3c38b4249a92a21e248d4aa2a28bf5640151f871f66218c40f1a613bee17b488

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d7039cbc803ab30aabd850552a34a30N.exe
Size

67KB
MD5

8d7039cbc803ab30aabd850552a34a30
SHA1

f44ef5b3d237f4c3a4fba880c84f4f32792a0784
SHA256

3c38b4249a92a21e248d4aa2a28bf5640151f871f66218c40f1a613bee17b488
SHA512

3408156c48ec97af7a09b1338616f26d1107fc67546da07fec657e99225aead022f70a8dbd0e1ce288d6a23696fa7723b51ae119256b81313f398ccd2acafce3
SSDEEP

1536:MpD5cSCt2r3RIeBSnWPKs6WQ0REsJifTduD4oTxw:MN5F7VHSnbBN0REsJibdMTxw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8d7039cbc803ab30aabd850552a34a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Memlki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nknnnoph.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8d7039cbc803ab30aabd850552a34a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbopon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Memlki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npppaejj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbopon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npnclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npnclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcanq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npppaejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohkdfhge.exe

Executes dropped EXE 15 IoCs

pid	Process
1880	Mbopon32.exe
2716	Memlki32.exe
3032	Nkjdcp32.exe
2856	Nmhqokcq.exe
2824	Nacmpj32.exe
2632	Ngqeha32.exe
2036	Npiiafpa.exe
2052	Ngcanq32.exe
2064	Nknnnoph.exe
2964	Nickoldp.exe
2848	Npnclf32.exe
284	Nifgekbm.exe
1896	Npppaejj.exe
3020	Ohkdfhge.exe
2320	Opblgehg.exe

Loads dropped DLL 34 IoCs

pid	Process
2192	8d7039cbc803ab30aabd850552a34a30N.exe
2192	8d7039cbc803ab30aabd850552a34a30N.exe
1880	Mbopon32.exe
1880	Mbopon32.exe
2716	Memlki32.exe
2716	Memlki32.exe
3032	Nkjdcp32.exe
3032	Nkjdcp32.exe
2856	Nmhqokcq.exe
2856	Nmhqokcq.exe
2824	Nacmpj32.exe
2824	Nacmpj32.exe
2632	Ngqeha32.exe
2632	Ngqeha32.exe
2036	Npiiafpa.exe
2036	Npiiafpa.exe
2052	Ngcanq32.exe
2052	Ngcanq32.exe
2064	Nknnnoph.exe
2064	Nknnnoph.exe
2964	Nickoldp.exe
2964	Nickoldp.exe
2848	Npnclf32.exe
2848	Npnclf32.exe
284	Nifgekbm.exe
284	Nifgekbm.exe
1896	Npppaejj.exe
1896	Npppaejj.exe
3020	Ohkdfhge.exe
3020	Ohkdfhge.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe
2540	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngqeha32.exe	Nacmpj32.exe
File created	C:\Windows\SysWOW64\Npiiafpa.exe	Ngqeha32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcanq32.exe	Npiiafpa.exe
File opened for modification	C:\Windows\SysWOW64\Nickoldp.exe	Nknnnoph.exe
File opened for modification	C:\Windows\SysWOW64\Npppaejj.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Plbbmj32.dll	Mbopon32.exe
File created	C:\Windows\SysWOW64\Njljfe32.dll	Nkjdcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nacmpj32.exe	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Nickoldp.exe	Nknnnoph.exe
File created	C:\Windows\SysWOW64\Heknhioh.dll	Nknnnoph.exe
File created	C:\Windows\SysWOW64\Npnclf32.exe	Nickoldp.exe
File created	C:\Windows\SysWOW64\Npppaejj.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Ohkdfhge.exe	Npppaejj.exe
File created	C:\Windows\SysWOW64\Gibcam32.dll	8d7039cbc803ab30aabd850552a34a30N.exe
File opened for modification	C:\Windows\SysWOW64\Npiiafpa.exe	Ngqeha32.exe
File created	C:\Windows\SysWOW64\Dfpnca32.dll	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Cmnhge32.dll	Ngcanq32.exe
File created	C:\Windows\SysWOW64\Ijpfnpij.dll	Nickoldp.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ohkdfhge.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Nmhqokcq.exe	Nkjdcp32.exe
File created	C:\Windows\SysWOW64\Kcgpfpbq.dll	Nmhqokcq.exe
File opened for modification	C:\Windows\SysWOW64\Ngqeha32.exe	Nacmpj32.exe
File opened for modification	C:\Windows\SysWOW64\Memlki32.exe	Mbopon32.exe
File created	C:\Windows\SysWOW64\Bghemo32.dll	Nacmpj32.exe
File created	C:\Windows\SysWOW64\Ngcanq32.exe	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Nifgekbm.exe	Npnclf32.exe
File created	C:\Windows\SysWOW64\Nkjdcp32.exe	Memlki32.exe
File opened for modification	C:\Windows\SysWOW64\Nmhqokcq.exe	Nkjdcp32.exe
File opened for modification	C:\Windows\SysWOW64\Nknnnoph.exe	Ngcanq32.exe
File opened for modification	C:\Windows\SysWOW64\Mbopon32.exe	8d7039cbc803ab30aabd850552a34a30N.exe
File created	C:\Windows\SysWOW64\Nacmpj32.exe	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Ooicngen.dll	Nifgekbm.exe
File opened for modification	C:\Windows\SysWOW64\Nkjdcp32.exe	Memlki32.exe
File opened for modification	C:\Windows\SysWOW64\Npnclf32.exe	Nickoldp.exe
File created	C:\Windows\SysWOW64\Jhjalgho.dll	Npnclf32.exe
File created	C:\Windows\SysWOW64\Qlcbff32.dll	Ngqeha32.exe
File created	C:\Windows\SysWOW64\Nknnnoph.exe	Ngcanq32.exe
File opened for modification	C:\Windows\SysWOW64\Nifgekbm.exe	Npnclf32.exe
File opened for modification	C:\Windows\SysWOW64\Ohkdfhge.exe	Npppaejj.exe
File created	C:\Windows\SysWOW64\Blagna32.dll	Npppaejj.exe
File created	C:\Windows\SysWOW64\Mbopon32.exe	8d7039cbc803ab30aabd850552a34a30N.exe
File created	C:\Windows\SysWOW64\Memlki32.exe	Mbopon32.exe
File created	C:\Windows\SysWOW64\Koqdolib.dll	Memlki32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2540	2320	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nifgekbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbopon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memlki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjdcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiafpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhqokcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nknnnoph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d7039cbc803ab30aabd850552a34a30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngcanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nickoldp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npnclf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npppaejj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohkdfhge.exe

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npppaejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbopon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npnclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlcbff32.dll"	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koqdolib.dll"	Memlki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmhqokcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfpnca32.dll"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibcam32.dll"	8d7039cbc803ab30aabd850552a34a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Memlki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghemo32.dll"	Nacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnhge32.dll"	Ngcanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll"	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8d7039cbc803ab30aabd850552a34a30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbopon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjdcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjalgho.dll"	Npnclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooicngen.dll"	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npppaejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ohkdfhge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nickoldp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npnclf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8d7039cbc803ab30aabd850552a34a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8d7039cbc803ab30aabd850552a34a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll"	Nkjdcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8d7039cbc803ab30aabd850552a34a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blagna32.dll"	Npppaejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgpfpbq.dll"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmhqokcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nknnnoph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8d7039cbc803ab30aabd850552a34a30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbbmj32.dll"	Mbopon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Memlki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijpfnpij.dll"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nifgekbm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1880	2192	8d7039cbc803ab30aabd850552a34a30N.exe	30
PID 2192 wrote to memory of 1880	2192	8d7039cbc803ab30aabd850552a34a30N.exe	30
PID 2192 wrote to memory of 1880	2192	8d7039cbc803ab30aabd850552a34a30N.exe	30
PID 2192 wrote to memory of 1880	2192	8d7039cbc803ab30aabd850552a34a30N.exe	30
PID 1880 wrote to memory of 2716	1880	Mbopon32.exe	31
PID 1880 wrote to memory of 2716	1880	Mbopon32.exe	31
PID 1880 wrote to memory of 2716	1880	Mbopon32.exe	31
PID 1880 wrote to memory of 2716	1880	Mbopon32.exe	31
PID 2716 wrote to memory of 3032	2716	Memlki32.exe	32
PID 2716 wrote to memory of 3032	2716	Memlki32.exe	32
PID 2716 wrote to memory of 3032	2716	Memlki32.exe	32
PID 2716 wrote to memory of 3032	2716	Memlki32.exe	32
PID 3032 wrote to memory of 2856	3032	Nkjdcp32.exe	33
PID 3032 wrote to memory of 2856	3032	Nkjdcp32.exe	33
PID 3032 wrote to memory of 2856	3032	Nkjdcp32.exe	33
PID 3032 wrote to memory of 2856	3032	Nkjdcp32.exe	33
PID 2856 wrote to memory of 2824	2856	Nmhqokcq.exe	34
PID 2856 wrote to memory of 2824	2856	Nmhqokcq.exe	34
PID 2856 wrote to memory of 2824	2856	Nmhqokcq.exe	34
PID 2856 wrote to memory of 2824	2856	Nmhqokcq.exe	34
PID 2824 wrote to memory of 2632	2824	Nacmpj32.exe	35
PID 2824 wrote to memory of 2632	2824	Nacmpj32.exe	35
PID 2824 wrote to memory of 2632	2824	Nacmpj32.exe	35
PID 2824 wrote to memory of 2632	2824	Nacmpj32.exe	35
PID 2632 wrote to memory of 2036	2632	Ngqeha32.exe	36
PID 2632 wrote to memory of 2036	2632	Ngqeha32.exe	36
PID 2632 wrote to memory of 2036	2632	Ngqeha32.exe	36
PID 2632 wrote to memory of 2036	2632	Ngqeha32.exe	36
PID 2036 wrote to memory of 2052	2036	Npiiafpa.exe	37
PID 2036 wrote to memory of 2052	2036	Npiiafpa.exe	37
PID 2036 wrote to memory of 2052	2036	Npiiafpa.exe	37
PID 2036 wrote to memory of 2052	2036	Npiiafpa.exe	37
PID 2052 wrote to memory of 2064	2052	Ngcanq32.exe	38
PID 2052 wrote to memory of 2064	2052	Ngcanq32.exe	38
PID 2052 wrote to memory of 2064	2052	Ngcanq32.exe	38
PID 2052 wrote to memory of 2064	2052	Ngcanq32.exe	38
PID 2064 wrote to memory of 2964	2064	Nknnnoph.exe	39
PID 2064 wrote to memory of 2964	2064	Nknnnoph.exe	39
PID 2064 wrote to memory of 2964	2064	Nknnnoph.exe	39
PID 2064 wrote to memory of 2964	2064	Nknnnoph.exe	39
PID 2964 wrote to memory of 2848	2964	Nickoldp.exe	40
PID 2964 wrote to memory of 2848	2964	Nickoldp.exe	40
PID 2964 wrote to memory of 2848	2964	Nickoldp.exe	40
PID 2964 wrote to memory of 2848	2964	Nickoldp.exe	40
PID 2848 wrote to memory of 284	2848	Npnclf32.exe	41
PID 2848 wrote to memory of 284	2848	Npnclf32.exe	41
PID 2848 wrote to memory of 284	2848	Npnclf32.exe	41
PID 2848 wrote to memory of 284	2848	Npnclf32.exe	41
PID 284 wrote to memory of 1896	284	Nifgekbm.exe	42
PID 284 wrote to memory of 1896	284	Nifgekbm.exe	42
PID 284 wrote to memory of 1896	284	Nifgekbm.exe	42
PID 284 wrote to memory of 1896	284	Nifgekbm.exe	42
PID 1896 wrote to memory of 3020	1896	Npppaejj.exe	43
PID 1896 wrote to memory of 3020	1896	Npppaejj.exe	43
PID 1896 wrote to memory of 3020	1896	Npppaejj.exe	43
PID 1896 wrote to memory of 3020	1896	Npppaejj.exe	43
PID 3020 wrote to memory of 2320	3020	Ohkdfhge.exe	44
PID 3020 wrote to memory of 2320	3020	Ohkdfhge.exe	44
PID 3020 wrote to memory of 2320	3020	Ohkdfhge.exe	44
PID 3020 wrote to memory of 2320	3020	Ohkdfhge.exe	44
PID 2320 wrote to memory of 2540	2320	Opblgehg.exe	45
PID 2320 wrote to memory of 2540	2320	Opblgehg.exe	45
PID 2320 wrote to memory of 2540	2320	Opblgehg.exe	45
PID 2320 wrote to memory of 2540	2320	Opblgehg.exe	45

C:\Users\Admin\AppData\Local\Temp\8d7039cbc803ab30aabd850552a34a30N.exe
"C:\Users\Admin\AppData\Local\Temp\8d7039cbc803ab30aabd850552a34a30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\Mbopon32.exe
  C:\Windows\system32\Mbopon32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\Memlki32.exe
    C:\Windows\system32\Memlki32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\Nkjdcp32.exe
      C:\Windows\system32\Nkjdcp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\Nmhqokcq.exe
        
        C:\Windows\system32\Nmhqokcq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\Nacmpj32.exe
        
        C:\Windows\system32\Nacmpj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Ngqeha32.exe
        
        C:\Windows\system32\Ngqeha32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Npiiafpa.exe
        
        C:\Windows\system32\Npiiafpa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ngcanq32.exe
        
        C:\Windows\system32\Ngcanq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Nknnnoph.exe
        
        C:\Windows\system32\Nknnnoph.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\SysWOW64\Nickoldp.exe
        
        C:\Windows\system32\Nickoldp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Npnclf32.exe
        
        C:\Windows\system32\Npnclf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Nifgekbm.exe
        
        C:\Windows\system32\Nifgekbm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\SysWOW64\Npppaejj.exe
        
        C:\Windows\system32\Npppaejj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ohkdfhge.exe
        
        C:\Windows\system32\Ohkdfhge.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mbopon32.exe

Filesize
67KB

MD5
570772f032e66082912740dd04b9abcf

SHA1
4686bd5b9d4835b720734cbbbdb4b91090907101

SHA256
78b89983aa2fa215ddbd6b0e96a0a9632769740dffb5e505cad190a0a94a3e4d

SHA512
d04315997b0c8fd02848f08ac75b99ddafea528adea5936b38f265ecdb038b9f571b52771b8921118ff4bb12bc8b1e5fd7e46f1d1ba962d22de2a4c9787eb804

Download Submit
C:\Windows\SysWOW64\Memlki32.exe

Filesize
67KB

MD5
fd9b1178c15917a0f16527f8bf642e72

SHA1
12e47a6bb8a47de0961857a03bcf11beee7dc415

SHA256
0c6a38435c9db19744b3930ee6f9883637330d8ad03506fd1385970d9ae47265

SHA512
e911fd5ac94fdc264e2e5363d0905f5b37cae5cb9a55ff35564d47ad6961f729235fd7bb7a660fc0a5eea4ed0974947d781ca148dc8b16fe1bb162793b9ff682

Download Submit
C:\Windows\SysWOW64\Nacmpj32.exe

Filesize
67KB

MD5
0990bddf12bb7342ea1e71adeea56850

SHA1
230a14764a3dbc722427fc083518cc3d5b5ed4cf

SHA256
0d890ed7b8e1a3c7b40b78124e676ef0eba19544f893bfc2518da7b49a9c69cc

SHA512
f91afb74f49996e7d755fe61ad3b555e3ff3720d2688bf39d17ecee2c30c0269a01bc2066d629b822b453b254fa17c75a1001a6f7143b7832a0d0cbf9bf29ce6

Download Submit
C:\Windows\SysWOW64\Nkjdcp32.exe

Filesize
67KB

MD5
858ad9f5704e7caa77ed6c6f159e17ca

SHA1
64ef4e6d9bd0d0c7bf0577c97f4d7d351698d9e4

SHA256
6939ea8862d9c0609f1747987db12df8667070ad2a3eb16c0fda07ae8d997368

SHA512
f2867c26d4326f490135e2fc90d41bbc01472583dcb098396e55ea7b6c912fc1d19c22d6d2c15b72e56a00f7fba60cd4bd4ac59094e4f1d521c3497b4daed628

Download Submit
C:\Windows\SysWOW64\Nknnnoph.exe

Filesize
67KB

MD5
c1636d92f43d0ee9738f9add14e562b6

SHA1
3150b5477274d4da5125b40a96b580a1f99ac058

SHA256
d9521d10f3b73e1b708a0127d676c723b6cfd9771acf79987e9a2cb83117218d

SHA512
5606408298f1b4b754dd5d7e181e74f5e8752d5d5544e121e0b108ffc8e95952eaf9c360542fdad2562099619fdda42e95b5517c4b31f22bb010f267781577a5

Download Submit
\Windows\SysWOW64\Ngcanq32.exe

Filesize
67KB

MD5
af89ccf19d1ceb629771c6f89ae5758b

SHA1
f5af3ca3842f49a9f4b4f427b0407103f47eebbb

SHA256
10ad328352054216e0b0765e065a70290edd16943830b31708b128f4f7bebfa0

SHA512
348a6141cfd1e4b1d0cac5369452c6380a0799623d9c246cf1047a35f6c9a3fff257fa31ba45d7e09515017061b6e07cf1b907b70e1d613e49006253cbbf73aa

Download Submit
\Windows\SysWOW64\Ngqeha32.exe

Filesize
67KB

MD5
c834dd740c1bcab8732a9ce76a455c3d

SHA1
2202ea2a51689f86706380045cf093173f539d38

SHA256
6e2f96df7e77d04c6b300f16d06bfa89cb091958e8409771548eba546fd260fb

SHA512
65c6ecb86fea1ae273f47dca1fff0e52d7be7adb9e095599703b8eea26e545ac48c769fddf4923c94f66190f4b19b4fd8321a6e5cadbfe6871ddc52ee89720fc

Download Submit
\Windows\SysWOW64\Nickoldp.exe

Filesize
67KB

MD5
08cb42ede86aa4b86cbb338badb92b24

SHA1
4ec37c34d25b0ae192a5f2f9714f6b58fe4f4ca9

SHA256
f254b5b4317fedb0dd225f5c506c4d0b966da352f88535e242b8d08ea3ae853c

SHA512
809240f446146cca6c7bbabe0dc3c0ae0e69be1c28941c75f2372c99ec4a44ad294b467eabcb467da3ffcacdce8e41e8e2fb77d61dd0d698f1b3a61ddea68bf4

Download Submit
\Windows\SysWOW64\Nifgekbm.exe

Filesize
67KB

MD5
bb24e1dad8210ecec0b1056d579e32c3

SHA1
8c3803482d91df771fd96c698a63c7f38519b5be

SHA256
20c90e24df6a16737ab9281540e7b16abb5ad6f1156f6569e4bf2b8996024413

SHA512
f82c0a4cda85d495477b1c27f80254098d1369870e6534b540e7d52c1fbdee2ae78d953930cf6824c7d6056b1c92bd2627c78988c6cf8d831abd7503eb7f8ee8

Download Submit
\Windows\SysWOW64\Nmhqokcq.exe

Filesize
67KB

MD5
d680615eb66cf649729f0efa498307fb

SHA1
3a683dced4e34c0a4f23dc105f06b42a871472b1

SHA256
a0b39f2f4ecf7ca461dcb00bf3e1646c7ce1ac7266f3576c66ea181e409994aa

SHA512
e977d1f37dc38b27dc0b0269717e1615583860a36bcb4ed7d9f77c91cdd94fa1b9ea10b2bbc4bee1fd295ff68dabd7a57216223fd7dda134b8942fb59fa2d778

Download Submit
\Windows\SysWOW64\Npiiafpa.exe

Filesize
67KB

MD5
acc18eee27c368f104497e8e5f251d74

SHA1
c0f1e0d39c490afacca868221b534cf9762be6ac

SHA256
bd69c9a20e08537dde33fcfbd7ba45e9f38ac0b434568dc74b4abe0a13bbfc0f

SHA512
54ce29ff09dbf7c27895ec7da5218591fcfdf09655dbe18c66b14e90464abf5a224d69d1954669116c9419cc44153f83a944a7a21f402e89f43779281cc34edf

Download Submit
\Windows\SysWOW64\Npnclf32.exe

Filesize
67KB

MD5
a904e70446fc31a6b49ffec12b00b7a6

SHA1
4d9b113d6aaaaf43204fd2caebc857dae4b28618

SHA256
14167caa6e44f2dfab7944f1245eda885dfdab88e880ee50c81373b26ba78426

SHA512
d4987ea0678c026c0faa3c969df3beef709394d417317b1ed4f699de65721b173318a88ab2f5075a8a40a54d41a224856185daae5e281d5a209b8b27d204d4fe

Download Submit
\Windows\SysWOW64\Npppaejj.exe

Filesize
67KB

MD5
85c445bfd41879ce81c83f135b78ac0c

SHA1
02f58ec5b4321c455b7bee9d991f8a5291ff0276

SHA256
a6a5e076a4a209ff6baa192318093246ea1ba5ac2913eca33b276096b7c1db68

SHA512
c2f2c69f28c672f825fcad7cee14a85fe59d3a1797232599cb2a6785c6a039013e08fbd6ff78de57405840f43e5b61930a717e3f7fa4c59ea04996851a949690

Download Submit
\Windows\SysWOW64\Ohkdfhge.exe

Filesize
67KB

MD5
db56cd41c9ad80edf1140886acf036aa

SHA1
9c6f292eacb87d20983f7495bc3971e261192538

SHA256
86a11644f55dbcf012345bb00ad905763988b48df2c0b21cbfb92894013e8b4c

SHA512
0a45419846e6e88c8d83fbde2570e772a3be02a5778e6385e047fb4865f6b945a74cc484814b120895701107592ee69fb335329106cbd386055242b5fadd9444

Download Submit
\Windows\SysWOW64\Opblgehg.exe

Filesize
67KB

MD5
31c6f16c47044cf9f6399b891179ed90

SHA1
3a6111c1091087abd79d5ed840b4b62239301367

SHA256
574cfa20cfbca8c297e6f2d5921f0ad4f9d97a630ecdff11149526f56a9030e6

SHA512
d257f85886daf7087108d0764e5c97169f2eb69e286a9fe9124d7c3addcaa4a205266e52f1f50cc63a76030f4e056d2be640aa8c04132f2132333ee49b201484

Download Submit
memory/284-227-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/284-190-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/284-189-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/284-228-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/284-229-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/1880-66-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1896-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1896-230-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1896-199-0x00000000002E0000-0x000000000031B000-memory.dmp

Filesize
236KB

Download
memory/2036-98-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-158-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2036-112-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2052-113-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2052-167-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2064-137-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/2064-127-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2064-181-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-7-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2192-51-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2192-13-0x0000000000280000-0x00000000002BB000-memory.dmp

Filesize
236KB

Download
memory/2320-233-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2320-221-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2632-153-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2632-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-26-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-82-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-83-0x0000000000300000-0x000000000033B000-memory.dmp

Filesize
236KB

Download
memory/2824-142-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2824-80-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2824-144-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2824-81-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2824-68-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2824-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2848-160-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2848-175-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2848-222-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2848-169-0x0000000000250000-0x000000000028B000-memory.dmp

Filesize
236KB

Download
memory/2856-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2856-67-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/2856-128-0x0000000000310000-0x000000000034B000-memory.dmp

Filesize
236KB

Download
memory/2856-114-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2964-219-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/2964-206-0x0000000000260000-0x000000000029B000-memory.dmp

Filesize
236KB

Download
memory/2964-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2964-201-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3020-220-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/3020-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3020-232-0x0000000000290000-0x00000000002CB000-memory.dmp

Filesize
236KB

Download
memory/3032-39-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3032-99-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads