508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Size

80KB
MD5

14bc3db9f09e384ea38929eb6ce92c41
SHA1

5daba025826ea6614bbb6b1bfe4ff082114e169e
SHA256

508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852
SHA512

ea37812c08d53cbd157cfe0c6ae5a10ca5bef3f0d9b40456148bac44f2b063f0ea4093d7a808f4ea89a5b8effe77155e11c739e9086d3a3a881f60e3d612ca60
SSDEEP

1536:r6utn4YaISWgL4zyxVSVSptM2Ltbvwfi+TjRC/6i:WQA+yxVSUpj9wf1TjYL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmldme32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lphhenhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmneda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llohjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kebgia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmldme32.exe

Executes dropped EXE 17 IoCs

pid	Process
2152	Kebgia32.exe
2636	Kpjhkjde.exe
2628	Kbkameaf.exe
2520	Lapnnafn.exe
2608	Lcagpl32.exe
2884	Lphhenhc.exe
1680	Llohjo32.exe
760	Mmneda32.exe
272	Meijhc32.exe
1996	Mhjbjopf.exe
1656	Mhloponc.exe
1076	Meppiblm.exe
1360	Mmldme32.exe
1788	Nplmop32.exe
2360	Ngfflj32.exe
824	Nigome32.exe
2236	Nlhgoqhh.exe

Loads dropped DLL 34 IoCs

pid	Process
2980	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
2980	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
2152	Kebgia32.exe
2152	Kebgia32.exe
2636	Kpjhkjde.exe
2636	Kpjhkjde.exe
2628	Kbkameaf.exe
2628	Kbkameaf.exe
2520	Lapnnafn.exe
2520	Lapnnafn.exe
2608	Lcagpl32.exe
2608	Lcagpl32.exe
2884	Lphhenhc.exe
2884	Lphhenhc.exe
1680	Llohjo32.exe
1680	Llohjo32.exe
760	Mmneda32.exe
760	Mmneda32.exe
272	Meijhc32.exe
272	Meijhc32.exe
1996	Mhjbjopf.exe
1996	Mhjbjopf.exe
1656	Mhloponc.exe
1656	Mhloponc.exe
1076	Meppiblm.exe
1076	Meppiblm.exe
1360	Mmldme32.exe
1360	Mmldme32.exe
1788	Nplmop32.exe
1788	Nplmop32.exe
2360	Ngfflj32.exe
2360	Ngfflj32.exe
824	Nigome32.exe
824	Nigome32.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Kebgia32.exe	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
File opened for modification	C:\Windows\SysWOW64\Lcagpl32.exe	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Gnddig32.dll	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Mhjbjopf.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Fnqkpajk.dll	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Kpjhkjde.exe	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjhkjde.exe	Kebgia32.exe
File opened for modification	C:\Windows\SysWOW64\Kbkameaf.exe	Kpjhkjde.exe
File opened for modification	C:\Windows\SysWOW64\Lapnnafn.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Meppiblm.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Olliabba.dll	Lphhenhc.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Pikhak32.dll	Kbkameaf.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Mmldme32.exe
File opened for modification	C:\Windows\SysWOW64\Llohjo32.exe	Lphhenhc.exe
File opened for modification	C:\Windows\SysWOW64\Mmneda32.exe	Llohjo32.exe
File created	C:\Windows\SysWOW64\Jhcfhi32.dll	Llohjo32.exe
File created	C:\Windows\SysWOW64\Kmikde32.dll	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
File created	C:\Windows\SysWOW64\Lphhenhc.exe	Lcagpl32.exe
File opened for modification	C:\Windows\SysWOW64\Lphhenhc.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Mmldme32.exe
File created	C:\Windows\SysWOW64\Kebgia32.exe	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
File created	C:\Windows\SysWOW64\Daifmohp.dll	Mmneda32.exe
File opened for modification	C:\Windows\SysWOW64\Mhjbjopf.exe	Meijhc32.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	Lapnnafn.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Mhloponc.exe	Mhjbjopf.exe
File opened for modification	C:\Windows\SysWOW64\Meppiblm.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Cgmgbeon.dll	Meppiblm.exe
File created	C:\Windows\SysWOW64\Ancjqghh.dll	Kebgia32.exe
File created	C:\Windows\SysWOW64\Llohjo32.exe	Lphhenhc.exe
File created	C:\Windows\SysWOW64\Mmldme32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Kbkameaf.exe	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Hoaebk32.dll	Kpjhkjde.exe
File opened for modification	C:\Windows\SysWOW64\Mmldme32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nigome32.exe
File created	C:\Windows\SysWOW64\Meijhc32.exe	Mmneda32.exe
File created	C:\Windows\SysWOW64\Imbiaa32.dll	Meijhc32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Mmneda32.exe	Llohjo32.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Mhjbjopf.exe
File opened for modification	C:\Windows\SysWOW64\Meijhc32.exe	Mmneda32.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Mmldme32.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Nplmop32.exe
File created	C:\Windows\SysWOW64\Lapnnafn.exe	Kbkameaf.exe
File created	C:\Windows\SysWOW64\Lcagpl32.exe	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Lhajpc32.dll	Mhloponc.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmldme32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daifmohp.dll"	Mmneda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancjqghh.dll"	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djmffb32.dll"	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoaebk32.dll"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbkameaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llohjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lphhenhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcfhi32.dll"	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmikde32.dll"	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kebgia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnddig32.dll"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lapnnafn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmneda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll"	Kbkameaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Mmldme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmneda32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2152	2980	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe	28
PID 2980 wrote to memory of 2152	2980	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe	28
PID 2980 wrote to memory of 2152	2980	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe	28
PID 2980 wrote to memory of 2152	2980	508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe	28
PID 2152 wrote to memory of 2636	2152	Kebgia32.exe	29
PID 2152 wrote to memory of 2636	2152	Kebgia32.exe	29
PID 2152 wrote to memory of 2636	2152	Kebgia32.exe	29
PID 2152 wrote to memory of 2636	2152	Kebgia32.exe	29
PID 2636 wrote to memory of 2628	2636	Kpjhkjde.exe	30
PID 2636 wrote to memory of 2628	2636	Kpjhkjde.exe	30
PID 2636 wrote to memory of 2628	2636	Kpjhkjde.exe	30
PID 2636 wrote to memory of 2628	2636	Kpjhkjde.exe	30
PID 2628 wrote to memory of 2520	2628	Kbkameaf.exe	31
PID 2628 wrote to memory of 2520	2628	Kbkameaf.exe	31
PID 2628 wrote to memory of 2520	2628	Kbkameaf.exe	31
PID 2628 wrote to memory of 2520	2628	Kbkameaf.exe	31
PID 2520 wrote to memory of 2608	2520	Lapnnafn.exe	32
PID 2520 wrote to memory of 2608	2520	Lapnnafn.exe	32
PID 2520 wrote to memory of 2608	2520	Lapnnafn.exe	32
PID 2520 wrote to memory of 2608	2520	Lapnnafn.exe	32
PID 2608 wrote to memory of 2884	2608	Lcagpl32.exe	33
PID 2608 wrote to memory of 2884	2608	Lcagpl32.exe	33
PID 2608 wrote to memory of 2884	2608	Lcagpl32.exe	33
PID 2608 wrote to memory of 2884	2608	Lcagpl32.exe	33
PID 2884 wrote to memory of 1680	2884	Lphhenhc.exe	34
PID 2884 wrote to memory of 1680	2884	Lphhenhc.exe	34
PID 2884 wrote to memory of 1680	2884	Lphhenhc.exe	34
PID 2884 wrote to memory of 1680	2884	Lphhenhc.exe	34
PID 1680 wrote to memory of 760	1680	Llohjo32.exe	35
PID 1680 wrote to memory of 760	1680	Llohjo32.exe	35
PID 1680 wrote to memory of 760	1680	Llohjo32.exe	35
PID 1680 wrote to memory of 760	1680	Llohjo32.exe	35
PID 760 wrote to memory of 272	760	Mmneda32.exe	36
PID 760 wrote to memory of 272	760	Mmneda32.exe	36
PID 760 wrote to memory of 272	760	Mmneda32.exe	36
PID 760 wrote to memory of 272	760	Mmneda32.exe	36
PID 272 wrote to memory of 1996	272	Meijhc32.exe	37
PID 272 wrote to memory of 1996	272	Meijhc32.exe	37
PID 272 wrote to memory of 1996	272	Meijhc32.exe	37
PID 272 wrote to memory of 1996	272	Meijhc32.exe	37
PID 1996 wrote to memory of 1656	1996	Mhjbjopf.exe	38
PID 1996 wrote to memory of 1656	1996	Mhjbjopf.exe	38
PID 1996 wrote to memory of 1656	1996	Mhjbjopf.exe	38
PID 1996 wrote to memory of 1656	1996	Mhjbjopf.exe	38
PID 1656 wrote to memory of 1076	1656	Mhloponc.exe	39
PID 1656 wrote to memory of 1076	1656	Mhloponc.exe	39
PID 1656 wrote to memory of 1076	1656	Mhloponc.exe	39
PID 1656 wrote to memory of 1076	1656	Mhloponc.exe	39
PID 1076 wrote to memory of 1360	1076	Meppiblm.exe	40
PID 1076 wrote to memory of 1360	1076	Meppiblm.exe	40
PID 1076 wrote to memory of 1360	1076	Meppiblm.exe	40
PID 1076 wrote to memory of 1360	1076	Meppiblm.exe	40
PID 1360 wrote to memory of 1788	1360	Mmldme32.exe	41
PID 1360 wrote to memory of 1788	1360	Mmldme32.exe	41
PID 1360 wrote to memory of 1788	1360	Mmldme32.exe	41
PID 1360 wrote to memory of 1788	1360	Mmldme32.exe	41
PID 1788 wrote to memory of 2360	1788	Nplmop32.exe	42
PID 1788 wrote to memory of 2360	1788	Nplmop32.exe	42
PID 1788 wrote to memory of 2360	1788	Nplmop32.exe	42
PID 1788 wrote to memory of 2360	1788	Nplmop32.exe	42
PID 2360 wrote to memory of 824	2360	Ngfflj32.exe	43
PID 2360 wrote to memory of 824	2360	Ngfflj32.exe	43
PID 2360 wrote to memory of 824	2360	Ngfflj32.exe	43
PID 2360 wrote to memory of 824	2360	Ngfflj32.exe	43

C:\Users\Admin\AppData\Local\Temp\508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe
"C:\Users\Admin\AppData\Local\Temp\508abbba0f1f088c3271b3b7d04275107bf9c99e5fe0dfecec765fb3e2d69852.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\Kebgia32.exe
  C:\Windows\system32\Kebgia32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\Kpjhkjde.exe
    C:\Windows\system32\Kpjhkjde.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\Kbkameaf.exe
      C:\Windows\system32\Kbkameaf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2628
    - - C:\Windows\SysWOW64\Lapnnafn.exe
        
        C:\Windows\system32\Lapnnafn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\SysWOW64\Lcagpl32.exe
        
        C:\Windows\system32\Lcagpl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\SysWOW64\Lphhenhc.exe
        
        C:\Windows\system32\Lphhenhc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Llohjo32.exe
        
        C:\Windows\system32\Llohjo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Mmneda32.exe
        
        C:\Windows\system32\Mmneda32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Mmldme32.exe
        
        C:\Windows\system32\Mmldme32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:824
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        18⤵
        Executes dropped EXE
        
        PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
80KB

MD5
c145a4d7496985223946238dce06c91b

SHA1
42222e2c44ab1100ac4cb97328876fb21dae6bda

SHA256
f9e439454f1888507913561b598e860a7ef92d2980e453548d4bb2cf1d86272b

SHA512
c4818005c9755e521d0cdf7b3d81f732e8cf06ca61138652a76f233f508971714c8891cbb5da750f8c2df0e6b9a8ac8d987cfeb8d7729fb709b43b0b2d16de21

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
80KB

MD5
1628a38f0c8491f67d679409ad0257ec

SHA1
4ead6fadb8957c64754495dc50cc754e63bd34ad

SHA256
9270c8b35982f63125ce03c24b837bb395c968b64756d54f7f4864ac1c10e2ff

SHA512
5f33ee20d144c97b347a088642acf15f605ef943ba57afe717578993985ec9cd87a1ba0627255fd0017278520c3b04db94f6e22ed2ddb3072e9609172d901be0

Download Submit
\Windows\SysWOW64\Kbkameaf.exe

Filesize
80KB

MD5
fb94c6cccbfa51cdcebcdc630f1a6801

SHA1
68216384bc87c35b2cdde3e75753fae82bd47fa5

SHA256
e6d0a4e4f1c5ba0665e90746ee3806283d0e68b567efe3c7f89236b74e0db258

SHA512
a41234bc6af0a4eba9a5d468833a8e9790a766b606095b57b505980f2a0e09a1507027d00f842d6cf611467309d4972e8ac11bd197659aebe92c7e2fdd2c72ad

Download Submit
\Windows\SysWOW64\Kebgia32.exe

Filesize
80KB

MD5
94167b90778090c2a793fabb135c0596

SHA1
5573130a1c6e0a7b3b741aa6cf00f525a65fb362

SHA256
3914cbc37f5649c67edd9eebd7d587f461e4796874b56880538e89e9cd32c7a6

SHA512
2cb9330c57bcc3616e2c6717650879919b60c63e722d8f27b74b3b739c72ed822d748df40ac93d1ddaedd315cdcc78590bd22a3edbb429f79ccb48426ebe66c4

Download Submit
\Windows\SysWOW64\Kpjhkjde.exe

Filesize
80KB

MD5
8fb92229455c4d6b2c782d4666104347

SHA1
792c806f55ce3a276ee0a158d71ad23cb40b3401

SHA256
7806cfdc37a96e1145ec15a56d74a21e5ce6e9bd5a60bb5d90c17a3c6e463808

SHA512
62eb6bb85ac02321d4f5572f6be1df580164946ce30a6da17ad6a637dd742ade24d1d94dffc2938030c23f1c784eea4f1304d448967bd361d5b0a60e9566c176

Download Submit
\Windows\SysWOW64\Lapnnafn.exe

Filesize
80KB

MD5
958b6f935a6a736cbea5d30526cc336e

SHA1
3b737404863dadd64efe77ca3481be0bf842e2e8

SHA256
677a005ab456c3aff376a93c40cfa3d298bcfa57f51ba5cb2e567d25d0bc3b89

SHA512
e887b7e13caf394b1d6eab542b4fee3d74e1ed7475291a48b60967928fe47705f453aa5b29f57bb8225f2ac359c23c98bc451b3679eb64635e63e8d8fa18f1ee

Download Submit
\Windows\SysWOW64\Lcagpl32.exe

Filesize
80KB

MD5
ed21a63c137312ba77a9608752587952

SHA1
8f8d4402ae5b30048e6ccfd9e35797e30eea89b1

SHA256
d2800ed38dd69a5604c85444cad0beb735ee2e7a357ca1dd952ffbf94cc0d962

SHA512
4692b90dfa3493e9612b6b13f3b80464a4e2026c8f99599a0ebf2fecbc44688461ddeba95f3252ff2bc4ac85cc65e22145b068363c302d45240b8be0bcfabed0

Download Submit
\Windows\SysWOW64\Llohjo32.exe

Filesize
80KB

MD5
c96641ac487f99aea93cf844cb4b3087

SHA1
e966660aba7243f2b7c1c83ba434c44b3ccac286

SHA256
0b537958fb9bf1a0c79d1c4e4316244a4f30367df22ca6dec12a9d3d232bd3ab

SHA512
96dc7feaa6ad027f3b3f20a6e11e320e70b527d61c18f968d0a6645eb3737caff36fa52bb696a3d97aa000c2b29836678391eab2693bfa9f8e65985b4911ca8f

Download Submit
\Windows\SysWOW64\Lphhenhc.exe

Filesize
80KB

MD5
20a2924e129f33aac867b57af18670d8

SHA1
3d7d75685b97dd56cb79d18ef58da9975d923c9b

SHA256
21920ce6b3b77b049cdc86afbecabd633296e4ba5fcea802fa4aabe82f71c992

SHA512
80de959e579367b54180498ebdcb99fae0ded26f3221a71f9a6ef0a7ad6ad1f79db478f0747a5ea48dcee49b4170a044528db9a159dd1ccaac4feb1f6241846c

Download Submit
\Windows\SysWOW64\Meijhc32.exe

Filesize
80KB

MD5
a863155537069f8d41bb92c5c7150edf

SHA1
40f960e8ed9c7bbd6089244c64e8abe1142a1af0

SHA256
ff5b0fcacd0c8f290647864a96b1f9453cec4cd96522b7e1ef56cac42bdcf464

SHA512
8ed2299c4a2f536848da3578ebfc0cc0641bc0865f2d376eba53f46a930e2a81830df7add59f7d330fa803894c4d49875559a4bc7736d47b1be55026c868792e

Download Submit
\Windows\SysWOW64\Meppiblm.exe

Filesize
80KB

MD5
e9cc3e568a8bf940d5636e85c74855b8

SHA1
d768c71c7c84adb2e8178a47ed3e9c12889558b2

SHA256
8e90f0dc5bde303921254b2350af6865edf372cc54b8228296df69e5a915798c

SHA512
63d5bfc0bfeceb375a2384d09f05b7d3a2ca3ae2fdd047a922cb37e3e3dcd623b3a958ca5fc8140a82bdd0e523dda88e7a8e85e21da6f1f51f028f871483279e

Download Submit
\Windows\SysWOW64\Mhjbjopf.exe

Filesize
80KB

MD5
a49c7e018edf81e310c8a2a4c09458cc

SHA1
45fad9e5ef627d3b0a3464fa644165492da219e3

SHA256
be3ba85bfb87602c17f3b9b14f0644517c9fe80d7567340a9ed69a5a2d93688f

SHA512
52dab0257df47b4e9ee2762f22d8dd5d76977ad3f678f8433bb03d635c48a981414977d31945602604cdb22f9b0668b4e16bcd2919bf02749f6a517c1cfc612e

Download Submit
\Windows\SysWOW64\Mhloponc.exe

Filesize
80KB

MD5
439e81666259c470e5244785e478f8ab

SHA1
ee597e0646d71ed9be6267d64a656a4dc3b64a8b

SHA256
875635d15a7ef2e436974186384b518ea392e21820d685ad8c87fe5031b1b275

SHA512
fca8b20fe173eff6a306741990965804066e87585af90f3f70945567f37061d16ae613dcbea3f2098ba9c4a289031fadb0a98d1ad0fbe3f3fac4ac386598cbda

Download Submit
\Windows\SysWOW64\Mmldme32.exe

Filesize
80KB

MD5
d9dd295a3ec832ae6ea8feedb227d350

SHA1
65c243b02bce17d6e228b8f67318c1c258764329

SHA256
fecbe8ecb32a594bdbd705fe47615a987092362337ea23c1efa6a87937d49b4e

SHA512
5aceb4f9894d922c9240948352e5e26d6c0658b253374ad1afbecc1b13d8381a247eb7349c547f1c603cec47224440c4b249aba137d742fbfa221273ac1ae540

Download Submit
\Windows\SysWOW64\Mmneda32.exe

Filesize
80KB

MD5
6dfa126ec72a68d26b2357ae7efb9ef7

SHA1
b6bf0d3a4f5561768a1c07825aecef936844ece3

SHA256
f506d2e19a1c07ebf04952a203fcbb8a090e35963bbc9cfea0f528c8ad2f6415

SHA512
46e3faf82cd167782e15382ed61f7959358008b0278b267f0446f80698653a842121086fe56ccceda8320e6ffc2b4eb199160d62794d20b60585c6b20f67160a

Download Submit
\Windows\SysWOW64\Nigome32.exe

Filesize
80KB

MD5
b4e60b30d87cbacccd634d0e64812101

SHA1
75ef41d1e240dc17adb5adf6f9d6f7a83794a2e3

SHA256
90cf20501e7be4eaa84500cb702a1a51bb0cc246739aaa92d00ead31eb7dcc7b

SHA512
4d766a2fe8c3ae464f3e84b5e15d6df81fc9717981651161db8b97988579f10858b8092e2fae06ee2e08dbd91c3a9a6b0078c885c22f05e4fa0de6905643d7eb

Download Submit
\Windows\SysWOW64\Nplmop32.exe

Filesize
80KB

MD5
9a8e5ad9b9d1a236169c2ab74041504e

SHA1
6366ccf2b2636c309f7f6c34c1aeb79a24d07f94

SHA256
6f87252afb647575a57e9272395c0b440c0983da64e6fc690a29f7a5f6603c63

SHA512
5d135b4dc0d456f577e60c941f0123028fd07362af836c33d95ac42983ead917ca4baa662b65711c6028fc432c78c0d482b3d5c1a896ec80443c324d71602118

Download Submit
memory/272-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/272-118-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/760-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/824-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/824-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-167-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1076-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1360-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1360-181-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1656-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-153-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download
memory/1656-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-199-0x00000000001C0000-0x0000000000200000-memory.dmp

Filesize
256KB

Download
memory/1996-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1996-139-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/1996-131-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2152-19-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2236-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2360-208-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2360-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2520-60-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2520-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-70-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2608-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-51-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/2636-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-37-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2884-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2884-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-6-0x00000000003C0000-0x0000000000400000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads