5f18effa53ca0d3dfaa7449e10a368afa24697da00a18f24297542b7b1d2882c

Analysis

max time kernel
68s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26-04-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

198b4cfd8d084d7bc58dfcf81fdb377e.exe
Size

115KB
MD5

198b4cfd8d084d7bc58dfcf81fdb377e
SHA1

46fbd735564604fb0aa2225da11ac2552258920a
SHA256

5f18effa53ca0d3dfaa7449e10a368afa24697da00a18f24297542b7b1d2882c
SHA512

c59f0813e023f9d44bfc6cefeddf83d3402057335c926ed75e58ea346d08b59ce4ca0e29d21b06a728e1078b12a491498a9df6433388dccc8b7ab9a2618aedce
SSDEEP

3072:KpmMQotlEyNoIIqFmcjvVeqVi62RtXvFW2VTbWymWU6SMQehalNgFuk0:5M9lEyNoIIqFmcjvVeqVi6OXvf6ymWUf

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nbkhfc32.exeMgnnhk32.exeNafokcol.exeNddkgonp.exeNcihikcg.exeNcldnkae.exeMaaepd32.exeMdpalp32.exeNnhfee32.exeNkncdifl.exeNjcpee32.exeNgpjnkpf.exeNklfoi32.exeNbhkac32.exeNgedij32.exe198b4cfd8d084d7bc58dfcf81fdb377e.exeMglack32.exeNqfbaq32.exeNqmhbpba.exeNnmopdep.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	198b4cfd8d084d7bc58dfcf81fdb377e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	198b4cfd8d084d7bc58dfcf81fdb377e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe

Malware Dropper & Backdoor - Berbew 20 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

Processes:

resource	yara_rule
C:\Windows\SysWOW64\Mglack32.exe	family_berbew
C:\Windows\SysWOW64\Maaepd32.exe	family_berbew
C:\Windows\SysWOW64\Mdpalp32.exe	family_berbew
C:\Windows\SysWOW64\Mgnnhk32.exe	family_berbew
C:\Windows\SysWOW64\Nnhfee32.exe	family_berbew
C:\Windows\SysWOW64\Nqfbaq32.exe	family_berbew
C:\Windows\SysWOW64\Ngpjnkpf.exe	family_berbew
C:\Windows\SysWOW64\Nklfoi32.exe	family_berbew
C:\Windows\SysWOW64\Nafokcol.exe	family_berbew
C:\Windows\SysWOW64\Nddkgonp.exe	family_berbew
C:\Windows\SysWOW64\Nkncdifl.exe	family_berbew
C:\Windows\SysWOW64\Nnmopdep.exe	family_berbew
C:\Windows\SysWOW64\Nbhkac32.exe	family_berbew
C:\Windows\SysWOW64\Nqmhbpba.exe	family_berbew
C:\Windows\SysWOW64\Nbkhfc32.exe	family_berbew
C:\Windows\SysWOW64\Njcpee32.exe	family_berbew
C:\Windows\SysWOW64\Nkcmohbg.exe	family_berbew
C:\Windows\SysWOW64\Ncldnkae.exe	family_berbew
C:\Windows\SysWOW64\Ngedij32.exe	family_berbew
C:\Windows\SysWOW64\Ncihikcg.exe	family_berbew

Executes dropped EXE 20 IoCs

Processes:

Mglack32.exeMaaepd32.exeMdpalp32.exeMgnnhk32.exeNnhfee32.exeNqfbaq32.exeNgpjnkpf.exeNklfoi32.exeNafokcol.exeNddkgonp.exeNkncdifl.exeNnmopdep.exeNbhkac32.exeNcihikcg.exeNgedij32.exeNjcpee32.exeNbkhfc32.exeNqmhbpba.exeNcldnkae.exeNkcmohbg.exe

pid	process
212	Mglack32.exe
2920	Maaepd32.exe
4272	Mdpalp32.exe
872	Mgnnhk32.exe
3296	Nnhfee32.exe
1960	Nqfbaq32.exe
1148	Ngpjnkpf.exe
3876	Nklfoi32.exe
5076	Nafokcol.exe
4900	Nddkgonp.exe
3300	Nkncdifl.exe
1160	Nnmopdep.exe
4808	Nbhkac32.exe
2116	Ncihikcg.exe
4832	Ngedij32.exe
3708	Njcpee32.exe
2632	Nbkhfc32.exe
3660	Nqmhbpba.exe
1416	Ncldnkae.exe
3088	Nkcmohbg.exe

Drops file in System32 directory 60 IoCs

Processes:

Nqfbaq32.exeNklfoi32.exeNafokcol.exeNkncdifl.exeNcihikcg.exeNjcpee32.exeMgnnhk32.exeNbkhfc32.exeNnmopdep.exe198b4cfd8d084d7bc58dfcf81fdb377e.exeNnhfee32.exeNqmhbpba.exeNgpjnkpf.exeNddkgonp.exeMglack32.exeNcldnkae.exeMdpalp32.exeNgedij32.exeNbhkac32.exeMaaepd32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	198b4cfd8d084d7bc58dfcf81fdb377e.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	198b4cfd8d084d7bc58dfcf81fdb377e.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	198b4cfd8d084d7bc58dfcf81fdb377e.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4392 3088 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
4392	3088	WerFault.exe	Nkcmohbg.exe

Modifies registry class 63 IoCs

Processes:

Nddkgonp.exe198b4cfd8d084d7bc58dfcf81fdb377e.exeMaaepd32.exeNqfbaq32.exeNcldnkae.exeNkncdifl.exeNbhkac32.exeNbkhfc32.exeNafokcol.exeNgedij32.exeNqmhbpba.exeNnhfee32.exeNgpjnkpf.exeNcihikcg.exeNjcpee32.exeNnmopdep.exeMdpalp32.exeMglack32.exeMgnnhk32.exeNklfoi32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	198b4cfd8d084d7bc58dfcf81fdb377e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	198b4cfd8d084d7bc58dfcf81fdb377e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	198b4cfd8d084d7bc58dfcf81fdb377e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	198b4cfd8d084d7bc58dfcf81fdb377e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	198b4cfd8d084d7bc58dfcf81fdb377e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	198b4cfd8d084d7bc58dfcf81fdb377e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

198b4cfd8d084d7bc58dfcf81fdb377e.exeMglack32.exeMaaepd32.exeMdpalp32.exeMgnnhk32.exeNnhfee32.exeNqfbaq32.exeNgpjnkpf.exeNklfoi32.exeNafokcol.exeNddkgonp.exeNkncdifl.exeNnmopdep.exeNbhkac32.exeNcihikcg.exeNgedij32.exeNjcpee32.exeNbkhfc32.exeNqmhbpba.exeNcldnkae.exe

description	pid	process	target process
PID 2000 wrote to memory of 212	2000	198b4cfd8d084d7bc58dfcf81fdb377e.exe	Mglack32.exe
PID 2000 wrote to memory of 212	2000	198b4cfd8d084d7bc58dfcf81fdb377e.exe	Mglack32.exe
PID 2000 wrote to memory of 212	2000	198b4cfd8d084d7bc58dfcf81fdb377e.exe	Mglack32.exe
PID 212 wrote to memory of 2920	212	Mglack32.exe	Maaepd32.exe
PID 212 wrote to memory of 2920	212	Mglack32.exe	Maaepd32.exe
PID 212 wrote to memory of 2920	212	Mglack32.exe	Maaepd32.exe
PID 2920 wrote to memory of 4272	2920	Maaepd32.exe	Mdpalp32.exe
PID 2920 wrote to memory of 4272	2920	Maaepd32.exe	Mdpalp32.exe
PID 2920 wrote to memory of 4272	2920	Maaepd32.exe	Mdpalp32.exe
PID 4272 wrote to memory of 872	4272	Mdpalp32.exe	Mgnnhk32.exe
PID 4272 wrote to memory of 872	4272	Mdpalp32.exe	Mgnnhk32.exe
PID 4272 wrote to memory of 872	4272	Mdpalp32.exe	Mgnnhk32.exe
PID 872 wrote to memory of 3296	872	Mgnnhk32.exe	Nnhfee32.exe
PID 872 wrote to memory of 3296	872	Mgnnhk32.exe	Nnhfee32.exe
PID 872 wrote to memory of 3296	872	Mgnnhk32.exe	Nnhfee32.exe
PID 3296 wrote to memory of 1960	3296	Nnhfee32.exe	Nqfbaq32.exe
PID 3296 wrote to memory of 1960	3296	Nnhfee32.exe	Nqfbaq32.exe
PID 3296 wrote to memory of 1960	3296	Nnhfee32.exe	Nqfbaq32.exe
PID 1960 wrote to memory of 1148	1960	Nqfbaq32.exe	Ngpjnkpf.exe
PID 1960 wrote to memory of 1148	1960	Nqfbaq32.exe	Ngpjnkpf.exe
PID 1960 wrote to memory of 1148	1960	Nqfbaq32.exe	Ngpjnkpf.exe
PID 1148 wrote to memory of 3876	1148	Ngpjnkpf.exe	Nklfoi32.exe
PID 1148 wrote to memory of 3876	1148	Ngpjnkpf.exe	Nklfoi32.exe
PID 1148 wrote to memory of 3876	1148	Ngpjnkpf.exe	Nklfoi32.exe
PID 3876 wrote to memory of 5076	3876	Nklfoi32.exe	Nafokcol.exe
PID 3876 wrote to memory of 5076	3876	Nklfoi32.exe	Nafokcol.exe
PID 3876 wrote to memory of 5076	3876	Nklfoi32.exe	Nafokcol.exe
PID 5076 wrote to memory of 4900	5076	Nafokcol.exe	Nddkgonp.exe
PID 5076 wrote to memory of 4900	5076	Nafokcol.exe	Nddkgonp.exe
PID 5076 wrote to memory of 4900	5076	Nafokcol.exe	Nddkgonp.exe
PID 4900 wrote to memory of 3300	4900	Nddkgonp.exe	Nkncdifl.exe
PID 4900 wrote to memory of 3300	4900	Nddkgonp.exe	Nkncdifl.exe
PID 4900 wrote to memory of 3300	4900	Nddkgonp.exe	Nkncdifl.exe
PID 3300 wrote to memory of 1160	3300	Nkncdifl.exe	Nnmopdep.exe
PID 3300 wrote to memory of 1160	3300	Nkncdifl.exe	Nnmopdep.exe
PID 3300 wrote to memory of 1160	3300	Nkncdifl.exe	Nnmopdep.exe
PID 1160 wrote to memory of 4808	1160	Nnmopdep.exe	Nbhkac32.exe
PID 1160 wrote to memory of 4808	1160	Nnmopdep.exe	Nbhkac32.exe
PID 1160 wrote to memory of 4808	1160	Nnmopdep.exe	Nbhkac32.exe
PID 4808 wrote to memory of 2116	4808	Nbhkac32.exe	Ncihikcg.exe
PID 4808 wrote to memory of 2116	4808	Nbhkac32.exe	Ncihikcg.exe
PID 4808 wrote to memory of 2116	4808	Nbhkac32.exe	Ncihikcg.exe
PID 2116 wrote to memory of 4832	2116	Ncihikcg.exe	Ngedij32.exe
PID 2116 wrote to memory of 4832	2116	Ncihikcg.exe	Ngedij32.exe
PID 2116 wrote to memory of 4832	2116	Ncihikcg.exe	Ngedij32.exe
PID 4832 wrote to memory of 3708	4832	Ngedij32.exe	Njcpee32.exe
PID 4832 wrote to memory of 3708	4832	Ngedij32.exe	Njcpee32.exe
PID 4832 wrote to memory of 3708	4832	Ngedij32.exe	Njcpee32.exe
PID 3708 wrote to memory of 2632	3708	Njcpee32.exe	Nbkhfc32.exe
PID 3708 wrote to memory of 2632	3708	Njcpee32.exe	Nbkhfc32.exe
PID 3708 wrote to memory of 2632	3708	Njcpee32.exe	Nbkhfc32.exe
PID 2632 wrote to memory of 3660	2632	Nbkhfc32.exe	Nqmhbpba.exe
PID 2632 wrote to memory of 3660	2632	Nbkhfc32.exe	Nqmhbpba.exe
PID 2632 wrote to memory of 3660	2632	Nbkhfc32.exe	Nqmhbpba.exe
PID 3660 wrote to memory of 1416	3660	Nqmhbpba.exe	Ncldnkae.exe
PID 3660 wrote to memory of 1416	3660	Nqmhbpba.exe	Ncldnkae.exe
PID 3660 wrote to memory of 1416	3660	Nqmhbpba.exe	Ncldnkae.exe
PID 1416 wrote to memory of 3088	1416	Ncldnkae.exe	Nkcmohbg.exe
PID 1416 wrote to memory of 3088	1416	Ncldnkae.exe	Nkcmohbg.exe
PID 1416 wrote to memory of 3088	1416	Ncldnkae.exe	Nkcmohbg.exe

C:\Users\Admin\AppData\Local\Temp\198b4cfd8d084d7bc58dfcf81fdb377e.exe
"C:\Users\Admin\AppData\Local\Temp\198b4cfd8d084d7bc58dfcf81fdb377e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\Maaepd32.exe
C:\Windows\system32\Maaepd32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\Mdpalp32.exe
C:\Windows\system32\Mdpalp32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4272

C:\Windows\SysWOW64\Mgnnhk32.exe
C:\Windows\system32\Mgnnhk32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\Nddkgonp.exe
C:\Windows\system32\Nddkgonp.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4900

C:\Windows\SysWOW64\Nkncdifl.exe
C:\Windows\system32\Nkncdifl.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\Nnmopdep.exe
C:\Windows\system32\Nnmopdep.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\SysWOW64\Ngedij32.exe
C:\Windows\system32\Ngedij32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4832

C:\Windows\SysWOW64\Njcpee32.exe
C:\Windows\system32\Njcpee32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
21⤵
- Executes dropped EXE
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3088 -s 400
22⤵
- Program crash
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3088 -ip 3088
1⤵
PID:4992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe
Filesize
115KB

MD5
a2db093c4060776d6fa2fc0e9c03a9af

SHA1
c035522d9a7fa7fb28c74e473cf022266aedfe4c

SHA256
51324030f7e8a2baed1ab0f56289e0cb8054d5edd8d6af1b48ce4d0b051f824b

SHA512
55f0a1aa1f7014a755b703509089ee15395110b2c0479453e9b26bade3ac543d7473da8a7a5695741789a29214605c98f0e837f12d54430059963d036a118d4a

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe
Filesize
115KB

MD5
1c24d528c11038ee3199070344c9997f

SHA1
a53f4916f6e7f576d262c5ce1dfb6b36718957e5

SHA256
3b69d104fd92f4c7ae7d7b6d450e5374f8f0a15448d332bd500cf05d6391d177

SHA512
a4283b5a99c19dc7c9596a3e8df067019215ea0d15edd5bcfaddd0e5705453cc1b71e3c80e19bd636889914e7c116e4e5f0a71984f3ec960ddcb725913f4745c

Download Submit
C:\Windows\SysWOW64\Mglack32.exe
Filesize
115KB

MD5
1e9474c080cc31ac24bf61d5f34def59

SHA1
289f3a58e86260d1f4139ec3f1bae56bfb5f0950

SHA256
add56a0dbe711081583d14e02b2c69b5fc879bb9057981c7fbe41f7e4d7d55a4

SHA512
6dbddc062b7ac12f92d242c6e313c8510240f54f59fb2663f2b0b3b5e300a20a274bf27182db9b208ef0721fcceb780ded3ecc576c6ea65581049c49311138d1

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe
Filesize
115KB

MD5
f1c7526e808596c9ce5ef11460b100dd

SHA1
16ef0d5185bcf4e1c2db46dcd718f13c7501ee99

SHA256
5ec58efcd64080fb39032121afd175a320111b4847192621dc4cbde06d251612

SHA512
5b44a64907ffa1f48eeda3952bd19f0739a529841ac98b6fb9d916921be385318a7fd3cb45095127eb846833b34d351eef1c43851f6714fbe3a9f8fe99d57b27

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe
Filesize
115KB

MD5
4add1ce29af61f5792d95fd06e8db1da

SHA1
b627a634c92ad9f422f278fb353aedad3b61683f

SHA256
bd5de1db660230bc1da38fca775188efd55f34fdb3706cf27e3657edf14142c0

SHA512
34c215f91d083b3f41b6aa4e8ada8234eabae7bb60b3de1f37e5193f6dacf0125e5e79c8f2e8fee06dce16fcc7ae2787c04008cb8bb7503c0fc8b33a3f1fcaaa

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe
Filesize
115KB

MD5
45bcd824b0a087456c45544f5c851df1

SHA1
97cf56c099f48c0a27f6d2a7f946f07f906b63ca

SHA256
be46d22acb3c5fad3ba969a9c3197168bd26d0bdb6c2303bc6da04145bef67c0

SHA512
e1946d7ef74e2015f3384b0bc6ac78b1681863db6ee7c4bb5ada02759e62d3cd82da2131c3d9764ecf2f9c61bef0503a26117a530a85b608db4bd4ac4d73ffe3

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe
Filesize
115KB

MD5
387f1424ba289117ffed7ee15dc2f95b

SHA1
58b02d170e9c8f49814c3fec39e627d1bf561697

SHA256
b56d5e47cc8f9f8d617ef05cdadc54811689f6324b811601a581e64a877142f0

SHA512
07efb5cf807a40342135deb11bd7592fffb28fb20e622cf751e81676fffb5d3519cafa635656ac696d24e4e57128bf3dbf8fbc30de14a4e31fa8bac289f639dc

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe
Filesize
115KB

MD5
c866264b32bd80425a108a330004ea89

SHA1
10af1ac890bb865894ff5ab1e3bafd92daa5f3df

SHA256
8f1b8722077beccf0abeefbd66ebe8898740f7df96f6ea154792065af76fad2e

SHA512
9e13296f5d7c7ac9eeb50d0d438ec99ac6b0e6612197e616537b311df82c58c4805bc19790ad7370ff4788d9e34760bc7cfc19650899e5308c0d60c2cceea5fa

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe
Filesize
115KB

MD5
751625248fa3b787cbbc714010e86cb4

SHA1
ba90377af42f0ea3229d3761567ae4ca7085e28c

SHA256
7195d1c4fac232a7d734b25135417aaf6dbb8e677f3a9c2c2c8eb1bfd1e09329

SHA512
68ea24f48cc5cb6027ea4657189bba883cd7487c5558b0395016b082de661fa40f8cb2e8802307f26f3fc9b30b4c09810e206cb2363110e391d5c1a686519ef6

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe
Filesize
115KB

MD5
f5bd3db8814c4a081032e4ff44179061

SHA1
2981e7da67756079370355e0469915654bf8a5ab

SHA256
f4683c39b8e9e793785bab5a461f0aee5ac384309e90fc575dfbf38473ae13f8

SHA512
c7939447a444aa2f2cc032cd46b9e20887baffd1c060565e612d5c7dce2b58924223ebff3925fedc3d492aaa7bb98629ab09f1430fbeab91f2cbdd3bfaaf4f2f

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe
Filesize
115KB

MD5
1eaebad5cc77460a2a7cd1fdabaecea6

SHA1
ff0766db4df5413c823aaa38fdb6b92f28f91df6

SHA256
82295474798d7fc66bfc45f2bcb24c95e5add6eedaf8f71eed0e4060334a3cf8

SHA512
f96fe7ee2c6a2ba3bbe874b7bfe8989b4413980938ee58864db999fb2f9918cabe7ea0f950617b16f247c133aa4202fecf9621cc168f940a65f37e284002e4a4

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe
Filesize
115KB

MD5
156aca1bac3464b4c1c11d11c91e2f34

SHA1
c7574bb4835269df2b23c6523b4a35137f7ea245

SHA256
8406fbebefa7a7e950d9d44999d1f7ac1ca800a21ee58b1999b26ce1a6b722e4

SHA512
f5d7ac04a6218fa846cb415af48e8d491ca85abefae227728e0ff73eb1a031eeb92c460d960ee0f189273695d141760c16bb85ca43e6922e7ea65bf7579e707c

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe
Filesize
115KB

MD5
c0266c5e0bdb9cc70fc0a0548ee7691a

SHA1
b30fe1d784a18628f958d90d7a7777a84cd2ca02

SHA256
cbd1ac16f7a3bbc090dc8d95dc9a201f969037be8830d2517415652007045de1

SHA512
916a8085868714ca7b53a0ab144abf57b6c8e3ec00d8939fd93191d1a1bed93a7ff53e41644d55499ca4c420ac240c380531537ed28c05fcb64c47e153ce3a01

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
115KB

MD5
c32950b84dbc86596d90fc85ef2ab8aa

SHA1
53f2b70949cef0a60cef00c2fbad5763f64115ef

SHA256
002c8e8acd29bac5aedc5334bb6ea49fd16f9559176e472cb52f47eba521f2e3

SHA512
03a463e62f6128f934024519d473f68c5f3aed41d9b61ae3fc3306f1964a79af79c0d0c89bd470d488c66db37357f2df34bc73fc8044609a7e688913570253aa

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe
Filesize
115KB

MD5
676c452b0a843aa818dc2555025e4a2a

SHA1
d88660e5b0dc92f0252b7f29057e4aabe60a1fc7

SHA256
497c8c19f6a2c1e8ca70dc222102b0c843fdcf8272e98273c796c07814aba697

SHA512
163882d72e4f8a45069ee399e086002c4086dbc9101ca81156fc4dcd34a4a18eab2975b611a4d69db7c15e1801caa57248219c0e34c3df49809ca69c04a76cdd

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe
Filesize
115KB

MD5
6cae21dc8456f210baf7397a0c7ab7c6

SHA1
e6b45e1e029859f9576f8168731c4b43fffb9465

SHA256
a127d100a8cc843b9ab8fd7e33bdd4107b5c28bdb0085dbb15dee873d9f06876

SHA512
5cc195ece405b9f487cd60fe5f0fc041224732ecf2874da6cd6c4aa89983cc12e69bf9a5fff5d9bb29e3d76e6f44f5a4d76afe90f5767c93c431ac23a39bda36

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
Filesize
115KB

MD5
169ed585632563177d1ba8e8be4dfba5

SHA1
b34f0b73923322befe0ff83d8b15f1bad0abaad3

SHA256
fc6e0d7bda1dced0384bdfd753080092e5433ab7f4332bb7df04eef58bf8a04a

SHA512
f28e521779bb43e3cfb43ad8291b68c3cae97100f631debd5816511a77f537c2592e3c3d0c459b908c4018b9169be65f3d7474fd434b307a38bcb2e1ff476de6

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe
Filesize
115KB

MD5
3b99203f573ce69e89ea6cc105a2d0f1

SHA1
fbb64d2e871c82ae0eb78c4b5bf0ea2c5dcf89d0

SHA256
5940cc01b0f99b93dfaa425e1bcd8c2e96823da5d1e06cd9b5d60181106da2f6

SHA512
d8ded0a02bbbcc5414aaf4c1e35a3069172d627c8fe5d86ed9ad227b958c502a6ef85b101de4ef0b742638be0532589ed1304dd5f5f65faec9b54d7d456c8df6

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe
Filesize
115KB

MD5
092a737f5cbc7955090d018cc620aeec

SHA1
8cf1b864bbe8cb1f226b20f3dc30eb7778de6571

SHA256
e8ae1f4d0b80c547d5e43007c63536ef6c0a3510763d37c4f238a8dcac370778

SHA512
ea047a59f0c53eece7d6a9e9485f4cf01a0e3571a50da45b9bcdff7b4e06ff5ae5aa02e080af36e0e9fd927ecb17b53febf1aa48f02b2946eeea1d21d2fbfdc5

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe
Filesize
115KB

MD5
e3800f786f1d65fb4cf6278608cd2b66

SHA1
113a6a7495e97630dbcffa61b663e632a61257eb

SHA256
f379f69423adbf8a59f9597325f87a87628f8ecb21c6719b07e00ed7429bb90e

SHA512
2b892760ef98448a6456db77a87709edfe9d78ebe446e8731c7e96ab910950d31e9cf036df6143ed0333c9ab09c805d52e10aef6715787942f712ae8933e31ec

Download Submit
memory/212-7-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/212-88-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/872-120-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/872-32-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1148-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1148-166-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1160-105-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1416-167-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-48-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1960-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2000-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2116-121-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2632-155-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2920-20-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2920-103-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3088-168-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-129-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3300-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3300-170-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3660-156-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3708-154-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3876-64-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3876-173-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4272-28-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4272-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4808-110-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4808-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4832-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4900-81-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4900-171-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5076-76-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5076-172-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download