1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2024, 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
Size

176KB
MD5

15aab16b02fea9c64d2462ce3dddf8fa
SHA1

7b5cba7f6a2b364c7358bb517304bf1fb20f274e
SHA256

1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9
SHA512

8be1fea50ea52405eaad410e9caad904c9d868f53af190e5b8f78443068f12355ec6abb7763cd8c5757c22f973118b64b420a2b500e86b9b0fd0e332e13a53e1
SSDEEP

3072:vBXHxZwGpW+UjmOiBn3w8BdTj2h33ppaS46HUF2pMXSfN6RnQShl:5XzwGpWrjVu3w8BdTj2V3ppQ60MMCf0F

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe

Executes dropped EXE 24 IoCs

pid	Process
3060	Mahbje32.exe
4644	Mgekbljc.exe
5016	Mpmokb32.exe
1760	Mcklgm32.exe
2300	Mkbchk32.exe
1752	Mdkhapfj.exe
1008	Mgidml32.exe
1060	Mdmegp32.exe
3208	Mjjmog32.exe
4604	Mdpalp32.exe
2996	Nkjjij32.exe
4840	Nnhfee32.exe
2252	Nklfoi32.exe
3920	Nnjbke32.exe
3272	Nddkgonp.exe
1956	Ncgkcl32.exe
436	Njacpf32.exe
4624	Nbhkac32.exe
3692	Ndghmo32.exe
3552	Ngedij32.exe
3168	Nkqpjidj.exe
3800	Nnolfdcn.exe
4148	Nqmhbpba.exe
4908	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ibhblqpo.dll	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nnolfdcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
876	4908	WerFault.exe	113

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 3060	2580	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe	90
PID 2580 wrote to memory of 3060	2580	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe	90
PID 2580 wrote to memory of 3060	2580	1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe	90
PID 3060 wrote to memory of 4644	3060	Mahbje32.exe	91
PID 3060 wrote to memory of 4644	3060	Mahbje32.exe	91
PID 3060 wrote to memory of 4644	3060	Mahbje32.exe	91
PID 4644 wrote to memory of 5016	4644	Mgekbljc.exe	92
PID 4644 wrote to memory of 5016	4644	Mgekbljc.exe	92
PID 4644 wrote to memory of 5016	4644	Mgekbljc.exe	92
PID 5016 wrote to memory of 1760	5016	Mpmokb32.exe	93
PID 5016 wrote to memory of 1760	5016	Mpmokb32.exe	93
PID 5016 wrote to memory of 1760	5016	Mpmokb32.exe	93
PID 1760 wrote to memory of 2300	1760	Mcklgm32.exe	94
PID 1760 wrote to memory of 2300	1760	Mcklgm32.exe	94
PID 1760 wrote to memory of 2300	1760	Mcklgm32.exe	94
PID 2300 wrote to memory of 1752	2300	Mkbchk32.exe	95
PID 2300 wrote to memory of 1752	2300	Mkbchk32.exe	95
PID 2300 wrote to memory of 1752	2300	Mkbchk32.exe	95
PID 1752 wrote to memory of 1008	1752	Mdkhapfj.exe	96
PID 1752 wrote to memory of 1008	1752	Mdkhapfj.exe	96
PID 1752 wrote to memory of 1008	1752	Mdkhapfj.exe	96
PID 1008 wrote to memory of 1060	1008	Mgidml32.exe	97
PID 1008 wrote to memory of 1060	1008	Mgidml32.exe	97
PID 1008 wrote to memory of 1060	1008	Mgidml32.exe	97
PID 1060 wrote to memory of 3208	1060	Mdmegp32.exe	98
PID 1060 wrote to memory of 3208	1060	Mdmegp32.exe	98
PID 1060 wrote to memory of 3208	1060	Mdmegp32.exe	98
PID 3208 wrote to memory of 4604	3208	Mjjmog32.exe	99
PID 3208 wrote to memory of 4604	3208	Mjjmog32.exe	99
PID 3208 wrote to memory of 4604	3208	Mjjmog32.exe	99
PID 4604 wrote to memory of 2996	4604	Mdpalp32.exe	100
PID 4604 wrote to memory of 2996	4604	Mdpalp32.exe	100
PID 4604 wrote to memory of 2996	4604	Mdpalp32.exe	100
PID 2996 wrote to memory of 4840	2996	Nkjjij32.exe	101
PID 2996 wrote to memory of 4840	2996	Nkjjij32.exe	101
PID 2996 wrote to memory of 4840	2996	Nkjjij32.exe	101
PID 4840 wrote to memory of 2252	4840	Nnhfee32.exe	102
PID 4840 wrote to memory of 2252	4840	Nnhfee32.exe	102
PID 4840 wrote to memory of 2252	4840	Nnhfee32.exe	102
PID 2252 wrote to memory of 3920	2252	Nklfoi32.exe	103
PID 2252 wrote to memory of 3920	2252	Nklfoi32.exe	103
PID 2252 wrote to memory of 3920	2252	Nklfoi32.exe	103
PID 3920 wrote to memory of 3272	3920	Nnjbke32.exe	104
PID 3920 wrote to memory of 3272	3920	Nnjbke32.exe	104
PID 3920 wrote to memory of 3272	3920	Nnjbke32.exe	104
PID 3272 wrote to memory of 1956	3272	Nddkgonp.exe	105
PID 3272 wrote to memory of 1956	3272	Nddkgonp.exe	105
PID 3272 wrote to memory of 1956	3272	Nddkgonp.exe	105
PID 1956 wrote to memory of 436	1956	Ncgkcl32.exe	106
PID 1956 wrote to memory of 436	1956	Ncgkcl32.exe	106
PID 1956 wrote to memory of 436	1956	Ncgkcl32.exe	106
PID 436 wrote to memory of 4624	436	Njacpf32.exe	107
PID 436 wrote to memory of 4624	436	Njacpf32.exe	107
PID 436 wrote to memory of 4624	436	Njacpf32.exe	107
PID 4624 wrote to memory of 3692	4624	Nbhkac32.exe	108
PID 4624 wrote to memory of 3692	4624	Nbhkac32.exe	108
PID 4624 wrote to memory of 3692	4624	Nbhkac32.exe	108
PID 3692 wrote to memory of 3552	3692	Ndghmo32.exe	109
PID 3692 wrote to memory of 3552	3692	Ndghmo32.exe	109
PID 3692 wrote to memory of 3552	3692	Ndghmo32.exe	109
PID 3552 wrote to memory of 3168	3552	Ngedij32.exe	110
PID 3552 wrote to memory of 3168	3552	Ngedij32.exe	110
PID 3552 wrote to memory of 3168	3552	Ngedij32.exe	110
PID 3168 wrote to memory of 3800	3168	Nkqpjidj.exe	111

C:\Users\Admin\AppData\Local\Temp\1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe
"C:\Users\Admin\AppData\Local\Temp\1493b0b60879901b571348227033f00f1194166274a98f43e28290113a0c70c9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\Mahbje32.exe
  C:\Windows\system32\Mahbje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\Mgekbljc.exe
    C:\Windows\system32\Mgekbljc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\Mpmokb32.exe
      C:\Windows\system32\Mpmokb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
      - C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        25⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 400
        26⤵
        Program crash
        
        PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4908 -ip 4908
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mahbje32.exe

Filesize
176KB

MD5
37858a8df8fee1f5973bbb6f155a16de

SHA1
a294981eb621edf7d71b7ed3387811510839ff04

SHA256
1a73a7c000147d80613db4435f2179a4676047fe2b7565de8630dee9f743a569

SHA512
90c5b07de2e03e1ebf843ac3bab18fd1b638dd15a252d190a4a806ed33f21c096a1a916678fa3e4e915cf78cf7d487c1d87be7ae4e93277eaf77f455513fcdcb

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
176KB

MD5
3b3a56f641cad7a1f42db22aadc798e5

SHA1
4e473ed6964b685dd82a2356f325526a3dfc523d

SHA256
df245794073d02d09fcee5aec8da97c326da482e9d73508250e193e10d1dd361

SHA512
4c96af8003fcd88205bef10cc50d3b9c8f642929082aacaae199dd11a5420df6b5f3705f6123936729872b7e1609c76d8768eb4ed8d239a00256834a36e9aad6

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
176KB

MD5
3008c538e8566337f1330c047508ea0f

SHA1
edcf38b3a87b033fd66bc5624a0bc43c9ed544e6

SHA256
7f5b1a91d9fde66ed8dcc2be4c3c6342f3606f0b75a69a03fac75b29d75379de

SHA512
48ca2373b5fec0dfa8db69ca9624858f77fa75cac5ae34aa783b586f8febb65c7a623f13b53149a6dbc7d77ed9955403d591e128db9ef1fcf63a25183fe3ab5f

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
176KB

MD5
9a404b22a74895eb2e2d4d6b87971f08

SHA1
3338ff57516b3823649961b99dba8b65acbfbf39

SHA256
712c661bd7fe810c7de431d336dfdffb631697267d0801766f180c9abf3cd8ab

SHA512
6dee19a0f5f0e76eaec6700f2ece4c56dd653026856ddcc9ca60594accf2f409f0072de1c2d6b59a564c9867638c2116ec0f55a84270954d2a2dee3cf60e467c

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
176KB

MD5
2873d684caacdfe3265ee58fda5dc614

SHA1
900fc81927956f2ee4c71b6e1d31270242b82efd

SHA256
cdb8c00905af63352f2a21d5a14f2c3a771e0b229675c920514b7c6fe09a564e

SHA512
7e55fbc06546c973a0ad97a718235a75f1e6741ffab781234df3888bf32e3600414fd0732347333baaa8930f069ab8ad508872edd33717457b78a25ee62887bb

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
176KB

MD5
03b946f5dadca5dd25a669c94ea89c16

SHA1
368522a4cff6e96607afd998b9dfe35cc367713a

SHA256
982b6ee5d3af4be296fa324fed27d8fbb11faf05dd35f4b43229a9b32d65f74b

SHA512
04a3b662469d7c2c2b23bb73ced1a3fbc1dfd3164b8832b3849e2454ffb2ca962d612b9cb7e2c731644132d50ea6a6518f22294a8d56f5c977631a0e8a336f66

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
176KB

MD5
29474eda53339dbd56bad7c45d347f92

SHA1
31ec96cd9248ed6e7ca75ed2adcad5f94f83d05b

SHA256
f3aa2ba8ca987cfb27e7a3d03e50a3e8868212a6fe627fbc902b2758c876d77b

SHA512
faa13f8663b31b8c5705ced92900b05afccc953051b6fd463a5c543a0db6fde58ecc83ba71259c318545a597e5c56af66f7234d9fcc5f3f1925244db5f7fabc4

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
176KB

MD5
f66b2b446f4d877dd11efb0c0ba0af69

SHA1
cfa0f210b28b56a647c071d5fdffb7f9a280ec15

SHA256
d148064203f637a42f69f5db25e9df15765a3074ffefeb108258180c0bbf09ae

SHA512
35e8ce1554e49ad8879251a64afd8d4607f4741a33a2e0f264f430b2df4f12e136a47fb50350f8439e6a02083b5afb689d1bea6c857bbd13ac93ee707d7931d0

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
176KB

MD5
f7511719fba9babfcb56f8982ba848a7

SHA1
bdaa8a31ab27535bf5632d40d253d8fe68612634

SHA256
fac56a1c4872128e6c3aeb917dcc52d8a4cf78ddfed4f458fe6b9b67a3c02cf0

SHA512
02787982a3c60ef1ffbddd2425ab6f57e016abd08a7caa27ec9a39e71aad0160cc4dbc0b5ae2e51c31c3613e01faa56a389594c5d922beaf7117d2c762ceae2a

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
176KB

MD5
77f1160b4da3b6fddbabd24bce6c2f12

SHA1
e73a2cda579b66be824005d7284a7475573fb3f3

SHA256
a57a57d369ab76a62ef0e7844a25da86d75f07427498fa2924d147116abaf6a7

SHA512
e13766a90c6107147c4b893219d2256df7c9df4f03e9912bd0d8eb50661c49941cf6dea5de6c893ea19327c5b98bdafbeff325625c565e6b98e602f85c1d1f8f

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
176KB

MD5
92a058737d75c6f9e0f1b7473ae24ba0

SHA1
bcdd795c52cb5e6e0bbe469cf53e9b54f8f7e53d

SHA256
fbdb3d65ed0c1233c91092e34c2b3b6082b812358cf3b4e265e363ee3120b587

SHA512
ce02d737826df678052dd3ae5f01db3db1c54b35972a88a0ce7ea38d1b1c7979b2a41f89c7013f9499c38e0f5c799973f07572e1b250a544c45dddcfdc37c475

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
176KB

MD5
0565a68224d9a42a422681aedf4617b2

SHA1
c92d1423d1eeb590d31adc63e6eba892578b8c2b

SHA256
1f643da63f296de6b85aaa848b46b4dff23952786e9fd1737dcb021e3c392b67

SHA512
26b80be7b18c755f5ca7f7d30cfb17cf2fd2d871dd633afdb30cd888032db6fa288b16c43a6f1e6a9f87886be1b67abd3542a0b4d8f7519783b96057067322b3

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
176KB

MD5
43312a3b46d9d8e624aed5c93003c3a7

SHA1
62e4eb015758d6ed4f50892500592e7ec9c2e6b1

SHA256
9e72a13377ffce9e56e094f0e5fed5b0c15137af52278ef5da5f0c846220875b

SHA512
15074d8137b36928c65271956e80de876c8b4dc24665b5bb8d672877989c1a470f3f1f7e7a773a0a0b755eebc67ae1155bf41a32775af00d4da88002f5169ff5

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
176KB

MD5
38d6d77f0b8ce665206319399171bef3

SHA1
7dc2961f4ef34c767b1886c7e93250b047bf1f3b

SHA256
89de3057df7469f577f8eed3bda061f9dffd5fbab9f1d3435a258a4e267de436

SHA512
23ec95463885a6a16a726b19f6b7ac90d28bb61848bf8b30a00d7962f77a9dcfe57b1c6076d45e0b563b1ffbd017a09ddd53babdb9d6c1f7e8486ff9a1b25b2f

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
176KB

MD5
5b6023ee6e5a914a5a481b9173a97cea

SHA1
316c322b66ef992db3fb7630cb14411c2d2833c8

SHA256
7a4a4fbbcf73e6e1c6c49d54631e6796cb24130502e4650c2185a24ced092b6c

SHA512
d4420bcfcf1740e639b35c377c1667a74907819aa63a495609e16aa4fda4f383400e0d17ec2fc15bb5057609d4dd00e1fa268ab4bc725c834c085276c3e673d3

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
176KB

MD5
25c460ba8ea9e080e7cd59065691e472

SHA1
854b861cb2edc486009c843221fae84c68334fa7

SHA256
1ac1441c76cebae38422f58f063d682ce7b38385270f2d0b695774cf78b368ad

SHA512
356f18e3399f04e0e5f75aaba180af8931023ce21c29bf41e8f15a4c3f8ae48eb266075f2737bcb9dd0c7a7ee3c092c6baa24607b5bf97fb7f55420ee73f4bb5

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
176KB

MD5
a79c7b1d361da858bd22181db8af3582

SHA1
9cba90af1f1702ca172262cd3068e92fea3140be

SHA256
f4f3de2093e2a33cc37f3ae1f96e818acfc71ded93d2c50ac2ace2e70d4f87db

SHA512
2e1cd3b204fb1dd89fa7087a7f26f207f9cf98f22d1a6227454748f0d5f26e04e270f87069df1ce4fe836264b70f54850f897e803e376c372de02fa117106379

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
176KB

MD5
9d3053891a5fa3f5bb5cc683fc766515

SHA1
82136219cb85238212d8929390355ed90776a985

SHA256
6602af5bb85915f1ac4e616a5a31ff96e54d23f3fd60f4eb6f4883ef4eea88e9

SHA512
eb7ea47ca662dbd1062c8c1db1213aecac5f39e38f82ac5c9916465f1cb9a4ed3ec2dff6a4f5aa5487bd5dcf9ac0c78da6383d1775c1e253d6c883c58d2b096f

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
176KB

MD5
6920f3f8cc61736eff16a8c2a5610a56

SHA1
0ae412d13cddfefc5d89ff4565ed95079feb35f7

SHA256
f38c3a5df628e9bab477d535c9d7c1d28a91e39eaf0c090e02325c172aca3fdf

SHA512
d056841ac96291690d639d4115f48c2dc54692f02c49f54c380d6b8eaca6c956e402fb08ff07607e69af3803ed40752cc11414e1f5d5bbaa9187d0b9960219d0

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
176KB

MD5
04c3696121afb2e619f2ef3845f1fd2b

SHA1
ef9f9d32c131df5c1ddae0f40de85b47aefdf623

SHA256
67d4d31dd76cadf451c1f510ea6165e598bf99e3933cd1d1db8c05b87f5a4df1

SHA512
a10057bdee0c6f5019a5d2115e0962185e5a6b291b1678fe9afb7f24abb701fcd0f1cd22d55e1985016b5a48ccfa7af85c5f771ecfe948a7efb7291ccc91d0ba

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
176KB

MD5
221bf55d654c5016d14de1634fba6dce

SHA1
3b5d3e0e2d8433b91aa32ffc135d1e8da09c68f4

SHA256
7347a22118fbab416e3296e67062fab96d8915f248f9a7ecd9983c9680486235

SHA512
5ea2549fb99e5beae91c721eecc3d909f5fcd7aceae4e6c5ff2accade670814ee53fcec4f80a13375df776481141186f556c07d2e0cbb9132a2823f41781e3e4

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
176KB

MD5
33c7c9f63a03c887b7953a9f02e06713

SHA1
bbfe47d497eff44e77277d986da78520e91e843d

SHA256
f44ffbc212a4f24015e187d2fe4f611701c0644f1f5efe1d8e8a5d13af02a4ce

SHA512
4705ff80ecced0fd58e56b8c81fdf82c3595c5eaa0c88e76f4bb02f70c8b5e1cef8f00b92efa1b4509e3870bc41fb39df5e6a474a8c3a9d26536795e783df44e

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
176KB

MD5
733554c349896b88226fa8be4f647467

SHA1
47bdd8e708db8adf8dc3b1d47b22f85f9e6f800c

SHA256
557528866c0d23de6414e2a78a6f31171cee3464072c355c8149c749be8479d9

SHA512
3ad8cc228c3d8005eca4da368208503662ea5ca8e2df5f67ca34e74ebf672619d7db3960f8e42a6b66beffc3e79ccfe5ba2f36814c8acd8dc97bc24f2d3c65d2

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
176KB

MD5
ee02cd653ccde0f07173ac19adee97f7

SHA1
06064f1200df7f344b9d72a069e65b1927a4ce5c

SHA256
e8bda1396b223054af15ca360ab668cfa7e7fd7c4675805bbd3f52968e761afb

SHA512
ff6b420f78355e259239a3f883304fef2ecbba1b5d3252f2f36e7ceee8d755d3654600d2bf904436e95ed373bb87007c5d89e53aac8d7cd2873f48b867682695

Download Submit
memory/436-188-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1008-60-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1060-64-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1060-198-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1752-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1752-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1760-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1760-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1956-187-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2252-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2252-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-44-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2300-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2580-204-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2580-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-195-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2996-88-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-203-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3060-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3168-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3208-197-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3272-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3552-171-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3692-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3800-190-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3920-123-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4148-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-196-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4604-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4624-189-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4644-202-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-194-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4840-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4908-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5016-28-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads