Overview

overview

10

Static

static

3

16f6a4c863...e0.exe

windows7-x64

10

16f6a4c863...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    30/12/2023, 11:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    16f6a4c8638cd1f64d5c54a9d08152e0.exe

  • Size

    224KB

  • MD5

    16f6a4c8638cd1f64d5c54a9d08152e0

  • SHA1

    8e72d5f84de27882ea626f498a85658bcffbcf39

  • SHA256

    bfc1a8d2bda05bbab36b3a68c8d1c7c8e8b5b3a6016c8b6d82346acd5b34926d

  • SHA512

    141976fc3b8975ccf32bff149d7cf396e708bd373fc200a4b0b66096b01c5f078a49731e3b73cedbb82be4b53276933434056d7baa76edb3130c91de3f9248db

  • SSDEEP

    6144:4O2aKjqBFfIWu6BSllf7Qbuv3p30u6BSl:cOBFY6BwUbmP6B

Score
10/10
persistence

Malware Config

Signatures

  • Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
    persistence
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\SysWOW64\Ncjqhmkm.exe
    C:\Windows\system32\Ncjqhmkm.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2832
    • C:\Windows\SysWOW64\Nhfipcid.exe
      C:\Windows\system32\Nhfipcid.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2628
  • C:\Windows\SysWOW64\Onmdoioa.exe
    C:\Windows\system32\Onmdoioa.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Windows\SysWOW64\Ombapedi.exe
      C:\Windows\system32\Ombapedi.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2112
  • C:\Windows\SysWOW64\Omdneebf.exe
    C:\Windows\system32\Omdneebf.exe
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Executes dropped EXE
    • Loads dropped DLL
    PID:1792
    • C:\Windows\SysWOW64\Ofmbnkhg.exe
      C:\Windows\system32\Ofmbnkhg.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Modifies registry class
      PID:1104
      • C:\Windows\SysWOW64\Okikfagn.exe
        C:\Windows\system32\Okikfagn.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        PID:1776
  • C:\Windows\SysWOW64\Pmanoifd.exe
    C:\Windows\system32\Pmanoifd.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    PID:2948
    • C:\Windows\SysWOW64\Pfjbgnme.exe
      C:\Windows\system32\Pfjbgnme.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1316
      • C:\Windows\SysWOW64\Pmdjdh32.exe
        C:\Windows\system32\Pmdjdh32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Modifies registry class
        PID:2744
        • C:\Windows\SysWOW64\Pcnbablo.exe
          C:\Windows\system32\Pcnbablo.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          PID:2584
  • C:\Windows\SysWOW64\Pjhknm32.exe
    C:\Windows\system32\Pjhknm32.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Modifies registry class
    PID:2140
    • C:\Windows\SysWOW64\Qmfgjh32.exe
      C:\Windows\system32\Qmfgjh32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Loads dropped DLL
      PID:3032
  • C:\Windows\SysWOW64\Qcpofbjl.exe
    C:\Windows\system32\Qcpofbjl.exe
    1⤵
    • Executes dropped EXE
    PID:2496
    • C:\Windows\SysWOW64\Qjjgclai.exe
      C:\Windows\system32\Qjjgclai.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      PID:588
      • C:\Windows\SysWOW64\Qpgpkcpp.exe
        C:\Windows\system32\Qpgpkcpp.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        PID:1284
        • C:\Windows\SysWOW64\Qfahhm32.exe
          C:\Windows\system32\Qfahhm32.exe
          4⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Modifies registry class
          PID:2176
          • C:\Windows\SysWOW64\Alnqqd32.exe
            C:\Windows\system32\Alnqqd32.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            PID:396
  • C:\Windows\SysWOW64\Ahdaee32.exe
    C:\Windows\system32\Ahdaee32.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies registry class
    PID:2256
    • C:\Windows\SysWOW64\Abjebn32.exe
      C:\Windows\system32\Abjebn32.exe
      2⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      PID:1736
      • C:\Windows\SysWOW64\Ahgnke32.exe
        C:\Windows\system32\Ahgnke32.exe
        3⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        • Drops file in System32 directory
        • Modifies registry class
        PID:1940
  • C:\Windows\SysWOW64\Albjlcao.exe
    C:\Windows\system32\Albjlcao.exe
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Executes dropped EXE
    PID:2724
    • C:\Windows\SysWOW64\Abmbhn32.exe
      C:\Windows\system32\Abmbhn32.exe
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      PID:2748
  • C:\Windows\SysWOW64\Ahlgfdeq.exe
    C:\Windows\system32\Ahlgfdeq.exe
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Executes dropped EXE
    • Modifies registry class
    PID:2152
    • C:\Windows\SysWOW64\Amhpnkch.exe
      C:\Windows\system32\Amhpnkch.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1808
  • C:\Windows\SysWOW64\Bbhela32.exe
    C:\Windows\system32\Bbhela32.exe
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Executes dropped EXE
    PID:2980
    • C:\Windows\SysWOW64\Bmmiij32.exe
      C:\Windows\system32\Bmmiij32.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      PID:2968
  • C:\Windows\SysWOW64\Bblogakg.exe
    C:\Windows\system32\Bblogakg.exe
    1⤵
    • Adds autorun key to be loaded by Explorer.exe on startup
    • Executes dropped EXE
    • Drops file in System32 directory
    PID:988
    • C:\Windows\SysWOW64\Bhigphio.exe
      C:\Windows\system32\Bhigphio.exe
      2⤵
        PID:1960
    • C:\Windows\SysWOW64\Bldcpf32.exe
      C:\Windows\system32\Bldcpf32.exe
      1⤵
      • Drops file in System32 directory
      • Modifies registry class
      PID:3056
      • C:\Windows\SysWOW64\Bocolb32.exe
        C:\Windows\system32\Bocolb32.exe
        2⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Executes dropped EXE
        PID:2276
    • C:\Windows\SysWOW64\Chnqkg32.exe
      C:\Windows\system32\Chnqkg32.exe
      1⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Drops file in System32 directory
      PID:2604
      • C:\Windows\SysWOW64\Cklmgb32.exe
        C:\Windows\system32\Cklmgb32.exe
        2⤵
        • Modifies registry class
        PID:1980
        • C:\Windows\SysWOW64\Cafecmlj.exe
          C:\Windows\system32\Cafecmlj.exe
          3⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Drops file in System32 directory
          PID:2400
    • C:\Windows\SysWOW64\Cdikkg32.exe
      C:\Windows\system32\Cdikkg32.exe
      1⤵
      • Drops file in System32 directory
      • Modifies registry class
      PID:1544
      • C:\Windows\SysWOW64\Ckccgane.exe
        C:\Windows\system32\Ckccgane.exe
        2⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        PID:3044
        • C:\Windows\SysWOW64\Cldooj32.exe
          C:\Windows\system32\Cldooj32.exe
          3⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Modifies registry class
          PID:1300
    • C:\Windows\SysWOW64\Dcadac32.exe
      C:\Windows\system32\Dcadac32.exe
      1⤵
      • Modifies registry class
      PID:2404
      • C:\Windows\SysWOW64\Dfoqmo32.exe
        C:\Windows\system32\Dfoqmo32.exe
        2⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        PID:3108
    • C:\Windows\SysWOW64\Dccagcgk.exe
      C:\Windows\system32\Dccagcgk.exe
      1⤵
      • Drops file in System32 directory
      • Modifies registry class
      PID:3228
      • C:\Windows\SysWOW64\Dfamcogo.exe
        C:\Windows\system32\Dfamcogo.exe
        2⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Drops file in System32 directory
        PID:3268
        • C:\Windows\SysWOW64\Egllae32.exe
          C:\Windows\system32\Egllae32.exe
          3⤵
          • Modifies registry class
          PID:3312
          • C:\Windows\SysWOW64\Ejmebq32.exe
            C:\Windows\system32\Ejmebq32.exe
            4⤵
            • Drops file in System32 directory
            • Modifies registry class
            PID:3352
    • C:\Windows\SysWOW64\Dpeekh32.exe
      C:\Windows\system32\Dpeekh32.exe
      1⤵
      • Drops file in System32 directory
      PID:3188
    • C:\Windows\SysWOW64\Dhnmij32.exe
      C:\Windows\system32\Dhnmij32.exe
      1⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Modifies registry class
      PID:3148
    • C:\Windows\SysWOW64\Dlgldibq.exe
      C:\Windows\system32\Dlgldibq.exe
      1⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Drops file in System32 directory
      PID:2504
    • C:\Windows\SysWOW64\Djhphncm.exe
      C:\Windows\system32\Djhphncm.exe
      1⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Drops file in System32 directory
      • Modifies registry class
      PID:1768
    • C:\Windows\SysWOW64\Dgjclbdi.exe
      C:\Windows\system32\Dgjclbdi.exe
      1⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Drops file in System32 directory
      • Modifies registry class
      PID:436
    • C:\Windows\SysWOW64\Eqijej32.exe
      C:\Windows\system32\Eqijej32.exe
      1⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Drops file in System32 directory
      • Modifies registry class
      PID:3472
      • C:\Windows\SysWOW64\Ebjglbml.exe
        C:\Windows\system32\Ebjglbml.exe
        2⤵
        • Drops file in System32 directory
        • Modifies registry class
        PID:3512
    • C:\Windows\SysWOW64\Fjaonpnn.exe
      C:\Windows\system32\Fjaonpnn.exe
      1⤵
      • Adds autorun key to be loaded by Explorer.exe on startup
      • Modifies registry class
      PID:3552
      • C:\Windows\SysWOW64\Fkckeh32.exe
        C:\Windows\system32\Fkckeh32.exe
        2⤵
          PID:3592
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 140
        1⤵
        • Program crash
        PID:3616
      • C:\Windows\SysWOW64\Ejobhppq.exe
        C:\Windows\system32\Ejobhppq.exe
        1⤵
        • Modifies registry class
        PID:3432
      • C:\Windows\SysWOW64\Egafleqm.exe
        C:\Windows\system32\Egafleqm.exe
        1⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        PID:3392
      • C:\Windows\SysWOW64\Cdlgpgef.exe
        C:\Windows\system32\Cdlgpgef.exe
        1⤵
        • Adds autorun key to be loaded by Explorer.exe on startup
        • Drops file in System32 directory
        • Modifies registry class
        PID:2364
      • C:\Windows\SysWOW64\Caknol32.exe
        C:\Windows\system32\Caknol32.exe
        1⤵
          PID:2988
        • C:\Windows\SysWOW64\Ckafbbph.exe
          C:\Windows\system32\Ckafbbph.exe
          1⤵
          • Drops file in System32 directory
          • Modifies registry class
          PID:1732
        • C:\Windows\SysWOW64\Chbjffad.exe
          C:\Windows\system32\Chbjffad.exe
          1⤵
          • Drops file in System32 directory
          PID:1032
        • C:\Windows\SysWOW64\Cahail32.exe
          C:\Windows\system32\Cahail32.exe
          1⤵
          • Modifies registry class
          PID:1988
        • C:\Windows\SysWOW64\Ckoilb32.exe
          C:\Windows\system32\Ckoilb32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Modifies registry class
          PID:1596
        • C:\Windows\SysWOW64\Cddaphkn.exe
          C:\Windows\system32\Cddaphkn.exe
          1⤵
          • Drops file in System32 directory
          • Modifies registry class
          PID:688
        • C:\Windows\SysWOW64\Cdbdjhmp.exe
          C:\Windows\system32\Cdbdjhmp.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:1688
        • C:\Windows\SysWOW64\Coelaaoi.exe
          C:\Windows\system32\Coelaaoi.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Modifies registry class
          PID:1868
        • C:\Windows\SysWOW64\Bhkdeggl.exe
          C:\Windows\system32\Bhkdeggl.exe
          1⤵
          • Executes dropped EXE
          PID:2052
        • C:\Windows\SysWOW64\Bemgilhh.exe
          C:\Windows\system32\Bemgilhh.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:2812
        • C:\Windows\SysWOW64\Bpnbkeld.exe
          C:\Windows\system32\Bpnbkeld.exe
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          PID:1816
        • C:\Windows\SysWOW64\Blbfjg32.exe
          C:\Windows\system32\Blbfjg32.exe
          1⤵
          • Executes dropped EXE
          PID:2348
        • C:\Windows\SysWOW64\Bfenbpec.exe
          C:\Windows\system32\Bfenbpec.exe
          1⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:2460
        • C:\Windows\SysWOW64\Bpleef32.exe
          C:\Windows\system32\Bpleef32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:876
        • C:\Windows\SysWOW64\Bmkmdk32.exe
          C:\Windows\system32\Bmkmdk32.exe
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          PID:1600
        • C:\Windows\SysWOW64\Bhndldcn.exe
          C:\Windows\system32\Bhndldcn.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:1156
        • C:\Windows\SysWOW64\Bdbhke32.exe
          C:\Windows\system32\Bdbhke32.exe
          1⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:1624
        • C:\Windows\SysWOW64\Adpkee32.exe
          C:\Windows\system32\Adpkee32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          PID:1620
        • C:\Windows\SysWOW64\Amfcikek.exe
          C:\Windows\system32\Amfcikek.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:472
        • C:\Windows\SysWOW64\Ajhgmpfg.exe
          C:\Windows\system32\Ajhgmpfg.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Modifies registry class
          PID:1380
        • C:\Windows\SysWOW64\Adnopfoj.exe
          C:\Windows\system32\Adnopfoj.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies registry class
          PID:2792
        • C:\Windows\SysWOW64\Abhimnma.exe
          C:\Windows\system32\Abhimnma.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Modifies registry class
          PID:1464
        • C:\Windows\SysWOW64\Pgeefbhm.exe
          C:\Windows\system32\Pgeefbhm.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          PID:2524
        • C:\Windows\SysWOW64\Pqkmjh32.exe
          C:\Windows\system32\Pqkmjh32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2332
        • C:\Windows\SysWOW64\Pjadmnic.exe
          C:\Windows\system32\Pjadmnic.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          PID:1712
        • C:\Windows\SysWOW64\Pedleg32.exe
          C:\Windows\system32\Pedleg32.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          PID:556
        • C:\Windows\SysWOW64\Pogclp32.exe
          C:\Windows\system32\Pogclp32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          PID:1160
        • C:\Windows\SysWOW64\Pfoocjfd.exe
          C:\Windows\system32\Pfoocjfd.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          PID:956
        • C:\Windows\SysWOW64\Obojhlbq.exe
          C:\Windows\system32\Obojhlbq.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          PID:2012
        • C:\Windows\SysWOW64\Ocgpappk.exe
          C:\Windows\system32\Ocgpappk.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1500
        • C:\Windows\SysWOW64\Ojolhk32.exe
          C:\Windows\system32\Ojolhk32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:700
        • C:\Windows\SysWOW64\Ngpolo32.exe
          C:\Windows\system32\Ngpolo32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:800
        • C:\Windows\SysWOW64\Nacgdhlp.exe
          C:\Windows\system32\Nacgdhlp.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2024
        • C:\Windows\SysWOW64\Ngnbgplj.exe
          C:\Windows\system32\Ngnbgplj.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3024
        • C:\Windows\SysWOW64\Nocnbmoo.exe
          C:\Windows\system32\Nocnbmoo.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2784
        • C:\Windows\SysWOW64\Nhiffc32.exe
          C:\Windows\system32\Nhiffc32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1780
        • C:\Windows\SysWOW64\Nncahjgl.exe
          C:\Windows\system32\Nncahjgl.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:2640
        • C:\Windows\SysWOW64\Nlphkb32.exe
          C:\Windows\system32\Nlphkb32.exe
          1⤵
          • Adds autorun key to be loaded by Explorer.exe on startup
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2708
        • C:\Windows\SysWOW64\Nefpnhlc.exe
          C:\Windows\system32\Nefpnhlc.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2844
        • C:\Windows\SysWOW64\Mlmlecec.exe
          C:\Windows\system32\Mlmlecec.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3040
        • C:\Users\Admin\AppData\Local\Temp\16f6a4c8638cd1f64d5c54a9d08152e0.exe
          "C:\Users\Admin\AppData\Local\Temp\16f6a4c8638cd1f64d5c54a9d08152e0.exe"
          1⤵
          • Loads dropped DLL
          • Drops file in System32 directory
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:2528
        • C:\Users\Admin\AppData\Local\Temp\577193805\zmstage.exe
          C:\Users\Admin\AppData\Local\Temp\577193805\zmstage.exe
          1⤵
          • Executes dropped EXE
          • Modifies registry class
          PID:1960

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Windows\SysWOW64\Dccagcgk.exe
          Filesize

          224KB

          MD5

          029392edd99c9c4309926f63aa3c775e

          SHA1

          7426f66ac8412e6d53d6bd210bdf30683bb742cc

          SHA256

          2b2585c3a2629f2fbca7c0c9e193060e7a7158760a023d87b2e7e2aba5534018

          SHA512

          e2275ece3b0174cdf122cf8877f39d3c31bbbad29793e821c9df3ab414cf812043d14c2052ce05513674cf3db9ef8d28aef2b48986e9fa6e7dd1f0f7c8beb61d

          Download Submit

        • C:\Windows\SysWOW64\Dfamcogo.exe
          Filesize

          224KB

          MD5

          86e95cf2447b2bc5f769eef8a4403db6

          SHA1

          d49fdccd734e24dc52a9d7907f9183d2ec428da1

          SHA256

          209e501cddcbd79be76e61ccd4bfcaa43d0ee7881925ed817e661416d9843981

          SHA512

          ba7c83af1fded26eb8c0dd0b3b340708b2f121a014191287972584d04de9cb7cc17b1afd7a8a163a78f8569a376a00f39fef5f0272388baad585ae02d0f8bdd3

          Download Submit

        • C:\Windows\SysWOW64\Dpeekh32.exe
          Filesize

          224KB

          MD5

          b5cd6651a23998f0530fad8d36ff261e

          SHA1

          eb12f03fb2d2051ef0c5605bf37631c5bbe96ac7

          SHA256

          c245040c253a33643ca6d55a9a0c7055d3ecf73adb007da2f0ed4cf406bb4cba

          SHA512

          b9c7aae5aa29143ecbafe79a04284cf9038f2076dec8d4f49ca70e24c163b86b0fc900847e2edf842b1cd20d91cf5f836218edb41c2990f5eb003a170d24e7b4

          Download Submit

        • C:\Windows\SysWOW64\Ebjglbml.exe
          Filesize

          224KB

          MD5

          56cafb6fb4e678655d216121afabd375

          SHA1

          4a3889ed942de7ee19395ac9629a52490f1b81b5

          SHA256

          04ceb1db081467ea961d6f9582224b88ce7dd5743421a15b7e56471bd52ef4c1

          SHA512

          0fa8462e71fd5f43a512ba57b4096eca683abaeaa194ca2aa0380eb46df63db044795beb347d77af73af6fb0337c53ddf397dee42126e195574a6cddef69c4db

          Download Submit

        • C:\Windows\SysWOW64\Egafleqm.exe
          Filesize

          224KB

          MD5

          bd5eea4eda12097b380f47c246d74f64

          SHA1

          8506c6d20ff2fdb192bfa4db93e6a604a3a9f9e1

          SHA256

          54854abe731841fabc891ac00f85531767ae3835f005b186869e9e13aa1696f1

          SHA512

          8b481de80a0fd882370c8bf127a4aaa425de58491b98a105ea11d8a9e3598569080602db4498748312a8d60a6cf91a42976743e85a081c44f1041774a86e2ffa

          Download Submit

        • C:\Windows\SysWOW64\Egllae32.exe
          Filesize

          224KB

          MD5

          43b264c752eef27ff7f3de3a43edb13e

          SHA1

          75c0e15b6e0b78dcf81f7816e401556d93eeeb0e

          SHA256

          2a21f2c0f288d36cf0c4e324bb266688247850e37a8adc6c5aa629638cb29fd2

          SHA512

          c8605f85dfcc2996fc7e42019e3d8025d36f083db43237e430730fa23cf28fbc7ff300d904e6144439c60059cdb7df3c5660a32cc30c7e03cb0209cf17b59d51

          Download Submit

        • C:\Windows\SysWOW64\Ejmebq32.exe
          Filesize

          224KB

          MD5

          20d2eb5723d159a04c6ee446b4317125

          SHA1

          2ddd7c31662fc15d54ae6552a328675dc32e104a

          SHA256

          002c62a8d50da9903d8e40a4605f8c322694bfe0f11390a1deca332f2e51355e

          SHA512

          21e3fc11ebf5ba7c44e34b18b38cfdf0b83ea1229baf73e03a053c9ea0062261a553aed01bdbfcba0f82dd9b64d788d8beca188d60a41cec2c136593dc2e1a57

          Download Submit

        • C:\Windows\SysWOW64\Ejobhppq.exe
          Filesize

          224KB

          MD5

          c656b15d0bbb7f25757a75fccd7cfc36

          SHA1

          7f2563c38ad27b8bfae9603a559522810d66b227

          SHA256

          0921a7a5137ed5a00d0b5b9975b937991707497edbe5491453b5b154a94ffd15

          SHA512

          6cbd4c8b04a44e03c332e48bbd38c3be66bebeb6cfe4ffb2f6e2ce8838387e6f3e84b3633d1f694d2a707af66a666def73c618c427a15d32318bd7696061b260

          Download Submit

        • C:\Windows\SysWOW64\Eqijej32.exe
          Filesize

          224KB

          MD5

          8d25469fa02f78f3417b740b8520c15a

          SHA1

          84482025f37df8e4a14bc00cee3b3ff026afae3b

          SHA256

          a1bd6496f2d6b1e453a0a953000ba0ceff103ed42b01437d6a656fd734842420

          SHA512

          0b646fe91d5da0983d9403d17d5b67fb29d30df67a5e5a9c93ce6673779a1b604cca911072200673e299161bcd828446608ae72276a1711b975a648ad6ba9a42

          Download Submit

        • C:\Windows\SysWOW64\Fjaonpnn.exe
          Filesize

          224KB

          MD5

          cf17d95e942a11b7943fded40d8a4ff6

          SHA1

          73d1bc72053c2bebc13b59b9a5943279f5d80ecc

          SHA256

          09748df6494d0471847c578146c4ff4df1109077d9ceae3750d72a8c8f6236ad

          SHA512

          e17246ce1e05435476569a61eb46039bc5e4b422403c1bfc2f318e01ccd95782d1af36b4d15741981f01c1df34bf32ef2bf94eb62de0a549133e863bff0fefcd

          Download Submit

        • C:\Windows\SysWOW64\Fkckeh32.exe
          Filesize

          224KB

          MD5

          ecc678b86168dab6f74ddbb460403c4d

          SHA1

          b825e51eb922c8996b7d7ed25634f4b7dac97d86

          SHA256

          b33d120783e0f03632a878457d759f18d23c5360daa93200e14cb61f92f8048e

          SHA512

          adcb87925823c19abe4e91569b89eaf3afe891ddaa342f308906244ee23ca5f50766783b909c5fd736e509f92c3ee845b0f83e0c121603ba0fbbdfb37f314310

          Download Submit

        • C:\Windows\SysWOW64\Mlmlecec.exe
          Filesize

          224KB

          MD5

          b5c726d4da97e98f46dd4503ec8be4a9

          SHA1

          0aed6fad8dd141aa2103a6eab40a524d3dee4d54

          SHA256

          0309e043e3b50e910d8b85057af9d1333a93660123a068ae5b6ac86df640f83e

          SHA512

          b38b14129c070641f042ebbacd4a020a2a3c5d4e8a2b62db596dea94dfffe833e9672ddc9c0346876af68085fecc49bd9c52b0197a153e73f0e6cccdf9086d81

          Download Submit

        • C:\Windows\SysWOW64\Nefpnhlc.exe
          Filesize

          224KB

          MD5

          a7c17405dc500389d2140382fbbc9e9d

          SHA1

          cf9a9d268373ae03567f309aa6c94b42ced6878f

          SHA256

          d249d21e0737fdded29c11e6148b613634402aaa3906420f4075694f2b32c356

          SHA512

          3a332306752c90616e258de1425bed2906033fc17188fdf362223adc07871f5136498d1e0ecbc53bf3b29fb7e0dd857fd8aaeed6c8f73f2584667a2692b9e4bc

          Download Submit

        • \Windows\SysWOW64\Nefpnhlc.exe
          Filesize

          91KB

          MD5

          80ff0e70f6f4781113e13e7c25f6c676

          SHA1

          958fe6c47562eae5f17ddfb4a890f01b07ec58e9

          SHA256

          a16f3f95a57de6e0261931e8a3dd6db069e4e76c364af76221cfea7cb87776a3

          SHA512

          7b474fe0948b4335dc3aa56db81fefd14c3f7b459875aea12329007bc95a53d8ff74108672e5a14dc598533f6e299c93ea730934972062b4ab3fa0f009a8da8e

          Download Submit

        • memory/556-299-0x00000000003A0000-0x00000000003D4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/556-294-0x00000000003A0000-0x00000000003D4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/556-289-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/588-1064-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/700-170-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/700-167-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/800-161-0x00000000001B0000-0x00000000001E4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/800-153-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/956-266-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/956-1051-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/956-272-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/956-273-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1104-246-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1104-252-0x00000000002B0000-0x00000000002E4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1104-248-0x00000000002B0000-0x00000000002E4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1160-274-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1160-1052-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1160-288-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1160-283-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1316-355-0x0000000000440000-0x0000000000474000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1316-344-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1316-349-0x0000000000440000-0x0000000000474000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1464-1068-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1500-181-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1500-188-0x0000000001BA0000-0x0000000001BD4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1500-195-0x0000000001BA0000-0x0000000001BD4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1712-305-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1712-300-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1712-310-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1776-267-0x00000000001B0000-0x00000000001E4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1776-1050-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1776-261-0x00000000001B0000-0x00000000001E4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1780-94-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1780-101-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1792-245-0x0000000000230000-0x0000000000264000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1792-240-0x0000000000230000-0x0000000000264000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1960-1090-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2012-231-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2012-227-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2012-225-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2024-152-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2024-146-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2024-133-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2072-196-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2072-204-0x0000000001B70000-0x0000000001BA4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2072-205-0x0000000001B70000-0x0000000001BA4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2112-219-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2112-207-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2152-1078-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2176-1066-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2276-1096-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2332-316-0x00000000002B0000-0x00000000002E4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2332-321-0x00000000002B0000-0x00000000002E4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2332-311-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2524-332-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2524-327-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2524-322-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2528-12-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2528-0-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2528-6-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2628-66-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2640-79-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2640-87-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2724-1072-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2744-354-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2744-1059-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2784-114-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2792-1074-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2832-53-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2844-35-0x0000000000440000-0x0000000000474000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2948-343-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2948-338-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/2948-333-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3024-127-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3040-19-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3040-22-0x0000000000220000-0x0000000000254000-memory.dmp

          Filesize

          208KB

          Download

        • memory/3056-1091-0x0000000000400000-0x0000000000434000-memory.dmp

          Filesize

          208KB

          Download