e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Size

143KB
MD5

3e7b6f1ae55f10597795b8914c257ca0
SHA1

d4f15379bbbac8b70d870c518007d87f0adafc73
SHA256

e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c
SHA512

cc08a02b0d318e479aad39429455dfb02a647335e21919fcb2e044b1a4b56bbe035e4f84a820b86141ba916c48b129a29fea0f9bf391dcca6271b71db93a1811
SSDEEP

1536:jKxl9ygajUyTu9Qa7Ctk7hcTa42Dd9NUQ5ziJE93isirBUBEVGBtVM2hZV03fcaw:jiEU4uctA2TiDdD3N93bsGfhv0vt3y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqgilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkmmip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngjdopkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcnnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nojfon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnbpfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnbpfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqqlbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndebbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqnomfem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nghgipmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndebbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnpcpjfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqgilg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhnamd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkmmip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhnamd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nojfon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqqlbe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noalpmli.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkagdoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkagdoge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngjdopkg.exe

Executes dropped EXE 19 IoCs

pid	Process
4436	Nqgilg32.exe
1152	Nhnamd32.exe
4580	Nkmmip32.exe
2772	Nnkiek32.exe
3800	Ndebbe32.exe
5052	Ngcnnq32.exe
5084	Nojfon32.exe
4556	Nqlbgfhp.exe
1060	Nicjhchb.exe
5008	Nkagdoge.exe
116	Nnpcpjfi.exe
4512	Nqnomfem.exe
1724	Nghgipmj.exe
2404	Nnbpfj32.exe
4680	Nqqlbe32.exe
1656	Ngjdopkg.exe
940	Noalpmli.exe
3064	Obphlhkm.exe
5064	Ogmado32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nnkiek32.exe	Nkmmip32.exe
File created	C:\Windows\SysWOW64\Ddmnkm32.dll	Nkmmip32.exe
File created	C:\Windows\SysWOW64\Gopebnpd.dll	Nnpcpjfi.exe
File created	C:\Windows\SysWOW64\Jmfijb32.dll	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Nqgilg32.exe	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
File opened for modification	C:\Windows\SysWOW64\Nhnamd32.exe	Nqgilg32.exe
File created	C:\Windows\SysWOW64\Haaapbja.dll	Ndebbe32.exe
File created	C:\Windows\SysWOW64\Fbepgcne.dll	Nicjhchb.exe
File created	C:\Windows\SysWOW64\Noggbepn.dll	Nnbpfj32.exe
File opened for modification	C:\Windows\SysWOW64\Noalpmli.exe	Ngjdopkg.exe
File created	C:\Windows\SysWOW64\Ogmado32.exe	Obphlhkm.exe
File created	C:\Windows\SysWOW64\Ojdemnjo.dll	Nqgilg32.exe
File created	C:\Windows\SysWOW64\Nqlbgfhp.exe	Nojfon32.exe
File opened for modification	C:\Windows\SysWOW64\Nqnomfem.exe	Nnpcpjfi.exe
File opened for modification	C:\Windows\SysWOW64\Ndebbe32.exe	Nnkiek32.exe
File created	C:\Windows\SysWOW64\Nojfon32.exe	Ngcnnq32.exe
File created	C:\Windows\SysWOW64\Balakchb.dll	Ngcnnq32.exe
File created	C:\Windows\SysWOW64\Nlofepqg.dll	Nkagdoge.exe
File created	C:\Windows\SysWOW64\Minigl32.dll	Nqqlbe32.exe
File created	C:\Windows\SysWOW64\Pnabddke.dll	Nnkiek32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcnnq32.exe	Ndebbe32.exe
File created	C:\Windows\SysWOW64\Nqnomfem.exe	Nnpcpjfi.exe
File created	C:\Windows\SysWOW64\Lcmbkd32.dll	Nqnomfem.exe
File created	C:\Windows\SysWOW64\Nhnamd32.exe	Nqgilg32.exe
File opened for modification	C:\Windows\SysWOW64\Nnpcpjfi.exe	Nkagdoge.exe
File opened for modification	C:\Windows\SysWOW64\Nnkiek32.exe	Nkmmip32.exe
File created	C:\Windows\SysWOW64\Nghgipmj.exe	Nqnomfem.exe
File opened for modification	C:\Windows\SysWOW64\Obphlhkm.exe	Noalpmli.exe
File created	C:\Windows\SysWOW64\Ddmibc32.dll	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
File created	C:\Windows\SysWOW64\Nkmmip32.exe	Nhnamd32.exe
File created	C:\Windows\SysWOW64\Aopalm32.dll	Nhnamd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqlbgfhp.exe	Nojfon32.exe
File created	C:\Windows\SysWOW64\Cmhdhd32.dll	Nqlbgfhp.exe
File created	C:\Windows\SysWOW64\Pminhodj.dll	Nghgipmj.exe
File created	C:\Windows\SysWOW64\Ngjdopkg.exe	Nqqlbe32.exe
File created	C:\Windows\SysWOW64\Nnpcpjfi.exe	Nkagdoge.exe
File opened for modification	C:\Windows\SysWOW64\Nqqlbe32.exe	Nnbpfj32.exe
File created	C:\Windows\SysWOW64\Ngcnnq32.exe	Ndebbe32.exe
File opened for modification	C:\Windows\SysWOW64\Nqgilg32.exe	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
File created	C:\Windows\SysWOW64\Ndebbe32.exe	Nnkiek32.exe
File created	C:\Windows\SysWOW64\Lbjljm32.dll	Nojfon32.exe
File opened for modification	C:\Windows\SysWOW64\Nnbpfj32.exe	Nghgipmj.exe
File created	C:\Windows\SysWOW64\Noalpmli.exe	Ngjdopkg.exe
File opened for modification	C:\Windows\SysWOW64\Ogmado32.exe	Obphlhkm.exe
File created	C:\Windows\SysWOW64\Daifcmfa.dll	Obphlhkm.exe
File opened for modification	C:\Windows\SysWOW64\Nkmmip32.exe	Nhnamd32.exe
File opened for modification	C:\Windows\SysWOW64\Nojfon32.exe	Ngcnnq32.exe
File created	C:\Windows\SysWOW64\Nicjhchb.exe	Nqlbgfhp.exe
File opened for modification	C:\Windows\SysWOW64\Nicjhchb.exe	Nqlbgfhp.exe
File created	C:\Windows\SysWOW64\Nkagdoge.exe	Nicjhchb.exe
File opened for modification	C:\Windows\SysWOW64\Nkagdoge.exe	Nicjhchb.exe
File opened for modification	C:\Windows\SysWOW64\Nghgipmj.exe	Nqnomfem.exe
File created	C:\Windows\SysWOW64\Nqqlbe32.exe	Nnbpfj32.exe
File opened for modification	C:\Windows\SysWOW64\Ngjdopkg.exe	Nqqlbe32.exe
File created	C:\Windows\SysWOW64\Bpghfp32.dll	Noalpmli.exe
File created	C:\Windows\SysWOW64\Obphlhkm.exe	Noalpmli.exe
File created	C:\Windows\SysWOW64\Nnbpfj32.exe	Nghgipmj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3736	5064	WerFault.exe	105

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmibc32.dll"	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Minigl32.dll"	Nqqlbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqnomfem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqqlbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkmmip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcnnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nicjhchb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndebbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balakchb.dll"	Ngcnnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nojfon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcmbkd32.dll"	Nqnomfem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqqlbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnabddke.dll"	Nnkiek32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlofepqg.dll"	Nkagdoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifcmfa.dll"	Obphlhkm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqgilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojdemnjo.dll"	Nqgilg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pminhodj.dll"	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnbpfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhnamd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkmmip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnkiek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndebbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gopebnpd.dll"	Nnpcpjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnpcpjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnbpfj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcnnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nojfon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhnamd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpghfp32.dll"	Noalpmli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopalm32.dll"	Nhnamd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhdhd32.dll"	Nqlbgfhp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkagdoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noggbepn.dll"	Nnbpfj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqgilg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Haaapbja.dll"	Ndebbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqlbgfhp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbepgcne.dll"	Nicjhchb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nghgipmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjljm32.dll"	Nojfon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkagdoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfijb32.dll"	Ngjdopkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Noalpmli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obphlhkm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddmnkm32.dll"	Nkmmip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noalpmli.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 4436	4900	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe	86
PID 4900 wrote to memory of 4436	4900	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe	86
PID 4900 wrote to memory of 4436	4900	e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe	86
PID 4436 wrote to memory of 1152	4436	Nqgilg32.exe	87
PID 4436 wrote to memory of 1152	4436	Nqgilg32.exe	87
PID 4436 wrote to memory of 1152	4436	Nqgilg32.exe	87
PID 1152 wrote to memory of 4580	1152	Nhnamd32.exe	88
PID 1152 wrote to memory of 4580	1152	Nhnamd32.exe	88
PID 1152 wrote to memory of 4580	1152	Nhnamd32.exe	88
PID 4580 wrote to memory of 2772	4580	Nkmmip32.exe	89
PID 4580 wrote to memory of 2772	4580	Nkmmip32.exe	89
PID 4580 wrote to memory of 2772	4580	Nkmmip32.exe	89
PID 2772 wrote to memory of 3800	2772	Nnkiek32.exe	90
PID 2772 wrote to memory of 3800	2772	Nnkiek32.exe	90
PID 2772 wrote to memory of 3800	2772	Nnkiek32.exe	90
PID 3800 wrote to memory of 5052	3800	Ndebbe32.exe	91
PID 3800 wrote to memory of 5052	3800	Ndebbe32.exe	91
PID 3800 wrote to memory of 5052	3800	Ndebbe32.exe	91
PID 5052 wrote to memory of 5084	5052	Ngcnnq32.exe	92
PID 5052 wrote to memory of 5084	5052	Ngcnnq32.exe	92
PID 5052 wrote to memory of 5084	5052	Ngcnnq32.exe	92
PID 5084 wrote to memory of 4556	5084	Nojfon32.exe	93
PID 5084 wrote to memory of 4556	5084	Nojfon32.exe	93
PID 5084 wrote to memory of 4556	5084	Nojfon32.exe	93
PID 4556 wrote to memory of 1060	4556	Nqlbgfhp.exe	94
PID 4556 wrote to memory of 1060	4556	Nqlbgfhp.exe	94
PID 4556 wrote to memory of 1060	4556	Nqlbgfhp.exe	94
PID 1060 wrote to memory of 5008	1060	Nicjhchb.exe	95
PID 1060 wrote to memory of 5008	1060	Nicjhchb.exe	95
PID 1060 wrote to memory of 5008	1060	Nicjhchb.exe	95
PID 5008 wrote to memory of 116	5008	Nkagdoge.exe	96
PID 5008 wrote to memory of 116	5008	Nkagdoge.exe	96
PID 5008 wrote to memory of 116	5008	Nkagdoge.exe	96
PID 116 wrote to memory of 4512	116	Nnpcpjfi.exe	97
PID 116 wrote to memory of 4512	116	Nnpcpjfi.exe	97
PID 116 wrote to memory of 4512	116	Nnpcpjfi.exe	97
PID 4512 wrote to memory of 1724	4512	Nqnomfem.exe	98
PID 4512 wrote to memory of 1724	4512	Nqnomfem.exe	98
PID 4512 wrote to memory of 1724	4512	Nqnomfem.exe	98
PID 1724 wrote to memory of 2404	1724	Nghgipmj.exe	99
PID 1724 wrote to memory of 2404	1724	Nghgipmj.exe	99
PID 1724 wrote to memory of 2404	1724	Nghgipmj.exe	99
PID 2404 wrote to memory of 4680	2404	Nnbpfj32.exe	100
PID 2404 wrote to memory of 4680	2404	Nnbpfj32.exe	100
PID 2404 wrote to memory of 4680	2404	Nnbpfj32.exe	100
PID 4680 wrote to memory of 1656	4680	Nqqlbe32.exe	101
PID 4680 wrote to memory of 1656	4680	Nqqlbe32.exe	101
PID 4680 wrote to memory of 1656	4680	Nqqlbe32.exe	101
PID 1656 wrote to memory of 940	1656	Ngjdopkg.exe	102
PID 1656 wrote to memory of 940	1656	Ngjdopkg.exe	102
PID 1656 wrote to memory of 940	1656	Ngjdopkg.exe	102
PID 940 wrote to memory of 3064	940	Noalpmli.exe	103
PID 940 wrote to memory of 3064	940	Noalpmli.exe	103
PID 940 wrote to memory of 3064	940	Noalpmli.exe	103
PID 3064 wrote to memory of 5064	3064	Obphlhkm.exe	105
PID 3064 wrote to memory of 5064	3064	Obphlhkm.exe	105
PID 3064 wrote to memory of 5064	3064	Obphlhkm.exe	105

C:\Users\Admin\AppData\Local\Temp\e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe
"C:\Users\Admin\AppData\Local\Temp\e6c0b688c0e1ad243e9f909032440d9d3f07ec128af36fe5ec1fc6a2ec3bfb0c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Windows\SysWOW64\Nqgilg32.exe
  C:\Windows\system32\Nqgilg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Windows\SysWOW64\Nhnamd32.exe
    C:\Windows\system32\Nhnamd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\SysWOW64\Nkmmip32.exe
      C:\Windows\system32\Nkmmip32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\Nnkiek32.exe
        
        C:\Windows\system32\Nnkiek32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Ndebbe32.exe
        
        C:\Windows\system32\Ndebbe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\SysWOW64\Ngcnnq32.exe
        
        C:\Windows\system32\Ngcnnq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Nojfon32.exe
        
        C:\Windows\system32\Nojfon32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Nqlbgfhp.exe
        
        C:\Windows\system32\Nqlbgfhp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Nicjhchb.exe
        
        C:\Windows\system32\Nicjhchb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Nkagdoge.exe
        
        C:\Windows\system32\Nkagdoge.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Nnpcpjfi.exe
        
        C:\Windows\system32\Nnpcpjfi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Nqnomfem.exe
        
        C:\Windows\system32\Nqnomfem.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Nghgipmj.exe
        
        C:\Windows\system32\Nghgipmj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Nnbpfj32.exe
        
        C:\Windows\system32\Nnbpfj32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\Nqqlbe32.exe
        
        C:\Windows\system32\Nqqlbe32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Ngjdopkg.exe
        
        C:\Windows\system32\Ngjdopkg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Noalpmli.exe
        
        C:\Windows\system32\Noalpmli.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Obphlhkm.exe
        
        C:\Windows\system32\Obphlhkm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ogmado32.exe
        
        C:\Windows\system32\Ogmado32.exe
        20⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 400
        21⤵
        Program crash
        
        PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5064 -ip 5064
1⤵
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ndebbe32.exe

Filesize
143KB

MD5
b2f6688b1776a0d39462256124c25f0b

SHA1
81933f42861b6bdd0d927e0b7d039d18d36036a7

SHA256
3589688bfd56b127ed0e655fb69f9f13a0e34420034997389958069f666cdf44

SHA512
1a495b5d0e84b4ce7c6aebebb64e7e62011dba2746f543ca29d7ae05077fe78c92e770b7414f811514553a224ec99a90cd60c0f472f2535e475b168de186dbf6

Download Submit
C:\Windows\SysWOW64\Ngcnnq32.exe

Filesize
143KB

MD5
4b29e8e02cb206b96638b80960aab144

SHA1
64b34d8f8bbfa5eb2291c88eb637554ea142c5bc

SHA256
2aef69083412111f842a3b688d8b7b44038a0477262d5e34a602f8f084474fae

SHA512
647d9935c6d7015d5c91f82316a4bc86e7c6d482114a6926661989c024e2607371e44d7c91837c3366bd202748337bbd3de166c3cc541c8e973ae64d7efbcf86

Download Submit
C:\Windows\SysWOW64\Nghgipmj.exe

Filesize
143KB

MD5
5301aad191b99b090370b132b5aca288

SHA1
bf0110c1ab2d0adb657f9f5fe0805925f03ba12c

SHA256
7dfd128e4927599858a1c13c812ff6730fe60e4875e2ebec9629eb4faec36dbb

SHA512
8853388a34439279135ad62de4cfa43e5960cf1bed63445fb2373d5cac2cdf7345fb52283320f117aa80ab357dd8c9dc0dc980f47b06f563f6eeab0b76db1a4a

Download Submit
C:\Windows\SysWOW64\Ngjdopkg.exe

Filesize
143KB

MD5
c6fdd5be0fc1d16134985c537217d781

SHA1
ba813a93336155cbc33b39e471127dc23c9f1c46

SHA256
ef5926df55c4f1170edca0a25d4409fa34a52b83bf5ac1e479dd06a859bf2649

SHA512
5eedccd8590338c0f71442aa651c37fd44285930ee38929abd9f1146d977d0f644ac35abfcbee40cc53e48722706216fac6e2fb5c09ccd2503d654bbcd3dbb8e

Download Submit
C:\Windows\SysWOW64\Nhnamd32.exe

Filesize
143KB

MD5
2469a5c5896ad4785918e47716d72ef5

SHA1
9376a8d09261591a67aea3630a5a723c3d4d9108

SHA256
9dbd7f385c293c8a1fef500df315469c3631b24501dc243ffea332f77fbaffe3

SHA512
0255a5bf5791f45a7808eac7d7e3286f81d72ebafcca73a21d486815f920abd4c56a92c75f7bcd9ec40e689da4c0087eca853cf25b97b87f1867d5b7cfa5a132

Download Submit
C:\Windows\SysWOW64\Nicjhchb.exe

Filesize
143KB

MD5
4c13506bdbe4493b301b02d64e0720dc

SHA1
1b2b2bd4f2461e7ca5dd0e4e82b40e2d7fd65cbb

SHA256
060aead2051c102ecce0e00080ed848bea0f29ad4345d875e19dac7e22951292

SHA512
109a9713a37d9d57c65e46283476fe2611b625d2227a9fa27305a6041d7ec8339131c44d7fcee44a91e82408fd850b7974a720083c9535dfe879eac7cb3aab20

Download Submit
C:\Windows\SysWOW64\Nkagdoge.exe

Filesize
143KB

MD5
8ac86aef97d6177b2b6533e55f8f682d

SHA1
a8e6c7a5a52cef125244975e90a60f482bd7be0b

SHA256
b3655fedcedbf9b5d0db461a6bbe7a830ea2d915e34bf05867d00a500e75fdaa

SHA512
d954372720a699b0c66bd4b7ec7ae95ef9cc4e47c9181a162530ce9cc2b860e5466749a8330878c1974707451131949d334b25a77450b818bee811802b4a683b

Download Submit
C:\Windows\SysWOW64\Nkmmip32.exe

Filesize
143KB

MD5
01b7c3c7d625578c224fecfb455128c8

SHA1
4fa5cb90ee244603efc617ab9d2332f15fb2f48b

SHA256
a58fd4428e12582b2211b1f37c5857d6419b2ffdfea74a14be7823d680520bed

SHA512
a44fda29957d5eb17a7fa943e48a078913b447c16a542c4ac9251be8888d20ce03865cc50a6812e6bbf2c2c005e81437c6daa89fe5610461e6379846ec6a2180

Download Submit
C:\Windows\SysWOW64\Nnbpfj32.exe

Filesize
143KB

MD5
2773528483c3088bff5e3c23a92a4576

SHA1
1c8084fc3b9208d6db3c490690722b7d9b624ffa

SHA256
ae5207a9bd1a4acd9fb4bd6030b17c8f7900917c02ea893554c2a7c21e9b4329

SHA512
51b95579cea8e34c2a4193b46b518d7e75afedd3a385ec37cd8aa17d8ab01cddb3725c81de7633f3504cf984f4e4ce0d14965735e72d52fcbcff56035d2f3913

Download Submit
C:\Windows\SysWOW64\Nnkiek32.exe

Filesize
143KB

MD5
4bf11227d21423541c629be0f59c7050

SHA1
6bdc78d54954b4bb948fec852ea63741a5a1fdf5

SHA256
36319eec8e5898e74a06c5edea07d06d4b47c633e1e2a5c8cb3362abd1b3625b

SHA512
f3eea92f2d0dca9230ff8b3e1b3bb36cc1481d04d9a1cb4066034369242909db892e2988e2bc87ff5dc66dd4ae1c99908ad34af8d815e5893425cfb4ba8d3978

Download Submit
C:\Windows\SysWOW64\Nnpcpjfi.exe

Filesize
143KB

MD5
b6560bd95afa657cf4307ae9956af483

SHA1
c33d64a01083b674cb30a8fd3f8e2cf4daad13f7

SHA256
d0c486914a380cf154c36d03fdc128760578de9511c9dbabfe39bd49fdee91d8

SHA512
cf02458e24b3436199f37ec24a4babd5be7a6a65a4d00b4d8743bebc665010fca1ce58e325cdb257c89b5fa12851f4c05f61bcb87d3e41123f3d5be3d70832d0

Download Submit
C:\Windows\SysWOW64\Noalpmli.exe

Filesize
143KB

MD5
d3a6ffa830d64befe791099245d5f3a4

SHA1
e06d7b32cbd377c74d5d4e6ba299c3fc217ed846

SHA256
1b9d9a791c3c9105041d365604e1e22338a1da89801d48d2030e78250868c4dd

SHA512
26a758330662cb9dd4985ec82c3fc23ff2a407ce23567c89875b859054d6defba52fe8383ed96568f5154bfdd087ee6d768bdc92a5b177acd0204593fbe62db9

Download Submit
C:\Windows\SysWOW64\Nojfon32.exe

Filesize
143KB

MD5
bf490af5a3f1240efc678a8ba6d65099

SHA1
53d677f16733ac6bf0833c48d1c69323e5c00452

SHA256
2650396f2f64ee76dc7a739d87025b15c6d5a4c0c25b9b2ee994fbea0206899a

SHA512
b41a6b10911ec06e1d34ed92ab861bb4e18f968c79b29e5296f4b4104c9b339c3d57f3d5cac6e403657eeb352d5c2e24974b5b021696088bf778653bc1d0a94d

Download Submit
C:\Windows\SysWOW64\Nqgilg32.exe

Filesize
143KB

MD5
9e8960f3e27fe5843cc2e74250b6cdd9

SHA1
46a7b774de809241f99b27d6acd2a2a0bc45af54

SHA256
7e0f0e999f4ef1e987c3a51c01b6865005ff4522e3e19583a7a4bfeb56f1469c

SHA512
7a9def38e7f52c28b3b19d1f06850fa32aa3fc436e62bcb47a51adc1a2266a135225b4e7dbd023ea91dbe61fbc53a8ad61de709d36f48f0e0fcc761e75c5c410

Download Submit
C:\Windows\SysWOW64\Nqlbgfhp.exe

Filesize
143KB

MD5
df6e042d2ca65c74758c14a4dd87a256

SHA1
b59242a5e68cc098478ec50eba0ca24035f292fd

SHA256
cca287a48ecf4b85d5372f3aaefa8afa46e491d71b24774f087bf9bb591eeb7b

SHA512
fe3c91f0c77f11cb908aa6f3290cbc010b673692f531e1fe1fba9d10ff3fdd3c6d821be5ca4d18bedcd7839627b2b01cfcec506a0e5103e0833f2a30fd2d4395

Download Submit
C:\Windows\SysWOW64\Nqnomfem.exe

Filesize
143KB

MD5
58a69800e24f170238937d2cba09a2dd

SHA1
55bfb40d23c4162c732fe72e8871c3175c8b9f31

SHA256
dbe41cbf5db7d0d88239b1d35c661d0b0b7885ff3a923201d1442a1dcc100f32

SHA512
62be3260cf57215eb1fd6f3827fae7bcb9781ea8d395569b849f23a9db94f036083efe3690f94500e72d47291f0bb04e6e7dbd5eacee7e12fa1818e9d7794d6c

Download Submit
C:\Windows\SysWOW64\Nqqlbe32.exe

Filesize
143KB

MD5
ea447ebb694e5c50465d6bdd293594b0

SHA1
1b08c02f4d0a45e6683af03c90857e583ef6f683

SHA256
345d1ac470e3145b6f5a8b7eddac19a60d7c48d7452d7e8a618ac80deb91ee46

SHA512
30486fc543a37d946cc6d2342a5190a78fc52dbbbe1f2234e43af8d229a6f2c325dec8d581d7a71cbda0c0a7d53f8e4fd3507712bd5ba7286a4c36166f13aee0

Download Submit
C:\Windows\SysWOW64\Obphlhkm.exe

Filesize
143KB

MD5
b87b1fb029023345908c9bb8f40e4c8c

SHA1
b884795e11896bb8c960ca05ded8f17919891743

SHA256
596ecaa41845165fcbbc445c59de8a91add4520658bb015ffbf074cf569dc74c

SHA512
fa14c803246fb47fe71fb449d2a5ae857bd6a8a386b39814aaec15ace2d2c7392e04ee9d3b78003c4c49af1219911c98d8576f68e90b77caeb91c13922ca7e64

Download Submit
C:\Windows\SysWOW64\Ogmado32.exe

Filesize
143KB

MD5
9e7693704893c995b448d78830ed9e8b

SHA1
a6f44080141c5c982a419de01c9550769f5dfd21

SHA256
3593c60468e4841caf05cc4d3446599805acbff80be593a3d5e249f0d9aa7d65

SHA512
15de3e505459feb3075ab5347e79a8558b872d20c80930afe801f80378c8ad3b251867975836325d1a80b3b82f0c4e8cb0e97480ea58137aed62ff17bb4d354f

Download Submit
memory/116-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/940-155-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1152-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2772-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3064-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3800-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4436-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-100-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-68-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-167-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4680-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4900-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5052-164-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads