b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a

Analysis

max time kernel
135s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
Size

273KB
MD5

653d39da9e587db13b74ad0aa0097c4d
SHA1

4ef9df7e2ff94b063099ab42fa40ab3851df92cb
SHA256

b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a
SHA512

7a802e02a1c93cd3620430d5fc116542b14913f8488992fe224f574e05f1ddada332fb269a510308c2c28bec2c57b8a9ce44ea6ec1d174aa71b03fd3d296a0e1
SSDEEP

6144:LafoajIo50hcibfvlsZRkTebwBhGv4dC+1R8pvBgL0eXkUbGKl9veOPSV3uo97fq:2pC

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe

Executes dropped EXE 33 IoCs

pid	Process
4212	Mjeddggd.exe
1600	Mpolqa32.exe
4472	Maohkd32.exe
1408	Mdmegp32.exe
4764	Mglack32.exe
1164	Mkgmcjld.exe
1508	Mnfipekh.exe
3624	Mpdelajl.exe
4528	Mcbahlip.exe
1716	Nkjjij32.exe
2824	Nnhfee32.exe
3128	Nqfbaq32.exe
4240	Ndbnboqb.exe
396	Ngpjnkpf.exe
3848	Nklfoi32.exe
1128	Nnjbke32.exe
4156	Nafokcol.exe
4392	Nddkgonp.exe
2276	Ngcgcjnc.exe
1340	Nkncdifl.exe
4868	Njacpf32.exe
1588	Nnmopdep.exe
1864	Nqklmpdd.exe
392	Ndghmo32.exe
3232	Ncihikcg.exe
2852	Ngedij32.exe
3060	Nkqpjidj.exe
2084	Nnolfdcn.exe
3376	Nbkhfc32.exe
4660	Nqmhbpba.exe
1216	Ncldnkae.exe
4736	Nggqoj32.exe
4168	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mjeddggd.exe	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mjeddggd.exe	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe

Program crash 1 IoCs

pid	pid_target	Process
3208	4168	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4404 wrote to memory of 4212	4404	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe	84
PID 4404 wrote to memory of 4212	4404	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe	84
PID 4404 wrote to memory of 4212	4404	b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe	84
PID 4212 wrote to memory of 1600	4212	Mjeddggd.exe	85
PID 4212 wrote to memory of 1600	4212	Mjeddggd.exe	85
PID 4212 wrote to memory of 1600	4212	Mjeddggd.exe	85
PID 1600 wrote to memory of 4472	1600	Mpolqa32.exe	86
PID 1600 wrote to memory of 4472	1600	Mpolqa32.exe	86
PID 1600 wrote to memory of 4472	1600	Mpolqa32.exe	86
PID 4472 wrote to memory of 1408	4472	Maohkd32.exe	87
PID 4472 wrote to memory of 1408	4472	Maohkd32.exe	87
PID 4472 wrote to memory of 1408	4472	Maohkd32.exe	87
PID 1408 wrote to memory of 4764	1408	Mdmegp32.exe	88
PID 1408 wrote to memory of 4764	1408	Mdmegp32.exe	88
PID 1408 wrote to memory of 4764	1408	Mdmegp32.exe	88
PID 4764 wrote to memory of 1164	4764	Mglack32.exe	89
PID 4764 wrote to memory of 1164	4764	Mglack32.exe	89
PID 4764 wrote to memory of 1164	4764	Mglack32.exe	89
PID 1164 wrote to memory of 1508	1164	Mkgmcjld.exe	91
PID 1164 wrote to memory of 1508	1164	Mkgmcjld.exe	91
PID 1164 wrote to memory of 1508	1164	Mkgmcjld.exe	91
PID 1508 wrote to memory of 3624	1508	Mnfipekh.exe	92
PID 1508 wrote to memory of 3624	1508	Mnfipekh.exe	92
PID 1508 wrote to memory of 3624	1508	Mnfipekh.exe	92
PID 3624 wrote to memory of 4528	3624	Mpdelajl.exe	93
PID 3624 wrote to memory of 4528	3624	Mpdelajl.exe	93
PID 3624 wrote to memory of 4528	3624	Mpdelajl.exe	93
PID 4528 wrote to memory of 1716	4528	Mcbahlip.exe	94
PID 4528 wrote to memory of 1716	4528	Mcbahlip.exe	94
PID 4528 wrote to memory of 1716	4528	Mcbahlip.exe	94
PID 1716 wrote to memory of 2824	1716	Nkjjij32.exe	95
PID 1716 wrote to memory of 2824	1716	Nkjjij32.exe	95
PID 1716 wrote to memory of 2824	1716	Nkjjij32.exe	95
PID 2824 wrote to memory of 3128	2824	Nnhfee32.exe	96
PID 2824 wrote to memory of 3128	2824	Nnhfee32.exe	96
PID 2824 wrote to memory of 3128	2824	Nnhfee32.exe	96
PID 3128 wrote to memory of 4240	3128	Nqfbaq32.exe	97
PID 3128 wrote to memory of 4240	3128	Nqfbaq32.exe	97
PID 3128 wrote to memory of 4240	3128	Nqfbaq32.exe	97
PID 4240 wrote to memory of 396	4240	Ndbnboqb.exe	98
PID 4240 wrote to memory of 396	4240	Ndbnboqb.exe	98
PID 4240 wrote to memory of 396	4240	Ndbnboqb.exe	98
PID 396 wrote to memory of 3848	396	Ngpjnkpf.exe	99
PID 396 wrote to memory of 3848	396	Ngpjnkpf.exe	99
PID 396 wrote to memory of 3848	396	Ngpjnkpf.exe	99
PID 3848 wrote to memory of 1128	3848	Nklfoi32.exe	100
PID 3848 wrote to memory of 1128	3848	Nklfoi32.exe	100
PID 3848 wrote to memory of 1128	3848	Nklfoi32.exe	100
PID 1128 wrote to memory of 4156	1128	Nnjbke32.exe	101
PID 1128 wrote to memory of 4156	1128	Nnjbke32.exe	101
PID 1128 wrote to memory of 4156	1128	Nnjbke32.exe	101
PID 4156 wrote to memory of 4392	4156	Nafokcol.exe	102
PID 4156 wrote to memory of 4392	4156	Nafokcol.exe	102
PID 4156 wrote to memory of 4392	4156	Nafokcol.exe	102
PID 4392 wrote to memory of 2276	4392	Nddkgonp.exe	103
PID 4392 wrote to memory of 2276	4392	Nddkgonp.exe	103
PID 4392 wrote to memory of 2276	4392	Nddkgonp.exe	103
PID 2276 wrote to memory of 1340	2276	Ngcgcjnc.exe	104
PID 2276 wrote to memory of 1340	2276	Ngcgcjnc.exe	104
PID 2276 wrote to memory of 1340	2276	Ngcgcjnc.exe	104
PID 1340 wrote to memory of 4868	1340	Nkncdifl.exe	105
PID 1340 wrote to memory of 4868	1340	Nkncdifl.exe	105
PID 1340 wrote to memory of 4868	1340	Nkncdifl.exe	105
PID 4868 wrote to memory of 1588	4868	Njacpf32.exe	106

C:\Users\Admin\AppData\Local\Temp\b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe
"C:\Users\Admin\AppData\Local\Temp\b03eeec551908d7fdaa694913855918cc1eca99e22528e5f27180bbdcb5c079a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\Mjeddggd.exe
  C:\Windows\system32\Mjeddggd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\Mpolqa32.exe
    C:\Windows\system32\Mpolqa32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\SysWOW64\Maohkd32.exe
      C:\Windows\system32\Maohkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4472
    - - C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
      - C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3624
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4156
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        34⤵
        Executes dropped EXE
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 400
        35⤵
        Program crash
        
        PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4168 -ip 4168
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maohkd32.exe

Filesize
273KB

MD5
3df3e08f002c2101fca49358a43e485a

SHA1
6585b8e4563a4da609ea30ab69f2386a9f69ef2c

SHA256
49e768b17f8bceec98136e8c59976ce6e5beaefaccc6dd4869277756dd19bd0d

SHA512
b70f1ada5b0ce132d78027d3a61524531750e175c6d66b2bf564b533c2b20ac859e883019c8a84c7b374b060901f778312d4fa059bdd321cedf437390a42e0bb

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
273KB

MD5
2fb501190d1a22fe8757249bfe21e356

SHA1
98ede54a62dc140faa56d4b7e4fdb36677e711bf

SHA256
1be63ff42f724e02c8656b679b983aabe85ef2a0071322ab0209e0e40d27e251

SHA512
1f2c57526e0d577c61d9d85672729b8651355eb0b9a79b5bc6596783218c2993affda70c20ed916e35e660ebd547f3b96eac478597f1c3848ff210d506e73885

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
273KB

MD5
5a0f6449f2991c35d91ff67f695abb74

SHA1
846c17bcf0420fb932a7c271edb13216997fdb96

SHA256
637ae5359ad3f3fd98cea31728abc2810f9769f0d3317a9a626a34da9e1ed3d2

SHA512
79f9e73cfbbbaba8ba5075be4359cf999a23d61d6d2e4a795a7f4e04f776179571b24c65b0ddb8a9ef3ad34a62c39f20b4ad94d54d3423315da9a086939f7fc0

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
273KB

MD5
a8b1aa25e1e2bb1dbeac8af8c70589b9

SHA1
3afc34fcec6406d12009980b126ab7e4f331f884

SHA256
a376bb4f42cab372fd3cbfe5eee809d1b8b62a1aa72e53f608953a6496f185b4

SHA512
7211358192d1d6df9085535505f298f3db458716ff429e5258f8b215a31a6f6cf94f8449a4ca257673983b1ee385b4f2cf00141ec41e7d63a2807aaeefb34eba

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
273KB

MD5
822e32fc0731e00627101f22b2a039d4

SHA1
bae9478ab6e69d8f06da2f7c45898ac5ab7d6d11

SHA256
8fba872d2fe3e07a1e59306305df72f3e85cb7b3b8f2dcadd8b61a11fd1ae37a

SHA512
5c72354d879841b50bb911979fbb0bd818e88b65a9d3b1fafee8e04fa0787450dd23394f810451f2030c19bd3c885702ac5ce39e3b7428d04529621a433e389d

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
273KB

MD5
bbacb67d0f2a77ee5897338148e183ed

SHA1
6a70fa66776cc7855070aca1b706245e284238c5

SHA256
721103ab3cc6ae5abe1daac4dd07822eae914ac69fc47ff8848db2971f626e7d

SHA512
e96a161b134e74a99e1283c74857fdb9c353ce060993c266ced37d02518177f321ab7888be601ca0893088d8e5296734fd059f888412cab7b51b6a833a305bc0

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
273KB

MD5
099e1b9611f4148508bfce03f1afb528

SHA1
d748e8b3661854512323a9067a3d55f25dda4b61

SHA256
bd58e0de05e368613b289cef7862a61d29530b7aab8132b4fea8e0f9ebf7b3d5

SHA512
7aa2e5955988e495aac870733579779c2cb8cfd788f80df1a5a24647f7ac06da61d3c4d4fdfc2144407cb14e7dcf1545d758b4b05c3aabe4d5dbc8df8c2a3047

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
273KB

MD5
597fcb1bbd639ccf798234882692dbbc

SHA1
cc5b653cda1f00169c03463fac55b0fbd423e89a

SHA256
881d03cd0c13a6173d3b2b2e3710bd79d1fa13e6dabf68e2d798c6172d612c88

SHA512
cb1ed10c7154ffc7385c6c0516e00412caf3878d98b3e8baefa2899ccc956763447be94026830399da88a81991715e34fa35f1c0dacdfeec3fc948d2223d9664

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
273KB

MD5
b3096ff12bf1f9238df4361878be9590

SHA1
27532faafb868d744aefa92364d568f5bebe2170

SHA256
d6ecd2e10b528c2ec24780f8bf811c6e6906d81e03941d9779a40c345595ea3b

SHA512
719a5c5746e3fd81733c2442b885a95ccb01d87c416dc313933ec5d481745f896a307628cda04e4f32aad2ecd64b79fac09f1ce445fe0976b7c4c05875c14126

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
273KB

MD5
1904e1a40219e476703f2af51d49ff37

SHA1
994fb785017a946512a96b7540d024e5c893e18f

SHA256
ab71f208e03368b4e78865e44a91ee210a9c46850f21298413c3e9c211a7a0f3

SHA512
c48fd416558244e4afa1e794483dcd87e93f0bee96802228f67e8ff357149adbf0a4a8a73b8323b7fe26fdbf53f6d8fcb32542033597a69ca929f43123e8e16a

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
273KB

MD5
75098d3c7a907dc608f1ff6f50f4a0ad

SHA1
dfb4b3884bafe55d2358b2eae363da1a018ac4bb

SHA256
461b05bd32da6c2a41ba989d4f4360ff9703c95f630cde560f1e61e1ec80ae8b

SHA512
2efb920e0ba0ea9ca0b53e9e6553dfdadddea08691b9c300326f58fc5c4521a07a637157961e32b6572cd15d0aa1f04876f112e72a9d88d34d086e470d810c83

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
273KB

MD5
f8c01ae55f20b8304fe7c0d57a57eca2

SHA1
79fdc18691e39e3d5a1381c15b3bb39665c210b5

SHA256
aee5d3feceacf45ab611aa7cca07f24540b0b43d1e39f039c2c4574d6c9929bb

SHA512
837b62f3e81c9134b0bb5e3fd825bbad6b6757772baed708b1b7f583e8a4894d2e1e97c9d6dd8ee61371b06abaf71cee2542f621c7ad74d16666f38f657c024b

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
273KB

MD5
02d02dc14216cee72c06f463b7946234

SHA1
2e4566e345c972c35da537a7b8795feffe452d93

SHA256
4d2534a7d440f8f07d22c23305bc2e85f6aa078c5710b59c2326ca7ae44d4abe

SHA512
a41e4226bc25f9b1fff37f597a8ae2fe52afe09437004f512640406916cbf1830a0245d37555273be01cc9ac3ca4a350f6b142bd74642f21c5f7794dc9d3969d

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
273KB

MD5
2faef0a7814cd3b90613f7ba6afae19c

SHA1
6bbd08ce89ac50825eab05b287502693541baf75

SHA256
08690631930d977b18fa31fbc69c527701668cf10ee1e4ef9fbed6b768c19015

SHA512
c785f808f8367189f99cb6c37f427e77662c0ac9cd127a3f4779c7b9e1433f2c77bdbe15f72e44e94935c52cbc6a3cf712c47021be778fa15d5451aced56a66f

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
273KB

MD5
9d402fddb0508ae13673545af25589f8

SHA1
c34be5a81457c1c9633af5581f88cd89cb8b68f7

SHA256
a30401ffcbac3c9337fc645e386327dd0e9f095230471d7c38d207ba83903b75

SHA512
9a5046de0272ad18b962557a196e8c711dc44276116f6d9c820df3e40afdb716a92320f73843b6149ffcc5c67aae90ea9b97dcbcca93453163a6699ca490d832

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
273KB

MD5
b2ba528e767e4da882ba436e6074ab01

SHA1
283257ee9a0d3fc45251400a4e966d647bddd984

SHA256
48522ec85dcf6c0f40ecd846f2531be9ca903224f64a33a1debe04299cde39fe

SHA512
cab17bce3f07300224e313406cfb9eb7ac7257bbb7edea56598d64e88c96b92dbc6078883d61f0ba31b40002144a673b870705f820a26d649ded1d40d2b8af7f

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
273KB

MD5
88a1675c1e1706b69b0d3331d4ec1a25

SHA1
e44cca1d0e193f76cae8d8097e71febc1eeb7d77

SHA256
9b90cbec682f52626ac1f42912cf3617528d4b11769ba30de67fa347b5027d9f

SHA512
7b9df63ea4190d8b9b9febac539bb4dcc2e95b96719cdc17ded4a7cef238617f892e0ddeb5b64bab0d96ed6cb922d738104e6db0f224c7ec5b53fe863dc040df

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
273KB

MD5
0126eafe24439ffecb848060fefac641

SHA1
3b9050bc9bffa409d81d75e9d1aa8a3d453fd29b

SHA256
0cfb8952bf194843a60861b43848a10f9865d15d84a58ce4cdb7b2d3c5b30f06

SHA512
3665127e1434c1973903238faf4c4ab9e8914d9cd182852050eb7eb4293c832d9b2a0a98968a851a5cc6d6d28e7fcf6b18dd7d7340897e4d03b0bfd738e9d79a

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
273KB

MD5
54b111d0e192391c5ba14396333f1498

SHA1
857a6a771f0ce62e244470e06845cd23afa10817

SHA256
11fb02196372792ca3f46c7d31899c713ead10d51f3e2d6a947e6d6d8fdb40bf

SHA512
d7d05065c4793570287868f0907b9cf693aea42389895df8b4ed4a2e6af417902b0e93cff045b40dac40c3455afc02495afd59146c267543c2555365c9f4a46d

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
273KB

MD5
a2429fb87278a1a1d1318d3c7dd8afb5

SHA1
668f11262d084900bd023e960d13d747abc3a86d

SHA256
fd46ba27fc67a5e73458421480e392b76360d71e798a513bbdc3c816248a6d47

SHA512
3efdfd5fa9b9b6f6b4d3070a18595744a28d2e59b848b1d45fa71e0f252ebbb288121cc01165e067b9318e9b7154bc4d4fc85b4d0400dcac6a0e22cb19e12e66

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
273KB

MD5
afb6dfe0cefe47036e93dd2784262a02

SHA1
01340bd66d92b9471cb91ad48e14908f34224b97

SHA256
0ca3af6ad729c917769e19a80c0cae12947789bf61415a4af594c4a0da3dc1a5

SHA512
e97f9fc0908028206cca82b59f5fa9633106ed8cadcd98018427e5c82e4cc95d552b0feded2435e51fb1f75dc31a03de94beb5efc03d80aa26ddbd30301ceabd

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
273KB

MD5
656f5da88fec287c6db29451b727ff1e

SHA1
92d868348a504629d91950c6af544b1005cc137c

SHA256
37abd01b241523342ad3404edd1a59208d4434f141de621a67d44ac76c9e3660

SHA512
8d25d92b50152aa2c2579a1e9233130db47d6494daa975f9939ba5882b7a77ec811f017d61fc1af9bfaf4744d006e9f318e71d6e0e16aa62f3bac4048f6cb68d

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
273KB

MD5
ad2092bfb714722d812a11f887bd1d69

SHA1
c567425c43fd6c4d37841738abe91582391355d4

SHA256
5e52f733aca958304e6da31e7fa8aec3d23e98814040ce128ab1eff97707a5e1

SHA512
b3635157c26ca290f519b5bf81b7f1cee27038690539e1be7a779f9bf86ff4fa5680469f3737ea4a5bb50a5bf890f17a274e95aceef4c4cef1b96900c48f5a85

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
273KB

MD5
5565fa86e1fc6c722f30b74a5baf2312

SHA1
0da2387090c19b49a5db73aef05c4846f382c652

SHA256
62bead4da1f09167a95799bf07ece4a6ecbe8cb7de7f6c3b3aa23992f76276fd

SHA512
77397bfd2a093df1b5e0df149d9d0a14f9b8343fa96ba3a4743c714285e7911e315bf5c2c0bda164d714fc8675cedd4802a6a01f8429d6a08a1602cf24359857

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
273KB

MD5
d60a33b46c7679e0f8db713336c07e72

SHA1
5c25ffb2e1b592d88bfde75219d208d7c2624688

SHA256
6fdce8ba944ccaf5e3fff9bbce25a83c60dc009b44d9a2c5b04758d8b192e39f

SHA512
39cda2ed3eb8b1fcb93ee38084698d190aade3574bab7e996b46d7c554dc7accf64f7e0c53a099af5bdc5fd74172bf16f94fe89eaec983d2a25c4410110a0541

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
273KB

MD5
3c097f871e954cdf173f72c04fb1964e

SHA1
b73ee0c3971e2b4019a632580985567418dc48da

SHA256
ffda8a35b867e8fd5fac06022e1d54ec76e028d4ccd5de5cdd57efe50818be66

SHA512
37903e3d41320aaf3e6c2e2c60490ba15d6bcf0a65abe20fde88c2e7237a26f9388be1abc2be37a0f4897a950bdd826845d5d086e0f87937cf018f63eb4a2081

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
273KB

MD5
1d8fcb1fddfd6d8fa0256b01ab85e70a

SHA1
f7c0e27a998e5c5017e723350108d8ddd9be57b3

SHA256
0f8dcc800dd4c424f3fe214c08e4140d923005c1fab0df499835fa9b46633e9a

SHA512
dacd0c2ea8ee50c172c3d3216266c25a069a233b064feae2d81bfa1c2972377056d8ce04e02631311dd6e1b8b26d0795d09e07fd7a206a4fd60f8262f6af5580

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
273KB

MD5
05293f46d73173e058c2a558b2f65440

SHA1
1f41c4c53d7ed3c253b8b09c11dabd49499a6f40

SHA256
228b57c1ba276352bcf2e002b45383fe644a048afdd342125672d2401f831887

SHA512
c4dd53da6bc3ad3bb5170c6533ce6fa393570464cf0726ec65290b144000d77a0561a3ea750194b25075c893ba452e63163c5e82f220459ed5ec0da498cd1214

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
273KB

MD5
ecf2382132c034df66a64571e2c6447b

SHA1
b04f15c3c2d18a357b1fa0985b5d2db51705f26c

SHA256
86bddfc8485e11ec4d8a708eae72795e19028f00ca8e2e6607f139d6c3e1adb9

SHA512
34d33692b0ae600d03c7fb1bc557752272f8c24c5f1742e7625ed4a81fa91f7c9fd99dd1e7b5638b7dbf21e769daf288dc11c28dadf9e86edd49ca8eaeb9a22c

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
273KB

MD5
760a272942bd4677e329a9ce0603b2dc

SHA1
661383a68663d0cdfca677fedcaef8e9e0bd1278

SHA256
8fb052b74a4c1de50d0b79a15646c77ffcff511dadbb893915cf9b0a733e859a

SHA512
f31ffbdc02cf5424cdbd23ece60f994bf6f0ad560f4d48cbccf63173ac07be96bda92a6167500b41af870797e2d15e49e686d70f528677b63168fd3db4ff67b9

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
273KB

MD5
17d1aa650efcb88f5b307f1dadc1275e

SHA1
1ffdd9019b4d09970496621b4ab458f367c8ec14

SHA256
328451e2102f718f17ae068f2e60bef263e073a41c2a2a3368305147d8efa6d4

SHA512
e431d01ec8fc044a772f8bdede724b16803c48cbd8af085c4fbb7f88382d6d79696c38c5f9224e12fd6930ffac2b5a813676a0c4e6599e5efebf5cb16658c54e

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
273KB

MD5
bcbea67ef7e892d6751b8f6fe6b3788a

SHA1
379a6a5087366e96b46f194a75864f76ce5adc0f

SHA256
a6e77ff83a6f8e76a12b3bd144f83fc9e52088b83cb72f7356c881995852c7de

SHA512
aa8234b6cbb74a12155de6e09c2449dbef7e798f011658fe2aa5c37bde462e62837fa71559044986c1a0045f444e4d232ca434ec913cbfd97262bca25303264e

Download Submit
memory/392-254-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/392-274-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/396-244-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/396-294-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1128-246-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1128-290-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1164-310-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1164-48-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1216-261-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1340-282-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1340-250-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1408-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1408-314-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1508-64-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1508-308-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1588-252-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1588-278-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1600-17-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1600-318-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1716-302-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1716-240-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1864-276-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1864-253-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2084-267-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2276-284-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2276-249-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2824-241-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2824-300-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/2852-323-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3060-269-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3128-298-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3128-242-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3232-255-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3232-272-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3376-265-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3624-65-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3624-306-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3848-245-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/3848-292-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4156-247-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4156-288-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4168-257-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4212-12-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4212-320-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4240-243-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4240-296-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4392-248-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4392-286-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4404-322-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4404-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4404-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4472-316-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4472-29-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4528-304-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4528-77-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4660-263-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4736-259-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4764-312-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4764-47-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4868-251-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4868-280-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads