771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
05/08/2024, 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Size

71KB
MD5

b479071381f875cd00b70b9b95b81245
SHA1

e472123d81737ba7e19e191993b07a7bd512ae70
SHA256

771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e
SHA512

cecaa260ea70152ce65df4d8d1b0fab299e5234aec68432ae61fde6e24b1085f5e8f9f904915a4f6366d6ec8d67866e29035ef81cc641cca4280eebcd53d2f72
SSDEEP

1536:S40DO6OCZ4W7J2NN3/jhPVVvpSJwlQ0uQRQ4DbEyRCRRRoR4Rk:S40DhvslHRSJ3QeOEy032ya

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhpabdqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nldcagaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdplfflp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndgbgefh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlbgkgcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihdjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nlbgkgcc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nldcagaq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nogmin32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndgbgefh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdplfflp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqjdo32.exe

Executes dropped EXE 16 IoCs

pid	Process
2864	Mdplfflp.exe
2708	Nkjdcp32.exe
2676	Nmhqokcq.exe
2608	Nacmpj32.exe
2808	Nogmin32.exe
2700	Nhpabdqd.exe
2036	Nknnnoph.exe
2344	Ndgbgefh.exe
2080	Nkqjdo32.exe
2968	Nlbgkgcc.exe
2908	Ndiomdde.exe
2428	Nifgekbm.exe
972	Nldcagaq.exe
2764	Ncnlnaim.exe
1988	Oihdjk32.exe
1244	Opblgehg.exe

Loads dropped DLL 36 IoCs

pid	Process
2208	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
2208	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
2864	Mdplfflp.exe
2864	Mdplfflp.exe
2708	Nkjdcp32.exe
2708	Nkjdcp32.exe
2676	Nmhqokcq.exe
2676	Nmhqokcq.exe
2608	Nacmpj32.exe
2608	Nacmpj32.exe
2808	Nogmin32.exe
2808	Nogmin32.exe
2700	Nhpabdqd.exe
2700	Nhpabdqd.exe
2036	Nknnnoph.exe
2036	Nknnnoph.exe
2344	Ndgbgefh.exe
2344	Ndgbgefh.exe
2080	Nkqjdo32.exe
2080	Nkqjdo32.exe
2968	Nlbgkgcc.exe
2968	Nlbgkgcc.exe
2908	Ndiomdde.exe
2908	Ndiomdde.exe
2428	Nifgekbm.exe
2428	Nifgekbm.exe
972	Nldcagaq.exe
972	Nldcagaq.exe
2764	Ncnlnaim.exe
2764	Ncnlnaim.exe
1988	Oihdjk32.exe
1988	Oihdjk32.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe
2120	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nogmin32.exe	Nacmpj32.exe
File created	C:\Windows\SysWOW64\Ojqeofnd.dll	Nacmpj32.exe
File created	C:\Windows\SysWOW64\Cmnhge32.dll	Nhpabdqd.exe
File created	C:\Windows\SysWOW64\Nkqjdo32.exe	Ndgbgefh.exe
File created	C:\Windows\SysWOW64\Ndiomdde.exe	Nlbgkgcc.exe
File created	C:\Windows\SysWOW64\Mdplfflp.exe	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
File created	C:\Windows\SysWOW64\Kcgpfpbq.dll	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Nhpabdqd.exe	Nogmin32.exe
File created	C:\Windows\SysWOW64\Gnkqpnqp.dll	Nknnnoph.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Hqnpad32.dll	Nlbgkgcc.exe
File opened for modification	C:\Windows\SysWOW64\Nhpabdqd.exe	Nogmin32.exe
File opened for modification	C:\Windows\SysWOW64\Nknnnoph.exe	Nhpabdqd.exe
File opened for modification	C:\Windows\SysWOW64\Ndgbgefh.exe	Nknnnoph.exe
File created	C:\Windows\SysWOW64\Fkohmocc.dll	Ndgbgefh.exe
File opened for modification	C:\Windows\SysWOW64\Ncnlnaim.exe	Nldcagaq.exe
File created	C:\Windows\SysWOW64\Gcjajedk.dll	Nldcagaq.exe
File created	C:\Windows\SysWOW64\Oihdjk32.exe	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Nmhqokcq.exe	Nkjdcp32.exe
File created	C:\Windows\SysWOW64\Nacmpj32.exe	Nmhqokcq.exe
File opened for modification	C:\Windows\SysWOW64\Nacmpj32.exe	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Jdbmjldj.dll	Nkqjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Nifgekbm.exe	Ndiomdde.exe
File created	C:\Windows\SysWOW64\Mmfmkf32.dll	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Ncnlnaim.exe	Nldcagaq.exe
File opened for modification	C:\Windows\SysWOW64\Nkjdcp32.exe	Mdplfflp.exe
File created	C:\Windows\SysWOW64\Ndgbgefh.exe	Nknnnoph.exe
File created	C:\Windows\SysWOW64\Jhjalgho.dll	Ndiomdde.exe
File opened for modification	C:\Windows\SysWOW64\Oihdjk32.exe	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Oihdjk32.exe
File created	C:\Windows\SysWOW64\Nlbgkgcc.exe	Nkqjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdplfflp.exe	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
File created	C:\Windows\SysWOW64\Nkjdcp32.exe	Mdplfflp.exe
File created	C:\Windows\SysWOW64\Koqdolib.dll	Mdplfflp.exe
File created	C:\Windows\SysWOW64\Njljfe32.dll	Nkjdcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nogmin32.exe	Nacmpj32.exe
File created	C:\Windows\SysWOW64\Oipenooj.dll	Nogmin32.exe
File created	C:\Windows\SysWOW64\Nknnnoph.exe	Nhpabdqd.exe
File opened for modification	C:\Windows\SysWOW64\Nlbgkgcc.exe	Nkqjdo32.exe
File created	C:\Windows\SysWOW64\Nifgekbm.exe	Ndiomdde.exe
File created	C:\Windows\SysWOW64\Nldcagaq.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Moanhnka.dll	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Bfnihd32.dll	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
File opened for modification	C:\Windows\SysWOW64\Nmhqokcq.exe	Nkjdcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqjdo32.exe	Ndgbgefh.exe
File opened for modification	C:\Windows\SysWOW64\Ndiomdde.exe	Nlbgkgcc.exe
File opened for modification	C:\Windows\SysWOW64\Nldcagaq.exe	Nifgekbm.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2120	1244	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihdjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkqjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhqokcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nogmin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhpabdqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndgbgefh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlbgkgcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nifgekbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nldcagaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjdcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdplfflp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnlnaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nknnnoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndiomdde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nacmpj32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moanhnka.dll"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll"	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll"	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nogmin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndgbgefh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nldcagaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjajedk.dll"	Nldcagaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjalgho.dll"	Ndiomdde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nlbgkgcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnihd32.dll"	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfmkf32.dll"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmhqokcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nogmin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbmjldj.dll"	Nkqjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqnpad32.dll"	Nlbgkgcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqjdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndgbgefh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnhge32.dll"	Nhpabdqd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nldcagaq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipenooj.dll"	Nogmin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhpabdqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkohmocc.dll"	Ndgbgefh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdplfflp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnkqpnqp.dll"	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nlbgkgcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koqdolib.dll"	Mdplfflp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndiomdde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Oihdjk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdplfflp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgpfpbq.dll"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhpabdqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nknnnoph.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2864	2208	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe	30
PID 2208 wrote to memory of 2864	2208	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe	30
PID 2208 wrote to memory of 2864	2208	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe	30
PID 2208 wrote to memory of 2864	2208	771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe	30
PID 2864 wrote to memory of 2708	2864	Mdplfflp.exe	31
PID 2864 wrote to memory of 2708	2864	Mdplfflp.exe	31
PID 2864 wrote to memory of 2708	2864	Mdplfflp.exe	31
PID 2864 wrote to memory of 2708	2864	Mdplfflp.exe	31
PID 2708 wrote to memory of 2676	2708	Nkjdcp32.exe	32
PID 2708 wrote to memory of 2676	2708	Nkjdcp32.exe	32
PID 2708 wrote to memory of 2676	2708	Nkjdcp32.exe	32
PID 2708 wrote to memory of 2676	2708	Nkjdcp32.exe	32
PID 2676 wrote to memory of 2608	2676	Nmhqokcq.exe	33
PID 2676 wrote to memory of 2608	2676	Nmhqokcq.exe	33
PID 2676 wrote to memory of 2608	2676	Nmhqokcq.exe	33
PID 2676 wrote to memory of 2608	2676	Nmhqokcq.exe	33
PID 2608 wrote to memory of 2808	2608	Nacmpj32.exe	34
PID 2608 wrote to memory of 2808	2608	Nacmpj32.exe	34
PID 2608 wrote to memory of 2808	2608	Nacmpj32.exe	34
PID 2608 wrote to memory of 2808	2608	Nacmpj32.exe	34
PID 2808 wrote to memory of 2700	2808	Nogmin32.exe	35
PID 2808 wrote to memory of 2700	2808	Nogmin32.exe	35
PID 2808 wrote to memory of 2700	2808	Nogmin32.exe	35
PID 2808 wrote to memory of 2700	2808	Nogmin32.exe	35
PID 2700 wrote to memory of 2036	2700	Nhpabdqd.exe	36
PID 2700 wrote to memory of 2036	2700	Nhpabdqd.exe	36
PID 2700 wrote to memory of 2036	2700	Nhpabdqd.exe	36
PID 2700 wrote to memory of 2036	2700	Nhpabdqd.exe	36
PID 2036 wrote to memory of 2344	2036	Nknnnoph.exe	37
PID 2036 wrote to memory of 2344	2036	Nknnnoph.exe	37
PID 2036 wrote to memory of 2344	2036	Nknnnoph.exe	37
PID 2036 wrote to memory of 2344	2036	Nknnnoph.exe	37
PID 2344 wrote to memory of 2080	2344	Ndgbgefh.exe	38
PID 2344 wrote to memory of 2080	2344	Ndgbgefh.exe	38
PID 2344 wrote to memory of 2080	2344	Ndgbgefh.exe	38
PID 2344 wrote to memory of 2080	2344	Ndgbgefh.exe	38
PID 2080 wrote to memory of 2968	2080	Nkqjdo32.exe	39
PID 2080 wrote to memory of 2968	2080	Nkqjdo32.exe	39
PID 2080 wrote to memory of 2968	2080	Nkqjdo32.exe	39
PID 2080 wrote to memory of 2968	2080	Nkqjdo32.exe	39
PID 2968 wrote to memory of 2908	2968	Nlbgkgcc.exe	40
PID 2968 wrote to memory of 2908	2968	Nlbgkgcc.exe	40
PID 2968 wrote to memory of 2908	2968	Nlbgkgcc.exe	40
PID 2968 wrote to memory of 2908	2968	Nlbgkgcc.exe	40
PID 2908 wrote to memory of 2428	2908	Ndiomdde.exe	41
PID 2908 wrote to memory of 2428	2908	Ndiomdde.exe	41
PID 2908 wrote to memory of 2428	2908	Ndiomdde.exe	41
PID 2908 wrote to memory of 2428	2908	Ndiomdde.exe	41
PID 2428 wrote to memory of 972	2428	Nifgekbm.exe	42
PID 2428 wrote to memory of 972	2428	Nifgekbm.exe	42
PID 2428 wrote to memory of 972	2428	Nifgekbm.exe	42
PID 2428 wrote to memory of 972	2428	Nifgekbm.exe	42
PID 972 wrote to memory of 2764	972	Nldcagaq.exe	43
PID 972 wrote to memory of 2764	972	Nldcagaq.exe	43
PID 972 wrote to memory of 2764	972	Nldcagaq.exe	43
PID 972 wrote to memory of 2764	972	Nldcagaq.exe	43
PID 2764 wrote to memory of 1988	2764	Ncnlnaim.exe	44
PID 2764 wrote to memory of 1988	2764	Ncnlnaim.exe	44
PID 2764 wrote to memory of 1988	2764	Ncnlnaim.exe	44
PID 2764 wrote to memory of 1988	2764	Ncnlnaim.exe	44
PID 1988 wrote to memory of 1244	1988	Oihdjk32.exe	45
PID 1988 wrote to memory of 1244	1988	Oihdjk32.exe	45
PID 1988 wrote to memory of 1244	1988	Oihdjk32.exe	45
PID 1988 wrote to memory of 1244	1988	Oihdjk32.exe	45

C:\Users\Admin\AppData\Local\Temp\771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe
"C:\Users\Admin\AppData\Local\Temp\771f13b9f9f839baecbe0d15bea59b2f7e5d7eab62f9e036e51304601b7c9b8e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Mdplfflp.exe
  C:\Windows\system32\Mdplfflp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\Nkjdcp32.exe
    C:\Windows\system32\Nkjdcp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\Nmhqokcq.exe
      C:\Windows\system32\Nmhqokcq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\Nacmpj32.exe
        
        C:\Windows\system32\Nacmpj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2608
      - C:\Windows\SysWOW64\Nogmin32.exe
        
        C:\Windows\system32\Nogmin32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Nhpabdqd.exe
        
        C:\Windows\system32\Nhpabdqd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Nknnnoph.exe
        
        C:\Windows\system32\Nknnnoph.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ndgbgefh.exe
        
        C:\Windows\system32\Ndgbgefh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Nkqjdo32.exe
        
        C:\Windows\system32\Nkqjdo32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\SysWOW64\Nlbgkgcc.exe
        
        C:\Windows\system32\Nlbgkgcc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ndiomdde.exe
        
        C:\Windows\system32\Ndiomdde.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Nifgekbm.exe
        
        C:\Windows\system32\Nifgekbm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Nldcagaq.exe
        
        C:\Windows\system32\Nldcagaq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Ncnlnaim.exe
        
        C:\Windows\system32\Ncnlnaim.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Oihdjk32.exe
        
        C:\Windows\system32\Oihdjk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdplfflp.exe

Filesize
71KB

MD5
0d07aa4fcb30a31a7d4c8ef5ef918a3f

SHA1
db8df7a8699a969b843f9f74e1a622e1f40f4029

SHA256
387b5219b21f759d3fbf8768d670733a76919197281b541500838a5108f76b1e

SHA512
e1dca7fb991cda87cebca3972e1aa25f4bce2f8e5df26261ec0e8ff8a202cc412e304098487259c84c5f689d24b9b2e02b1f264ea5a58b593ce2e3b17e194d4d

Download Submit
C:\Windows\SysWOW64\Ndiomdde.exe

Filesize
71KB

MD5
ea58e38e5c66ab5a8325b8a59208c8eb

SHA1
a7084ab40dab1076a09b50a53e1af81e99cbea0c

SHA256
b60bcb51317181bb5b3e2eae56ca657818961157425e3e6d067ec65ce4daedbc

SHA512
60d8a628484892f452531bb36dc4b28b234bf2c3478d9bf40c80723a4b8887b2080972bd86cd1a5cfbfb96459dfb490159e05cbb7c96a9696fdf941e534b9022

Download Submit
C:\Windows\SysWOW64\Nkjdcp32.exe

Filesize
71KB

MD5
445c47400dbcc2208556ed37c70538e4

SHA1
6dba5033f4b6b92a7c24bd1cd4ec2d6f950d8aa9

SHA256
8729b1acd717389dadd09cc0f9f27444229d005b02386c472518d6862c5b8996

SHA512
c163b6025fab88c088b0387c589a01504457a50d9ba5be1d6cb1482f2eac47de0ac31bb1f150d9d2390748c5d1c7e30e7cdb167c3a18cb4fb455569d929b0062

Download Submit
C:\Windows\SysWOW64\Nknnnoph.exe

Filesize
71KB

MD5
fd5b59c4258665dd7c11bf032bec17c5

SHA1
c88b13bc2192efd49d29002b3b408172b59ba2af

SHA256
12f48196fd9617faff2360d666927c77c13f092f4ee8b309c946b089a32c7c18

SHA512
2aef3da7a048fd06471e88bbddb67741d60b3636ad4a666ff6891275d3554cfb904d845607dd87850c01526b1e763ddf81087bea19407b3a2be71b53ce3a7eee

Download Submit
C:\Windows\SysWOW64\Nldcagaq.exe

Filesize
71KB

MD5
b957e116acfab93033c4f84e33e7feec

SHA1
73aa3ac7feb053e1084b732494ffda7570651f7a

SHA256
fec1d74d351b69516ab80868c84ec0ce3220453cea4cff2f5fc7659f8d2385c8

SHA512
c75d9b6425e843c955b1a9090e37cfb04f481ed7ada0be0666165d1bbb9a559659fb636f432b94947237f9d2397df8682cb47316e15dc25ef4eb144f3b21f5f3

Download Submit
C:\Windows\SysWOW64\Nmhqokcq.exe

Filesize
71KB

MD5
453e194c0df399386ebc42ae452d9094

SHA1
4c3097d506fcf24f591398fc92ef25eb4b1cf622

SHA256
0944d0916366ad8c7ff285dc809bdda6fdf1b3d98f1e35925184c3d2d404b223

SHA512
5198eb351606a7dce9d4ecaf63cf635e24a1320fad74c4197846322ecdf9f814d06db6e7e3c1766918f95087e5bb0fdafbee5a3ff6c35994467de11fea76e20b

Download Submit
C:\Windows\SysWOW64\Nogmin32.exe

Filesize
71KB

MD5
6d2407d0be11c51eb9a9c66d5e5bbac2

SHA1
5ad6a151e31a6e54c12862ce6111416c71cc22b3

SHA256
e999ad7fcbaa1ce1b27d2ce4b5eb3dbe3139e2cd971e7162b90e005e2cff2813

SHA512
da1233dec004ac94be84d1b99791331d99ffa0d36b52466a39e8de450af07b7baae3d1ef9d7fb1eb175bb08e6ff59ab9cfb7ce82bd354dd7698f4eac35480c48

Download Submit
C:\Windows\SysWOW64\Oihdjk32.exe

Filesize
71KB

MD5
d585414b947f1194eaffdc42e749c316

SHA1
e6edb17800cccb68b0a4beb1c908d14d3e80d8d1

SHA256
7a19082fcee836c4427c27a703c644018a0cb41e399df0e18875c979e9131c81

SHA512
45d93e7b0a9f7147ef2b5ae55f06fcba1c62c36084a9c2b6758a856201fa51303752ab860e63ea73dfce0739ab0b73b4709ae0a65c26c8af02dc8d0c25d910d9

Download Submit
C:\Windows\SysWOW64\Ojqeofnd.dll

Filesize
7KB

MD5
00f990bef2f2f92f069a565c5ace2fb6

SHA1
0185ddfa35a334fb3e4e49ba382329194b533fd8

SHA256
58c25fa236a3eb650fae42f7dedf66c7f8191c8d2cd840f07a058a160f0e21f9

SHA512
41d64115f4a997b0d07d876e4709b8f65b85d8c74185c6f3e27f388c8a8b4d8b969115bd26c36ac2e0e0892ab241d5646533945a78b1add4b66512d9256afa73

Download Submit
\Windows\SysWOW64\Nacmpj32.exe

Filesize
71KB

MD5
e7077f2511034e6df4d8908597664b74

SHA1
2421958365e7fa01793fbe534604f4d7f3f09abc

SHA256
f6965e63706cfcd5844a2e29c88883b06c5aa20a37ef86c7e32d7188d67f59ea

SHA512
ce59a3e0cd4e430c8fe2fd8212fa9748a7175a32a96304651c9909d4dfea2241f856949b64b4e3f208a5ba38fbd91a6ba6d4a818679139b7dac1ee5a5c1b9514

Download Submit
\Windows\SysWOW64\Ncnlnaim.exe

Filesize
71KB

MD5
2e51aba5ce440d8989935e94069e0599

SHA1
6be907463c226d90ab3c0709ff61ed19999f1dbd

SHA256
19dfea16f1dfad61dcb5d7cc6bee49bbd345bf3177e345fd1b83f34e56d2cc2d

SHA512
cd8ac5a1814a261ba0b14d8f566bde3087b0d8eb6c0fd61cf44d001862d3b114d93d80f0a0ee84544e9e25bb00d29d064be088c1bb0b51dcec911ab8b52d7843

Download Submit
\Windows\SysWOW64\Ndgbgefh.exe

Filesize
71KB

MD5
17c5613781f9eb2593de5c11a36295d8

SHA1
bd86fe0876173ee580b4a4acb24014363c847a68

SHA256
7bc1ce632b1ade980b9da506a0c4debbac8e345a39f245517a11e1c504cb0a51

SHA512
19128ac870df643b2345dedf879985d95464bd782d26e1f0b271265b276d3ac97f8e763ffa4ee80f5ea639edd7b76a5ba6357f21f73484edadb3eb6bec96192f

Download Submit
\Windows\SysWOW64\Nhpabdqd.exe

Filesize
71KB

MD5
8b8685d575751dbe1cda2497144504be

SHA1
8ba986e7c773a9969cf1a895cf813fa0333f6275

SHA256
520cc371e51cf9f44b97298cf2a78557f7ae20a2fd71cb3072578c466d11d08c

SHA512
3658645ebfbd8ea26fff5d785f0e5cfbad1cbab06c0922850980997bfb0c87ae1eb13916ce158445758f224fe35a57ab284cde07a4d834098d74026c7a53e0b7

Download Submit
\Windows\SysWOW64\Nifgekbm.exe

Filesize
71KB

MD5
a4cfb6233a1f25d2a4ad5e593012e374

SHA1
5397ab2feae609c18a240d80582e759928770bbf

SHA256
0852686191285810d69177d2b4097107f30cabfe0f7fc7c4bd8a40855d2413ef

SHA512
427a0d9f4968fdaccf58f62e3e89a1fdc415f01682e29c2abcdad13f77322432594ac84028df23c047361fab5fcac73902c567504e19858ee7709f233a848c26

Download Submit
\Windows\SysWOW64\Nkqjdo32.exe

Filesize
71KB

MD5
ff397037506bca115076a5302157e902

SHA1
4485c468045a2964c1b35e2e3c0df28dae38462f

SHA256
2e52cf634fa27355d2b3de5c0e2c71659a59684bac965de422dd533fc054237b

SHA512
86a2a9ce5392af0566640f289408fb9cf5520e4313a68721034d37de5791b1229c7fc21d58adc8d08a4d3f7f73e8ed695b26376a38e8bb108f481c5b8f5ef256

Download Submit
\Windows\SysWOW64\Nlbgkgcc.exe

Filesize
71KB

MD5
30c891462712b2a31aca5d441b98ad0d

SHA1
4fe6dbe78250e3de33084591a84e464c9f654f43

SHA256
20735cb7d09e170172b54f9fce58340427061511d8a8655f40a7fcb5bfc6ce9d

SHA512
0ce24fb83979a170540470181f02caecd8ee0f3e557c994b789867c4bdd2b5c5712afc8176de71d8c13a262db26f34ab1c651b97c3d6d903e26f46d00eefb058

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
71KB

MD5
c10da993aa4487e3c38ae9bd23684ef9

SHA1
ad9349653251228fdbd8cdde636e6ecbc4a96512

SHA256
9f450bf436948fbdba15f1eb8f7c2d5e633817868c3913ad0cdb4a1eb5b5b0d5

SHA512
8fd3e9b564157537041b8b40b25b7105858c4f64636a4f2bb59347985f9c4c31d94ee3b0a96d72d6214d393394212250f8bca00a9145a8f722d1bd285ce96174

Download Submit
memory/972-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/972-231-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/972-186-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/1244-220-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-217-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1988-218-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/1988-205-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-225-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-97-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2036-110-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2036-106-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2080-124-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2080-137-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2080-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-23-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2208-25-0x0000000000290000-0x00000000002C9000-memory.dmp

Filesize
228KB

Download
memory/2208-222-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2344-226-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-230-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2428-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-223-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2608-69-0x0000000000440000-0x0000000000479000-memory.dmp

Filesize
228KB

Download
memory/2676-46-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2676-55-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2676-54-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2700-89-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2708-34-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2708-45-0x0000000000300000-0x0000000000339000-memory.dmp

Filesize
228KB

Download
memory/2764-203-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2808-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2808-82-0x00000000002D0000-0x0000000000309000-memory.dmp

Filesize
228KB

Download
memory/2808-70-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2864-26-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-151-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-163-0x0000000000250000-0x0000000000289000-memory.dmp

Filesize
228KB

Download
memory/2908-229-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2968-228-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2968-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads