65609bf2bdd0b4944a615f4c9658f874b84db731af9b6392bb393d647d017585

Analysis

max time kernel
111s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 18:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7d49aa98350a71f1692ae222303834b0N.exe
Size

91KB
MD5

7d49aa98350a71f1692ae222303834b0
SHA1

11a34a4440c2b77f535b78aea47ad17773af2248
SHA256

65609bf2bdd0b4944a615f4c9658f874b84db731af9b6392bb393d647d017585
SHA512

5ca64d0d22b81015c8ddcccc25ac353bfb8a910da138fcc1d3158bef882d51737491287aeadc80e89b85f3ebdb19f3090f89b724395d6279590cf93981db7261
SSDEEP

1536:o1lqCVrH0XbBv67DbpJkXW9FI8dad8mYN/yp4lLOreS:i70XbSpJkGv6qbyp6LOreS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncggifep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nidoamch.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mffgfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhdcbjal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7d49aa98350a71f1692ae222303834b0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbjgjqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ombhgljn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnfeep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obopobhe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njmejaqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olgehh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgjpcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbjgjqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncggifep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Olehbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffgfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhdcbjal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkcgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcfob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npngng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7d49aa98350a71f1692ae222303834b0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nidoamch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfcfob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olehbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olgehh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngafdepl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbodpo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmejaqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbodpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnfeep32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npngng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oenmkngi.exe

Executes dropped EXE 30 IoCs

pid	Process
2448	Mffgfo32.exe
2724	Mhdcbjal.exe
2816	Mdkcgk32.exe
2736	Mgjpcf32.exe
2756	Nbodpo32.exe
2676	Nglmifca.exe
2168	Nnfeep32.exe
2184	Ndpmbjbk.exe
2480	Njmejaqb.exe
2348	Nmkbfmpf.exe
1872	Ndbjgjqh.exe
2852	Ngafdepl.exe
1056	Nfcfob32.exe
1124	Nqijmkfm.exe
2148	Ncggifep.exe
2296	Nffcebdd.exe
1112	Nidoamch.exe
1220	Nmpkal32.exe
1792	Npngng32.exe
1312	Ncjcnfcn.exe
1552	Nfhpjaba.exe
1992	Ojdlkp32.exe
1620	Ombhgljn.exe
1924	Olehbh32.exe
2808	Obopobhe.exe
2940	Ofklpa32.exe
2768	Oenmkngi.exe
2924	Olgehh32.exe
2780	Opcaiggo.exe
2632	Ohnemidj.exe

Loads dropped DLL 64 IoCs

pid	Process
2324	7d49aa98350a71f1692ae222303834b0N.exe
2324	7d49aa98350a71f1692ae222303834b0N.exe
2448	Mffgfo32.exe
2448	Mffgfo32.exe
2724	Mhdcbjal.exe
2724	Mhdcbjal.exe
2816	Mdkcgk32.exe
2816	Mdkcgk32.exe
2736	Mgjpcf32.exe
2736	Mgjpcf32.exe
2756	Nbodpo32.exe
2756	Nbodpo32.exe
2676	Nglmifca.exe
2676	Nglmifca.exe
2168	Nnfeep32.exe
2168	Nnfeep32.exe
2184	Ndpmbjbk.exe
2184	Ndpmbjbk.exe
2480	Njmejaqb.exe
2480	Njmejaqb.exe
2348	Nmkbfmpf.exe
2348	Nmkbfmpf.exe
1872	Ndbjgjqh.exe
1872	Ndbjgjqh.exe
2852	Ngafdepl.exe
2852	Ngafdepl.exe
1056	Nfcfob32.exe
1056	Nfcfob32.exe
1124	Nqijmkfm.exe
1124	Nqijmkfm.exe
2148	Ncggifep.exe
2148	Ncggifep.exe
2296	Nffcebdd.exe
2296	Nffcebdd.exe
1112	Nidoamch.exe
1112	Nidoamch.exe
1220	Nmpkal32.exe
1220	Nmpkal32.exe
1792	Npngng32.exe
1792	Npngng32.exe
1312	Ncjcnfcn.exe
1312	Ncjcnfcn.exe
1552	Nfhpjaba.exe
1552	Nfhpjaba.exe
1992	Ojdlkp32.exe
1992	Ojdlkp32.exe
1620	Ombhgljn.exe
1620	Ombhgljn.exe
1924	Olehbh32.exe
1924	Olehbh32.exe
2808	Obopobhe.exe
2808	Obopobhe.exe
2940	Ofklpa32.exe
2940	Ofklpa32.exe
2768	Oenmkngi.exe
2768	Oenmkngi.exe
2924	Olgehh32.exe
2924	Olgehh32.exe
2780	Opcaiggo.exe
2780	Opcaiggo.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe
2080	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nqijmkfm.exe	Nfcfob32.exe
File created	C:\Windows\SysWOW64\Olehbh32.exe	Ombhgljn.exe
File created	C:\Windows\SysWOW64\Depojmnb.dll	Mgjpcf32.exe
File created	C:\Windows\SysWOW64\Nnfeep32.exe	Nglmifca.exe
File opened for modification	C:\Windows\SysWOW64\Ojdlkp32.exe	Nfhpjaba.exe
File created	C:\Windows\SysWOW64\Ofklpa32.exe	Obopobhe.exe
File opened for modification	C:\Windows\SysWOW64\Ndpmbjbk.exe	Nnfeep32.exe
File created	C:\Windows\SysWOW64\Nffcebdd.exe	Ncggifep.exe
File created	C:\Windows\SysWOW64\Dpeack32.dll	Ojdlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Oenmkngi.exe	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Ceahlg32.dll	Nbodpo32.exe
File created	C:\Windows\SysWOW64\Nmkbfmpf.exe	Njmejaqb.exe
File opened for modification	C:\Windows\SysWOW64\Nfcfob32.exe	Ngafdepl.exe
File created	C:\Windows\SysWOW64\Oenmkngi.exe	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Jligibpk.dll	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Mffgfo32.exe	7d49aa98350a71f1692ae222303834b0N.exe
File opened for modification	C:\Windows\SysWOW64\Mgjpcf32.exe	Mdkcgk32.exe
File created	C:\Windows\SysWOW64\Khggofme.dll	Nfcfob32.exe
File created	C:\Windows\SysWOW64\Igffogeb.dll	Nffcebdd.exe
File created	C:\Windows\SysWOW64\Obopobhe.exe	Olehbh32.exe
File opened for modification	C:\Windows\SysWOW64\Opcaiggo.exe	Olgehh32.exe
File created	C:\Windows\SysWOW64\Ndpmbjbk.exe	Nnfeep32.exe
File created	C:\Windows\SysWOW64\Bqhmkq32.dll	Nnfeep32.exe
File opened for modification	C:\Windows\SysWOW64\Ngafdepl.exe	Ndbjgjqh.exe
File created	C:\Windows\SysWOW64\Idomll32.dll	Nidoamch.exe
File created	C:\Windows\SysWOW64\Ombhgljn.exe	Ojdlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Olgehh32.exe	Oenmkngi.exe
File created	C:\Windows\SysWOW64\Opcboqhc.dll	Mffgfo32.exe
File created	C:\Windows\SysWOW64\Bbfojg32.dll	Nglmifca.exe
File created	C:\Windows\SysWOW64\Dlmoai32.dll	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Nidoamch.exe	Nffcebdd.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Ndbjgjqh.exe	Nmkbfmpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqijmkfm.exe	Nfcfob32.exe
File created	C:\Windows\SysWOW64\Apeblc32.dll	Ndbjgjqh.exe
File opened for modification	C:\Windows\SysWOW64\Ofklpa32.exe	Obopobhe.exe
File opened for modification	C:\Windows\SysWOW64\Nffcebdd.exe	Ncggifep.exe
File created	C:\Windows\SysWOW64\Gaijph32.dll	Ncggifep.exe
File opened for modification	C:\Windows\SysWOW64\Npngng32.exe	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Keniknoh.dll	Obopobhe.exe
File created	C:\Windows\SysWOW64\Hmdcof32.dll	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Ncggifep.exe	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Ogpaem32.dll	Ndpmbjbk.exe
File created	C:\Windows\SysWOW64\Ngafdepl.exe	Ndbjgjqh.exe
File created	C:\Windows\SysWOW64\Npngng32.exe	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Ncjcnfcn.exe	Npngng32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjcnfcn.exe	Npngng32.exe
File opened for modification	C:\Windows\SysWOW64\Ombhgljn.exe	Ojdlkp32.exe
File created	C:\Windows\SysWOW64\Mdkcgk32.exe	Mhdcbjal.exe
File created	C:\Windows\SysWOW64\Njmejaqb.exe	Ndpmbjbk.exe
File created	C:\Windows\SysWOW64\Imfkindn.dll	Ombhgljn.exe
File created	C:\Windows\SysWOW64\Olgehh32.exe	Oenmkngi.exe
File opened for modification	C:\Windows\SysWOW64\Mdkcgk32.exe	Mhdcbjal.exe
File created	C:\Windows\SysWOW64\Nglmifca.exe	Nbodpo32.exe
File opened for modification	C:\Windows\SysWOW64\Nglmifca.exe	Nbodpo32.exe
File created	C:\Windows\SysWOW64\Bllndljk.dll	Njmejaqb.exe
File opened for modification	C:\Windows\SysWOW64\Ncggifep.exe	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Hacdjlag.dll	Npngng32.exe
File created	C:\Windows\SysWOW64\Lkffpabj.dll	7d49aa98350a71f1692ae222303834b0N.exe
File created	C:\Windows\SysWOW64\Mhdcbjal.exe	Mffgfo32.exe
File created	C:\Windows\SysWOW64\Ojdlkp32.exe	Nfhpjaba.exe
File opened for modification	C:\Windows\SysWOW64\Nmkbfmpf.exe	Njmejaqb.exe
File opened for modification	C:\Windows\SysWOW64\Nidoamch.exe	Nffcebdd.exe
File opened for modification	C:\Windows\SysWOW64\Nfhpjaba.exe	Ncjcnfcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2080	2632	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombhgljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjcnfcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olehbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nidoamch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdkcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmejaqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngafdepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfhpjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdlkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oenmkngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d49aa98350a71f1692ae222303834b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjpcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncggifep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obopobhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofklpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndbjgjqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkbfmpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbodpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglmifca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnfeep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npngng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opcaiggo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhdcbjal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpmbjbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcfob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqijmkfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nffcebdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olgehh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffgfo32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfiffp32.dll"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll"	Nidoamch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nidoamch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npngng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll"	Npngng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkicgjf.dll"	Mhdcbjal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjqigm32.dll"	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfcfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncggifep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nidoamch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mffgfo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbodpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depojmnb.dll"	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbodpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhdcbjal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfcfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncggifep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bholhi32.dll"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obopobhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfojg32.dll"	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllndljk.dll"	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Olgehh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofilmn32.dll"	Mdkcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll"	Nbodpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnfeep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaijph32.dll"	Ncggifep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	7d49aa98350a71f1692ae222303834b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcboqhc.dll"	Mffgfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgojd32.dll"	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmoai32.dll"	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nffcebdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obopobhe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbfhefe.dll"	Olgehh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngafdepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igffogeb.dll"	Nffcebdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apeblc32.dll"	Ndbjgjqh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7d49aa98350a71f1692ae222303834b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhdcbjal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkbfmpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbjgjqh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqijmkfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7d49aa98350a71f1692ae222303834b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	7d49aa98350a71f1692ae222303834b0N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2448	2324	7d49aa98350a71f1692ae222303834b0N.exe	29
PID 2324 wrote to memory of 2448	2324	7d49aa98350a71f1692ae222303834b0N.exe	29
PID 2324 wrote to memory of 2448	2324	7d49aa98350a71f1692ae222303834b0N.exe	29
PID 2324 wrote to memory of 2448	2324	7d49aa98350a71f1692ae222303834b0N.exe	29
PID 2448 wrote to memory of 2724	2448	Mffgfo32.exe	30
PID 2448 wrote to memory of 2724	2448	Mffgfo32.exe	30
PID 2448 wrote to memory of 2724	2448	Mffgfo32.exe	30
PID 2448 wrote to memory of 2724	2448	Mffgfo32.exe	30
PID 2724 wrote to memory of 2816	2724	Mhdcbjal.exe	31
PID 2724 wrote to memory of 2816	2724	Mhdcbjal.exe	31
PID 2724 wrote to memory of 2816	2724	Mhdcbjal.exe	31
PID 2724 wrote to memory of 2816	2724	Mhdcbjal.exe	31
PID 2816 wrote to memory of 2736	2816	Mdkcgk32.exe	32
PID 2816 wrote to memory of 2736	2816	Mdkcgk32.exe	32
PID 2816 wrote to memory of 2736	2816	Mdkcgk32.exe	32
PID 2816 wrote to memory of 2736	2816	Mdkcgk32.exe	32
PID 2736 wrote to memory of 2756	2736	Mgjpcf32.exe	33
PID 2736 wrote to memory of 2756	2736	Mgjpcf32.exe	33
PID 2736 wrote to memory of 2756	2736	Mgjpcf32.exe	33
PID 2736 wrote to memory of 2756	2736	Mgjpcf32.exe	33
PID 2756 wrote to memory of 2676	2756	Nbodpo32.exe	34
PID 2756 wrote to memory of 2676	2756	Nbodpo32.exe	34
PID 2756 wrote to memory of 2676	2756	Nbodpo32.exe	34
PID 2756 wrote to memory of 2676	2756	Nbodpo32.exe	34
PID 2676 wrote to memory of 2168	2676	Nglmifca.exe	35
PID 2676 wrote to memory of 2168	2676	Nglmifca.exe	35
PID 2676 wrote to memory of 2168	2676	Nglmifca.exe	35
PID 2676 wrote to memory of 2168	2676	Nglmifca.exe	35
PID 2168 wrote to memory of 2184	2168	Nnfeep32.exe	36
PID 2168 wrote to memory of 2184	2168	Nnfeep32.exe	36
PID 2168 wrote to memory of 2184	2168	Nnfeep32.exe	36
PID 2168 wrote to memory of 2184	2168	Nnfeep32.exe	36
PID 2184 wrote to memory of 2480	2184	Ndpmbjbk.exe	37
PID 2184 wrote to memory of 2480	2184	Ndpmbjbk.exe	37
PID 2184 wrote to memory of 2480	2184	Ndpmbjbk.exe	37
PID 2184 wrote to memory of 2480	2184	Ndpmbjbk.exe	37
PID 2480 wrote to memory of 2348	2480	Njmejaqb.exe	38
PID 2480 wrote to memory of 2348	2480	Njmejaqb.exe	38
PID 2480 wrote to memory of 2348	2480	Njmejaqb.exe	38
PID 2480 wrote to memory of 2348	2480	Njmejaqb.exe	38
PID 2348 wrote to memory of 1872	2348	Nmkbfmpf.exe	39
PID 2348 wrote to memory of 1872	2348	Nmkbfmpf.exe	39
PID 2348 wrote to memory of 1872	2348	Nmkbfmpf.exe	39
PID 2348 wrote to memory of 1872	2348	Nmkbfmpf.exe	39
PID 1872 wrote to memory of 2852	1872	Ndbjgjqh.exe	40
PID 1872 wrote to memory of 2852	1872	Ndbjgjqh.exe	40
PID 1872 wrote to memory of 2852	1872	Ndbjgjqh.exe	40
PID 1872 wrote to memory of 2852	1872	Ndbjgjqh.exe	40
PID 2852 wrote to memory of 1056	2852	Ngafdepl.exe	41
PID 2852 wrote to memory of 1056	2852	Ngafdepl.exe	41
PID 2852 wrote to memory of 1056	2852	Ngafdepl.exe	41
PID 2852 wrote to memory of 1056	2852	Ngafdepl.exe	41
PID 1056 wrote to memory of 1124	1056	Nfcfob32.exe	42
PID 1056 wrote to memory of 1124	1056	Nfcfob32.exe	42
PID 1056 wrote to memory of 1124	1056	Nfcfob32.exe	42
PID 1056 wrote to memory of 1124	1056	Nfcfob32.exe	42
PID 1124 wrote to memory of 2148	1124	Nqijmkfm.exe	43
PID 1124 wrote to memory of 2148	1124	Nqijmkfm.exe	43
PID 1124 wrote to memory of 2148	1124	Nqijmkfm.exe	43
PID 1124 wrote to memory of 2148	1124	Nqijmkfm.exe	43
PID 2148 wrote to memory of 2296	2148	Ncggifep.exe	44
PID 2148 wrote to memory of 2296	2148	Ncggifep.exe	44
PID 2148 wrote to memory of 2296	2148	Ncggifep.exe	44
PID 2148 wrote to memory of 2296	2148	Ncggifep.exe	44

C:\Users\Admin\AppData\Local\Temp\7d49aa98350a71f1692ae222303834b0N.exe
"C:\Users\Admin\AppData\Local\Temp\7d49aa98350a71f1692ae222303834b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\SysWOW64\Mffgfo32.exe
  C:\Windows\system32\Mffgfo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\Mhdcbjal.exe
    C:\Windows\system32\Mhdcbjal.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\Mdkcgk32.exe
      C:\Windows\system32\Mdkcgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\SysWOW64\Mgjpcf32.exe
        
        C:\Windows\system32\Mgjpcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\Nbodpo32.exe
        
        C:\Windows\system32\Nbodpo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Nglmifca.exe
        
        C:\Windows\system32\Nglmifca.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Nnfeep32.exe
        
        C:\Windows\system32\Nnfeep32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Ndpmbjbk.exe
        
        C:\Windows\system32\Ndpmbjbk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Njmejaqb.exe
        
        C:\Windows\system32\Njmejaqb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Nmkbfmpf.exe
        
        C:\Windows\system32\Nmkbfmpf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\Ndbjgjqh.exe
        
        C:\Windows\system32\Ndbjgjqh.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\SysWOW64\Ngafdepl.exe
        
        C:\Windows\system32\Ngafdepl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Nfcfob32.exe
        
        C:\Windows\system32\Nfcfob32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Nqijmkfm.exe
        
        C:\Windows\system32\Nqijmkfm.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Ncggifep.exe
        
        C:\Windows\system32\Ncggifep.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Nffcebdd.exe
        
        C:\Windows\system32\Nffcebdd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Nidoamch.exe
        
        C:\Windows\system32\Nidoamch.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Nmpkal32.exe
        
        C:\Windows\system32\Nmpkal32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Npngng32.exe
        
        C:\Windows\system32\Npngng32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Ncjcnfcn.exe
        
        C:\Windows\system32\Ncjcnfcn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\Nfhpjaba.exe
        
        C:\Windows\system32\Nfhpjaba.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Ojdlkp32.exe
        
        C:\Windows\system32\Ojdlkp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1992
        
        C:\Windows\SysWOW64\Ombhgljn.exe
        
        C:\Windows\system32\Ombhgljn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Olehbh32.exe
        
        C:\Windows\system32\Olehbh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1924
        
        C:\Windows\SysWOW64\Obopobhe.exe
        
        C:\Windows\system32\Obopobhe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Ofklpa32.exe
        
        C:\Windows\system32\Ofklpa32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Oenmkngi.exe
        
        C:\Windows\system32\Oenmkngi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Olgehh32.exe
        
        C:\Windows\system32\Olgehh32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Opcaiggo.exe
        
        C:\Windows\system32\Opcaiggo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2632 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mffgfo32.exe

Filesize
91KB

MD5
acd5c5aca3e81542563186361b42fe54

SHA1
8eaa4ddfbbedfd0ada5629c84979918cff0504fc

SHA256
4044799f1676e28290949b4da4869f593d5dee01e02dfd7b158bae9cec8c0ec5

SHA512
77e7290c54c2491461773449dac449bfedacd49df67459c693b405749d3a15dbf3951280f05969c27895df67883a8f2a709a2cb643de20814a66ddda39ac73bf

Download Submit
C:\Windows\SysWOW64\Ncggifep.exe

Filesize
91KB

MD5
5fdcba83228882bc7b22fc2a687e52e8

SHA1
f891517aa231044e10c8a2247e32e80b6f1a945a

SHA256
7b9ba39b8203e6fe8607ae4cc24fddf3be5618d383de1cb91aa51ed533d8ffaa

SHA512
e3f3719125721fb8c265ee649298a3fe408b21673991cc254600254bd42721782a19d467648734d1732c0e1c7199ec0bcdab7338d7d00a4429c84d583c9cc656

Download Submit
C:\Windows\SysWOW64\Ncjcnfcn.exe

Filesize
91KB

MD5
d4f52542a3474b455467850486314b6b

SHA1
a34618da57c68d51d9d82f3c43cf1068f43a58d3

SHA256
68f80d2dc5932f1a936b62319d9f3a8afcdaf2fa405f70bd9eb22c5908829753

SHA512
1233f40f1a04c51825b285943d4275f64287325152bc74d86fb1a1b8a0b42a99a55f04a190e2750f59a81c32b4d29e8ce397ea9f7f54575325b5357bac76d4aa

Download Submit
C:\Windows\SysWOW64\Ndbjgjqh.exe

Filesize
91KB

MD5
b97d6b3108c7083b31cf3c22435a83b2

SHA1
925ae3fe2c0f3e8b80b30a5bb07edfd581313850

SHA256
e95580663d5bd67365d1e4ead3e06eb8fb9998bce1e8c6cc3c9a236608ecddde

SHA512
4b91e07ccad11336ae43552651db5e38fd6d40b1270016ee7a98e5287d94d6c75ad924d17cbc2bb743d95d4b53f8f48479a22f30b47a7acd5aa64dcc8d3273bd

Download Submit
C:\Windows\SysWOW64\Ndpmbjbk.exe

Filesize
91KB

MD5
86a9a66524f202988aeab1c9ea246a23

SHA1
23255891443ee07bfd2acc2aecd98e867195d3e0

SHA256
8cdf5b852681f4c0d2b2c7ac1d5dc2c3e75ad0c4a13e9d0dc5185b289bc61107

SHA512
fafad99d74e19f9a68f488d17da3008bc00acd2815edc36a750a211f512a1aaac862ea62d5f64a1c7668c6855a1f67131ea5d6e1160ad8b46ea1d8c2c5e2617a

Download Submit
C:\Windows\SysWOW64\Nfhpjaba.exe

Filesize
91KB

MD5
feb3b2bb0f60b950674966ec5957717d

SHA1
9e4724fba18fb3a47a037fb59e61a443f24c1473

SHA256
6165c85d27d27b822172a845d92f76e2cc4d229ee7cecb06157354547f7bd60b

SHA512
d0bb1c53bcfa499c0b14a6ae14ec42c8bc14c127d007af08a140ba96f26ea60953eb015648b0d6951d162e664652497ad1fd4ec49c521f760736fcb489abde34

Download Submit
C:\Windows\SysWOW64\Ngafdepl.exe

Filesize
91KB

MD5
844fbdc4874c01086c35422454a00a4c

SHA1
91e94dfa255a34e7f4ca066c3ed3fd3ae422e459

SHA256
4619c35ded5b5148fb7733caa70af58d7dcc632a00b300bc1b2074ec5867b3e6

SHA512
c2f4ff9a7af920ee27d08c84a73e1cef501a41bbca0117b1064df0ce1c8e047db0d7877ec859fdfdddc333fa63ed30f95518dc4968d7f6c06933fb50013327c7

Download Submit
C:\Windows\SysWOW64\Nidoamch.exe

Filesize
91KB

MD5
3eb3c5748fc0a23613c8133d37ea2844

SHA1
291aa47768f48c9b38ab124831c378c7ba43ad6d

SHA256
859fd02f486ba9fe965541785e8044dfc51f6bbd91fb7cc8beef8e29cf711b8a

SHA512
53a3971aadeeac843b3bfe03bf563a4f1f74e1885bf5c3fd4150022ab1f647eb982ce284d1b0fd1a9133e8ae5c35d8b159bfe70e751a1427901efc352478fec2

Download Submit
C:\Windows\SysWOW64\Nmkbfmpf.exe

Filesize
91KB

MD5
ab3b1e69b97b5ee1dc19c70fd391a6cc

SHA1
2e626c924230fd718bd86be3e7f4c1f9ffdfea62

SHA256
3c73f599b463f3e4d39564f41127bc984a26971f3f798f6d8453ab9f486bfcbb

SHA512
d5fc23f6277aca3b36af19d5dd72ed6c4c0273a61c3e78c501b0db57a812c29659e5f6f9b3f7fc39ef36adbeca2bb49930043281381f9b9bb5158528978a883e

Download Submit
C:\Windows\SysWOW64\Nmpkal32.exe

Filesize
91KB

MD5
3459b4f478a68c92d4687b72fde1f1fd

SHA1
8bc6e90c3abb900652d468f9e1bd618d27e211c2

SHA256
a4e7100fb44f904de99e840e12ba849030f03b53087e8ef5b7041fe6eb9d0836

SHA512
e90719707367b5288140097f04280b345c00fb1f82709843656e5eaf6d0f4d2f5f134de50c5e8ddc3b865df6d378c82b5ca7602a22ba8022e76f6f3fbe607448

Download Submit
C:\Windows\SysWOW64\Npngng32.exe

Filesize
91KB

MD5
4eee2e487524dd7f9252599955f0583e

SHA1
2ba4b39af69e8029dbd519ba2c4b26add2386a9d

SHA256
823519ee5b4e8d6f6623a78c4d9f55ea4a017d0007fd2bd9c29bccd65804be83

SHA512
9360af90ab82fb655c5b26f834b07260f45fbd3ca6590ebcfea82ccec775cb1ccb7ca71c1b574d10cc1665c134153bd1191872f6cf3cbdfe52a39cbc50fa79a7

Download Submit
C:\Windows\SysWOW64\Nqijmkfm.exe

Filesize
91KB

MD5
46f92e1680a0071cdb38af0abfe1b54d

SHA1
2b28fc3c9b4d2395cf4c9d1cd24e85d62e3a0335

SHA256
43828e48c89303ac96e2a82833459acbf5ee9aeceb84be0fdb1e6391b09aefd8

SHA512
d62b3a3240c3b16d15c04e36383411aed66fd208bea1d032d98e22b2d1df32c54efefe257bdc2db2547e43fd4613c4dea18bf6b41e0b7e99891ed04d0d77cd41

Download Submit
C:\Windows\SysWOW64\Obopobhe.exe

Filesize
91KB

MD5
baecd7e67c094b997e1c524a2014e930

SHA1
824edda6e4834d86634d72986295600b7f927158

SHA256
1387d1f577452d4d6f85194044eee5e5331da7d16c56481f493343b011a3226c

SHA512
9b83dcb2868fc035934081e083d83b938e662a6b6b3815b3580c754a7d880ce094f84dc1544b573c29723d3ff2864cf5013c02433ed7916d5de5bd3a717f8671

Download Submit
C:\Windows\SysWOW64\Oenmkngi.exe

Filesize
91KB

MD5
d46589e3973ac19b4c8ed0bcff820b04

SHA1
314f5d28260e811f4c2d737f8b263f62e4d68b08

SHA256
34fe68ca1fa6ab036a350485fa00da723b0296a0298e05e28f39a4f37eeb63c5

SHA512
143cb3cf2068396461309850d55d6fc031be28e37157b35442f7a07e34185f7d36cb22d6748a4218854dacf6d6406a82c5fbf1aa968b862ed811b0bb0d49ad36

Download Submit
C:\Windows\SysWOW64\Ofklpa32.exe

Filesize
91KB

MD5
3a51f47d39da0df5480ee897c2ff2b5d

SHA1
88ee1e7854fedbd8c7401aae12d824a7b63f89de

SHA256
26c1cb82a3b623d7060b487091f9dbe5a941845a7360253ad08e5133714abb4a

SHA512
dc6090b2f43609af3af047db22428d138146f9b292beb4891bf3af18c02be243238f539df3358d74a5006debb5880b7d4aa2677a6e69a2a554596b0f469dfb2b

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
91KB

MD5
c61166f4a8de9ccf793010794e04c0cf

SHA1
0ad695896ad8c00d781327d2f180cc1b55263d3b

SHA256
51197ea15a11c07a06f982cb3217d871f6fb7a579ff2184dd54aada6b87321ac

SHA512
62622846d2c56c510af897b825d43357c767696271f53cee2e68b4c52e328ac75c019c8393a4ef1d10db331c30beacb71f2ed6bf29017031b4dfe0693117bed5

Download Submit
C:\Windows\SysWOW64\Ojdlkp32.exe

Filesize
91KB

MD5
0ca125da2db56c1346788c6fb2c958a2

SHA1
23d494690014dd9a9ac6b184c8b670705fd85a96

SHA256
991958e3b6557a3baeb25bf91ac1cbdf390a644719b74606eedfff882847b3af

SHA512
7b0a289565266b5be749d2bc77ab1a9649916a522112ea6a6afe0596434255fed0369310ad11b5c979807d8f2367d4699632007ff916d476e406d407b4204b46

Download Submit
C:\Windows\SysWOW64\Olehbh32.exe

Filesize
91KB

MD5
c56c75401e346a803be1411ea160122a

SHA1
27d44e6bd7f41d8ea47805a8f1279d0cf0a791a7

SHA256
9b14ba775fc9a6a2dd3d5f47f9a835c3e398a99661efc8ca65ed6c723f7ae988

SHA512
30b8f22fa41f30a19796dfac6230db2f29be735590af5f54f74bf8187543acfe22197dec3c2a13102aad50d5fa4ccf266ae5cfe5d4d340d67028bff90cb5535a

Download Submit
C:\Windows\SysWOW64\Olgehh32.exe

Filesize
91KB

MD5
c7f0aaab81973c7db1f5caf7e7150030

SHA1
9dfe68941c66d2699df62273632d068d247fcb1c

SHA256
9e1d5c82b53b5d78b44a1a9a2f4db29b69828122c4569fb8d954086bdc8a05ac

SHA512
4d1c777cb78dabd1399721e337a6c1bf4a4722eacab1b3952681dba046087522a9f0e5cbc6e6749c9f980363fa0ae8d2d76e4acd31bf7c2c11bf07dd7d243cc6

Download Submit
C:\Windows\SysWOW64\Ombhgljn.exe

Filesize
91KB

MD5
1b3dd3763f8663e92d21989d93df34ea

SHA1
fc61eb7bb9f7b16e45a73049eab1a832b7821733

SHA256
fe74bdef6a4a794208726b4f6a4940e428f22f06d763543b5008a1001a9d3fd3

SHA512
ec15e9f649ee81d75746dfc827597c64252aba004f26b11778cd192f5f99c7e6e44994020ced1afd90cdf000c0e3c73259e2a350e2e737e263144985f443c7a1

Download Submit
C:\Windows\SysWOW64\Opcaiggo.exe

Filesize
91KB

MD5
361d9dbe6bd1b44a7613ac13502fe52a

SHA1
f69f135d7ebb7017d8a690df8ac5b8e2251cf962

SHA256
f8b05fe84f19c7ed2ed3058e18b536bef0894252d3836216b07780f6433b243c

SHA512
72ea14d34bbf7f9d8cced70769ccb0609ed3c5814dd73bb01b491f4b1fd154af972cd5016a0f5ea36b4e8f3987cac1b4f09a6944e29af9ca57d7f5241e753b41

Download Submit
\Windows\SysWOW64\Mdkcgk32.exe

Filesize
91KB

MD5
8dff32a6429f4ef214602e96279b4c1a

SHA1
f2dae2ae208e59e606761f3469f92173069724e7

SHA256
b50fba11a9ad00d0f6d577c8d5b54a6c7c9317c3fb23507c9a723e0f0ce3f298

SHA512
55b578b148c810bcd0edd249c08babc847e61d11f6e31cb8ac4f1e082ac3c439b4b81c5172419fc51a49ac137852cc6f9f12e118b443018579a1fc13685179c4

Download Submit
\Windows\SysWOW64\Mgjpcf32.exe

Filesize
91KB

MD5
5c242be132d0e3c838b012951eb43674

SHA1
2deecf52ca7cab9f6634f4f568fc0d34527e506b

SHA256
f33c2005925df5ecb38faaa0a13d1dfb0b7745762faaf6c70516b7b538558972

SHA512
35a5d68b4a2d65f181188a8d088c468b7fcc511ab9206c27db23fcbef5b7f55beccaa18ce2719f49addf820e6b6cac412dff8ad6b2924b4e02db04e2c7acb013

Download Submit
\Windows\SysWOW64\Mhdcbjal.exe

Filesize
91KB

MD5
712673eebfecf9641f15b6fb556df2b4

SHA1
7798aa27b418604a46a887541a3119edf3ca5cd5

SHA256
8ddfa6374ee2027b54bc4c6571336c3c28710fcfd3ec9f079300b942c817862d

SHA512
2c58bcb3ff2fa14ce6e2d2cf74cd948f4b047adb7d5a4e8deb0150acdb4f55a4fa5f4a0f31186206620874a5e3a54633b4ec16638a86b4770fcc66d59d61e024

Download Submit
\Windows\SysWOW64\Nbodpo32.exe

Filesize
91KB

MD5
50032dcb1ba09ba54dff940e98cd3365

SHA1
9b0a21d745d0aabaa102edc66ff68eb5d3d7aca9

SHA256
810b9b36a479da1a2796f814c7f3806a46a3de386811fc5f8bcf6eccd0a7d3b0

SHA512
d7ebe037ebe1146fe0c2e06d03cec06ba49051129e1d2183a54b13ab13fa97a2661185365cfe481bdb051ed5758aae292ed1e1710aa351dd4aac15190cc87881

Download Submit
\Windows\SysWOW64\Nfcfob32.exe

Filesize
91KB

MD5
afb916034c14e97d9d7359b9b137bddb

SHA1
e79fcfd0174404587aae24afe6f78034d6793ac9

SHA256
188cc1c3a4bd76496c597c4242c0546f9416519d1b398ab9e0f7db01ce08aa1b

SHA512
20b49a0268e8e80c74d2865634c5392f5419083dd36696f2de61da4b1773b0d15dee8f56e50e016cad47991dd7b91338c64b793dc2b8f7673955bfba24ffb591

Download Submit
\Windows\SysWOW64\Nffcebdd.exe

Filesize
91KB

MD5
a3003ce3394588a170d9e98ec386dc06

SHA1
ecb26282725e0b97025732bac4731e82e68b7e9f

SHA256
533b35f8a846c1fa3d7557b40e564828b765f24fbe6366c1f4ba6c80ee98508f

SHA512
b2c2fda7370fa03fbc46ed1aac6b80a2eaa2971bf5286212db1553f1fea65157a22f26f1ca32e3c0e22ad0589acb20bb9765a9eaf5483ddaffaec6e5c870c00e

Download Submit
\Windows\SysWOW64\Nglmifca.exe

Filesize
91KB

MD5
bbab27648bbc21ebeaa407438c235558

SHA1
235eeb5c88134171949c5bac7b0c4eae25764bca

SHA256
2991c8706ad4408996c09c12295dadfb29a563199cd326218506a23287ece531

SHA512
beac462a5eb8df084c34eaa917f49f9f77b9474018b6e05dc60c4441eda3bffcc4b1beeebb744d3cb3ff6769ae74975e30a9ecfafbecfa1a9e0f2b2398f6f86e

Download Submit
\Windows\SysWOW64\Njmejaqb.exe

Filesize
91KB

MD5
76ee010eb300ecd2511c03406a23d13b

SHA1
c9f1aaadb05eb02d5062845dc5fef58885691804

SHA256
2302dd5af6b7339f9b796538790209fdc3588eec8d5e7eccfc17b906ae8fb5c5

SHA512
76e2ac4e4a7eaa0ca798eefc1387ef2ecf0d0517b314301a9067c6ce3961e6edec475b41d1e2f1ae1e9102c04d96d11b6aef5b872e1ac5d35526e14e7aa9c043

Download Submit
\Windows\SysWOW64\Nnfeep32.exe

Filesize
91KB

MD5
679021cf858a61ceb92086861da78ba1

SHA1
418a98633b1e455e8598bf636d92f23fc4743609

SHA256
0828b850dce8d0b0ee61312a753f8dd1f4abdcbf9b41f23a8c3c0473d6fe5c65

SHA512
3585ec0386ca1c04213045c56daf5189099559ad74cd8b4edd03e1e1c94c1fc91b50d7cb2ba13c90701c2f6fe2014f4d75369cb45c5aeae784b00eb5882aefad

Download Submit
memory/1056-374-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1056-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-233-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1112-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1112-378-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-197-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/1124-375-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1124-189-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1220-379-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-260-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1312-381-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1552-382-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-290-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1620-291-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1620-384-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-245-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1792-251-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1792-380-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1872-159-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/1872-372-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-301-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1924-385-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1924-297-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1992-272-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-383-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1992-278-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2148-376-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2148-215-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2168-100-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2168-368-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2184-120-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2184-424-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2184-369-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-377-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-216-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-223-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/2324-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2324-17-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2324-19-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2324-358-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/2324-356-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-371-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-144-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2348-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2448-22-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2448-357-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2480-370-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-130-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2480-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-355-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2632-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-88-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2676-367-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2676-81-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-39-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2724-40-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2724-359-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-360-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2736-365-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2736-62-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2736-392-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2756-366-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-332-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2780-354-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2780-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-353-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2780-344-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-386-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-311-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2808-310-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2816-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-170-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2852-373-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-339-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2924-343-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2940-326-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2940-327-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/2940-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2940-387-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads