0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18

Analysis

max time kernel
33s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Size

305KB
MD5

9835067c125a59397873f190cca7e65a
SHA1

57eb5f18a7334a65b8c6ef62b45892e6be4005aa
SHA256

0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18
SHA512

c2b87f7cf608ede3ae153669b85644f512f703de5b693df2d7ffe10a7115a7b17b2d221b44f219ed111fc16de1ed3614004a2360fce8983e10305628cb613b9d
SSDEEP

3072:dNPyoYF0Na5NpYqAd+lc802eS5pAgYIqGvJ6887lbyMGjXF1kqaholmtbCQVDb0E:ioYF0QpiElc85dZMGXF5ahdt3b0668

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mmkafhnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kcpcho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lckflc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpddgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpddgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmkafhnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Moqgiopk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhkhgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbqgolpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lckflc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhkhgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncloha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbqgolpf.exe

Executes dropped EXE 11 IoCs

pid	Process
2976	Kbqgolpf.exe
2712	Kcpcho32.exe
2904	Lckflc32.exe
2856	Lpddgd32.exe
2568	Mmkafhnb.exe
928	Moqgiopk.exe
2372	Mhkhgd32.exe
1980	Nacmpj32.exe
1380	Npiiafpa.exe
2860	Ncloha32.exe
1760	Opblgehg.exe

Loads dropped DLL 26 IoCs

pid	Process
1292	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
1292	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
2976	Kbqgolpf.exe
2976	Kbqgolpf.exe
2712	Kcpcho32.exe
2712	Kcpcho32.exe
2904	Lckflc32.exe
2904	Lckflc32.exe
2856	Lpddgd32.exe
2856	Lpddgd32.exe
2568	Mmkafhnb.exe
2568	Mmkafhnb.exe
928	Moqgiopk.exe
928	Moqgiopk.exe
2372	Mhkhgd32.exe
2372	Mhkhgd32.exe
1980	Nacmpj32.exe
1980	Nacmpj32.exe
1380	Npiiafpa.exe
1380	Npiiafpa.exe
2860	Ncloha32.exe
2860	Ncloha32.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe
324	WerFault.exe

Drops file in System32 directory 33 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lckflc32.exe	Kcpcho32.exe
File created	C:\Windows\SysWOW64\Npiiafpa.exe	Nacmpj32.exe
File created	C:\Windows\SysWOW64\Ncloha32.exe	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Lbbbnidk.dll	Lckflc32.exe
File opened for modification	C:\Windows\SysWOW64\Mmkafhnb.exe	Lpddgd32.exe
File created	C:\Windows\SysWOW64\Nacmpj32.exe	Mhkhgd32.exe
File opened for modification	C:\Windows\SysWOW64\Moqgiopk.exe	Mmkafhnb.exe
File opened for modification	C:\Windows\SysWOW64\Nacmpj32.exe	Mhkhgd32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ncloha32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ncloha32.exe
File created	C:\Windows\SysWOW64\Ajenah32.dll	Lpddgd32.exe
File created	C:\Windows\SysWOW64\Mhkhgd32.exe	Moqgiopk.exe
File opened for modification	C:\Windows\SysWOW64\Mhkhgd32.exe	Moqgiopk.exe
File opened for modification	C:\Windows\SysWOW64\Ncloha32.exe	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Kbqgolpf.exe	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
File created	C:\Windows\SysWOW64\Kcpcho32.exe	Kbqgolpf.exe
File created	C:\Windows\SysWOW64\Dacppppl.dll	Kcpcho32.exe
File created	C:\Windows\SysWOW64\Lpddgd32.exe	Lckflc32.exe
File created	C:\Windows\SysWOW64\Mnohgfgb.dll	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Gkbafe32.dll	Moqgiopk.exe
File created	C:\Windows\SysWOW64\Kcgpfpbq.dll	Mhkhgd32.exe
File created	C:\Windows\SysWOW64\Moqgiopk.exe	Mmkafhnb.exe
File created	C:\Windows\SysWOW64\Bgbjkg32.dll	Mmkafhnb.exe
File opened for modification	C:\Windows\SysWOW64\Kbqgolpf.exe	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
File opened for modification	C:\Windows\SysWOW64\Kcpcho32.exe	Kbqgolpf.exe
File created	C:\Windows\SysWOW64\Caolfcmm.dll	Kbqgolpf.exe
File opened for modification	C:\Windows\SysWOW64\Lckflc32.exe	Kcpcho32.exe
File opened for modification	C:\Windows\SysWOW64\Lpddgd32.exe	Lckflc32.exe
File created	C:\Windows\SysWOW64\Mmkafhnb.exe	Lpddgd32.exe
File opened for modification	C:\Windows\SysWOW64\Npiiafpa.exe	Nacmpj32.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ncloha32.exe
File created	C:\Windows\SysWOW64\Jjamcall.dll	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
File created	C:\Windows\SysWOW64\Qlcbff32.dll	Nacmpj32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
324	1760	WerFault.exe	40

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lckflc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpddgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncloha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbqgolpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcpcho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiafpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmkafhnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moqgiopk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhkhgd32.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lckflc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mmkafhnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgpfpbq.dll"	Mhkhgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ncloha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Moqgiopk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhkhgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjamcall.dll"	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caolfcmm.dll"	Kbqgolpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpddgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dacppppl.dll"	Kcpcho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mmkafhnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbjkg32.dll"	Mmkafhnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lckflc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhkhgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlcbff32.dll"	Nacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnohgfgb.dll"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajenah32.dll"	Lpddgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbafe32.dll"	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncloha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbqgolpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbqgolpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kcpcho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Moqgiopk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kcpcho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbbnidk.dll"	Lckflc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpddgd32.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 2976	1292	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe	30
PID 1292 wrote to memory of 2976	1292	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe	30
PID 1292 wrote to memory of 2976	1292	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe	30
PID 1292 wrote to memory of 2976	1292	0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe	30
PID 2976 wrote to memory of 2712	2976	Kbqgolpf.exe	31
PID 2976 wrote to memory of 2712	2976	Kbqgolpf.exe	31
PID 2976 wrote to memory of 2712	2976	Kbqgolpf.exe	31
PID 2976 wrote to memory of 2712	2976	Kbqgolpf.exe	31
PID 2712 wrote to memory of 2904	2712	Kcpcho32.exe	32
PID 2712 wrote to memory of 2904	2712	Kcpcho32.exe	32
PID 2712 wrote to memory of 2904	2712	Kcpcho32.exe	32
PID 2712 wrote to memory of 2904	2712	Kcpcho32.exe	32
PID 2904 wrote to memory of 2856	2904	Lckflc32.exe	33
PID 2904 wrote to memory of 2856	2904	Lckflc32.exe	33
PID 2904 wrote to memory of 2856	2904	Lckflc32.exe	33
PID 2904 wrote to memory of 2856	2904	Lckflc32.exe	33
PID 2856 wrote to memory of 2568	2856	Lpddgd32.exe	34
PID 2856 wrote to memory of 2568	2856	Lpddgd32.exe	34
PID 2856 wrote to memory of 2568	2856	Lpddgd32.exe	34
PID 2856 wrote to memory of 2568	2856	Lpddgd32.exe	34
PID 2568 wrote to memory of 928	2568	Mmkafhnb.exe	35
PID 2568 wrote to memory of 928	2568	Mmkafhnb.exe	35
PID 2568 wrote to memory of 928	2568	Mmkafhnb.exe	35
PID 2568 wrote to memory of 928	2568	Mmkafhnb.exe	35
PID 928 wrote to memory of 2372	928	Moqgiopk.exe	36
PID 928 wrote to memory of 2372	928	Moqgiopk.exe	36
PID 928 wrote to memory of 2372	928	Moqgiopk.exe	36
PID 928 wrote to memory of 2372	928	Moqgiopk.exe	36
PID 2372 wrote to memory of 1980	2372	Mhkhgd32.exe	37
PID 2372 wrote to memory of 1980	2372	Mhkhgd32.exe	37
PID 2372 wrote to memory of 1980	2372	Mhkhgd32.exe	37
PID 2372 wrote to memory of 1980	2372	Mhkhgd32.exe	37
PID 1980 wrote to memory of 1380	1980	Nacmpj32.exe	38
PID 1980 wrote to memory of 1380	1980	Nacmpj32.exe	38
PID 1980 wrote to memory of 1380	1980	Nacmpj32.exe	38
PID 1980 wrote to memory of 1380	1980	Nacmpj32.exe	38
PID 1380 wrote to memory of 2860	1380	Npiiafpa.exe	39
PID 1380 wrote to memory of 2860	1380	Npiiafpa.exe	39
PID 1380 wrote to memory of 2860	1380	Npiiafpa.exe	39
PID 1380 wrote to memory of 2860	1380	Npiiafpa.exe	39
PID 2860 wrote to memory of 1760	2860	Ncloha32.exe	40
PID 2860 wrote to memory of 1760	2860	Ncloha32.exe	40
PID 2860 wrote to memory of 1760	2860	Ncloha32.exe	40
PID 2860 wrote to memory of 1760	2860	Ncloha32.exe	40
PID 1760 wrote to memory of 324	1760	Opblgehg.exe	41
PID 1760 wrote to memory of 324	1760	Opblgehg.exe	41
PID 1760 wrote to memory of 324	1760	Opblgehg.exe	41
PID 1760 wrote to memory of 324	1760	Opblgehg.exe	41

C:\Users\Admin\AppData\Local\Temp\0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe
"C:\Users\Admin\AppData\Local\Temp\0e22048ae52134c9bdd32d01242d3ac96ae331f2549a9b9512d12e83fc7eae18.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\SysWOW64\Kbqgolpf.exe
  C:\Windows\system32\Kbqgolpf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\Kcpcho32.exe
    C:\Windows\system32\Kcpcho32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\Lckflc32.exe
      C:\Windows\system32\Lckflc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Lpddgd32.exe
        
        C:\Windows\system32\Lpddgd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\Mmkafhnb.exe
        
        C:\Windows\system32\Mmkafhnb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\SysWOW64\Moqgiopk.exe
        
        C:\Windows\system32\Moqgiopk.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Mhkhgd32.exe
        
        C:\Windows\system32\Mhkhgd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
        
        C:\Windows\SysWOW64\Nacmpj32.exe
        
        C:\Windows\system32\Nacmpj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Npiiafpa.exe
        
        C:\Windows\system32\Npiiafpa.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Ncloha32.exe
        
        C:\Windows\system32\Ncloha32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 140
        13⤵
        Loads dropped DLL
        Program crash
        
        PID:324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajenah32.dll

Filesize
7KB

MD5
5650beb628309695b62e8d476fd732f7

SHA1
93d786ab2418dfa5c5a5467d0132eb17c61aa499

SHA256
49027e82e89ab11415cfcdc4e7c491cd3be9513ae3c9fe2ed324b7b64d071abb

SHA512
01735c92a97f9d9cd7e9710fac360402ac800b8e413c40805e14233335e5a3af3e97f9e16750a424553195d11ce3d5f112668b42a94257ce2acdecd8f1aba9e2

Download Submit
C:\Windows\SysWOW64\Kbqgolpf.exe

Filesize
305KB

MD5
89fdefcbc825eb4454e5e9029cd99033

SHA1
15f1bf034e245b2c4e54ff386aa07d33bb4579ed

SHA256
9b119df03fb3a18f9a09770fdfce77057e6203c8c46a0ffac8893cf3ee950f3d

SHA512
db727f5edd1a504a9381ca9aece80772fe4a327273b02d53714f3636a8d8481d6f87ecd289995ff9b86824698e93ce7a11323eb462f7b6c06744c0c8eb6eea74

Download Submit
\Windows\SysWOW64\Kcpcho32.exe

Filesize
305KB

MD5
4ee9f6ab9ec9c8913d55ea5ae9936b42

SHA1
19bd6aee09c345cef47f5d24d62c258d60f390b4

SHA256
49d8c5aeadef36cc36ea250a0db3426f79251573c23b7a90a121fabcc365484f

SHA512
fc97d375274da51ead75d1d7789653c0091acd81116efdb07429326d5ff0698774c2d0c20e61fe1ee0a5e1193d391b85d1874800b4dd6351040c090f24414ad5

Download Submit
\Windows\SysWOW64\Lckflc32.exe

Filesize
305KB

MD5
333b6e527576b4e7461e9dcc81c4b9d7

SHA1
31ca1fdf163a28760082940912738fc465752a3b

SHA256
ccb2a1c4b0cf139cd781aa4caa6d50012c7308a2630912c22be1cc2d3f9f3137

SHA512
dc5768a6bcd8fbab4b652cf775eeb0f7362306f20c6185a51e0a3a41d3f3f2d13014c114b650c281151416e9cafed5d8cc7e6dd4e5d7415aee22b3be33df82cc

Download Submit
\Windows\SysWOW64\Lpddgd32.exe

Filesize
305KB

MD5
b5e1581588696bb72731d33f2ba44068

SHA1
2985fc22f8cb0579e62795454772e99b389f0076

SHA256
b353a8ee2c85e824caccdfb196d19990f3fa6a82e18d13074f6e6221b75a6e7f

SHA512
f24c651e4ccb7107aa7471a4af1d016f1686ca54c96d7effcf54cc745c8d4b3746711631dbef51a522fd8455cf5da5c760f706230e0e23437fc27e692544b821

Download Submit
\Windows\SysWOW64\Mhkhgd32.exe

Filesize
305KB

MD5
9b3cac6f8483e663f015c6ffa059367b

SHA1
641511bcbbc22319f1d7eda7025e58d351e4e100

SHA256
b9403addc193a2f808473bf522b3c5530aefc960dedf024d63d92872bb9e7b47

SHA512
c0c7fc33a2a33b730c3316872068f8f6bb52e1cc4d8d39a9766f0551958b34c15a31be8f4d66a36a76d82c376ba976847655336e7cf4f18ff3c7f62513cdec51

Download Submit
\Windows\SysWOW64\Mmkafhnb.exe

Filesize
305KB

MD5
f40bfe5f8c9829fb10ae4db81975b4b2

SHA1
6e203c0b231b2bb5200f52a35b42e4be68409dfc

SHA256
19bafb7aa2420ae61956706b3cdb6f42a4c939176e1a394599ca470681b26918

SHA512
d2eeedd916d7908cac7240ca31976ee89f633487d0bf2670cf6b98ba9dea8a24e460345c249a99445226a6d15f891bf3bda69040c2633bb174f0029b7a435f21

Download Submit
\Windows\SysWOW64\Moqgiopk.exe

Filesize
305KB

MD5
8b0a762a8d72d40e2ab66848a7c97579

SHA1
fe98d9d6850cda4b8df7a46c5a5c4865e9377ca8

SHA256
cbd6285908f324025f83979d1cdac09b92b6ad04495cc14f7e60279636eb8d9c

SHA512
2544e12b9438ecb7e5dd813fa669a1bafe1ffc2c5d4ced8b14dc2cc56579e507dd136c6cc29a712e244cd288a48003108c728fcf1c7cb7c233754c8141493fe9

Download Submit
\Windows\SysWOW64\Nacmpj32.exe

Filesize
305KB

MD5
68b6a9f02746870e1b11789525426f0a

SHA1
bafb01e3bfe170d92b78feb25f68fea07cfe1b31

SHA256
71c9bc87148e496e162ed8107489a0a27c2d360b702315e2d4c2e80a464b3a3d

SHA512
460466d124fc387702f930be3ce77c327d286a73756c0e4297a0c82bccfa4d154a88b43804ed632286b011c2b14888b8070c761e3c4526e0722dc422ae285ee6

Download Submit
\Windows\SysWOW64\Ncloha32.exe

Filesize
305KB

MD5
6ebe6fcbe29205cce0244bcdcb7d2afa

SHA1
b629d4b96254fef69853c4892750d81ecf139ea6

SHA256
3eea365965b441fb0913c4e495a5cbad2150690815d068e04bde4e483b4cef49

SHA512
6caba616a2245d1d873ab2e07808e6acd23a4eeb161860226c609a0a3f81d8e124d20edad78d77e2d6c73eac9fa0950f1beaf6d528cbeb9f0cea08aba6107b46

Download Submit
\Windows\SysWOW64\Npiiafpa.exe

Filesize
305KB

MD5
17001d57851c9fd0addd479ec16ace19

SHA1
685687197b5110adb552ea13f019f38f0bb43ae6

SHA256
72aed1952ff59af701302e4afe55393febb48228cbc17bbbfcf084030a445012

SHA512
6104c63a697aea3d7befc599722229074d4b297213c848a26383c555eb739ddff3e27aeb17a9a4aa1d225da786897cc2b18bb5a697a12edebf38efcb33e931fb

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
305KB

MD5
77103f56972b2b140838d5db941f02dc

SHA1
3875de8745a72a94efd08db9d0c0da626543e99c

SHA256
9094a8ba735bc642bf9194f57727417d00138b26b0e1fd247ffdfe7065b27ec2

SHA512
e72f715106edacf3de4d9693e4d09828b790f7e4197b26ec678c89b249bcc4e77facdd3b2149f40c95384905128a95a57010022388904680c96e123d2e6ecfb3

Download Submit
memory/928-110-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/928-165-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/928-85-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-12-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1292-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-13-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1292-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-138-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1380-137-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1380-125-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-166-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1760-154-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1980-117-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2372-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-83-0x0000000000330000-0x0000000000373000-memory.dmp

Filesize
268KB

Download
memory/2568-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2568-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2712-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2712-28-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2712-36-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2712-42-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2856-67-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2856-68-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/2856-56-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2856-163-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-140-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2860-153-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2860-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2904-54-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/2976-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-14-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-26-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads