0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3

Analysis

max time kernel
94s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe
Size

56KB
MD5

4b568665568e95eadde7a0129d0b19b0
SHA1

4e8ddb1d90390d21155e33e2e0b6430fa66269f4
SHA256

0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3
SHA512

54f3f0ad9843a99af3cd5a1f6540db4d1522b8c5e11cc1f3665a523cd2a943d2bdbaaa10a52ff6d9bb5f86ba400a509c07051a14710d80bd1eb4e8be85de8ae9
SSDEEP

768:+dQMSHclpsur/GfJz54GFD/I3f36RoiYi30etZYYAk/1H5A/Xdnh:+PSH8psu6f9F6K+eEGU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofegni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqcejcha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdnln32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfpell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcaipa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcegclgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Noppeaed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpclce32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ockdmmoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ockdmmoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oflmnh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfbaalbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omalpc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obnehj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqaiecjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlofcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbkml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmaciefp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmcpoedn.exe

Executes dropped EXE 51 IoCs

pid	Process
4280	Mpapnfhg.exe
3836	Mablfnne.exe
3080	Mjidgkog.exe
4236	Mpclce32.exe
1096	Mcaipa32.exe
1360	Mfpell32.exe
4396	Mljmhflh.exe
4880	Mohidbkl.exe
1568	Mfbaalbi.exe
2972	Mhanngbl.exe
1116	Mokfja32.exe
2672	Mbibfm32.exe
1244	Mfenglqf.exe
1284	Mlofcf32.exe
3288	Nblolm32.exe
2564	Nmaciefp.exe
1552	Noppeaed.exe
224	Nfihbk32.exe
4508	Nmcpoedn.exe
3596	Nbphglbe.exe
2100	Nfldgk32.exe
4644	Nqaiecjd.exe
4744	Ncpeaoih.exe
4928	Nimmifgo.exe
396	Nqcejcha.exe
1160	Nbebbk32.exe
1984	Nfqnbjfi.exe
5104	Nqfbpb32.exe
2588	Ocdnln32.exe
496	Ojnfihmo.exe
1560	Ommceclc.exe
4332	Ofegni32.exe
716	Omopjcjp.exe
1968	Ocihgnam.exe
3084	Omalpc32.exe
1184	Ockdmmoj.exe
4088	Obnehj32.exe
5004	Oihmedma.exe
2104	Oqoefand.exe
3104	Oflmnh32.exe
2864	Omfekbdh.exe
3448	Pcpnhl32.exe
4736	Pfojdh32.exe
1412	Pmhbqbae.exe
3312	Pcbkml32.exe
4724	Pcegclgp.exe
216	Pmmlla32.exe
1848	Pcgdhkem.exe
1944	Pfepdg32.exe
1476	Pciqnk32.exe
1720	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Caecnh32.dll	Mpapnfhg.exe
File created	C:\Windows\SysWOW64\Mjidgkog.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Mlofcf32.exe	Mfenglqf.exe
File opened for modification	C:\Windows\SysWOW64\Ncpeaoih.exe	Nqaiecjd.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmmoj.exe	Omalpc32.exe
File opened for modification	C:\Windows\SysWOW64\Mpclce32.exe	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Njogfipp.dll	Nbebbk32.exe
File opened for modification	C:\Windows\SysWOW64\Obnehj32.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Omfekbdh.exe	Oflmnh32.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pfepdg32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbkml32.exe	Pmhbqbae.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mhanngbl.exe
File opened for modification	C:\Windows\SysWOW64\Nmaciefp.exe	Nblolm32.exe
File created	C:\Windows\SysWOW64\Damlpgkc.dll	Nblolm32.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Ncpeaoih.exe
File opened for modification	C:\Windows\SysWOW64\Nbebbk32.exe	Nqcejcha.exe
File opened for modification	C:\Windows\SysWOW64\Ofegni32.exe	Ommceclc.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Fdflknog.dll	0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe
File created	C:\Windows\SysWOW64\Mokfja32.exe	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Nnkoiaif.dll	Ocdnln32.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Ceohefin.dll	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Ebdpoomj.dll	Ockdmmoj.exe
File opened for modification	C:\Windows\SysWOW64\Oflmnh32.exe	Oqoefand.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nqaiecjd.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbpb32.exe	Nfqnbjfi.exe
File created	C:\Windows\SysWOW64\Ommceclc.exe	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Mnjenfjo.dll	Ofegni32.exe
File created	C:\Windows\SysWOW64\Oihmedma.exe	Obnehj32.exe
File created	C:\Windows\SysWOW64\Pfojdh32.exe	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Khlaie32.dll	Mpclce32.exe
File created	C:\Windows\SysWOW64\Mfbaalbi.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Bcejdp32.dll	Mhanngbl.exe
File created	C:\Windows\SysWOW64\Fjoiip32.dll	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Oflmnh32.exe
File created	C:\Windows\SysWOW64\Pciqnk32.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Hcoejf32.dll	Mjidgkog.exe
File created	C:\Windows\SysWOW64\Mhanngbl.exe	Mfbaalbi.exe
File created	C:\Windows\SysWOW64\Fljhbbae.dll	Oihmedma.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pciqnk32.exe
File opened for modification	C:\Windows\SysWOW64\Mfbaalbi.exe	Mohidbkl.exe
File created	C:\Windows\SysWOW64\Dndfnlpc.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pfepdg32.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Mdcajc32.dll	Mbibfm32.exe
File created	C:\Windows\SysWOW64\Lnpckhnk.dll	Nmcpoedn.exe
File created	C:\Windows\SysWOW64\Pjphcf32.dll	Ojnfihmo.exe
File created	C:\Windows\SysWOW64\Icbcjhfb.dll	Oqoefand.exe
File opened for modification	C:\Windows\SysWOW64\Nmcpoedn.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Obnehj32.exe	Ockdmmoj.exe
File created	C:\Windows\SysWOW64\Kajefoog.dll	Pmhbqbae.exe
File opened for modification	C:\Windows\SysWOW64\Pcgdhkem.exe	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Mjidgkog.exe	Mablfnne.exe
File created	C:\Windows\SysWOW64\Nfenigce.dll	Mfpell32.exe
File created	C:\Windows\SysWOW64\Noppeaed.exe	Nmaciefp.exe
File opened for modification	C:\Windows\SysWOW64\Nqaiecjd.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Omopjcjp.exe	Ofegni32.exe
File created	C:\Windows\SysWOW64\Omalpc32.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Pcbkml32.exe	Pmhbqbae.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3048	1720	WerFault.exe	133

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll"	Mljmhflh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfqnbjfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ommceclc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omalpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oflmnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpapnfhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mablfnne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oflmnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcbkml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnokmj32.dll"	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadlo32.dll"	Nmaciefp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmhbqbae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll"	Mpapnfhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obnehj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohjfifo.dll"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlaie32.dll"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcejdp32.dll"	Mhanngbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlofcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damlpgkc.dll"	Nblolm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhanngbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njogfipp.dll"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkbpmep.dll"	Nfqnbjfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll"	Pcegclgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpckhnk.dll"	Nmcpoedn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgbfjmkq.dll"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Noppeaed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojnfihmo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbibfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Ofegni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcoejf32.dll"	Mjidgkog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mfpell32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mfbaalbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpclce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadafn32.dll"	Nqcejcha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Oflmnh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdnln32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcaipa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll"	Mfbaalbi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 4280	1040	0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe	81
PID 1040 wrote to memory of 4280	1040	0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe	81
PID 1040 wrote to memory of 4280	1040	0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe	81
PID 4280 wrote to memory of 3836	4280	Mpapnfhg.exe	82
PID 4280 wrote to memory of 3836	4280	Mpapnfhg.exe	82
PID 4280 wrote to memory of 3836	4280	Mpapnfhg.exe	82
PID 3836 wrote to memory of 3080	3836	Mablfnne.exe	83
PID 3836 wrote to memory of 3080	3836	Mablfnne.exe	83
PID 3836 wrote to memory of 3080	3836	Mablfnne.exe	83
PID 3080 wrote to memory of 4236	3080	Mjidgkog.exe	84
PID 3080 wrote to memory of 4236	3080	Mjidgkog.exe	84
PID 3080 wrote to memory of 4236	3080	Mjidgkog.exe	84
PID 4236 wrote to memory of 1096	4236	Mpclce32.exe	86
PID 4236 wrote to memory of 1096	4236	Mpclce32.exe	86
PID 4236 wrote to memory of 1096	4236	Mpclce32.exe	86
PID 1096 wrote to memory of 1360	1096	Mcaipa32.exe	87
PID 1096 wrote to memory of 1360	1096	Mcaipa32.exe	87
PID 1096 wrote to memory of 1360	1096	Mcaipa32.exe	87
PID 1360 wrote to memory of 4396	1360	Mfpell32.exe	88
PID 1360 wrote to memory of 4396	1360	Mfpell32.exe	88
PID 1360 wrote to memory of 4396	1360	Mfpell32.exe	88
PID 4396 wrote to memory of 4880	4396	Mljmhflh.exe	89
PID 4396 wrote to memory of 4880	4396	Mljmhflh.exe	89
PID 4396 wrote to memory of 4880	4396	Mljmhflh.exe	89
PID 4880 wrote to memory of 1568	4880	Mohidbkl.exe	90
PID 4880 wrote to memory of 1568	4880	Mohidbkl.exe	90
PID 4880 wrote to memory of 1568	4880	Mohidbkl.exe	90
PID 1568 wrote to memory of 2972	1568	Mfbaalbi.exe	91
PID 1568 wrote to memory of 2972	1568	Mfbaalbi.exe	91
PID 1568 wrote to memory of 2972	1568	Mfbaalbi.exe	91
PID 2972 wrote to memory of 1116	2972	Mhanngbl.exe	92
PID 2972 wrote to memory of 1116	2972	Mhanngbl.exe	92
PID 2972 wrote to memory of 1116	2972	Mhanngbl.exe	92
PID 1116 wrote to memory of 2672	1116	Mokfja32.exe	94
PID 1116 wrote to memory of 2672	1116	Mokfja32.exe	94
PID 1116 wrote to memory of 2672	1116	Mokfja32.exe	94
PID 2672 wrote to memory of 1244	2672	Mbibfm32.exe	95
PID 2672 wrote to memory of 1244	2672	Mbibfm32.exe	95
PID 2672 wrote to memory of 1244	2672	Mbibfm32.exe	95
PID 1244 wrote to memory of 1284	1244	Mfenglqf.exe	96
PID 1244 wrote to memory of 1284	1244	Mfenglqf.exe	96
PID 1244 wrote to memory of 1284	1244	Mfenglqf.exe	96
PID 1284 wrote to memory of 3288	1284	Mlofcf32.exe	97
PID 1284 wrote to memory of 3288	1284	Mlofcf32.exe	97
PID 1284 wrote to memory of 3288	1284	Mlofcf32.exe	97
PID 3288 wrote to memory of 2564	3288	Nblolm32.exe	98
PID 3288 wrote to memory of 2564	3288	Nblolm32.exe	98
PID 3288 wrote to memory of 2564	3288	Nblolm32.exe	98
PID 2564 wrote to memory of 1552	2564	Nmaciefp.exe	99
PID 2564 wrote to memory of 1552	2564	Nmaciefp.exe	99
PID 2564 wrote to memory of 1552	2564	Nmaciefp.exe	99
PID 1552 wrote to memory of 224	1552	Noppeaed.exe	100
PID 1552 wrote to memory of 224	1552	Noppeaed.exe	100
PID 1552 wrote to memory of 224	1552	Noppeaed.exe	100
PID 224 wrote to memory of 4508	224	Nfihbk32.exe	101
PID 224 wrote to memory of 4508	224	Nfihbk32.exe	101
PID 224 wrote to memory of 4508	224	Nfihbk32.exe	101
PID 4508 wrote to memory of 3596	4508	Nmcpoedn.exe	102
PID 4508 wrote to memory of 3596	4508	Nmcpoedn.exe	102
PID 4508 wrote to memory of 3596	4508	Nmcpoedn.exe	102
PID 3596 wrote to memory of 2100	3596	Nbphglbe.exe	103
PID 3596 wrote to memory of 2100	3596	Nbphglbe.exe	103
PID 3596 wrote to memory of 2100	3596	Nbphglbe.exe	103
PID 2100 wrote to memory of 4644	2100	Nfldgk32.exe	104

C:\Users\Admin\AppData\Local\Temp\0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe
"C:\Users\Admin\AppData\Local\Temp\0e581496ce56ac38bf5c673c7a64c70e0900d2bc089e3c9de0d8505068eb22c3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\Mpapnfhg.exe
  C:\Windows\system32\Mpapnfhg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Windows\SysWOW64\Mablfnne.exe
    C:\Windows\system32\Mablfnne.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\SysWOW64\Mjidgkog.exe
      C:\Windows\system32\Mjidgkog.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\SysWOW64\Mpclce32.exe
        
        C:\Windows\system32\Mpclce32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Windows\SysWOW64\Mcaipa32.exe
        
        C:\Windows\system32\Mcaipa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Mfpell32.exe
        
        C:\Windows\system32\Mfpell32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Mljmhflh.exe
        
        C:\Windows\system32\Mljmhflh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\Mohidbkl.exe
        
        C:\Windows\system32\Mohidbkl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Mfbaalbi.exe
        
        C:\Windows\system32\Mfbaalbi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Mhanngbl.exe
        
        C:\Windows\system32\Mhanngbl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\SysWOW64\Mbibfm32.exe
        
        C:\Windows\system32\Mbibfm32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Mfenglqf.exe
        
        C:\Windows\system32\Mfenglqf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Mlofcf32.exe
        
        C:\Windows\system32\Mlofcf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Nblolm32.exe
        
        C:\Windows\system32\Nblolm32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Nmaciefp.exe
        
        C:\Windows\system32\Nmaciefp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Noppeaed.exe
        
        C:\Windows\system32\Noppeaed.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Nmcpoedn.exe
        
        C:\Windows\system32\Nmcpoedn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\Nfldgk32.exe
        
        C:\Windows\system32\Nfldgk32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Nqaiecjd.exe
        
        C:\Windows\system32\Nqaiecjd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4644
        
        C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Nqcejcha.exe
        
        C:\Windows\system32\Nqcejcha.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\Nfqnbjfi.exe
        
        C:\Windows\system32\Nfqnbjfi.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Ocdnln32.exe
        
        C:\Windows\system32\Ocdnln32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2588
        
        C:\Windows\SysWOW64\Ojnfihmo.exe
        
        C:\Windows\system32\Ojnfihmo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\Ommceclc.exe
        
        C:\Windows\system32\Ommceclc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Ofegni32.exe
        
        C:\Windows\system32\Ofegni32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\Omalpc32.exe
        
        C:\Windows\system32\Omalpc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3084
        
        C:\Windows\SysWOW64\Ockdmmoj.exe
        
        C:\Windows\system32\Ockdmmoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\Obnehj32.exe
        
        C:\Windows\system32\Obnehj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5004
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Oflmnh32.exe
        
        C:\Windows\system32\Oflmnh32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Pfojdh32.exe
        
        C:\Windows\system32\Pfojdh32.exe
        44⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Windows\SysWOW64\Pmhbqbae.exe
        
        C:\Windows\system32\Pmhbqbae.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\Pcbkml32.exe
        
        C:\Windows\system32\Pcbkml32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Pcegclgp.exe
        
        C:\Windows\system32\Pcegclgp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4724
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        52⤵
        Executes dropped EXE
        
        PID:1720
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 412
        53⤵
        Program crash
        
        PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 1720 -ip 1720
1⤵
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mablfnne.exe

Filesize
56KB

MD5
38d64f019ee09141bf4674e315aebe98

SHA1
cf167179cfa89b0dbfe8b5d1cbe9b348ec66ece9

SHA256
c657d62f60e79f28a427b435168d1debb268af1a866efb9705ddca4682fcd9a4

SHA512
0f840467a6efec3b6defe2b8b4633c90d21746ff7e2ae0b84227dc4ee8f947e03c14183e1ee3b2b4168bb323ff3e2773ccf0d5f69a3216fd25f2ccbfee69c826

Download Submit
C:\Windows\SysWOW64\Mbibfm32.exe

Filesize
56KB

MD5
9b7c4c1646ff033522407b956462c7c2

SHA1
9004a814d3e480ee6d8fe09068486977e7d664a4

SHA256
0903c427ec01d8b17cae717d7d0176f491ecf0829d64cee05025624298787569

SHA512
34b01c6081f188b0d4022d65117603f90da5c343f6155c3942d60c1a977a2f628cac011949bcc1df65f43b026c65be098c469db300bf560e4f079d91f5759d1f

Download Submit
C:\Windows\SysWOW64\Mcaipa32.exe

Filesize
56KB

MD5
63472b49dd8d424029011584d8a46deb

SHA1
cce67f59c3988534f74b4e3c8aee4dea5ccd231c

SHA256
bd7cf3aee6bf97559ba881c305f458e64af02c121db0274e5a80a676c94a9ff2

SHA512
5d2966b7d362b137ad3674980ac5480e5dfbc8c291630e2434d15eb8277805064a95a9ada30546d20cf9caa5391b7e1c7fd1bfe509d820035d39f5cb03cb6229

Download Submit
C:\Windows\SysWOW64\Mfbaalbi.exe

Filesize
56KB

MD5
d497c16c1772ed114e381c7aa6622667

SHA1
b8582c837ae6ac402a43e69169ef1b7b56735046

SHA256
eafb98b29dfe38cff63f361cafdda3bbd083aba09f1840ec82a315fd836c699b

SHA512
0a448ed621f3e453db0195814395c2d0991938f120bb8c608d59b8e00337d4c9fb656ca3b0d26a328353b4d8a37509cf9d368092ea10fbd65f5408e7cbe318b2

Download Submit
C:\Windows\SysWOW64\Mfenglqf.exe

Filesize
56KB

MD5
c1c3fd38707a6ad556397fdcd1b5f8a0

SHA1
1a3638e6f57d22f5d9742a852945fcf2f65428dc

SHA256
3f6ab5b36942777a0909885680c7dd60b6882d1f204459f3dcdf7a00347aaced

SHA512
9e3d2d42486f124fb36ed8cf35d507b00ee0a66d0e7a95e6d675affe7bf91ecab730cac56fdcc47fc7b649e8ec92096493562892353534a367fc7cd4957e20ea

Download Submit
C:\Windows\SysWOW64\Mfpell32.exe

Filesize
56KB

MD5
2ce0f1cdc422c9b68257846d3644fb72

SHA1
5ee2a8b16e8c789b28f2437fc03e15af766b5825

SHA256
761669c713b65b0bf9e94a3ea2c6b8928443b5e53ae22c9617e90e34d1d6fb17

SHA512
64d63806e90373e700b16f769fd2a493b5cc3565cca84fccc9e326fb18f53db586836610c8e8982c755de19cd3d495cfff19f1ac21211fdf3381229444c3e09c

Download Submit
C:\Windows\SysWOW64\Mhanngbl.exe

Filesize
56KB

MD5
8c94a820c6ca70652f19e23056f5af83

SHA1
80f230bd6494dd234afa34f5997ea100491b65ab

SHA256
cafe3f38c75bfbdf39b9f7abec1e1ecd9f995559f6b990d881860df78ab3d1bd

SHA512
22b4f5419545009cc32d94e4ed94fe4cf19644a9b2fa82f68440465998eedd0ade1032a816e1a92cf59622b171d15309d34788ef288f5fb245f909bfa461d817

Download Submit
C:\Windows\SysWOW64\Mjidgkog.exe

Filesize
56KB

MD5
7ba48857f7eba9d927350f4854a65de0

SHA1
f3f4556b5f15e8e1272abdf4b1881d09c0e775e8

SHA256
00a3bf73a674b5ffacfdd24bd470a619b12da21840d37fdcc5c350e2708db1ac

SHA512
d135a3dc54d985288f5e48a681665fc3251f2e7f67085a2a73ff60a36fef9e693ed899d2bdf5ed4dc12f06be2420607b44f99e03f16ded9e589c534e0da5acf7

Download Submit
C:\Windows\SysWOW64\Mljmhflh.exe

Filesize
56KB

MD5
dd87120d4e1c4fad806e04d6d9300473

SHA1
e3bb51e6f04409584c02e35fb98111b0a66c9a6b

SHA256
7dcfc76e696f650f23f15aee0159dae6c0a06412d191ed71ee52f80b86b40bc0

SHA512
75564ff804c2e063c7540377fc1a9bcae2d2122b795f503e04acd9de7b364523c63bd3316cb0bce5398b61ccccd82b112469dc00b3b1c59b29c96c51bcb577bf

Download Submit
C:\Windows\SysWOW64\Mlofcf32.exe

Filesize
56KB

MD5
9a68a1b0bd34f9b6e359a4cd36892687

SHA1
5f80e849c520df7a3309a39ce3dc8c53eaf4adab

SHA256
5278eacfa93a279f0ac815a8996eea74ad69199ca5c6fe175c303c2427d3d49e

SHA512
f1085b6e6eb6d38ab61edec0974925d90f3288cd952bafd940a491a09654fc5ba0c8a8d2a1c5f8e8102a8baf130a6e8b362c41a78672ade5afc43e6fce0ef66c

Download Submit
C:\Windows\SysWOW64\Mohidbkl.exe

Filesize
56KB

MD5
e6475626ca474839cd248f59a24406df

SHA1
582630a10b436a8b95132385826574730a7e0ee7

SHA256
4cc23d5172df7d4e09e6fe74ec3db0b743c606404f723beef078e5894aa84e07

SHA512
19c43f030a3eae44f7d23912a5a59e9134cff1a7d3ce919a030f80e3d821e8aef2eb23d188364cb4d1dda968a9e1b6b14bdf40fde3f33d64a4ba176cf8ed945d

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
56KB

MD5
2e12e70341ebd0e9c8c40c5cbffb94b3

SHA1
78a752bd92ad35b6c0afb22e39d7da170ed0664f

SHA256
457679ff1b8d7c0464edc84f1b24cf8ced0df2971e44a81be266be18d9f965d1

SHA512
60bca036ec7654f94d6813951ff4931c583847fd8d52ae19219acf334bcca6d552bf77e09b7cc87b0c1dce7fcff04367eb4360e1d330c0bc825226b6faa4b905

Download Submit
C:\Windows\SysWOW64\Mpapnfhg.exe

Filesize
56KB

MD5
6c0df0d9c960caf8def78c03466b2822

SHA1
3b661946b9535aaa7e478210dab7b2e4ea2741c4

SHA256
8ac37182e8cde133c05e14204d8acd49ba285e2ee968618eaa819c23c708e0ba

SHA512
02499869e77a9c869ff11ff5e70ff4c63df518d32977b4b9b746a7433085b1f4bb540e695a4caa44bbe9d18a0427983643b389ac840ffb81723aae16a9789347

Download Submit
C:\Windows\SysWOW64\Mpclce32.exe

Filesize
56KB

MD5
bec4b3541c40dce99de16f0626ba3d3e

SHA1
790f5416f539647d98c91e92b7b8850c6638404c

SHA256
dc7a32b32c829543d9c0593328fc248037d6c64325b678b2085d777e9eb4b464

SHA512
4dc7385725325f9ab6324a61eedc935251b4c7b373e3af74e55174a7c20e93167b6ed18eebe136929227b711c0f922d535b263cbea9a0daa128f924c664652e4

Download Submit
C:\Windows\SysWOW64\Nbebbk32.exe

Filesize
56KB

MD5
848ac0afc61fd5494ed91de78f20b11a

SHA1
9c776f82ff888d85cbda4b247484b8886a2c12ef

SHA256
d65cfa1ab3698e111673ea0e49e42dbc7b066b323c2d38cf109854ae7c4114dd

SHA512
057be7a56141e35447683d61c81131a908b46d85402a915d51eddddbb01e2a589aadd0e32854f051373735638a0494418c3636e903eead0560829a48d0334c46

Download Submit
C:\Windows\SysWOW64\Nblolm32.exe

Filesize
56KB

MD5
d4f4f1588d39fec1c671507435ef685b

SHA1
a456d6cda82ed988d07f9803fc3bd4856de5bd55

SHA256
70cb22efe85bc342d4459393c9fef9f306f149d9bdc2e534dd8876296a6fedb1

SHA512
6669584c855f59963c7d68eeb8958bfd7e386de0c7b6d83487c887bb07ea17d811af312f1e66f9869911e3596a4f37ad7550c3d72bc542d6bb9ff4b758de82d8

Download Submit
C:\Windows\SysWOW64\Nbphglbe.exe

Filesize
56KB

MD5
c7bf820d7f944d481fb57f596b2a4061

SHA1
6b0abfeeebbd0373c07432a5ac86422f48817a12

SHA256
0a6810013da4885f7b91ce2a344a3f664f01faa19352fc14638eee375ac5c738

SHA512
ca0c59a9b913ff1f04c061321f0d5d87102526255639c4d9c29d70b60aaffcda1b5b435f4cc5441d07986a4d70f622722f7d1bc404ab47f395c999327520d059

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
56KB

MD5
21f30ade702438ffc77060ed229d1254

SHA1
27e0b367b1e64a88e15f2ad203ee19d8770a181f

SHA256
72c77a8af2b41d28b659a716a7edf720d9187b322d4c9fc8032a951e3310aa0d

SHA512
3aab3c66b4e21f5c7bef87152690c93c41c2e2ec44de065e1fe0abe6b523411fa1393e6abd5fd1d21b8054544e04963c6f0b85acfbee680f4d26ff874d5c37a5

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
56KB

MD5
b9c2785a3798276d32a36717e7f962fa

SHA1
dee149e06aa150532721b55e7210d49c8666d09a

SHA256
a49181a3c57ec2ba33d60a1a316005e87885c8ffce79c385db59bc8d8bf224f1

SHA512
5db038f292ba5762d27e46aa3e2f3dc26da15f8c1759a74cd44b6f0554bfeabfc1e325c9f6bd2467a65d50e3f0f7fd1720f66a8610f09adf4c490e10c75d6dd1

Download Submit
C:\Windows\SysWOW64\Nfldgk32.exe

Filesize
56KB

MD5
d9b398c23af1dcaf6e7a04e33782b0d9

SHA1
179971785fcac861e3f0362363427a9201e10bcc

SHA256
e01d89232b49321e860e20e1b4d7305a8981800db0e354a2783aeb616eb16e1b

SHA512
839e68baafc10386502d463cb498e5f425c68970c86c6a49e15c4b016af2207173831f9ddc253eb1f81547f43ce2a18bbad11c51ae5a5862d857f0943fede4ca

Download Submit
C:\Windows\SysWOW64\Nfqnbjfi.exe

Filesize
56KB

MD5
f381f17c6b5e37179e015899c245840e

SHA1
af143ff0487b10bb254649dc53a406d76de41864

SHA256
5679f5baa9f9f1b1086f569c039b684a245a0f74dbc8a86b96187810d8aaea13

SHA512
99f0a1e55195d72f94e7d172d8193be17749e8cbe97e1a467afbd6a91aeec80fff9072a1d1e3ba34804c8a3848178e513aff831d69dc2764d4fabb189b30af72

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
56KB

MD5
046a03fb438d92852a70f5e8d72017e6

SHA1
3a489c016766752e892d36e7405b009ca3317713

SHA256
83723b09d0a98ef0463b46cd1182048812cfa64a467e17827bb0448c4c8fc3d1

SHA512
0e595deb324ecc8c4e73b8e70f664fe9e273479d4a1f5e659362041047d70f8d505854a70aa0fc2031577138663b74ed88b35ac9c0b238ae25e28b9be6828047

Download Submit
C:\Windows\SysWOW64\Nmaciefp.exe

Filesize
56KB

MD5
0e74d5c92533a36986f094f5984ed96d

SHA1
073f6701fe83533bf51f3abeeacb25a25d5e6e08

SHA256
8aa26f61c87436ab71f77ca0f3f838df310dd695e5670fedf351737e1817fcf7

SHA512
3668a355c50371c11a6905cb4d8791adb274a41e1bfc402fa7c456faa0d2a6c42e6f0be33f19bbe11c2674e93589437e5c857345e6b707b948a09838007abfe1

Download Submit
C:\Windows\SysWOW64\Nmcpoedn.exe

Filesize
56KB

MD5
4a7a3c0bdca5505c26996038cdf7aebb

SHA1
08518614604e1321f80aa5c287b1af095ef1df82

SHA256
b5a2815e753ffbb884de69096c4da13a0d6db356618e0b9849475c40c99f13cc

SHA512
921e14bf608d3ed9d06f6e3f583e76c8471f8646022b0fc22247c75b24c868cb2c2b2af9f3eedbf589f068d65266c9bd55d51f0a25da52a0f6aa8b6202dc1fde

Download Submit
C:\Windows\SysWOW64\Noppeaed.exe

Filesize
56KB

MD5
6d39371e25f89d3c0202958327725295

SHA1
6511d43cbed191f6231227cf2f1a10866dfc70a9

SHA256
488936e3ac00d006118b4bfb1ee923fdfa773def1b148cd02d65b60feea22cb8

SHA512
170426032c342ef5e0a1d2db70697d1e14cf0e87b65946137df7d595759351ed78f060d21c1016ca5dcc616a62895c099c2a1098774d3128c64a8ea20467f84e

Download Submit
C:\Windows\SysWOW64\Nqaiecjd.exe

Filesize
56KB

MD5
5922acd14459a60baf01d3fd52c4bbb8

SHA1
26fc2f4a1e0d513bdb38ea2e68860a8489e2630e

SHA256
5413e3969ba09076cd105029df981b6007656ed8ef53006a864e1473a064b488

SHA512
da488716ed6f0a6df92ec4cb6d130dba80543289ceb399e41b5689a2dc9936b395b59fabc224ca3c2b7dc204c0dad1004d0d1d98f4b5671d06f55802301c4ee7

Download Submit
C:\Windows\SysWOW64\Nqcejcha.exe

Filesize
56KB

MD5
d0bceb6362b7d73b3dae718f313cbf7c

SHA1
71ebd405c32248cba766f99d7534ac3d8cae7de9

SHA256
c377fe2ee349a779c810b02e92e12be60f014449dfa591303197510b42fc51cf

SHA512
ac4b74e89726906463012bed2b3199c91af8481c48c616023de7cb5fd3d80ff2ac85c3ad5bd637c11103d0599fdd3fc3e4dc73b4ec1bc82f290dfbae14a215bf

Download Submit
C:\Windows\SysWOW64\Nqfbpb32.exe

Filesize
56KB

MD5
972c78be3ae948c78be36ce432dd485e

SHA1
f37db0347016a27730e17fffb9710efc7112dc39

SHA256
2df8c0981ff1d4e874507bbf5424a383e0accab0fe9701795389f817a46d372c

SHA512
5ce60221b5a02a0df02fe8e5564e57eb7a3713b6d9edf9ffcf84c0e932f8b52d03bf8829cc467ed4122f0e4c31aade1fd2bf48242aab31624bad96c1a94ce4fc

Download Submit
C:\Windows\SysWOW64\Ocdnln32.exe

Filesize
56KB

MD5
3f6f00207e6f97feb3f72d2d124b41c1

SHA1
a2823d38e1d1a69f34f7594a70e89a3e7e9d7fe2

SHA256
7ad74d535f42a32bc65f4968103dceb8eccc10b3b7d90a924117936adbc34148

SHA512
376a9226ede4ed7b56fcf8c7c7ce2ffe15ff4af59859a4a056d85ba812469d963626393357db96acba0cc6b7abe140ef641678876df00f68261f88a41a857e53

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
56KB

MD5
ef493e11ced4c63261068d72d8fcd6ed

SHA1
d02f0debfeb87e8a6cbc0b02eec4eb1924674923

SHA256
10c89d1d79f69d43c91babeeb250219ff55ffa018ee5f03aab42c856ca0ec3a8

SHA512
08499133aba0852986e37fe9d29e5559272e566b3552a38d0cd991374188965bcc9e1969caa30f7b13415a76113daad3625391f7700073bee68428b1de937269

Download Submit
C:\Windows\SysWOW64\Ofegni32.exe

Filesize
56KB

MD5
5b72d4b2fec5863d38f4e3da064683de

SHA1
321509863146d2c06378c64182cfe2f113d5c109

SHA256
3e86d00438d005cb0aa1c36e19b999d1ce0f9f78fb991db70ceaab8112903e67

SHA512
4d32fcd3dd840a2426b9dfba8e4a70b6c51f97cf9cbcf527ccc63170a125efffa6f1185868ce77c41fed7ba974982bf533de71eb700ad6c5147388533a882a74

Download Submit
C:\Windows\SysWOW64\Ojnfihmo.exe

Filesize
56KB

MD5
24b55ac35a53dcef6ba1e42813d2eed3

SHA1
3852d8387d929eb72f8fdfe7de1d3ec79be4c073

SHA256
e198894c0539bb606cd4b3327d40fffd32f164e6027ed75f9649e06fa5f657fc

SHA512
cd566f594bd074619ebbe1e0a30bea3e90cffebba64d0f7ee6ae3de0418f66a66c133385b634f41710f2cd369b9ef08e836a4a89271001cc860b82ce3c99d7d4

Download Submit
C:\Windows\SysWOW64\Ommceclc.exe

Filesize
56KB

MD5
7f165d31b15412b314f76d603414c761

SHA1
ffe7f2794cc62097f62b8b68728d5bcb218cd211

SHA256
a57488c50c169943939da88338e3d675720667ce99f0eb9eb06319663c3cc848

SHA512
79c9208136ed9ba966371bc95ce23fa1d5a37a0994e2c81125808f52bb76df699d47e8faac625d2a2098ea06b0696e61a769ac962e719a30e9c6748c66972374

Download Submit
C:\Windows\SysWOW64\Pfepdg32.exe

Filesize
56KB

MD5
bbb5d0b50429e7530808410d5e580cb8

SHA1
615c6f9f19db06bd0488c13ea616aaeceab221e8

SHA256
ce0f8cf3bc892725f43c33e481e41466612f76f66addfa6e1a57e902d2df08af

SHA512
e318492fcd550c279a51b40e79d6ac7abe4972532616d35668495fd28c0c4b5cccd2512c0f40aa4a1899a617d2b0d5c90c095640b08a882ff54250d523224b06

Download Submit
C:\Windows\SysWOW64\Pfojdh32.exe

Filesize
56KB

MD5
4b07b891217a7b0802109c8c347c7778

SHA1
4b21177058cce98278046330e12b36978288bf02

SHA256
406677bc520a644c924c0e0958c7a2bbdcabec030a62c7a326f9b6bd747f7e63

SHA512
63c7507715da0142c19787f3a13672622ea4a50ad06488a04d99028edfb725a20ac8a002bc2f1bf16377ddb8c339944d12efec08c1ee97d1f536032a10f8e5c8

Download Submit
memory/216-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/224-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/496-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/496-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/716-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1040-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1096-43-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1096-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1116-95-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1160-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1184-375-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1244-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1284-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1412-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-415-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1568-74-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1720-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1848-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1944-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1968-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1984-312-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2100-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2588-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-100-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3080-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3104-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3288-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3312-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3448-429-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3596-171-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3836-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4236-37-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4332-279-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4396-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4508-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4644-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4724-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4736-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-198-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4744-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4928-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5004-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-243-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads