579fb9ff6b1ebdec32044a9d90a7e24d0b2a0849c2531a38acf8b7954db122e4

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c23257b374bd4d07774953299fd9b0c0N.exe
Size

63KB
MD5

c23257b374bd4d07774953299fd9b0c0
SHA1

2a3cb8a69169388ab09c0e6034144735724be7b2
SHA256

579fb9ff6b1ebdec32044a9d90a7e24d0b2a0849c2531a38acf8b7954db122e4
SHA512

57cc6b354439dd839f432211278cf0cdd8d82ac59260c6c2969d92e19d4d5733144a750e7a91db7b71cb79f607f19c2207bbd7d8e581ac77a5f7e2021255794b
SSDEEP

1536:fnCeHmM4/Y/DSQw7o54U6JyiN6DH1juIZo:fCeGMPrSQwO4U6IicDH1juIZo

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c23257b374bd4d07774953299fd9b0c0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdacop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngdifkpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nenobfak.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nplmop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhllob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c23257b374bd4d07774953299fd9b0c0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe

Executes dropped EXE 27 IoCs

pid	Process
2652	Libicbma.exe
2556	Mffimglk.exe
2528	Mieeibkn.exe
2992	Moanaiie.exe
692	Mapjmehi.exe
1568	Mlfojn32.exe
1748	Mbpgggol.exe
2036	Mdacop32.exe
1836	Mlhkpm32.exe
1140	Mofglh32.exe
824	Meppiblm.exe
2376	Moidahcn.exe
2876	Magqncba.exe
2164	Ngdifkpi.exe
1616	Nibebfpl.exe
1556	Nplmop32.exe
1560	Nckjkl32.exe
1660	Niebhf32.exe
1180	Nlcnda32.exe
1536	Npojdpef.exe
1500	Ngibaj32.exe
1644	Nekbmgcn.exe
1092	Nlekia32.exe
3044	Ngkogj32.exe
2900	Nenobfak.exe
1488	Nhllob32.exe
2540	Nlhgoqhh.exe

Loads dropped DLL 58 IoCs

pid	Process
2812	c23257b374bd4d07774953299fd9b0c0N.exe
2812	c23257b374bd4d07774953299fd9b0c0N.exe
2652	Libicbma.exe
2652	Libicbma.exe
2556	Mffimglk.exe
2556	Mffimglk.exe
2528	Mieeibkn.exe
2528	Mieeibkn.exe
2992	Moanaiie.exe
2992	Moanaiie.exe
692	Mapjmehi.exe
692	Mapjmehi.exe
1568	Mlfojn32.exe
1568	Mlfojn32.exe
1748	Mbpgggol.exe
1748	Mbpgggol.exe
2036	Mdacop32.exe
2036	Mdacop32.exe
1836	Mlhkpm32.exe
1836	Mlhkpm32.exe
1140	Mofglh32.exe
1140	Mofglh32.exe
824	Meppiblm.exe
824	Meppiblm.exe
2376	Moidahcn.exe
2376	Moidahcn.exe
2876	Magqncba.exe
2876	Magqncba.exe
2164	Ngdifkpi.exe
2164	Ngdifkpi.exe
1616	Nibebfpl.exe
1616	Nibebfpl.exe
1556	Nplmop32.exe
1556	Nplmop32.exe
1560	Nckjkl32.exe
1560	Nckjkl32.exe
1660	Niebhf32.exe
1660	Niebhf32.exe
1180	Nlcnda32.exe
1180	Nlcnda32.exe
1536	Npojdpef.exe
1536	Npojdpef.exe
1500	Ngibaj32.exe
1500	Ngibaj32.exe
1644	Nekbmgcn.exe
1644	Nekbmgcn.exe
1092	Nlekia32.exe
1092	Nlekia32.exe
3044	Ngkogj32.exe
3044	Ngkogj32.exe
2900	Nenobfak.exe
2900	Nenobfak.exe
1488	Nhllob32.exe
1488	Nhllob32.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe
2700	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Nplmop32.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Npojdpef.exe
File created	C:\Windows\SysWOW64\Fhhiii32.dll	Nenobfak.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Nplmop32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Meppiblm.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mdacop32.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Npojdpef.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Nenobfak.exe	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Nenobfak.exe	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mffimglk.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nhllob32.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mffimglk.exe
File opened for modification	C:\Windows\SysWOW64\Mbpgggol.exe	Mlfojn32.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Ngdifkpi.exe	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Mehjml32.dll	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	c23257b374bd4d07774953299fd9b0c0N.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Nckjkl32.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	c23257b374bd4d07774953299fd9b0c0N.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Fpahiebe.dll	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Mdacop32.exe	Mbpgggol.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Incbogkn.dll	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mffimglk.exe
File created	C:\Windows\SysWOW64\Mbpgggol.exe	Mlfojn32.exe
File opened for modification	C:\Windows\SysWOW64\Meppiblm.exe	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File opened for modification	C:\Windows\SysWOW64\Mapjmehi.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Nckjkl32.exe	Nplmop32.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Nckjkl32.exe
File opened for modification	C:\Windows\SysWOW64\Nekbmgcn.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Mlfojn32.exe	Mapjmehi.exe
File created	C:\Windows\SysWOW64\Negpnjgm.dll	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Ngdifkpi.exe
File opened for modification	C:\Windows\SysWOW64\Nplmop32.exe	Nibebfpl.exe
File created	C:\Windows\SysWOW64\Kcpnnfqg.dll	Nplmop32.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Npojdpef.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	c23257b374bd4d07774953299fd9b0c0N.exe
File created	C:\Windows\SysWOW64\Nhllob32.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Mjkacaml.dll	Meppiblm.exe
File opened for modification	C:\Windows\SysWOW64\Ngdifkpi.exe	Magqncba.exe
File created	C:\Windows\SysWOW64\Fbpljhnf.dll	Magqncba.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Ngdifkpi.exe
File created	C:\Windows\SysWOW64\Mffimglk.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mdacop32.exe
File created	C:\Windows\SysWOW64\Lhajpc32.dll	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Nhllob32.exe	Nenobfak.exe
File opened for modification	C:\Windows\SysWOW64\Mdacop32.exe	Mbpgggol.exe
File opened for modification	C:\Windows\SysWOW64\Moanaiie.exe	Mieeibkn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2700	2540	WerFault.exe	56

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nplmop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c23257b374bd4d07774953299fd9b0c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mapjmehi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdacop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngdifkpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mffimglk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpgggol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mapjmehi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlbongd.dll"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhiii32.dll"	Nenobfak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mffimglk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negpnjgm.dll"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c23257b374bd4d07774953299fd9b0c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mffimglk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nckjkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Niebhf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nenobfak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	c23257b374bd4d07774953299fd9b0c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpljhnf.dll"	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c23257b374bd4d07774953299fd9b0c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfmdf32.dll"	Moanaiie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdacop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c23257b374bd4d07774953299fd9b0c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Nplmop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mapjmehi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngdifkpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhllob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incbogkn.dll"	Nibebfpl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2652	2812	c23257b374bd4d07774953299fd9b0c0N.exe	30
PID 2812 wrote to memory of 2652	2812	c23257b374bd4d07774953299fd9b0c0N.exe	30
PID 2812 wrote to memory of 2652	2812	c23257b374bd4d07774953299fd9b0c0N.exe	30
PID 2812 wrote to memory of 2652	2812	c23257b374bd4d07774953299fd9b0c0N.exe	30
PID 2652 wrote to memory of 2556	2652	Libicbma.exe	31
PID 2652 wrote to memory of 2556	2652	Libicbma.exe	31
PID 2652 wrote to memory of 2556	2652	Libicbma.exe	31
PID 2652 wrote to memory of 2556	2652	Libicbma.exe	31
PID 2556 wrote to memory of 2528	2556	Mffimglk.exe	32
PID 2556 wrote to memory of 2528	2556	Mffimglk.exe	32
PID 2556 wrote to memory of 2528	2556	Mffimglk.exe	32
PID 2556 wrote to memory of 2528	2556	Mffimglk.exe	32
PID 2528 wrote to memory of 2992	2528	Mieeibkn.exe	33
PID 2528 wrote to memory of 2992	2528	Mieeibkn.exe	33
PID 2528 wrote to memory of 2992	2528	Mieeibkn.exe	33
PID 2528 wrote to memory of 2992	2528	Mieeibkn.exe	33
PID 2992 wrote to memory of 692	2992	Moanaiie.exe	34
PID 2992 wrote to memory of 692	2992	Moanaiie.exe	34
PID 2992 wrote to memory of 692	2992	Moanaiie.exe	34
PID 2992 wrote to memory of 692	2992	Moanaiie.exe	34
PID 692 wrote to memory of 1568	692	Mapjmehi.exe	35
PID 692 wrote to memory of 1568	692	Mapjmehi.exe	35
PID 692 wrote to memory of 1568	692	Mapjmehi.exe	35
PID 692 wrote to memory of 1568	692	Mapjmehi.exe	35
PID 1568 wrote to memory of 1748	1568	Mlfojn32.exe	36
PID 1568 wrote to memory of 1748	1568	Mlfojn32.exe	36
PID 1568 wrote to memory of 1748	1568	Mlfojn32.exe	36
PID 1568 wrote to memory of 1748	1568	Mlfojn32.exe	36
PID 1748 wrote to memory of 2036	1748	Mbpgggol.exe	37
PID 1748 wrote to memory of 2036	1748	Mbpgggol.exe	37
PID 1748 wrote to memory of 2036	1748	Mbpgggol.exe	37
PID 1748 wrote to memory of 2036	1748	Mbpgggol.exe	37
PID 2036 wrote to memory of 1836	2036	Mdacop32.exe	38
PID 2036 wrote to memory of 1836	2036	Mdacop32.exe	38
PID 2036 wrote to memory of 1836	2036	Mdacop32.exe	38
PID 2036 wrote to memory of 1836	2036	Mdacop32.exe	38
PID 1836 wrote to memory of 1140	1836	Mlhkpm32.exe	39
PID 1836 wrote to memory of 1140	1836	Mlhkpm32.exe	39
PID 1836 wrote to memory of 1140	1836	Mlhkpm32.exe	39
PID 1836 wrote to memory of 1140	1836	Mlhkpm32.exe	39
PID 1140 wrote to memory of 824	1140	Mofglh32.exe	40
PID 1140 wrote to memory of 824	1140	Mofglh32.exe	40
PID 1140 wrote to memory of 824	1140	Mofglh32.exe	40
PID 1140 wrote to memory of 824	1140	Mofglh32.exe	40
PID 824 wrote to memory of 2376	824	Meppiblm.exe	41
PID 824 wrote to memory of 2376	824	Meppiblm.exe	41
PID 824 wrote to memory of 2376	824	Meppiblm.exe	41
PID 824 wrote to memory of 2376	824	Meppiblm.exe	41
PID 2376 wrote to memory of 2876	2376	Moidahcn.exe	42
PID 2376 wrote to memory of 2876	2376	Moidahcn.exe	42
PID 2376 wrote to memory of 2876	2376	Moidahcn.exe	42
PID 2376 wrote to memory of 2876	2376	Moidahcn.exe	42
PID 2876 wrote to memory of 2164	2876	Magqncba.exe	43
PID 2876 wrote to memory of 2164	2876	Magqncba.exe	43
PID 2876 wrote to memory of 2164	2876	Magqncba.exe	43
PID 2876 wrote to memory of 2164	2876	Magqncba.exe	43
PID 2164 wrote to memory of 1616	2164	Ngdifkpi.exe	44
PID 2164 wrote to memory of 1616	2164	Ngdifkpi.exe	44
PID 2164 wrote to memory of 1616	2164	Ngdifkpi.exe	44
PID 2164 wrote to memory of 1616	2164	Ngdifkpi.exe	44
PID 1616 wrote to memory of 1556	1616	Nibebfpl.exe	45
PID 1616 wrote to memory of 1556	1616	Nibebfpl.exe	45
PID 1616 wrote to memory of 1556	1616	Nibebfpl.exe	45
PID 1616 wrote to memory of 1556	1616	Nibebfpl.exe	45

C:\Users\Admin\AppData\Local\Temp\c23257b374bd4d07774953299fd9b0c0N.exe
"C:\Users\Admin\AppData\Local\Temp\c23257b374bd4d07774953299fd9b0c0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\Libicbma.exe
  C:\Windows\system32\Libicbma.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\Mffimglk.exe
    C:\Windows\system32\Mffimglk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Mieeibkn.exe
      C:\Windows\system32\Mieeibkn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
      - C:\Windows\SysWOW64\Mapjmehi.exe
        
        C:\Windows\system32\Mapjmehi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Mdacop32.exe
        
        C:\Windows\system32\Mdacop32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Ngdifkpi.exe
        
        C:\Windows\system32\Ngdifkpi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\Nplmop32.exe
        
        C:\Windows\system32\Nplmop32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 148
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Libicbma.exe

Filesize
63KB

MD5
ed60742ff2cad84ad73cca23e7105fdc

SHA1
1269f57967151e32f0b4b02293f27cc106d4e5b5

SHA256
8c204fdff87cdaa1385d03f390b8d93a07dea3572a605b4a6178c80479e85afd

SHA512
872a4fbd9205954808ac0f2da262bcd347ed1f3df4f429e2e155679c6d8e3df06be619f4eaf18abae6d12561cde991638d71af17d1a6797f83311283c701ebcd

Download Submit
C:\Windows\SysWOW64\Meppiblm.exe

Filesize
63KB

MD5
1db4c87156b1a1990c14032ca79c1797

SHA1
98830e3bdd07a58f8a528eddc8cf48a7b528bddf

SHA256
8f2eec0376f9b5a0ad154424d137a934dc4634ba8990ca63a4b0dcb3dd7a9ea8

SHA512
e6dc67ee305da7fd22f35d807d6726d87998dbc278109e4e0fdf79fdffe16840d692b32ee50eff5e083b6741c66b3a88c169c661ee0189acd1f687cf95a6f7d2

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
63KB

MD5
50c331b65cd52d3c0aa306de0e309a74

SHA1
4755760b7effd15b59ddb7770633eef883995157

SHA256
86465e18e4665f3200b0d5b9722785c191be1f953bb27bbc04b8d5e47362ab87

SHA512
8721636b8a6963a17858fa00ea9e92647e5be19084f10a70b6b6c7fe4909d9a39e837ee8b8c26bf65a4409ff2ca6fd7531c01fab1f22dbd6c97ea23739668444

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
63KB

MD5
1ac53735a5d9490e696be4f4f04f8fcd

SHA1
3b324e17abc4c3c8560b9e0f19028ae994014fe3

SHA256
154d96dc92553d38fd3dd0d0c68faa421ec6b37437447670019d4bfcb005be95

SHA512
82485722707aac86265624147a05d2a7bac665edba3e061d22919cf43919ed4217357ed83a57c209dc059104fa32a6055ee990b6aa8124723d341df322930752

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
63KB

MD5
540c7c7e8926fa3b078192952adc3094

SHA1
6eb6ef356aa03ddde681795fb1ebd88fa7771aec

SHA256
01c013b7f47c926ea425472e191f0dfd4f04418d15730ddee0ce15d0e33324c0

SHA512
38ccd6a1b4d18afc4149f016ce7227effcb845d730adb981f15e97f3275820d1bd770722d257d900c18a95706d03167251c2191a3ec330fa726f2603bb45fb3b

Download Submit
C:\Windows\SysWOW64\Nenobfak.exe

Filesize
63KB

MD5
c93f7a919babbfb39fe0c70a118be53f

SHA1
74dbe50bac5d4127e33fc00d413181df445a841d

SHA256
aa57d916287f2e366a3cd2176f21b705ae555747c730af1cbbe37993bd2d3fe0

SHA512
85e9c36245b0ddf54df8c82bf539f8aee3119ed452abdba3c7efb3e266dabc8f83b896f9b40438ed9f05ca5ffc1976369843b5e846ccdb6745a044d9bab65e0e

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
63KB

MD5
ed1a93f0cb44183d631d5f95246adfe7

SHA1
a2ee309f92ec3f1fead4b7b1a83fd04e4f4b6e86

SHA256
afdf9569bc94ba53f3bc60423cfa110bc3b35e4558a9a541003242affb807120

SHA512
91fa251c988e628d495e07a49763cb1b5343f7c2eead5493bd8f76bb8cf6d5bbaea4feb0714dfd6f6c5aba79a9a3ef9bf1b7d7778765fd5250316293b8b577ab

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
63KB

MD5
64a2694d61bd7e790160a60bfeeead48

SHA1
c1d570f9f0b2735c6ccc7654c68fcf99db8beefa

SHA256
952b9a5d23b110741e743c0a2108d1f267e364e4c0f86448c8fbd1e743e3c5c1

SHA512
b0102d72ba347143cc69be471103abd94465f95f5b8d29f6b0150fbf3d93775129150d6597d25b3058b1b8f989281fd07e6d7f2a190bd0481d9a0d5a4cc5c9ab

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
63KB

MD5
24b21f609a4f6f3f7dcb6266edb5c836

SHA1
b6f0ec5d064d1166e8f666b9a77f9591cf3c6589

SHA256
1ccb5a09c8cb9bf40272a4f2b5010473d061e9b3c7fd41d6360c0995ccbc673b

SHA512
ecddddcf2231c44e13546f027db2cac436c63e3b111d494a3b39a6dbbe4f0695650cb8a56b5d0904b5c148d4558d655149ea47c16469c8aedd1c812e83240124

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
63KB

MD5
fec670d6d4fb15b6de21dac1d7bfb993

SHA1
0539a73d006ecd8684b550a6451b95dac0d6e0fb

SHA256
839382999f29977ac1368e96617f51c02e6926671c3363e4f87b7c45398e24cf

SHA512
972aaa83575b9ac159071863f9b1346c1ceccd5dab6dfce456cc5f01bbb153565a22913fb3f3e4e6c5a991228f99c6740dcb00a095d93511985b0005a9cfa0d8

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
63KB

MD5
05e00e7a97739c4a7ac638e5e0e6c404

SHA1
84b7f631cf612837de82be0fd41bcc7e0ee60361

SHA256
5012e6dfef1a5f4fa6ae29fd4070df04568213d8caaa755149e61d1ca979b5f5

SHA512
16e0bc8172ec5c863b4dc66926caa9ade4be51e74c1bcaf6092713102a96e5afa5de79c2e435b9f5a0577c543a1c283ad7b8565f1006af2a4987aa06d1cca714

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
63KB

MD5
7a3be053c953b9d0ee79f09310a7e630

SHA1
141305472807c2c09f6cfb349b39befa5294b252

SHA256
c255dbb7a22a5503689e19cab57ddcc3a1d781037ec948cbc719ce3fa4c590dc

SHA512
6efc89a888f2a294009e4845f0157faf53a0f26eb2cb8427419933bfa5766ea3c3cef444779a8dd09115031334579ea874ec40b67a8f6d7b188305903fd0c162

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
63KB

MD5
10123d32fd833d39336047a6f0791239

SHA1
83384ffdced13de13080a8d672d2cf9c953eb128

SHA256
eaa9595af7a603dfbf3a3b0579a55b1cc50ede1282148513a39c0c296b2b4adb

SHA512
5c6cc41e28d2ebf60cefeddc93dde815a8a457898b43362116beb7123a7e448c5645304b8d9e5364697670bbb9ed74c27420fc67bb0f076f485c00ebba0e809e

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
63KB

MD5
dfec7dfb3cf00cc0644be8af65589817

SHA1
ed3f322087dc3814d3d495d18efd5b85df0a8b01

SHA256
7cc9219f7b9b82614f22dad988c59cf5f8ee549080e7a06d1adedfd941a0dcdd

SHA512
0064417b4a8c4cb85d513c127872f1e3928ce0dd96e4be53592235bea5db733fa3128796533ab8533ee72661f04960310276f4139872831876a262a6195afedb

Download Submit
\Windows\SysWOW64\Magqncba.exe

Filesize
63KB

MD5
8998a3d5db9cf82e6624a4df18c91eae

SHA1
51192fe3254a0ddf45a1192ce953be2f1ed59219

SHA256
99dd46f6fc2173c1902e89d9b2f53d7cf634bb6b48fed6d5d895fd642767e06e

SHA512
178ae54315a4ed41a944cb7019592286aeb0cdf8787683eadfc823a65d7c4b05204513dc6ec617c0c57ebcd9abf86455d267b8cdeb1ed836fd9f414a8940c9a1

Download Submit
\Windows\SysWOW64\Mapjmehi.exe

Filesize
63KB

MD5
899865e62afff8ab6516e4cf410ac241

SHA1
7aa3863992c9d3ce4bf68cd5b47952d9bd5936ce

SHA256
3ab78e8e1daa50c666ddedbc5f53e43a407390f989ccc0b9848b0092bbe7e70d

SHA512
063129173ddb970ebe52346809be7e8b97a20140d73f307f9b87ebe31303d8d05e48d04eb1e83f8e84aef63a121f2efea9444b63bedeb46b0240ea34b105a7a5

Download Submit
\Windows\SysWOW64\Mbpgggol.exe

Filesize
63KB

MD5
ea61ca4144c8efc2fae0960a326eed97

SHA1
de6e8350ffd01f997bd206f28264df9b6909f861

SHA256
d7a9c20d80c29ca276c96bd41b7fd45cd7b25f9fa98d576991904e6d8031a5e2

SHA512
41429076268327da21683f4638d369e434f9e5609f8319571f3df3d843bb35f9fcdfb7f40467d9717523386a5b9c228e5267d12121e29d953c207704d18635b8

Download Submit
\Windows\SysWOW64\Mdacop32.exe

Filesize
63KB

MD5
b7be6382d8e9871d9f66dac88da05aa6

SHA1
9a22007217858fed64f959887bbf3a7700eac1ea

SHA256
efde3a6715384d023f928dc26965bd6b1fb60f301cd00a9e6f61081ade160859

SHA512
22fb0cc47e851871fa066c2ab0dbb2d5641d44f0762bb691c7b6527f10a221653d7a2ee6c864ef372e1fdd669dd2584ceb57bba77bf5c9aaa34c42fed4657a37

Download Submit
\Windows\SysWOW64\Mffimglk.exe

Filesize
63KB

MD5
2a1d524bd512371fd8ba511e51b6c4a3

SHA1
5a06a3922267f329d16bbbafbf3c183839d57839

SHA256
34b8b333ea54128ec016633b55d71895b5cf7e53a14f327e1c67118717d91fd2

SHA512
54d73905b8f0a802b90abdaac17431a6ede4ed147e66fb1c26112cd23658b19454d334de27d12675cb217070f24109f1e3eddbdd374cae2312d908a4d4d1ff0e

Download Submit
\Windows\SysWOW64\Mlfojn32.exe

Filesize
63KB

MD5
877c45a4bfc8497671d6d4091bc6f645

SHA1
fa109e24152579b972bca904b7192f0f21aff1cb

SHA256
62cc360e249ab7e031e75b96f26b947436edf057cdcc84670bc98ad21a73848f

SHA512
cbd922b8a6588afed90382a65822b6836cffbddfd1018b6a59ab034c8827062516646243f919f27db8a035799162921264ab302f7a39af88333911d4a75280aa

Download Submit
\Windows\SysWOW64\Mlhkpm32.exe

Filesize
63KB

MD5
d82fe6d3b7831216341a70c90e4af866

SHA1
c7f8f8144c543d4ef5321446ae9ff40bcc348404

SHA256
7d5643af0346339f97c5fbc4529db386c2d644afbc7f84fcf243c98f75ed3d80

SHA512
e1cf9b97d4667bddbeab4626c5719f8a13762cb3deccddce170849895e9205ff2121f293d9ed7c793ff9431cbe363e4c4fc50ff674833a52ce7263b510cd8773

Download Submit
\Windows\SysWOW64\Moanaiie.exe

Filesize
63KB

MD5
ee4c79625c0c1b11e31b0c1f7bbd699e

SHA1
6e59367b9e7bd0393853425fe5063df6b7b0260b

SHA256
f8536a0d6592599721ea5119b264d48e2683fa276432a1b9c8da50f9ef2ec200

SHA512
4c53db1f76cc7d55c9480bac9bca1cb3eac8c976920f908de6dfcbf0a955347174d83243600c7026b00f40623cb6f7e50da47d1cb0ef35b17ef0be0c77030015

Download Submit
\Windows\SysWOW64\Mofglh32.exe

Filesize
63KB

MD5
8490d1668c77d44babba8835e35550f2

SHA1
c1a8d177c5027e71441fd405f12e8021862932c6

SHA256
3671ef70820aa3e1ad9f2460bd1033e4d13363cff814fd3c7abcf4f97034608f

SHA512
2ff571b93ee6aa8196a16139ca54fc9e670468b9954efecf35b1a2ac6de424a2227d7632f23e689a09b22790c14a8adff9351ff5c327cb76ada2e569b5e0df57

Download Submit
\Windows\SysWOW64\Moidahcn.exe

Filesize
63KB

MD5
c120edeef563b8a7a2ded7aa47f1a969

SHA1
bf24f1540360ebcfc4dc1d43d258745cffcb6ffc

SHA256
8f1ab0220eff3317c94f8d4c7de5d0127542256369bd8e74d95c210b1e605311

SHA512
3e9f0c19d73470cc43ee3c352733a016a54c09ac14bd699058e3092b64c59b94d25a94103b003e02193be93cd241beeb57bd9d019cf28611809d2b52635468f3

Download Submit
\Windows\SysWOW64\Ngdifkpi.exe

Filesize
63KB

MD5
52b107333366d836ed8d9a7c7fe0ad21

SHA1
bc0706a1084c0500485d2f2f38e240c0a473298b

SHA256
7f0678fb18e9e590fe5e03cdd3ccda5734beb1b12638e3006238fa59bf2febad

SHA512
cfb65475fd3390f379165494c582c35ee0d9d805c857ecb9ab88cecd03bb4ea6c6b63c4e2658015b3edb4534c9c8838cbcbe8b78974cfd8b7f50efa01d5d532d

Download Submit
\Windows\SysWOW64\Nibebfpl.exe

Filesize
63KB

MD5
0f3e89e8ed0931848b4c1c624dadb581

SHA1
7cb409c10b6aba4a1b912495123fd0f8deb9cebd

SHA256
6bbe251cb5db9c26cc622f5fc8bee51e80705093fbf2d3ca27464549db42794c

SHA512
8b4c0317fa7e84987738afb409791d740e5d3f8bec60b45775c9c9c13aa2379038572ae4ce0d7edc9132b5ee564cadc9a0b4cdcdb3fd154db0057efdb9094619

Download Submit
\Windows\SysWOW64\Nplmop32.exe

Filesize
63KB

MD5
aaee9a7ff5103ba4b751e2d73c2ba952

SHA1
7d43b099f4a1220bfc792d6cad2d2dad3392dacc

SHA256
d9527391b030cab05b08991371cc8b1bdd1c13c84edd4bbbec8ca84d1dca0aca

SHA512
882ff887d86a76cb96819b408042958f86e5a0affabb9cb583b9d1212fb8aa17e3507092fb59e7a65217d2d046d11b1dc8e1301b60bbb40670b4b5dcf205306b

Download Submit
memory/692-74-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/692-66-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/692-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/824-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/824-153-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/824-332-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1092-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1092-285-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1092-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-143-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1180-244-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1180-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1488-313-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1488-318-0x0000000000310000-0x0000000000345000-memory.dmp

Filesize
212KB

Download
memory/1488-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1488-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-342-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1536-253-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1536-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1556-337-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-226-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1560-338-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1560-220-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1568-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-336-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1616-205-0x00000000002E0000-0x0000000000315000-memory.dmp

Filesize
212KB

Download
memory/1616-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1644-274-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1644-275-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/1660-339-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1748-328-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1748-100-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/1748-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-330-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1836-119-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2036-118-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2036-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2376-333-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2528-350-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2528-47-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2528-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2540-348-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2652-349-0x00000000002F0000-0x0000000000325000-memory.dmp

Filesize
212KB

Download
memory/2652-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2812-326-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2812-12-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2812-13-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2812-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-334-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2876-178-0x0000000000260000-0x0000000000295000-memory.dmp

Filesize
212KB

Download
memory/2900-307-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2900-346-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2900-306-0x0000000000280000-0x00000000002B5000-memory.dmp

Filesize
212KB

Download
memory/2900-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2992-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-345-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-296-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download
memory/3044-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3044-295-0x0000000000320000-0x0000000000355000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads