e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b

Analysis

max time kernel
140s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Size

439KB
MD5

706e0179cfa2f9c1eb90eb55ab3f8152
SHA1

3e73dbabb57367ecf88bfaa448a288b0bbb47c94
SHA256

e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b
SHA512

59037021ef0007fb660cfec5fbc8b34b1a320c70b60f42b7d73029661531cc76f2cff26830a8c43f1b4d60b10a9729153ee13d91f92231536f5eae0fd2fbbf59
SSDEEP

12288:6VbYrVPeKm2OPeKm22Vtp90NtmVtp90NtXONt:6UpEkpEY

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe

Detects executables packed with ConfuserEx Mod 22 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023ba4-7.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/3540-9-0x0000000000400000-0x000000000049A000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bb8-15.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/memory/4452-29-0x0000000000400000-0x000000000049A000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bbc-32.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bbe-40.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bc0-46.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bcc-89.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bd0-103.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bd6-123.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bda-138.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bdc-145.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bd8-131.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bd4-117.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bd2-110.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bce-96.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bca-82.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bc8-75.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bc6-68.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bc4-61.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bc2-54.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral2/files/0x000a000000023bba-24.dat	INDICATOR_EXE_Packed_ConfuserEx

Executes dropped EXE 20 IoCs

pid	Process
3540	Mpdelajl.exe
1836	Ndbnboqb.exe
4452	Ngpjnkpf.exe
2732	Njogjfoj.exe
656	Nnjbke32.exe
1412	Nqiogp32.exe
3228	Ncgkcl32.exe
5100	Ngcgcjnc.exe
1612	Njacpf32.exe
4588	Nnmopdep.exe
2012	Nbhkac32.exe
3340	Ndghmo32.exe
1584	Ngedij32.exe
2916	Nkqpjidj.exe
4832	Nnolfdcn.exe
4892	Nbkhfc32.exe
536	Nqmhbpba.exe
4852	Ndidbn32.exe
3464	Nggqoj32.exe
2596	Nkcmohbg.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe

Program crash 1 IoCs

pid	pid_target	Process
3344	2596	WerFault.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 3540	212	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe	85
PID 212 wrote to memory of 3540	212	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe	85
PID 212 wrote to memory of 3540	212	e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe	85
PID 3540 wrote to memory of 1836	3540	Mpdelajl.exe	86
PID 3540 wrote to memory of 1836	3540	Mpdelajl.exe	86
PID 3540 wrote to memory of 1836	3540	Mpdelajl.exe	86
PID 1836 wrote to memory of 4452	1836	Ndbnboqb.exe	87
PID 1836 wrote to memory of 4452	1836	Ndbnboqb.exe	87
PID 1836 wrote to memory of 4452	1836	Ndbnboqb.exe	87
PID 4452 wrote to memory of 2732	4452	Ngpjnkpf.exe	88
PID 4452 wrote to memory of 2732	4452	Ngpjnkpf.exe	88
PID 4452 wrote to memory of 2732	4452	Ngpjnkpf.exe	88
PID 2732 wrote to memory of 656	2732	Njogjfoj.exe	89
PID 2732 wrote to memory of 656	2732	Njogjfoj.exe	89
PID 2732 wrote to memory of 656	2732	Njogjfoj.exe	89
PID 656 wrote to memory of 1412	656	Nnjbke32.exe	90
PID 656 wrote to memory of 1412	656	Nnjbke32.exe	90
PID 656 wrote to memory of 1412	656	Nnjbke32.exe	90
PID 1412 wrote to memory of 3228	1412	Nqiogp32.exe	91
PID 1412 wrote to memory of 3228	1412	Nqiogp32.exe	91
PID 1412 wrote to memory of 3228	1412	Nqiogp32.exe	91
PID 3228 wrote to memory of 5100	3228	Ncgkcl32.exe	92
PID 3228 wrote to memory of 5100	3228	Ncgkcl32.exe	92
PID 3228 wrote to memory of 5100	3228	Ncgkcl32.exe	92
PID 5100 wrote to memory of 1612	5100	Ngcgcjnc.exe	93
PID 5100 wrote to memory of 1612	5100	Ngcgcjnc.exe	93
PID 5100 wrote to memory of 1612	5100	Ngcgcjnc.exe	93
PID 1612 wrote to memory of 4588	1612	Njacpf32.exe	94
PID 1612 wrote to memory of 4588	1612	Njacpf32.exe	94
PID 1612 wrote to memory of 4588	1612	Njacpf32.exe	94
PID 4588 wrote to memory of 2012	4588	Nnmopdep.exe	95
PID 4588 wrote to memory of 2012	4588	Nnmopdep.exe	95
PID 4588 wrote to memory of 2012	4588	Nnmopdep.exe	95
PID 2012 wrote to memory of 3340	2012	Nbhkac32.exe	96
PID 2012 wrote to memory of 3340	2012	Nbhkac32.exe	96
PID 2012 wrote to memory of 3340	2012	Nbhkac32.exe	96
PID 3340 wrote to memory of 1584	3340	Ndghmo32.exe	97
PID 3340 wrote to memory of 1584	3340	Ndghmo32.exe	97
PID 3340 wrote to memory of 1584	3340	Ndghmo32.exe	97
PID 1584 wrote to memory of 2916	1584	Ngedij32.exe	98
PID 1584 wrote to memory of 2916	1584	Ngedij32.exe	98
PID 1584 wrote to memory of 2916	1584	Ngedij32.exe	98
PID 2916 wrote to memory of 4832	2916	Nkqpjidj.exe	99
PID 2916 wrote to memory of 4832	2916	Nkqpjidj.exe	99
PID 2916 wrote to memory of 4832	2916	Nkqpjidj.exe	99
PID 4832 wrote to memory of 4892	4832	Nnolfdcn.exe	100
PID 4832 wrote to memory of 4892	4832	Nnolfdcn.exe	100
PID 4832 wrote to memory of 4892	4832	Nnolfdcn.exe	100
PID 4892 wrote to memory of 536	4892	Nbkhfc32.exe	101
PID 4892 wrote to memory of 536	4892	Nbkhfc32.exe	101
PID 4892 wrote to memory of 536	4892	Nbkhfc32.exe	101
PID 536 wrote to memory of 4852	536	Nqmhbpba.exe	102
PID 536 wrote to memory of 4852	536	Nqmhbpba.exe	102
PID 536 wrote to memory of 4852	536	Nqmhbpba.exe	102
PID 4852 wrote to memory of 3464	4852	Ndidbn32.exe	103
PID 4852 wrote to memory of 3464	4852	Ndidbn32.exe	103
PID 4852 wrote to memory of 3464	4852	Ndidbn32.exe	103
PID 3464 wrote to memory of 2596	3464	Nggqoj32.exe	104
PID 3464 wrote to memory of 2596	3464	Nggqoj32.exe	104
PID 3464 wrote to memory of 2596	3464	Nggqoj32.exe	104

C:\Users\Admin\AppData\Local\Temp\e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe
"C:\Users\Admin\AppData\Local\Temp\e628807f57ba62c5a8f3e59785287f5474efb8cc2adecc1aa88776444cce903b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\Mpdelajl.exe
  C:\Windows\system32\Mpdelajl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\Ndbnboqb.exe
    C:\Windows\system32\Ndbnboqb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\Ngpjnkpf.exe
      C:\Windows\system32\Ngpjnkpf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4452
    - - C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        21⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 400
        22⤵
        Program crash
        
        PID:3344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2596 -ip 2596
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
439KB

MD5
9d570435d67b075e727262b56cdd5857

SHA1
85bde390ac278620906c20467ec639625c52d009

SHA256
1cc45a0d76b4ae86f4dec2f2bc51868312c5e88e4c38374febf6077e12f69ac7

SHA512
687f397d251b297c783bc93f6551af01e35039ab8a1333415d0eb8e41132292f940a8470fbd699e325949947c8b58baad723244253c5ae569b9f7708ac0da2d3

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
439KB

MD5
6c37cdc79400914e65ab13d8d4e384e7

SHA1
ac70b014de599491b614cdcc096406c46c2318c6

SHA256
4118c4fe68458b956f4c54d371ad01a0ebdf0ba55559177d996a439e0071431b

SHA512
2bb1035e6cbe7a52893b6a6707b497d20bdf385344085e72f780fe1fb12a5bef41f6ad2c4ae3ed257780c4d5d9024f70fa39b2092c649402b7fe32298c2db85b

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
439KB

MD5
705b65091b718644cd4ec3fcaa30e89a

SHA1
d4b296eea1e31764fb2b9b5031cbbe57414042ba

SHA256
e9e6dc80c9a808c2e93c574bd48967906b4bda3d679fbd17281439aea9305660

SHA512
4b3e83b787774efcbf136c80bb5585ea7714ea964d0ed4974087ccb3175876cacaa617e392b1e2f7a9bdac37e31098270ab74815df9681819c500f5067dd93f0

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
439KB

MD5
b3c5d55d0033c5d3a1cbd683e5a99031

SHA1
51823f48a9275d7b68e19e6fa5e51c39e185cf9d

SHA256
bfe1424a4702245ce0ce8f794e5c0755667e2dbf252d6085e04dfe4fd562d8ab

SHA512
9b70454c84d20f84300c3cd1578f27c8fbd3d9a9e66769fa9cd048350762edac42d72a71a85e03e129b900a99d7786c994156df154d6e7eaad6abc5fe84858f3

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
439KB

MD5
247c0483b885c4103743afbf670fe89d

SHA1
48fae6628b114ddf4482023601a1872463f05d7f

SHA256
ca61f790b2c3935190362a1ba15b3d967cba3962cf206a03ffd105431c9107a3

SHA512
0c3601a8aaa6f3adaaa9a1801f20288fa4e12d8523d85867dadf0ef2e5e60d14f6affbd1dc1828c752e95fae911328f7af70f539d7fa56f2e3a22f13e15919c7

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
439KB

MD5
4c549d7f3826cd6c02d639bb772f6f48

SHA1
18b4af30499c6977e6adaa2b9ae26e4f0bc6f66f

SHA256
0277a8a22392e938877b23478bcf1e14431e8809ba97966ee4f293c33b69ce60

SHA512
17816c158ce22a87504c662b76cda339e83fddb0596091e947001d4d25858e9b3c5c0331f70f6227184f059e4c8a334380a857736fa3557fde42440ca4a408fd

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
439KB

MD5
dc94997ca1f8a6cd536716ff8941f3a8

SHA1
fde5a3c2825061604ae4895bbdad13bcde6d2b5b

SHA256
031b18e4f236113abd541c7f5488b0b25b4cc63ecfec18d76322896e71ba1391

SHA512
6c49135a19d2648462f8376c6befba8804385299a06333bf88f7e9ce9fc1541d528a0cc1f456bfb39c062eaf124cf6ae7998dbf49e5ad50ea9ad23ec0e21ce89

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
439KB

MD5
876b595216d606142f145850bd196579

SHA1
bd1fed62710ecd8cc3670a1a6a31e3dbfbef24b4

SHA256
a61de7fdbd5e4fe907c3a73f101532c75b7ffa7b413b7d1b2eb8608d0483022e

SHA512
f5f7fd5d66f57146f4dc11c0fa7be47961baf3c4452abac4dd5c30a3b2277713480708cfd4a626a8a92247760ee4a6b6aa0f31816b0005d31ce35e28c45cb7c1

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
439KB

MD5
1026ab6e89ca7cecc41c73af038ae1d4

SHA1
4995b16f0f07f2f0860f5cd12c0c5028b3e562f6

SHA256
b8b76019eb08a75d0550c470cd4d1fbe27aa28f14a1268b81f8fc17d0675d16b

SHA512
295d77e7dd2952d9411ca586ab8315db203cc56f335665d5107f9e46df3c61ddc4e0d3be5fba14c6ad68a07881bf2aabd08b3444af964bf3746053e1e3d84ec2

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
439KB

MD5
93942799bdb91e13d096d3cf97bca87e

SHA1
f42acaafa918d95c8db9b966f845af16ed9568e9

SHA256
cbcd9f71bc57e29fc9d75f5c0302b47f5f97f00e40fafe1cc2a93bcfb38a8021

SHA512
892e0998d6c65139632fcb7fd329f0b621b97a3479e119efd1b9fdcf10e81baf1129200c9d3101784bb617dd757488e74e06f3ea3dad05d96a6cede9dedd6cc2

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
439KB

MD5
41d828699958523c4fcdfa83bed3450a

SHA1
04ad2dad70e34e8d258f47d1998f55c0bb4f655a

SHA256
2dbc9cd3cf9be58a8bdba4416e2b39c0d079ff81029344fa477f56e5ee6a40a6

SHA512
d5ffcc3c5aca04bcad67694e8cb397b4fa079a2a6f2a1bd5d6dec2a59e72eb185b31bbfbc3f8f60a21f7cf4ed435c6139878aa2179f9557e84cb553b21c69d61

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
439KB

MD5
6db93879e47896c6c0f4fdfc00df0b6f

SHA1
7385e27d2026bc488f0c327cdf73401ee6737135

SHA256
40d53855d048e1654696f67629956c7f15d0e9452588a4fde2f5875525bf1113

SHA512
1f50d96ca952fc7f8d5ca1f0e580123a065cfb0d2102226a34e83026c03e1659f558bd9f4afa5e6abbcb4c2330dbf5a63a8ca55abea921265d7cbfa5a366aa7b

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
439KB

MD5
31197a20378050ad1ce9865d6881de45

SHA1
56932ea47d5e9730d72eba765a24683566d64bd4

SHA256
3b6b31551eed6fc6eb685c4f64da2f7c0a1e42c5eaff70abd6bdec843314b8fc

SHA512
1ade4babc14317b19e34172ff58d34120305495bb53254e5ef7f29ef363f0eda95b04f360af69c9f23b33f4a84ac9654758c5d5290dff13093aad417b7f979ab

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
439KB

MD5
13f7eb38df7495909457ea8dd5409edd

SHA1
0649dea62eb89a8b52aa4d7568c5353294dfa4d4

SHA256
f3fd3ee1371c0275861e5298d4bee7462d53ee67906662044e2d67e89ac0dd40

SHA512
a7c273be356511bb58e85642e88f6559a79e2590cda0c79bc0d638ee17092be1e566acc78a7c96a8bc013843d6a31569e0a578237d6a7386344de488eeab37ce

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
439KB

MD5
24fab9f4cf774f579f119da019ba3f70

SHA1
f77849774f450fe94db4743ba19d18763adca874

SHA256
34686a5555ac208da755114470a76567d65640ac03755dcede3a33c92e9915d5

SHA512
305066d724a29ab55318cb0baed9b80273c54d9346e07bdfcc150b85260a58f2de7c1faa901f20cfd455ca2272b552a4da05f0766a98e7b63d21bb7a94ba5c66

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
439KB

MD5
02c8ac21ce1134790af286c8d3714df8

SHA1
a3e123f5ece85337ab951f2d557d99c8bbc6e0e6

SHA256
dc3474b1ecb5d2559eb6c8bf7f8620d9c9c6fda40c0431edbc9c9bb125105a73

SHA512
b82e3cd35d47223e1a6977e6bb4b73849a262189228b3d9a2c6268d8939431884962d21114d0bbe28e6f1b18a1a343123e60824a3fdfe7bee6e44a30f03191fd

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
439KB

MD5
bef711975d17925c3c9385c140d07dda

SHA1
b33fa6fef0479b1f34ec32bda52a42226b3a518b

SHA256
14f8b18e001e35cadabb2ffd1105f295f7ff7e8ab63cfda50b7a378dec1843f4

SHA512
6c78055ee030863e0c398123227fb3b2155c6dd5e2dc83b3e0eeb11de2f5ccd9593d6f5514cdb4a5b62fb8fa9039dd2e1d0bd0f4058f79c00fac253df80a4ba4

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
439KB

MD5
8793d97e51996a1f50d37a2bf33482d5

SHA1
d72cd3e8854eb8fbb7166f25ba0813ac13e4bc97

SHA256
0845aaa64b2bf1f8bc4fa9c7ca09bbe5ec6601f95645bf0d5d142832046fa533

SHA512
7163e6b91bfe95779643f82bd68334e3adcf582250ae574a91220b426467ef7c3e4623f5f30969673d71785344aae3a367227964e7547244df7a8001542950d9

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
439KB

MD5
046e061dab94927aba6925df751bbfed

SHA1
976faf10897fbc8bcc8563f10127d6f3a187a4f3

SHA256
6c1662fb14890d1556777016e70e9324bd55f1ea5c3b515f61610ac1e4277129

SHA512
e44c943f6549f86c109589788338462f7dc72778cd363daea17474b354e24464a4490fe52789bae1dd7d7eddb43d0a84c0f5241bf289233507aed2e1811caca0

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
439KB

MD5
b11b7cdf53856ad0bc9cb20d6b432bd3

SHA1
3416245cdfd445143e240f71e5eec14d8d07fbcd

SHA256
cff6ea9ab7e780dceaf9490b6fb804aa26b04c06562ce26e27d5c83fce47a404

SHA512
88d8e972ce1bd4026de752e215f922d217626188b881ab0a0e5f8b27fcebbd9e650e1d28f137c2fe842821810911ceb556a293ea0a1c3bfa50a508d0ba4da96b

Download Submit
memory/212-0-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/212-187-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/212-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/536-153-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/656-177-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1412-175-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1584-161-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1612-169-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1836-22-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/1836-183-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2012-165-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2596-147-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2732-37-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2732-179-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2916-159-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3228-173-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3340-163-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3464-149-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3540-9-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/3540-185-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4452-181-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4452-29-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4588-167-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4832-157-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4852-151-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4892-155-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/5100-171-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads