fe036cb2ea48b56cf783b7658330f33c338917a9de3d8d8ca07604937e5305fed1c1a5586

Download Submit
C:\Windows\SysWOW64\Nndlkj32.exe

Filesize
320KB

MD5
52e4b6878c7985e9fa80936e46adf773

SHA1
d2f2f7166d9e6adac2643726f8ecdb0ee34ae1fc

SHA256
47d26e4f8ec9cf63f7226c3acaeb5ed6c3916cde0d19be08442d1f6ab4d74a4f

SHA512
f77afaf4897d121fe076f8a19d191fe7cd3d285e8672cadce8771db0451e33c54f4b957612a81e2a224e5754c5b15901d448399b9625e1c030e3c2f975cfbdbb

Download Submit
C:\Windows\SysWOW64\Nnkiek32.exe

Filesize
320KB

MD5
6f5c59dfd3b783cda953faabe6463958

SHA1
fb0c94e2e1f2667ea15d1dee8ab173a5d7a27ec0

SHA256
2aff479eae730d6cae189b822a555b7e44223508b103a049099ee546370782cf

SHA512
746bde144c3ce225cabcf14aded61bf1994ac243913f1bc0fee1474676643ac891605abd88a03d882c351e3fa998579571934c959a2b73765dd2c73e33a5ddac

Download Submit
C:\Windows\SysWOW64\Nnmfkkhl.exe

Filesize
320KB

MD5
a99f728a22e87dfb50db5bbcf2075fdd

SHA1
03d98c94579112e4e1428eff22f3568e9c00e19c

SHA256
ee4fa49396751f3086c6d8bc7b0030afbb4fb920139b720c34e48be2b0e7a653

SHA512
d24ca18acce3be77e1aa511bc5a9848a38d279c2958636be7855003196c248f79b597a2d8f01ef4faefcaf28e00f75654cde0ecd7c23532a482d02d046cad74e

Download Submit
C:\Windows\SysWOW64\Nomcen32.exe

Filesize
320KB

MD5
19d78252020d65077a8e18af0f48c771

SHA1
b982158345511e23832b976f4b43ce97e79a37f9

SHA256
932b05de293edd720b04a82c91899d588448e98a41db410ab4d6e43bb01ad3a3

SHA512
4b438faf265f2f7fa61f40b4783041cd580ad2f146459523ecd72a0418ef16af3d8a842c2e2274f59ed999b4f162a73bbb42252fc32c6bac92def0f3b8158a25

Download Submit
C:\Windows\SysWOW64\Obphlhkm.exe

Filesize
320KB

MD5
c67b395a1c1e205056b446841f642f15

SHA1
3c8861f4167eb30a81e313aa30bbe95657a6e7fd

SHA256
e3cdc0b9d33229dbc1b430cb1dba794ca59ebb90b3e1af831d4ced87ee41dabb

SHA512
82783aa606cf99cc640495c4c0181b53bcc84e79600ef43d61610e38d08c85d131a5750a14c72c4ed862e32165f99bc366726319580d3e47cc6956edd516fdab

Download Submit
C:\Windows\SysWOW64\Oendhdjq.exe

Filesize
320KB

MD5
ae41b294fe8a96134f78a2694c26bed2

SHA1
b17762845579b43997176e0593c2081945fc1147

SHA256
d11956698cb33e449951a91f21e6acd93215df1170be90e48daacfe29ae8b2c7

SHA512
a4c63c7eae8ab2bb64f595ea0a793a0de0c1cbbedac3d54cf58eeb2f260f53f48952b2b89332a35f0738ceb1090dce529eb622a59bd33917ac3f373d8c1077d6

Download Submit
C:\Windows\SysWOW64\Ogmado32.exe

Filesize
320KB

MD5
76dfc4568eef56c441de8e71cd21db1c

SHA1
531edc6789ca9aba03f55200e5016aa4b59b15a4

SHA256
deafeef2028db0203c04e8b9052d56e56869eb94aa5e5e6beee89c69da2a169b

SHA512
78c7d1fec77501d7ec47e2f51eceffedfd771ebf9a8aeb54adc1ed389435a7fa362f615606dcc8c15d71ef7a8362234e963eebb5697df72bf096453ece6fa3bb

Download Submit
memory/8-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/8-139-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-138-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-117-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1344-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-150-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1752-6-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1888-146-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3080-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3508-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3868-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3868-147-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3912-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4136-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4396-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4396-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4480-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4480-140-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-142-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4492-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4508-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4620-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4716-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads