92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d

Analysis

max time kernel
95s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 21:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Size

87KB
MD5

ebceb73f07a0df6fa11bd97db90de107
SHA1

eb2a1c040c36e7e06cdc50da5eb7fbee0073af83
SHA256

92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d
SHA512

7ca795586b04106fe45daca0ae46c065bde39cf5704403b4819d71af1a7e9ae783f9d6c970a8cc1c847ef4aadfec0e0fb89e26c16e3f46c1f57d8db57b8267ac
SSDEEP

1536:vZol+MjsTZ+yrOTPmLsvmMXJ8t8CmxEdCXXR1RQ4NRSRBDNrR0RVe7R6R8RPD2zx:vZa+gsIQkD5SZZcreQAnDlmbGcGFDex

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nafokcol.exe

Executes dropped EXE 24 IoCs

pid	Process
1040	Majopeii.exe
1276	Mdiklqhm.exe
2852	Mgghhlhq.exe
1972	Mpolqa32.exe
2060	Mcnhmm32.exe
5088	Mkepnjng.exe
1004	Mjhqjg32.exe
1436	Maohkd32.exe
1120	Mpaifalo.exe
1848	Mcpebmkb.exe
4116	Mjjmog32.exe
1660	Mnfipekh.exe
2352	Mdpalp32.exe
4244	Nkjjij32.exe
3300	Nacbfdao.exe
2892	Ndbnboqb.exe
1788	Nklfoi32.exe
4548	Nafokcol.exe
2116	Ngcgcjnc.exe
1892	Nnmopdep.exe
4976	Ndghmo32.exe
2816	Nqmhbpba.exe
2748	Ncldnkae.exe
1480	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Majopeii.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Majopeii.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Ndghmo32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3548	1480	WerFault.exe	109

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnohlokp.dll"	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Majopeii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mjhqjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 1040	3992	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe	86
PID 3992 wrote to memory of 1040	3992	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe	86
PID 3992 wrote to memory of 1040	3992	92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe	86
PID 1040 wrote to memory of 1276	1040	Majopeii.exe	87
PID 1040 wrote to memory of 1276	1040	Majopeii.exe	87
PID 1040 wrote to memory of 1276	1040	Majopeii.exe	87
PID 1276 wrote to memory of 2852	1276	Mdiklqhm.exe	88
PID 1276 wrote to memory of 2852	1276	Mdiklqhm.exe	88
PID 1276 wrote to memory of 2852	1276	Mdiklqhm.exe	88
PID 2852 wrote to memory of 1972	2852	Mgghhlhq.exe	89
PID 2852 wrote to memory of 1972	2852	Mgghhlhq.exe	89
PID 2852 wrote to memory of 1972	2852	Mgghhlhq.exe	89
PID 1972 wrote to memory of 2060	1972	Mpolqa32.exe	90
PID 1972 wrote to memory of 2060	1972	Mpolqa32.exe	90
PID 1972 wrote to memory of 2060	1972	Mpolqa32.exe	90
PID 2060 wrote to memory of 5088	2060	Mcnhmm32.exe	91
PID 2060 wrote to memory of 5088	2060	Mcnhmm32.exe	91
PID 2060 wrote to memory of 5088	2060	Mcnhmm32.exe	91
PID 5088 wrote to memory of 1004	5088	Mkepnjng.exe	92
PID 5088 wrote to memory of 1004	5088	Mkepnjng.exe	92
PID 5088 wrote to memory of 1004	5088	Mkepnjng.exe	92
PID 1004 wrote to memory of 1436	1004	Mjhqjg32.exe	93
PID 1004 wrote to memory of 1436	1004	Mjhqjg32.exe	93
PID 1004 wrote to memory of 1436	1004	Mjhqjg32.exe	93
PID 1436 wrote to memory of 1120	1436	Maohkd32.exe	94
PID 1436 wrote to memory of 1120	1436	Maohkd32.exe	94
PID 1436 wrote to memory of 1120	1436	Maohkd32.exe	94
PID 1120 wrote to memory of 1848	1120	Mpaifalo.exe	95
PID 1120 wrote to memory of 1848	1120	Mpaifalo.exe	95
PID 1120 wrote to memory of 1848	1120	Mpaifalo.exe	95
PID 1848 wrote to memory of 4116	1848	Mcpebmkb.exe	96
PID 1848 wrote to memory of 4116	1848	Mcpebmkb.exe	96
PID 1848 wrote to memory of 4116	1848	Mcpebmkb.exe	96
PID 4116 wrote to memory of 1660	4116	Mjjmog32.exe	97
PID 4116 wrote to memory of 1660	4116	Mjjmog32.exe	97
PID 4116 wrote to memory of 1660	4116	Mjjmog32.exe	97
PID 1660 wrote to memory of 2352	1660	Mnfipekh.exe	98
PID 1660 wrote to memory of 2352	1660	Mnfipekh.exe	98
PID 1660 wrote to memory of 2352	1660	Mnfipekh.exe	98
PID 2352 wrote to memory of 4244	2352	Mdpalp32.exe	99
PID 2352 wrote to memory of 4244	2352	Mdpalp32.exe	99
PID 2352 wrote to memory of 4244	2352	Mdpalp32.exe	99
PID 4244 wrote to memory of 3300	4244	Nkjjij32.exe	100
PID 4244 wrote to memory of 3300	4244	Nkjjij32.exe	100
PID 4244 wrote to memory of 3300	4244	Nkjjij32.exe	100
PID 3300 wrote to memory of 2892	3300	Nacbfdao.exe	101
PID 3300 wrote to memory of 2892	3300	Nacbfdao.exe	101
PID 3300 wrote to memory of 2892	3300	Nacbfdao.exe	101
PID 2892 wrote to memory of 1788	2892	Ndbnboqb.exe	102
PID 2892 wrote to memory of 1788	2892	Ndbnboqb.exe	102
PID 2892 wrote to memory of 1788	2892	Ndbnboqb.exe	102
PID 1788 wrote to memory of 4548	1788	Nklfoi32.exe	103
PID 1788 wrote to memory of 4548	1788	Nklfoi32.exe	103
PID 1788 wrote to memory of 4548	1788	Nklfoi32.exe	103
PID 4548 wrote to memory of 2116	4548	Nafokcol.exe	104
PID 4548 wrote to memory of 2116	4548	Nafokcol.exe	104
PID 4548 wrote to memory of 2116	4548	Nafokcol.exe	104
PID 2116 wrote to memory of 1892	2116	Ngcgcjnc.exe	105
PID 2116 wrote to memory of 1892	2116	Ngcgcjnc.exe	105
PID 2116 wrote to memory of 1892	2116	Ngcgcjnc.exe	105
PID 1892 wrote to memory of 4976	1892	Nnmopdep.exe	106
PID 1892 wrote to memory of 4976	1892	Nnmopdep.exe	106
PID 1892 wrote to memory of 4976	1892	Nnmopdep.exe	106
PID 4976 wrote to memory of 2816	4976	Ndghmo32.exe	107

C:\Users\Admin\AppData\Local\Temp\92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe
"C:\Users\Admin\AppData\Local\Temp\92ef926da0de21344621a4dd37c66cde475e5e5ed2eeb5dfac06a82a2d816d8d.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\Majopeii.exe
  C:\Windows\system32\Majopeii.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\Mdiklqhm.exe
    C:\Windows\system32\Mdiklqhm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\SysWOW64\Mgghhlhq.exe
      C:\Windows\system32\Mgghhlhq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
      - C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5088
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        25⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 412
        26⤵
        Program crash
        
        PID:3548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1480 -ip 1480
1⤵
PID:772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dgcifj32.dll

Filesize
7KB

MD5
59b8d58004454c26b41a01d86ce0ca13

SHA1
7b664e2bec79a6e5658017fe4d5fefc11acfa26a

SHA256
9b47a697fda34afcdeaf6f002fdc97057d6d2f42aa53e286691c5aa6b4c249e6

SHA512
adde17c2f1c1f543769e690300086d09a8fac5f5746a3328ab0542b57326be202d6513a3432a10b1dcbcdd0ce199545aedd31928c210385dcfef7f717401be00

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
87KB

MD5
9372dbbceac1614e35c7b57a930c59bc

SHA1
c3554336890a9f55a4879fb6c1da52503748f0d7

SHA256
ba6d75f47d7af3e23a219ed00c81ad9ae910af5006286287ef391f073923d403

SHA512
53827e3a89a87cfcdb37ef199966f5b0dfffb03b6dfe8cb668690bc48844c913a0f45bb018a24d86b32d0f836c7f977a51d9eea97359e327cfa154e0c6c570ce

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
87KB

MD5
9078f96379727217e51f14b4bd575377

SHA1
5a0c258a5272811d6be2023039d09be173ae9ec8

SHA256
6728cb952ddb218888a7426f33934ef5335cee567705353f313ba06e5d2e7e59

SHA512
2dad1667f5b2b171ad08d114f0761d1231d246d80c122e0e15da86c5681e71b2b9fb1a35211406166ae09ba963d3da6c55f113355b7e87108f02843ad143706e

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
87KB

MD5
aded79cd81975b0a13caaf94bb066168

SHA1
5ab0f4f0c6dffe12c60d44583eeafe21668830b1

SHA256
2d211b18f473019facf1c2a8d5ae73a6bb50949953fa71c91fe5aadcdff3b107

SHA512
d3b3a1b762a4f9522029a9fdde98f8cc258af350985eb902f2ab99f3b6dc82fdbd391ba29c53744d2a818afe1f9eae90531e233c51ce99d672b8a73ec02ba975

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
87KB

MD5
4faa82bd55aa2d572f619e0746e20fc5

SHA1
6abb5c8dce93b6823e7ffd4dccb7dec3d4d2782e

SHA256
452e780d876aa08b6df0850723bd5a79eb21b521dfa6f0bb1a7714d2b9ed0e71

SHA512
1310368d0fe3e3f89ad8f7a3e089c894fdcc7e520982e48e8ce4e2db74ddee0ed2241c838bcbf0f240656b420ca77e5f689933b1238282e3f1225f5a903a6196

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
87KB

MD5
30213ff220263d90344246cde47a4b37

SHA1
df6f2b61c275f162d1cef21cbc6ea24d73b0e728

SHA256
649048c3fda029acbefa3b4f342bf62306704b431852e849a3f9546b9c064e98

SHA512
04d89bfc02c5ed1c41b0ca34241947f1398358e97bd4f8a3bab50de7cc4fe194e8f40ac9f2e04a5e245a65385105ee1549029a8ce3d7538d8d17d68d8f1f22ce

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
87KB

MD5
8ad4e4cb61ce4b2ec0c71e4392968b5b

SHA1
104c427890aa0852452f80d97be907e1c2fd34eb

SHA256
1c40f9b51bb6ab5213423ef9ba02cd612fbc3614190cae16616bd78ecfd04b03

SHA512
1f170400f613ade60a86e4ea96eddf3857226b6cd46d3ed335915eb1c03229c3baee6fffbb15835fafce8d5267be00b7c6133eeff1cee192394e8dda60f711eb

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
87KB

MD5
8104cdba5a1d9cf738631fe23006e77e

SHA1
28e06ecb7af0be1af221fc3d46e2412bd163d53a

SHA256
6dbbf1d3d8afa3013f81458588ce0ce76e0fd463aea21c43b27c1fc1ef233c8b

SHA512
84d23c4d05b63ace9485920d8ddde83a72e80a45c6fba1b92cf2bfcceb3a2820d29e99e6c55091ecd231fa2467d8dcfe5524d3a14df5350f23b6e1dbe67c718c

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
87KB

MD5
4df6fa7a5d59b78aa0725ac3cb0aa246

SHA1
00ee100ca5bad32afce9460fab78d8ea6e90bd07

SHA256
82deeb707d18448f67061fea078c973341c32e14de4c4aa05706655e0830ec3b

SHA512
d1e60f6d9297de365213749ac9ef01f358169b5e9a800f4d1a4618bc92f2137bb8d7f7c71aba51d6d24c8cf1136020d870405d57d32e076ff89800cc6b20860c

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
87KB

MD5
d5cce4bf775cd87be618fbe18f7bf4ce

SHA1
91be5e38f1fd52509c94d3a7d8d19d05daeb818d

SHA256
7cb96c29a43881685fbd1821185914271f0f15a61571bb3cad4d248a60d06c71

SHA512
182a1fbc719e05efcfe964634685bc82779c5ee37de9d3172c50d94ed531058e6e9ec05846e3e7b5b7c1a259646b9ef26aa7bcc1b3a06299d5998d489acfd862

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
87KB

MD5
18bb46d0accceb19f7f1847586d68e0b

SHA1
b023e54713125b104b4c7dc66752cb1e2ae11d5e

SHA256
cb894530032c869d7a2106faee88b8bbba4594125da493ec33e0b0d55e840074

SHA512
d03b2d9e3194a08fd8009093b83b2b954d76312981825abd6986333006d078935154fcb2855f81b79732840e724eace2c7e9e5a943b8768bde266509a1d8d0aa

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
87KB

MD5
78b7a513158fd12745a40cec49ccf7db

SHA1
5c98bb898841ae9fb10ff76a04147719f792c990

SHA256
261e23126247a16a99f3102403da8a5ec6c8b7ebb373ea264b277dc6b384828a

SHA512
9654fc977caeb59cd4bfc86cc2d4db4c5304e9481e5208597ee3db8edf0b8e5e9c2c90309d9abefeff3a5e84630b4de49c69e99b3b7ada83ef14b0c012ed2ca6

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
87KB

MD5
05cdfb427a2c6e99c9de515262744bd9

SHA1
185d3638797f7bf60e6013f28395be4187a8ead7

SHA256
2896b4866b36a66ac5821d2f9aecac9e0bb9b6c00a372ee1bd8df4f147549069

SHA512
c2c8a4d4c6c2e74092964257e44f80f47afe567f15f870f3084495d4255b82f7765c4aac861ebcc29dc22a4847b91d5ed5809a917e4ffa1ccfb644cc2a4d3d46

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
87KB

MD5
bd38e5f757cc07a873acd182488b808a

SHA1
7f1330e375303e053274363be50f673635a63352

SHA256
1f83ba495af5ed86410c80a5dea8a63f02e4d3f0647fcfeb45b4c94b6213be5c

SHA512
731c74bd9813f29f621793d4d30ae84f7ce2d177852c84784ee59119e4babfcf75df6e2023d53452bc906082fba7109dc7fb68b2403760a250c639dbb454aa1d

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
87KB

MD5
da69c908ba85ce1ca58af41336a42be5

SHA1
2484b70a9ade0c2c78e9d1e4f9ab341c8f2bb441

SHA256
81f68331d8453a2deb7bb2593817eb3a393effae1ef4e66187b71edbc4b36531

SHA512
25f17ab7a4a4b2b14667e3fee7b424961c81b1caa40e2d80142a70d5a96462b313796fe5e530377f50e34145946b77f0927d2fbd8e911e6c777ba36e54e713e1

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
87KB

MD5
0d0052891bd2400e33610f468239bef1

SHA1
c2556361102238245a968c0fe7e087d159857381

SHA256
d12b9a56be900469fec4eb0e00f3089457854290489fe0723a89a4f4acc41452

SHA512
b188dfee0648e64f80dc1cac189d416974e7736681081a5636c019c39af9ed4ae4da5099f49c30e92663a5c7722a3df661a71fa8669945ec673d233a9a2cf880

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
87KB

MD5
5901de478dc50829f08a9436758b15ed

SHA1
d6a37439c9f9d80e48e92fbde6dc27fc20f5ab28

SHA256
79a01c100ee9bb646ef70e5a9aad66d38c1f95d262a1c60f8640e74984c9cb0b

SHA512
71c5741ce671bd192e1dccd081e83877b984b25f06aca619f02b8ab7eeffdb2aaee0239c766845f38a459b68716aa634624952d73c4a0ffca5bf69ac5731a1d8

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
87KB

MD5
8670173215adf201da405d324f1b0c44

SHA1
b722eec3693c3d0c585f11d1fa2970c6e5a2b643

SHA256
5603bb58353edbae67f580985004a3a0151fee544827d041fab575d9428a47c1

SHA512
09dd5fe6f40a084c1bb400da57cfc4d7d0cc26e5a6750f40e87d16e2366d9c6faf110109b99500ba658e0318b8eb27aa1d2f287bbb6a2642f230ddae3e7dca6d

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
87KB

MD5
8e8c8462d0d39d27680d62942106f420

SHA1
2e6fbeb7f3b67384d78cbbc74050b92015ce81b6

SHA256
ba1ee43da7f2e5ac5689f1bb841908854adafbceec4b28d4884b9beae42318cd

SHA512
600c425ab9af491c5d474c6f3f8591fcc1163d0ee1ef99acb9c29bc55e2cf01b3af49f71a7bc428a3c6d9a5fb4d4864369a7f45b39083e33fc41d1c8f4c6e067

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
87KB

MD5
a17d1e36d5b87d684c21932ba199af68

SHA1
6ff670adc4cb334017cc09bb1eab2bb3b345b95e

SHA256
c7de7125736b615cee7b998c33ec6e5fe5106e87597deca329c542b43b78961e

SHA512
c249f96e565fde459ee0e12df4095cf5550f6591d748c6b04c3d90d4d3d33a6d1941d04161fda7ae9d5b22d3539555957731f6c8f1ebb5c6603c4d805166731a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
87KB

MD5
9502e9f25f613e315d8ea0cf868d2f39

SHA1
6f2f015e7b6c84e9b552794b7ee5ba669117ac90

SHA256
aecff4f758c539472719de2155e9ffa5ebddb7e6c6c567deaed04d158963cf04

SHA512
b53719039e99dfdc29ef2acd3274831e41c1fd7328152b896ffa57fcaad789bab0a8495c3482b4f345ed7de89d6301d7178f9524a0bbcbba08553b00072b7b48

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
87KB

MD5
4d9ec4e5eeb24d34949aa879c7bbbbe2

SHA1
9e4b5f0370fb61e107b09e1d39152a142e609697

SHA256
30a7ea24d64bbeee1681c275feecf7e0c472cfcab2e2eaab0c4052bfb5b274f9

SHA512
55b0393bba3497a8d54be9f1ede93d2669baf4a2fc8a4045dab9160e0edc701f6b19f53f86e295a3eabb327ec4c593755554c97cb8b8c80389938520d117a76d

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
87KB

MD5
16226defe354c20a037c303f295ae129

SHA1
9d089e8de4b6374eead1425924c4d62371c7c324

SHA256
3dc4280327bbc10e2dcefafa7ffb157f0666e2b05342d12d5cafcd4aea86c6b6

SHA512
88a94b838e2667ce0f30f9dd44853e6c161051202b3c6cfca139a7e5f9b30d5017e431aac33ea35e3b5d896e65da927d3464a7e03212ddc6b1318702a73f5452

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
87KB

MD5
b56982738a636de507c0b0db60c58f72

SHA1
dd5eb7a8ddf008562f41ada3a3952b080b662cc4

SHA256
696cf4a14846bd885d3102a91d18cd89c43058218cc293cbbbbbc86ff0b79f05

SHA512
69802987c306b342c0a78df063ceade554a5c4a390972820ad59401f82697cc9483f3ea433925c82fcc896af66e6a726815ec50ad3407c9302bfd3b2a1131262

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
87KB

MD5
bd290f4f9af6f0f98d407c315cdea965

SHA1
f00cb0e8d28b06cbf7f0dbd96fd09c14ab12723d

SHA256
0b02cb411068b2a282a0f199132ceada335898d3f020d1587144694584c5f638

SHA512
3c3346e88cee0e3916748415b7e01b00d440676c94c725887f6dc59d0f433c710e949feb041481f2963020c7e7bdda5dbe9d82deb14587e76d27c23246ff4e7c

Download Submit
memory/1004-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1004-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1040-93-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1120-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1276-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1436-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1480-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1480-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1788-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1848-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1892-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1972-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-42-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2060-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-166-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-108-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2352-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-206-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2852-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2892-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-212-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3300-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4116-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4548-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4976-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5088-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads