365f7a816faa7c311178a2722e85ae585e067ab10d3cc6794dc034a53849dcad

Analysis

max time kernel
111s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 09:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8533fb34e83573282596bd3c9db43430N.exe
Size

71KB
MD5

8533fb34e83573282596bd3c9db43430
SHA1

026a96a88cbf2e7b8835eb0a43b4df0fb3a605b8
SHA256

365f7a816faa7c311178a2722e85ae585e067ab10d3cc6794dc034a53849dcad
SHA512

b0a9a63a068a6e66b66b826e713b9f90698284a2a63571a34c522051449c0209e79932f55804be1e4984ebbf4fe5418d8037a1c14e7e2116ced9e0534d947370
SSDEEP

1536:Yw5gfc3s77yAVudBLLtvEhRhe+iVo2LQ777RZObZUS:YDfc3ACLt8RTQuClUS

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npppaejj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmjmekan.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmjmekan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohkdfhge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Memlki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmhqokcq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8533fb34e83573282596bd3c9db43430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbile32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngencpel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	8533fb34e83573282596bd3c9db43430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Memlki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nianjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nianjl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngencpel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncloha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nifgekbm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npppaejj.exe

Executes dropped EXE 17 IoCs

pid	Process
1880	Memlki32.exe
2696	Mlgdhcmb.exe
2676	Nmhqokcq.exe
2836	Ndbile32.exe
2736	Ngqeha32.exe
2628	Nmjmekan.exe
2140	Npiiafpa.exe
2056	Nianjl32.exe
2528	Nahfkigd.exe
2960	Ngencpel.exe
1672	Nickoldp.exe
1888	Ncloha32.exe
1224	Nifgekbm.exe
1896	Npppaejj.exe
2252	Ncnlnaim.exe
1876	Ohkdfhge.exe
2312	Opblgehg.exe

Loads dropped DLL 38 IoCs

pid	Process
2192	8533fb34e83573282596bd3c9db43430N.exe
2192	8533fb34e83573282596bd3c9db43430N.exe
1880	Memlki32.exe
1880	Memlki32.exe
2696	Mlgdhcmb.exe
2696	Mlgdhcmb.exe
2676	Nmhqokcq.exe
2676	Nmhqokcq.exe
2836	Ndbile32.exe
2836	Ndbile32.exe
2736	Ngqeha32.exe
2736	Ngqeha32.exe
2628	Nmjmekan.exe
2628	Nmjmekan.exe
2140	Npiiafpa.exe
2140	Npiiafpa.exe
2056	Nianjl32.exe
2056	Nianjl32.exe
2528	Nahfkigd.exe
2528	Nahfkigd.exe
2960	Ngencpel.exe
2960	Ngencpel.exe
1672	Nickoldp.exe
1672	Nickoldp.exe
1888	Ncloha32.exe
1888	Ncloha32.exe
1224	Nifgekbm.exe
1224	Nifgekbm.exe
1896	Npppaejj.exe
1896	Npppaejj.exe
2252	Ncnlnaim.exe
2252	Ncnlnaim.exe
1876	Ohkdfhge.exe
1876	Ohkdfhge.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ngqeha32.exe	Ndbile32.exe
File created	C:\Windows\SysWOW64\Qlcbff32.dll	Nmjmekan.exe
File created	C:\Windows\SysWOW64\Npppaejj.exe	Nifgekbm.exe
File opened for modification	C:\Windows\SysWOW64\Ndbile32.exe	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Nmhqokcq.exe	Mlgdhcmb.exe
File opened for modification	C:\Windows\SysWOW64\Ngencpel.exe	Nahfkigd.exe
File opened for modification	C:\Windows\SysWOW64\Ncnlnaim.exe	Npppaejj.exe
File opened for modification	C:\Windows\SysWOW64\Memlki32.exe	8533fb34e83573282596bd3c9db43430N.exe
File opened for modification	C:\Windows\SysWOW64\Nifgekbm.exe	Ncloha32.exe
File opened for modification	C:\Windows\SysWOW64\Opblgehg.exe	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Pakpllpl.dll	Nahfkigd.exe
File created	C:\Windows\SysWOW64\Npiiafpa.exe	Nmjmekan.exe
File opened for modification	C:\Windows\SysWOW64\Nahfkigd.exe	Nianjl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncloha32.exe	Nickoldp.exe
File created	C:\Windows\SysWOW64\Jhjalgho.dll	Ncloha32.exe
File created	C:\Windows\SysWOW64\Njljfe32.dll	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Ahmjfimi.dll	Ohkdfhge.exe
File created	C:\Windows\SysWOW64\Admljpij.dll	Ngqeha32.exe
File opened for modification	C:\Windows\SysWOW64\Mlgdhcmb.exe	Memlki32.exe
File created	C:\Windows\SysWOW64\Fdfcaq32.dll	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Nahfkigd.exe	Nianjl32.exe
File created	C:\Windows\SysWOW64\Plbbmj32.dll	8533fb34e83573282596bd3c9db43430N.exe
File created	C:\Windows\SysWOW64\Ncnlnaim.exe	Npppaejj.exe
File opened for modification	C:\Windows\SysWOW64\Nickoldp.exe	Ngencpel.exe
File created	C:\Windows\SysWOW64\Heknhioh.dll	Ngencpel.exe
File opened for modification	C:\Windows\SysWOW64\Npppaejj.exe	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Nianjl32.exe	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Faqkji32.dll	Memlki32.exe
File opened for modification	C:\Windows\SysWOW64\Nmjmekan.exe	Ngqeha32.exe
File created	C:\Windows\SysWOW64\Pfknaf32.dll	Nianjl32.exe
File created	C:\Windows\SysWOW64\Nickoldp.exe	Ngencpel.exe
File created	C:\Windows\SysWOW64\Memlki32.exe	8533fb34e83573282596bd3c9db43430N.exe
File created	C:\Windows\SysWOW64\Nifgekbm.exe	Ncloha32.exe
File created	C:\Windows\SysWOW64\Gcjajedk.dll	Npppaejj.exe
File created	C:\Windows\SysWOW64\Blagna32.dll	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Ndbile32.exe	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Bghemo32.dll	Ndbile32.exe
File opened for modification	C:\Windows\SysWOW64\Npiiafpa.exe	Nmjmekan.exe
File created	C:\Windows\SysWOW64\Ncloha32.exe	Nickoldp.exe
File created	C:\Windows\SysWOW64\Ooicngen.dll	Nifgekbm.exe
File created	C:\Windows\SysWOW64\Ohkdfhge.exe	Ncnlnaim.exe
File opened for modification	C:\Windows\SysWOW64\Nmhqokcq.exe	Mlgdhcmb.exe
File created	C:\Windows\SysWOW64\Ngencpel.exe	Nahfkigd.exe
File created	C:\Windows\SysWOW64\Mnohgfgb.dll	Nickoldp.exe
File opened for modification	C:\Windows\SysWOW64\Ohkdfhge.exe	Ncnlnaim.exe
File created	C:\Windows\SysWOW64\Opblgehg.exe	Ohkdfhge.exe
File opened for modification	C:\Windows\SysWOW64\Nianjl32.exe	Npiiafpa.exe
File created	C:\Windows\SysWOW64\Mlgdhcmb.exe	Memlki32.exe
File created	C:\Windows\SysWOW64\Nhclfogi.dll	Nmhqokcq.exe
File created	C:\Windows\SysWOW64\Ngqeha32.exe	Ndbile32.exe
File created	C:\Windows\SysWOW64\Nmjmekan.exe	Ngqeha32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
816	2312	WerFault.exe	46

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memlki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npiiafpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nahfkigd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nickoldp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngqeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmjmekan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncnlnaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opblgehg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8533fb34e83573282596bd3c9db43430N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlgdhcmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmhqokcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndbile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nianjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngencpel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncloha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nifgekbm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohkdfhge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npppaejj.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	8533fb34e83573282596bd3c9db43430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njljfe32.dll"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pakpllpl.dll"	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngencpel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooicngen.dll"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlcbff32.dll"	Nmjmekan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdfcaq32.dll"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngencpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbbmj32.dll"	8533fb34e83573282596bd3c9db43430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngqeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmjmekan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnohgfgb.dll"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohkdfhge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmjmekan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nianjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	8533fb34e83573282596bd3c9db43430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjalgho.dll"	Ncloha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npppaejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Admljpij.dll"	Ngqeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npppaejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nahfkigd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncnlnaim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahmjfimi.dll"	Ohkdfhge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faqkji32.dll"	Memlki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nifgekbm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjajedk.dll"	Npppaejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohkdfhge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npiiafpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nahfkigd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll"	Ngencpel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blagna32.dll"	Ncnlnaim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	8533fb34e83573282596bd3c9db43430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlgdhcmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghemo32.dll"	Ndbile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nickoldp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	8533fb34e83573282596bd3c9db43430N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlgdhcmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhclfogi.dll"	Nmhqokcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfknaf32.dll"	Nianjl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8533fb34e83573282596bd3c9db43430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Memlki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nickoldp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Memlki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npiiafpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nianjl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1880	2192	8533fb34e83573282596bd3c9db43430N.exe	30
PID 2192 wrote to memory of 1880	2192	8533fb34e83573282596bd3c9db43430N.exe	30
PID 2192 wrote to memory of 1880	2192	8533fb34e83573282596bd3c9db43430N.exe	30
PID 2192 wrote to memory of 1880	2192	8533fb34e83573282596bd3c9db43430N.exe	30
PID 1880 wrote to memory of 2696	1880	Memlki32.exe	31
PID 1880 wrote to memory of 2696	1880	Memlki32.exe	31
PID 1880 wrote to memory of 2696	1880	Memlki32.exe	31
PID 1880 wrote to memory of 2696	1880	Memlki32.exe	31
PID 2696 wrote to memory of 2676	2696	Mlgdhcmb.exe	32
PID 2696 wrote to memory of 2676	2696	Mlgdhcmb.exe	32
PID 2696 wrote to memory of 2676	2696	Mlgdhcmb.exe	32
PID 2696 wrote to memory of 2676	2696	Mlgdhcmb.exe	32
PID 2676 wrote to memory of 2836	2676	Nmhqokcq.exe	33
PID 2676 wrote to memory of 2836	2676	Nmhqokcq.exe	33
PID 2676 wrote to memory of 2836	2676	Nmhqokcq.exe	33
PID 2676 wrote to memory of 2836	2676	Nmhqokcq.exe	33
PID 2836 wrote to memory of 2736	2836	Ndbile32.exe	34
PID 2836 wrote to memory of 2736	2836	Ndbile32.exe	34
PID 2836 wrote to memory of 2736	2836	Ndbile32.exe	34
PID 2836 wrote to memory of 2736	2836	Ndbile32.exe	34
PID 2736 wrote to memory of 2628	2736	Ngqeha32.exe	35
PID 2736 wrote to memory of 2628	2736	Ngqeha32.exe	35
PID 2736 wrote to memory of 2628	2736	Ngqeha32.exe	35
PID 2736 wrote to memory of 2628	2736	Ngqeha32.exe	35
PID 2628 wrote to memory of 2140	2628	Nmjmekan.exe	36
PID 2628 wrote to memory of 2140	2628	Nmjmekan.exe	36
PID 2628 wrote to memory of 2140	2628	Nmjmekan.exe	36
PID 2628 wrote to memory of 2140	2628	Nmjmekan.exe	36
PID 2140 wrote to memory of 2056	2140	Npiiafpa.exe	37
PID 2140 wrote to memory of 2056	2140	Npiiafpa.exe	37
PID 2140 wrote to memory of 2056	2140	Npiiafpa.exe	37
PID 2140 wrote to memory of 2056	2140	Npiiafpa.exe	37
PID 2056 wrote to memory of 2528	2056	Nianjl32.exe	38
PID 2056 wrote to memory of 2528	2056	Nianjl32.exe	38
PID 2056 wrote to memory of 2528	2056	Nianjl32.exe	38
PID 2056 wrote to memory of 2528	2056	Nianjl32.exe	38
PID 2528 wrote to memory of 2960	2528	Nahfkigd.exe	39
PID 2528 wrote to memory of 2960	2528	Nahfkigd.exe	39
PID 2528 wrote to memory of 2960	2528	Nahfkigd.exe	39
PID 2528 wrote to memory of 2960	2528	Nahfkigd.exe	39
PID 2960 wrote to memory of 1672	2960	Ngencpel.exe	40
PID 2960 wrote to memory of 1672	2960	Ngencpel.exe	40
PID 2960 wrote to memory of 1672	2960	Ngencpel.exe	40
PID 2960 wrote to memory of 1672	2960	Ngencpel.exe	40
PID 1672 wrote to memory of 1888	1672	Nickoldp.exe	41
PID 1672 wrote to memory of 1888	1672	Nickoldp.exe	41
PID 1672 wrote to memory of 1888	1672	Nickoldp.exe	41
PID 1672 wrote to memory of 1888	1672	Nickoldp.exe	41
PID 1888 wrote to memory of 1224	1888	Ncloha32.exe	42
PID 1888 wrote to memory of 1224	1888	Ncloha32.exe	42
PID 1888 wrote to memory of 1224	1888	Ncloha32.exe	42
PID 1888 wrote to memory of 1224	1888	Ncloha32.exe	42
PID 1224 wrote to memory of 1896	1224	Nifgekbm.exe	43
PID 1224 wrote to memory of 1896	1224	Nifgekbm.exe	43
PID 1224 wrote to memory of 1896	1224	Nifgekbm.exe	43
PID 1224 wrote to memory of 1896	1224	Nifgekbm.exe	43
PID 1896 wrote to memory of 2252	1896	Npppaejj.exe	44
PID 1896 wrote to memory of 2252	1896	Npppaejj.exe	44
PID 1896 wrote to memory of 2252	1896	Npppaejj.exe	44
PID 1896 wrote to memory of 2252	1896	Npppaejj.exe	44
PID 2252 wrote to memory of 1876	2252	Ncnlnaim.exe	45
PID 2252 wrote to memory of 1876	2252	Ncnlnaim.exe	45
PID 2252 wrote to memory of 1876	2252	Ncnlnaim.exe	45
PID 2252 wrote to memory of 1876	2252	Ncnlnaim.exe	45

C:\Users\Admin\AppData\Local\Temp\8533fb34e83573282596bd3c9db43430N.exe
"C:\Users\Admin\AppData\Local\Temp\8533fb34e83573282596bd3c9db43430N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\Memlki32.exe
  C:\Windows\system32\Memlki32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\Mlgdhcmb.exe
    C:\Windows\system32\Mlgdhcmb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Nmhqokcq.exe
      C:\Windows\system32\Nmhqokcq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\Ndbile32.exe
        
        C:\Windows\system32\Ndbile32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\SysWOW64\Ngqeha32.exe
        
        C:\Windows\system32\Ngqeha32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\Nmjmekan.exe
        
        C:\Windows\system32\Nmjmekan.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Npiiafpa.exe
        
        C:\Windows\system32\Npiiafpa.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Nianjl32.exe
        
        C:\Windows\system32\Nianjl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Nahfkigd.exe
        
        C:\Windows\system32\Nahfkigd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Ngencpel.exe
        
        C:\Windows\system32\Ngencpel.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Nickoldp.exe
        
        C:\Windows\system32\Nickoldp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Ncloha32.exe
        
        C:\Windows\system32\Ncloha32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Nifgekbm.exe
        
        C:\Windows\system32\Nifgekbm.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Npppaejj.exe
        
        C:\Windows\system32\Npppaejj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\SysWOW64\Ncnlnaim.exe
        
        C:\Windows\system32\Ncnlnaim.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Ohkdfhge.exe
        
        C:\Windows\system32\Ohkdfhge.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Opblgehg.exe
        
        C:\Windows\system32\Opblgehg.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mlgdhcmb.exe

Filesize
71KB

MD5
9a8dff9a52b218cc8e1f78f91f94372b

SHA1
d584045d42267d385ca4dde8c083af9871f12720

SHA256
5542f3fa7b8096b3e431b8e99790131a81aa057b99f2276988053a5657892a04

SHA512
d650ba4e5e3dbd3925e2f323e130969f5d75105378b47a8e4b4f82c3c3ea435ef2e328290b6f8e50a3c529ee7eca9583e16f8bbc1eb060a7a7214e17c4c8d2d5

Download Submit
C:\Windows\SysWOW64\Ngqeha32.exe

Filesize
71KB

MD5
1d4106037555acdec81c0c827fe50a88

SHA1
457805ce5956c22de93a24396a8b221177a21280

SHA256
094c6278f020fc96eb3a1e2226be9b55d30d126de6335d616c61e74957cbdcce

SHA512
59f437a219210a753094c4ec1c85b597e0dc9f93a040343b5e2e382dbf4f241dffb79807e9ae41c40e46b2f4514e666111972af1a905efcf859739497fef96c9

Download Submit
C:\Windows\SysWOW64\Nickoldp.exe

Filesize
71KB

MD5
e63ebb02116069b0dd6f1dd998fda819

SHA1
934c630d7acc0fb3752f7b7db4f946dc0d994636

SHA256
4b4b7df0de3eac68d4b7413132533d4c54bacf99f50e48a8d946882046a92d06

SHA512
84bae888366bde32c6ad0c20f49f952597f1549460d7f89f91cd64539b36281d475bfec885f22baad32075dfe82faebb0e387055b845828022c4cea01278893a

Download Submit
C:\Windows\SysWOW64\Nifgekbm.exe

Filesize
71KB

MD5
cf71ece0d5687bc0741bf1e4fb8f4a44

SHA1
60bc802e2d17464819b0aa12f1cd3f4fa756aed0

SHA256
89cb818de1b47d4823b09a857dd58281607707bc66cb9b8507fc67dbbc99b6c9

SHA512
a4e506a65b72e89315990f3520052a8d25271dcfe56209de541bb761fe5778709f9a54c37a11f0a37852767f0198e3a940ccecdf1398cc2dc8329ff18e2b9022

Download Submit
C:\Windows\SysWOW64\Npiiafpa.exe

Filesize
71KB

MD5
1f2d7b633f448117d09c4e88da5050c1

SHA1
6ab99b37ed68feb1b4c25cb244afc329d37a78bb

SHA256
da21e091176d8b9406c81055a53361a13d69ad1b3f0f5f119365cc55471f0394

SHA512
040ba3812a28facc295b2af443011bb7c905340ff4338b3f52f84b0ab19927b229595a2f746f1fa016211b084f2ed9b61d206987e426f5ed3980710c4479d142

Download Submit
C:\Windows\SysWOW64\Opblgehg.exe

Filesize
71KB

MD5
5c42306479aa95e2cd7a62a6ad8265b3

SHA1
b2771432b0e463823e55f509216fbd641b32c1fe

SHA256
e9e90052c7fd6942eb1cd3ce2b291135fa25b3e2cfc8ae4ab4d6954796cddc5b

SHA512
e167f9f20f07e946fdf6ce0bcbd4077d4add88dd622d34902d0caa8a19846f4ef90a412a5ff409530f8d8c5047b5b25d2c5dc62d2aa833a0a34c7161bcb08ec6

Download Submit
\Windows\SysWOW64\Memlki32.exe

Filesize
71KB

MD5
1b0ed73817ec16f2158bca8a4d7a1a3d

SHA1
e453a1bfc1bb81bffd8e4e08c55aec0aaa1b97ac

SHA256
9b09d1f781257f92cbc62d90cbf2a3726c9f83a0b5f27a5f726fb2428902d34e

SHA512
48151492a47e8148b1babf8a95bbe62cc8f3a9c14c66f26b5609448e3fecf60ad9b4ffdcb7ca551edb72ddc1e6aa2c7d2b6f2abfceeea7a77f45f6ee409e9129

Download Submit
\Windows\SysWOW64\Nahfkigd.exe

Filesize
71KB

MD5
67a81f3c1bb542d2a113e27db6934c21

SHA1
91cccc6d8fe52d2c9e29b9c59465a2824e2c65d4

SHA256
be7eaa191f9018fd93db651b342abe5997e004ca79165edccbf5479253845501

SHA512
3c66253745a836b80f6b3e0ac8e6298cbf1fa8de04eb2131a89268be38307267c768d525d4e8e7dd3aa18efea8b200cfbdc6fcd159dc5b50931b45b4608e1658

Download Submit
\Windows\SysWOW64\Ncloha32.exe

Filesize
71KB

MD5
68bde6b761299401cd1262d0ba6a92b6

SHA1
575f1427a57752eb9dfd8a430e4ac1116825f9f5

SHA256
6a345dd98c23429ca6c2bdd5460972772f9e0617af6014a94efc82a85ec0d477

SHA512
35af4662a321a1e14f6fa630a6796fb70e92474998b9597a9babf4c7f85f221389cf4f48ed63476cdec7b421db41e9645921afef1a3b7bab0c43b802246e9065

Download Submit
\Windows\SysWOW64\Ncnlnaim.exe

Filesize
71KB

MD5
7797dc359a42dff8ccd92bc450722abf

SHA1
9d8827e73b492832a45f62a4c3525caaa4a8a2e8

SHA256
9b21a0dbd3131a6576ada7c141b3b15e86e2f5d02bfb60a3c7bca625ec01aef7

SHA512
d1f28ff6fcfa5ece841e71a3b03ff99c471c746bb76ac2719c94c665b15d81fd10fac06ce39472b6e09e479e2afd3a2acc8af22e66eb3f36c14931cbb7d6946f

Download Submit
\Windows\SysWOW64\Ndbile32.exe

Filesize
71KB

MD5
9b04fc99035633cd88a264b50442fc7e

SHA1
b021bec39e0c9e86d5d01b5b7e5203ef79aa2912

SHA256
6636c13a08b17abd5ce1769a0ba9fce79d72654f8a8abf7aa4cda8a40b2f1888

SHA512
ef174b78452b2aee4f40989e366b98884466d4423d53d2ac779c7771246849bb6a1de2223f30edf5204a2e296a6895952e88afa66f063cb92ffc8a9e74e8d33f

Download Submit
\Windows\SysWOW64\Ngencpel.exe

Filesize
71KB

MD5
9c3ec8e8f78ddfbac27a0368b448ec2f

SHA1
378d05e6224911aad53f610838db8d8cee3fdb69

SHA256
4db877e28e292a856f97c9390ad360c9c9db41a72f8e3837686d6989ea7b9662

SHA512
9a590c1cf15f169b2aa6ebcac6f792d624f3c59b8a1e3883b96bbfc7b7305f7f895b95399970867fc10104236d55d27a389d120d80a9bf3d8449fc21c35989f4

Download Submit
\Windows\SysWOW64\Nianjl32.exe

Filesize
71KB

MD5
aeb9194e63912f119c5dad274c8591c5

SHA1
97a5e831346a953bdc81e25328fee2d298d741ff

SHA256
0a301d567f5293209367778314bf4b9b666171d6bc158f6797d0b4dc670bab46

SHA512
03abc00f2207a122a525a7c0c6dc37c89ff66bfb3ca1134d769474f69bcb6461c7a196aead3b21db6565fe6f6d554cc881471f80d8437c292d2b6f601ba80289

Download Submit
\Windows\SysWOW64\Nmhqokcq.exe

Filesize
71KB

MD5
c24f9b30695811758aa16b6c4c91e099

SHA1
4eef00d7bddb1fb5f52f71f61cdbc73cf63063a1

SHA256
e0fdabff5c9a99597ecc1b640338cb165b805135c0c22f0904d8cb1c1753747a

SHA512
99a42616ec066be4a5ec1ed4376178cfbf441f07589449678685d3b24b8e5af1cf88aa44bda7d5be0bbede21c563d9f373df6a3ffa2612268eff93c0b85ad4cc

Download Submit
\Windows\SysWOW64\Nmjmekan.exe

Filesize
71KB

MD5
8f786bd2321ea2e12700f3606c5bc05e

SHA1
4a5d95399222ac946547566dc1f0e3eaed108121

SHA256
ffdd90116f0968bc5c87756cc0c27a744c1e0aa95fdcd95c595c162d612ebe1c

SHA512
91640d595c90b5dc655b359402fb60e6bdcae0870254a60de9ce0198c49db6609641d287f948b9cc6c460673297f9862bab5fc5ae234ceb6fd9123d4b9e56c32

Download Submit
\Windows\SysWOW64\Npppaejj.exe

Filesize
71KB

MD5
2a5658039629da42afb1a03e0e3dc73e

SHA1
80e47738fa063923598c701380a1912b4b213ab1

SHA256
3919cec0c734e02fc6be7f1cffc74d99a64d6c977239589d168b7fd45270cdd8

SHA512
f4bc61119a1bd28d81018a40b36ac09fea9a63f1301d80fe74a3c87d646971436eb3ab2121dbf47d8d466a3ade5e6e6472c2bc2e0f92165fbca36e5ead5be42f

Download Submit
\Windows\SysWOW64\Ohkdfhge.exe

Filesize
71KB

MD5
dc82199f7cfe690ca6da6b09b56b3b51

SHA1
f2afd328b1bf123e61eb9d578c8300fd2fea6af0

SHA256
5e5740cac25fb5f6633fec6957ddd3a3c624fe0570826f52224d33ddb948c0b6

SHA512
0cc19311ace76990e1d75c57f2a08bf6842198ad51b2b8ebcc754f646b18f383d12c0b76ceb5d757e2d139de32ca64e72c57157cd502e1bdf5b035967937ba7c

Download Submit
memory/1224-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1224-182-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1224-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-154-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1876-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1880-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-168-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1888-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1896-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2056-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-13-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2192-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-12-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2252-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-209-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2252-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2528-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2736-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-79-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2736-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads