894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 22:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Size

93KB
MD5

d514e134525bb502ab510308905db460
SHA1

b2fe4adc3e97f132a67a395ace8ab2f386369324
SHA256

894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80
SHA512

171d72144e496a718e0285ce4d361a4639b94f012a6871570034946b1c00259ca67b4a66558b924fb0c066c755ba850c7697ed7ad0e43972608f157428bb6d15
SSDEEP

1536:QORVub3wav7gARuLEbZArmfeKhnqpssoEa834vPBhMwsRQ7RkRLJzeLD9N0iQGR4:vRVqgXARQ+gm2KhnqpssE9PBhMve7SJb

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkconepp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njjieace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olgehh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkqbhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffgfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpmbjbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nplkhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcbie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olehbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oenmkngi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mbmgkp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moahdd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplkhh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mffgfo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjieace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkqbhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkconepp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Moahdd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndpmbjbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcbie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olgehh32.exe

Executes dropped EXE 17 IoCs

pid	Process
2704	Mkqbhf32.exe
2248	Mffgfo32.exe
2840	Mkconepp.exe
2436	Mbmgkp32.exe
2640	Moahdd32.exe
2660	Ndnplk32.exe
1052	Njjieace.exe
2184	Ndpmbjbk.exe
2144	Nnhakp32.exe
1632	Ncejcg32.exe
2868	Nplkhh32.exe
2116	Ngcbie32.exe
1028	Nfhpjaba.exe
2124	Olehbh32.exe
2428	Oenmkngi.exe
2564	Olgehh32.exe
2364	Ohnemidj.exe

Loads dropped DLL 38 IoCs

pid	Process
1456	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
1456	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
2704	Mkqbhf32.exe
2704	Mkqbhf32.exe
2248	Mffgfo32.exe
2248	Mffgfo32.exe
2840	Mkconepp.exe
2840	Mkconepp.exe
2436	Mbmgkp32.exe
2436	Mbmgkp32.exe
2640	Moahdd32.exe
2640	Moahdd32.exe
2660	Ndnplk32.exe
2660	Ndnplk32.exe
1052	Njjieace.exe
1052	Njjieace.exe
2184	Ndpmbjbk.exe
2184	Ndpmbjbk.exe
2144	Nnhakp32.exe
2144	Nnhakp32.exe
1632	Ncejcg32.exe
1632	Ncejcg32.exe
2868	Nplkhh32.exe
2868	Nplkhh32.exe
2116	Ngcbie32.exe
2116	Ngcbie32.exe
1028	Nfhpjaba.exe
1028	Nfhpjaba.exe
2124	Olehbh32.exe
2124	Olehbh32.exe
2428	Oenmkngi.exe
2428	Oenmkngi.exe
2564	Olgehh32.exe
2564	Olgehh32.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkqbhf32.exe	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
File opened for modification	C:\Windows\SysWOW64\Mkqbhf32.exe	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
File created	C:\Windows\SysWOW64\Gkmkilcj.dll	Moahdd32.exe
File opened for modification	C:\Windows\SysWOW64\Olgehh32.exe	Oenmkngi.exe
File created	C:\Windows\SysWOW64\Nfhpjaba.exe	Ngcbie32.exe
File created	C:\Windows\SysWOW64\Olehbh32.exe	Nfhpjaba.exe
File opened for modification	C:\Windows\SysWOW64\Olehbh32.exe	Nfhpjaba.exe
File opened for modification	C:\Windows\SysWOW64\Moahdd32.exe	Mbmgkp32.exe
File created	C:\Windows\SysWOW64\Mceodfan.dll	Mbmgkp32.exe
File created	C:\Windows\SysWOW64\Libghd32.dll	Ndnplk32.exe
File created	C:\Windows\SysWOW64\Lpjgehii.dll	Ndpmbjbk.exe
File created	C:\Windows\SysWOW64\Ngcbie32.exe	Nplkhh32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Olgehh32.exe
File created	C:\Windows\SysWOW64\Iinnfbbo.dll	Oenmkngi.exe
File created	C:\Windows\SysWOW64\Enjaiiho.dll	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
File created	C:\Windows\SysWOW64\Lkffpabj.dll	Mkqbhf32.exe
File created	C:\Windows\SysWOW64\Mbmgkp32.exe	Mkconepp.exe
File opened for modification	C:\Windows\SysWOW64\Njjieace.exe	Ndnplk32.exe
File created	C:\Windows\SysWOW64\Olgehh32.exe	Oenmkngi.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Olgehh32.exe
File created	C:\Windows\SysWOW64\Bqhmkq32.dll	Njjieace.exe
File created	C:\Windows\SysWOW64\Nnhakp32.exe	Ndpmbjbk.exe
File created	C:\Windows\SysWOW64\Qegpeh32.dll	Ncejcg32.exe
File created	C:\Windows\SysWOW64\Oenmkngi.exe	Olehbh32.exe
File created	C:\Windows\SysWOW64\Jligibpk.dll	Olehbh32.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Olgehh32.exe
File opened for modification	C:\Windows\SysWOW64\Mkconepp.exe	Mffgfo32.exe
File opened for modification	C:\Windows\SysWOW64\Mbmgkp32.exe	Mkconepp.exe
File created	C:\Windows\SysWOW64\Ndnplk32.exe	Moahdd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndnplk32.exe	Moahdd32.exe
File created	C:\Windows\SysWOW64\Ncejcg32.exe	Nnhakp32.exe
File created	C:\Windows\SysWOW64\Pfiffp32.dll	Ngcbie32.exe
File opened for modification	C:\Windows\SysWOW64\Oenmkngi.exe	Olehbh32.exe
File opened for modification	C:\Windows\SysWOW64\Mffgfo32.exe	Mkqbhf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndpmbjbk.exe	Njjieace.exe
File opened for modification	C:\Windows\SysWOW64\Ncejcg32.exe	Nnhakp32.exe
File created	C:\Windows\SysWOW64\Jfqjjp32.dll	Nnhakp32.exe
File created	C:\Windows\SysWOW64\Nplkhh32.exe	Ncejcg32.exe
File created	C:\Windows\SysWOW64\Mffgfo32.exe	Mkqbhf32.exe
File opened for modification	C:\Windows\SysWOW64\Nplkhh32.exe	Ncejcg32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcbie32.exe	Nplkhh32.exe
File created	C:\Windows\SysWOW64\Qegdad32.dll	Nplkhh32.exe
File created	C:\Windows\SysWOW64\Ndpmbjbk.exe	Njjieace.exe
File opened for modification	C:\Windows\SysWOW64\Nnhakp32.exe	Ndpmbjbk.exe
File opened for modification	C:\Windows\SysWOW64\Nfhpjaba.exe	Ngcbie32.exe
File created	C:\Windows\SysWOW64\Mkconepp.exe	Mffgfo32.exe
File created	C:\Windows\SysWOW64\Ldcenn32.dll	Mffgfo32.exe
File created	C:\Windows\SysWOW64\Kahmln32.dll	Mkconepp.exe
File created	C:\Windows\SysWOW64\Moahdd32.exe	Mbmgkp32.exe
File created	C:\Windows\SysWOW64\Njjieace.exe	Ndnplk32.exe
File created	C:\Windows\SysWOW64\Imfkindn.dll	Nfhpjaba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2068	2364	WerFault.exe	45

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnhakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfhpjaba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olehbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkqbhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjieace.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndnplk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncejcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplkhh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngcbie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moahdd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oenmkngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmgkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpmbjbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olgehh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffgfo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkconepp.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mffgfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqjjp32.dll"	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegpeh32.dll"	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Olgehh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcenn32.dll"	Mffgfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhmkq32.dll"	Njjieace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahmln32.dll"	Mkconepp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegdad32.dll"	Nplkhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olgehh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Moahdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nfhpjaba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnhakp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mceodfan.dll"	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mbmgkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libghd32.dll"	Ndnplk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll"	Ndpmbjbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkqbhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkffpabj.dll"	Mkqbhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkqbhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jligibpk.dll"	Olehbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinnfbbo.dll"	Oenmkngi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfkindn.dll"	Nfhpjaba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkconepp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njjieace.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndpmbjbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nplkhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll"	Moahdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olehbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkconepp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mffgfo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olgehh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjaiiho.dll"	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olehbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Moahdd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndnplk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njjieace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfiffp32.dll"	Ngcbie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nplkhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcbie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oenmkngi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2704	1456	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe	29
PID 1456 wrote to memory of 2704	1456	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe	29
PID 1456 wrote to memory of 2704	1456	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe	29
PID 1456 wrote to memory of 2704	1456	894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe	29
PID 2704 wrote to memory of 2248	2704	Mkqbhf32.exe	30
PID 2704 wrote to memory of 2248	2704	Mkqbhf32.exe	30
PID 2704 wrote to memory of 2248	2704	Mkqbhf32.exe	30
PID 2704 wrote to memory of 2248	2704	Mkqbhf32.exe	30
PID 2248 wrote to memory of 2840	2248	Mffgfo32.exe	31
PID 2248 wrote to memory of 2840	2248	Mffgfo32.exe	31
PID 2248 wrote to memory of 2840	2248	Mffgfo32.exe	31
PID 2248 wrote to memory of 2840	2248	Mffgfo32.exe	31
PID 2840 wrote to memory of 2436	2840	Mkconepp.exe	32
PID 2840 wrote to memory of 2436	2840	Mkconepp.exe	32
PID 2840 wrote to memory of 2436	2840	Mkconepp.exe	32
PID 2840 wrote to memory of 2436	2840	Mkconepp.exe	32
PID 2436 wrote to memory of 2640	2436	Mbmgkp32.exe	33
PID 2436 wrote to memory of 2640	2436	Mbmgkp32.exe	33
PID 2436 wrote to memory of 2640	2436	Mbmgkp32.exe	33
PID 2436 wrote to memory of 2640	2436	Mbmgkp32.exe	33
PID 2640 wrote to memory of 2660	2640	Moahdd32.exe	34
PID 2640 wrote to memory of 2660	2640	Moahdd32.exe	34
PID 2640 wrote to memory of 2660	2640	Moahdd32.exe	34
PID 2640 wrote to memory of 2660	2640	Moahdd32.exe	34
PID 2660 wrote to memory of 1052	2660	Ndnplk32.exe	35
PID 2660 wrote to memory of 1052	2660	Ndnplk32.exe	35
PID 2660 wrote to memory of 1052	2660	Ndnplk32.exe	35
PID 2660 wrote to memory of 1052	2660	Ndnplk32.exe	35
PID 1052 wrote to memory of 2184	1052	Njjieace.exe	36
PID 1052 wrote to memory of 2184	1052	Njjieace.exe	36
PID 1052 wrote to memory of 2184	1052	Njjieace.exe	36
PID 1052 wrote to memory of 2184	1052	Njjieace.exe	36
PID 2184 wrote to memory of 2144	2184	Ndpmbjbk.exe	37
PID 2184 wrote to memory of 2144	2184	Ndpmbjbk.exe	37
PID 2184 wrote to memory of 2144	2184	Ndpmbjbk.exe	37
PID 2184 wrote to memory of 2144	2184	Ndpmbjbk.exe	37
PID 2144 wrote to memory of 1632	2144	Nnhakp32.exe	38
PID 2144 wrote to memory of 1632	2144	Nnhakp32.exe	38
PID 2144 wrote to memory of 1632	2144	Nnhakp32.exe	38
PID 2144 wrote to memory of 1632	2144	Nnhakp32.exe	38
PID 1632 wrote to memory of 2868	1632	Ncejcg32.exe	39
PID 1632 wrote to memory of 2868	1632	Ncejcg32.exe	39
PID 1632 wrote to memory of 2868	1632	Ncejcg32.exe	39
PID 1632 wrote to memory of 2868	1632	Ncejcg32.exe	39
PID 2868 wrote to memory of 2116	2868	Nplkhh32.exe	40
PID 2868 wrote to memory of 2116	2868	Nplkhh32.exe	40
PID 2868 wrote to memory of 2116	2868	Nplkhh32.exe	40
PID 2868 wrote to memory of 2116	2868	Nplkhh32.exe	40
PID 2116 wrote to memory of 1028	2116	Ngcbie32.exe	41
PID 2116 wrote to memory of 1028	2116	Ngcbie32.exe	41
PID 2116 wrote to memory of 1028	2116	Ngcbie32.exe	41
PID 2116 wrote to memory of 1028	2116	Ngcbie32.exe	41
PID 1028 wrote to memory of 2124	1028	Nfhpjaba.exe	42
PID 1028 wrote to memory of 2124	1028	Nfhpjaba.exe	42
PID 1028 wrote to memory of 2124	1028	Nfhpjaba.exe	42
PID 1028 wrote to memory of 2124	1028	Nfhpjaba.exe	42
PID 2124 wrote to memory of 2428	2124	Olehbh32.exe	43
PID 2124 wrote to memory of 2428	2124	Olehbh32.exe	43
PID 2124 wrote to memory of 2428	2124	Olehbh32.exe	43
PID 2124 wrote to memory of 2428	2124	Olehbh32.exe	43
PID 2428 wrote to memory of 2564	2428	Oenmkngi.exe	44
PID 2428 wrote to memory of 2564	2428	Oenmkngi.exe	44
PID 2428 wrote to memory of 2564	2428	Oenmkngi.exe	44
PID 2428 wrote to memory of 2564	2428	Oenmkngi.exe	44

C:\Users\Admin\AppData\Local\Temp\894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe
"C:\Users\Admin\AppData\Local\Temp\894f631222228696ff0c0e16353b41a7cdb7acf7005d4c8a69b42bd12cee6e80N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\SysWOW64\Mkqbhf32.exe
  C:\Windows\system32\Mkqbhf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\Mffgfo32.exe
    C:\Windows\system32\Mffgfo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Windows\SysWOW64\Mkconepp.exe
      C:\Windows\system32\Mkconepp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\Mbmgkp32.exe
        
        C:\Windows\system32\Mbmgkp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Windows\SysWOW64\Moahdd32.exe
        
        C:\Windows\system32\Moahdd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ndnplk32.exe
        
        C:\Windows\system32\Ndnplk32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Njjieace.exe
        
        C:\Windows\system32\Njjieace.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Ndpmbjbk.exe
        
        C:\Windows\system32\Ndpmbjbk.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Nnhakp32.exe
        
        C:\Windows\system32\Nnhakp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Ncejcg32.exe
        
        C:\Windows\system32\Ncejcg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Nplkhh32.exe
        
        C:\Windows\system32\Nplkhh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ngcbie32.exe
        
        C:\Windows\system32\Ngcbie32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Nfhpjaba.exe
        
        C:\Windows\system32\Nfhpjaba.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Olehbh32.exe
        
        C:\Windows\system32\Olehbh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Oenmkngi.exe
        
        C:\Windows\system32\Oenmkngi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Olgehh32.exe
        
        C:\Windows\system32\Olgehh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 140
        19⤵
        Loads dropped DLL
        Program crash
        
        PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mceodfan.dll

Filesize
7KB

MD5
57ce7299d191358b8bee93179e638b89

SHA1
00682857aa825740b6b96da6b151b4bf100d16ed

SHA256
b53ee4637adc3c0f8ec8ea84a02808c7192a31b95c4d46e9d01b02238929922c

SHA512
60fe89c189fc8674d4cde51ec454cc99b4d74a26746af1c06b1346864652bd1ee21bd87da9aaa8943b1f49cab22c7f620bff8632c3943b4f6d0fca4e9c104ca0

Download Submit
C:\Windows\SysWOW64\Ndnplk32.exe

Filesize
93KB

MD5
f5d32d2c7d97e3bda25e8e4b68946eec

SHA1
5adba05b8fb55c83b5d1c67e94fc312041df801a

SHA256
ecb6fd744e380eb60f5124ea9079ac385e806bf0ef401b4ba1a097d7005f027b

SHA512
72cc5d5f8bbda6a6c9b6f8353c8bb507b07e6bc68cf92acdd179790e01df6c3dcdb3b4ba5c6cacc313bc33a7026a18f9d9d2edbdaad7eb9bd7af18809ef059fd

Download Submit
C:\Windows\SysWOW64\Ndpmbjbk.exe

Filesize
93KB

MD5
9575238f017f57f2ba359ef29798571c

SHA1
c52e3c0bfaf616a5185dc5b116259fb40b09003a

SHA256
a8316530989bc66b95ef9508eef69704f064277a43c62e1a1aada3f3b881b77c

SHA512
20717a45b0aa98089802f8c35883cf7723f6063403647a4862f1bb734d5621ef20d3a1fd3555eeca6869a7cffb54d44f476c8097fb39b474d970f6852fe78b8e

Download Submit
C:\Windows\SysWOW64\Ngcbie32.exe

Filesize
93KB

MD5
1d19f480f54ef2dbe0a6142e3330bda5

SHA1
873159e80485a36f263e954772d4ca34b45597a3

SHA256
6f06804320a36e917c2677111e40732b1f81c890e186578b569ff2939c6d67fe

SHA512
5752be1ffe277882f68397b0bc11e1ecf35abf9a4d7f5f83b3bf72d1d7b1fdd7a0f01ef1197b68175df506b1e12ae8db1827a5c95db57731ff6ba843373ee21e

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
93KB

MD5
a439a2e25704390edf62fb9f4fc54176

SHA1
3f35628b8625df33b8c8689f5d234a89067fd7b6

SHA256
05041a528b248729f2e130135c1d6a2acbe547429ceda1c3f4eea247050cc74c

SHA512
4eec6c236a12c5cb77294590ea909818d5b5e29fea08290617c4dc21723182b5f990e291a8362d290c062a385b8a71bbb2837ce11eb27e54d2a86492585f6178

Download Submit
C:\Windows\SysWOW64\Olehbh32.exe

Filesize
93KB

MD5
97ed934360760a6f78509c61888bcb9d

SHA1
12e55b12412c8080d828a951f7e2cb3707f4c8ba

SHA256
5b23bf27daaeeabe2ca6becab9b6bee2a82a7750cecea6783ad961454489126e

SHA512
0c8a9bf1ad5eb79f0ff92e3d9d38fe601be790f51c5920fd9b730576f9f001002f50a035abbce6c36e3097b66ecdda13ee81bc6811040e15c568904c4a15a721

Download Submit
\Windows\SysWOW64\Mbmgkp32.exe

Filesize
93KB

MD5
0a7ea1068fb576c97b97cc961511c224

SHA1
4f9b9287b5b4eb31f3b50aaf69dd0d08a07197e7

SHA256
b3cd54fa6f95502d902d01503c35f765ef8256aa31f0657abc8f0eddbfbdc24c

SHA512
1e7e7d21e560a5736c3e0327aba823e8888d0c241ffb75a8c7223ab0f3b9d7f96a3c3b6f9d7d5155e93c2d799281c514ad6dc1a2b90f7c3fa83d331e05e5e3a7

Download Submit
\Windows\SysWOW64\Mffgfo32.exe

Filesize
93KB

MD5
183bb06ea3358386d7ff837054840b6c

SHA1
d6f5a1f14310f2e5cdcb444a78004725645c32f0

SHA256
051311e6030e4c7fa84760eb03357956028a3d659dc83f0f44d83488e48513fe

SHA512
e841701c6d9bee69d9010a0e26a55655a3a3aa776cda2191ac9e518b979efab26941727a61236c164c55956b9f405708c973bd19e16f4febc6282f7cde02cc4b

Download Submit
\Windows\SysWOW64\Mkconepp.exe

Filesize
93KB

MD5
09d69a36c50038edaaef24aeb6261842

SHA1
76f1adf06ded0569f0f8c4db3d7f27b2199eaf0c

SHA256
32e703327ae5c67c1571e57c3d4162134f0242ef7f81025c672151f5cd16839a

SHA512
ca6ae006599abe447c65f379e32842ba1ec69dc20db1ad5b60bbc32ec16c18f5ed280739da78bb52e559da69a61e2cdf99baf830de6859baeac29bb0dba24ff6

Download Submit
\Windows\SysWOW64\Mkqbhf32.exe

Filesize
93KB

MD5
567f1664facfc018961ba49b63db8964

SHA1
7f0ff2c7d7f086c7e589a95307c8856192e0be92

SHA256
4805b9dc0a74fcb41cd274ff7c9c167bd9aa0f5ca695ef9cde5f22cd749bb76b

SHA512
151d6358783a860922468089145410cc4a018ea27a26e6e5dcfd3c8dd7d946d09cb5d515b388de7ceafa546f0cdbc511e9ca5184268e5159077349a793366644

Download Submit
\Windows\SysWOW64\Moahdd32.exe

Filesize
93KB

MD5
1f66e375627ba757526f64ca47fb67c5

SHA1
2e054ed3789a69ab49add7cb649e854638214b71

SHA256
92cce37a33218c062ddce593e162013bd039cd7f45627eb1534555d553ebf9ce

SHA512
1790afc25dd3703e0884530cf28570d5c04a46577279dc1e7072edf8cdf6081be9d7f75e34f330db737c98d0fbf078e6dceb8758781f774212f15f476aa01a9e

Download Submit
\Windows\SysWOW64\Ncejcg32.exe

Filesize
93KB

MD5
920a599280613723b64981c1e7e4ddc1

SHA1
af10a73fc7d8cbe360a3796cb456d153d3d256a4

SHA256
16f32945223721fc06a10b79c30493225a291de445266799075525ac154a230c

SHA512
a7490db4c20b352257e3e031d64c324cd36eb28777287298bd50c057212b1c9f72076bf4366258e49aa51985da225040102c2f068360e89a2f0fc68634dd2150

Download Submit
\Windows\SysWOW64\Nfhpjaba.exe

Filesize
93KB

MD5
72533586798f73e135467cd503ec3df8

SHA1
6c52668ae21cda33724fb070e113143a0824d143

SHA256
e630707f973f15c7192f88d3f257bff6385df44224f360fc1299ccf94ab4797d

SHA512
3e8531d80501b3f8af45db60e2a3ca1f2f24199d0cead8db77b8368b4ce811a77dee3fa5a3ede4083295f58d04908acf5b62ddcfe79746bc4838e3301be344c9

Download Submit
\Windows\SysWOW64\Njjieace.exe

Filesize
93KB

MD5
97c96fd54f200c4823c3747acfe01ca4

SHA1
9a7d7dea46ddfca29caf187b7c8fecfef274bdfd

SHA256
66807c9b283a4dc2df42c1ac5e7c3363e83b898d78a0626d1fd96d903b1084ae

SHA512
badafffb1d0c99107d3416f1de14b2fab1b3d8d0422c6e6a47be29e2ca30f2243f0efc1183c8a284f688fd2d29a79ca9f234cc3241c811524a92cd07091478de

Download Submit
\Windows\SysWOW64\Nnhakp32.exe

Filesize
93KB

MD5
1fdc3ca3b20b86bfb43265ccf57cc7e6

SHA1
726c56c630c9a6479dc40c33074341ef02e59075

SHA256
d4ea76bb69cc5a908a8326316b19ddce132b4de55514130f9b0055edc598c38a

SHA512
4b4ffb8886d04b81d4584dea9e30d3207881682bf66df2b1901cae404ddb25c08ac7198fd979f60fed070a4d19ad5631c6b773a947d0209fc6ed9ff4a34f699f

Download Submit
\Windows\SysWOW64\Nplkhh32.exe

Filesize
93KB

MD5
2532bf87fed803a290143ced25ecc925

SHA1
3098d7169c86bb37bcb766ef1e22c96eefa3acc9

SHA256
97342b74f7fdd32a55f8961817d440c34407aa5b0d8660c87e4e537bf0385b8a

SHA512
0061faaef070c3d67520d9d80cff5e41c8a4a889112f23a618b4d47b899a43f96238c9e716a88736dd6ad74e0937b6a4b7cba60c91cd45b750321eaeea9cc19b

Download Submit
\Windows\SysWOW64\Oenmkngi.exe

Filesize
93KB

MD5
6a54df3508b5b33c075ccd100aec2940

SHA1
de21bfedc897b5aa3133ffcce3f83dd5e76dbdbd

SHA256
60514a8d1e5ce4198cd43dc036d9cd849f697e89f38d4b8655775cb05eec3074

SHA512
58a88e89ebc54f983550dcb8288c603bb47d4efc81eeed50505990c567e813de8a6f4e98e5cfe3a387278b7f762b4099b06c769f928bc410ec9fd7a10d707f26

Download Submit
\Windows\SysWOW64\Olgehh32.exe

Filesize
93KB

MD5
8ccd1b3bc15452631af51c83cc5b9ca7

SHA1
dcd51e8c34595c4d9d30c3c05a3b6a91368ca929

SHA256
2ffc941730e2d4127a1a0569212a56e15c71b6169bbff58115563afc18db4378

SHA512
d7c73e51cbbd38aef1d485523ed5c149163fdfac1bc841420d78c233cd379c4ae47e8b5e2555c92f712fa4612f8e6d548cc81fd536b913862a0fe2cb80b80e09

Download Submit
memory/1028-202-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1028-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-249-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1028-250-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1052-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1052-156-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1052-110-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1052-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-46-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-7-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/1632-149-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1632-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1632-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-174-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-181-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2116-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-247-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2124-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-213-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2124-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-173-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-187-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2144-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-134-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2184-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-165-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-118-0x0000000001FB0000-0x0000000001FF0000-memory.dmp

Filesize
256KB

Download
memory/2248-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2248-38-0x0000000000440000-0x0000000000480000-memory.dmp

Filesize
256KB

Download
memory/2248-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2364-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-233-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2428-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-254-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2428-235-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2436-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2436-61-0x0000000000330000-0x0000000000370000-memory.dmp

Filesize
256KB

Download
memory/2564-255-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2564-248-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2640-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-90-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2660-139-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2660-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2704-24-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2704-60-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-48-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2840-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-220-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2868-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2868-171-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2868-166-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2868-215-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2868-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads