165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0

Analysis

max time kernel
142s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Size

264KB
MD5

0e1536991ee24481c103b06671afc6cb
SHA1

b0d6c57711170506a12992ab0d066b24436ce19d
SHA256

165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0
SHA512

58c78d5e78eafce90b850dac650e73016f04b731a0f9fc5a5b68cd29bae4da79bf22eed6e0f40be487758bc441e50a9327a5ec9dfe8f97fea2adb41bc8534ac1
SSDEEP

3072:KoFqzEAnDV8n3824ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lg:KoUzEAnDVi3RsFj5tPNki9HZd1sFj5tw

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe

Executes dropped EXE 26 IoCs

pid	Process
3100	Maohkd32.exe
3604	Maaepd32.exe
1328	Mdpalp32.exe
2708	Nnhfee32.exe
5080	Nqfbaq32.exe
436	Nceonl32.exe
2732	Ngpjnkpf.exe
1140	Njogjfoj.exe
1548	Nnjbke32.exe
4180	Nafokcol.exe
3976	Nqiogp32.exe
5012	Ncgkcl32.exe
2104	Ngcgcjnc.exe
4100	Nkncdifl.exe
4816	Nnmopdep.exe
3300	Nbhkac32.exe
5024	Nqklmpdd.exe
1372	Ndghmo32.exe
1204	Ncihikcg.exe
3500	Nkqpjidj.exe
4924	Njcpee32.exe
2220	Nnolfdcn.exe
2996	Nbkhfc32.exe
1484	Ndidbn32.exe
4568	Ncldnkae.exe
4740	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe

Program crash 1 IoCs

pid	pid_target	Process
2100	4740	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 3100	4264	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe	83
PID 4264 wrote to memory of 3100	4264	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe	83
PID 4264 wrote to memory of 3100	4264	165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe	83
PID 3100 wrote to memory of 3604	3100	Maohkd32.exe	84
PID 3100 wrote to memory of 3604	3100	Maohkd32.exe	84
PID 3100 wrote to memory of 3604	3100	Maohkd32.exe	84
PID 3604 wrote to memory of 1328	3604	Maaepd32.exe	85
PID 3604 wrote to memory of 1328	3604	Maaepd32.exe	85
PID 3604 wrote to memory of 1328	3604	Maaepd32.exe	85
PID 1328 wrote to memory of 2708	1328	Mdpalp32.exe	86
PID 1328 wrote to memory of 2708	1328	Mdpalp32.exe	86
PID 1328 wrote to memory of 2708	1328	Mdpalp32.exe	86
PID 2708 wrote to memory of 5080	2708	Nnhfee32.exe	87
PID 2708 wrote to memory of 5080	2708	Nnhfee32.exe	87
PID 2708 wrote to memory of 5080	2708	Nnhfee32.exe	87
PID 5080 wrote to memory of 436	5080	Nqfbaq32.exe	88
PID 5080 wrote to memory of 436	5080	Nqfbaq32.exe	88
PID 5080 wrote to memory of 436	5080	Nqfbaq32.exe	88
PID 436 wrote to memory of 2732	436	Nceonl32.exe	89
PID 436 wrote to memory of 2732	436	Nceonl32.exe	89
PID 436 wrote to memory of 2732	436	Nceonl32.exe	89
PID 2732 wrote to memory of 1140	2732	Ngpjnkpf.exe	90
PID 2732 wrote to memory of 1140	2732	Ngpjnkpf.exe	90
PID 2732 wrote to memory of 1140	2732	Ngpjnkpf.exe	90
PID 1140 wrote to memory of 1548	1140	Njogjfoj.exe	91
PID 1140 wrote to memory of 1548	1140	Njogjfoj.exe	91
PID 1140 wrote to memory of 1548	1140	Njogjfoj.exe	91
PID 1548 wrote to memory of 4180	1548	Nnjbke32.exe	92
PID 1548 wrote to memory of 4180	1548	Nnjbke32.exe	92
PID 1548 wrote to memory of 4180	1548	Nnjbke32.exe	92
PID 4180 wrote to memory of 3976	4180	Nafokcol.exe	93
PID 4180 wrote to memory of 3976	4180	Nafokcol.exe	93
PID 4180 wrote to memory of 3976	4180	Nafokcol.exe	93
PID 3976 wrote to memory of 5012	3976	Nqiogp32.exe	94
PID 3976 wrote to memory of 5012	3976	Nqiogp32.exe	94
PID 3976 wrote to memory of 5012	3976	Nqiogp32.exe	94
PID 5012 wrote to memory of 2104	5012	Ncgkcl32.exe	95
PID 5012 wrote to memory of 2104	5012	Ncgkcl32.exe	95
PID 5012 wrote to memory of 2104	5012	Ncgkcl32.exe	95
PID 2104 wrote to memory of 4100	2104	Ngcgcjnc.exe	96
PID 2104 wrote to memory of 4100	2104	Ngcgcjnc.exe	96
PID 2104 wrote to memory of 4100	2104	Ngcgcjnc.exe	96
PID 4100 wrote to memory of 4816	4100	Nkncdifl.exe	97
PID 4100 wrote to memory of 4816	4100	Nkncdifl.exe	97
PID 4100 wrote to memory of 4816	4100	Nkncdifl.exe	97
PID 4816 wrote to memory of 3300	4816	Nnmopdep.exe	98
PID 4816 wrote to memory of 3300	4816	Nnmopdep.exe	98
PID 4816 wrote to memory of 3300	4816	Nnmopdep.exe	98
PID 3300 wrote to memory of 5024	3300	Nbhkac32.exe	99
PID 3300 wrote to memory of 5024	3300	Nbhkac32.exe	99
PID 3300 wrote to memory of 5024	3300	Nbhkac32.exe	99
PID 5024 wrote to memory of 1372	5024	Nqklmpdd.exe	100
PID 5024 wrote to memory of 1372	5024	Nqklmpdd.exe	100
PID 5024 wrote to memory of 1372	5024	Nqklmpdd.exe	100
PID 1372 wrote to memory of 1204	1372	Ndghmo32.exe	101
PID 1372 wrote to memory of 1204	1372	Ndghmo32.exe	101
PID 1372 wrote to memory of 1204	1372	Ndghmo32.exe	101
PID 1204 wrote to memory of 3500	1204	Ncihikcg.exe	102
PID 1204 wrote to memory of 3500	1204	Ncihikcg.exe	102
PID 1204 wrote to memory of 3500	1204	Ncihikcg.exe	102
PID 3500 wrote to memory of 4924	3500	Nkqpjidj.exe	103
PID 3500 wrote to memory of 4924	3500	Nkqpjidj.exe	103
PID 3500 wrote to memory of 4924	3500	Nkqpjidj.exe	103
PID 4924 wrote to memory of 2220	4924	Njcpee32.exe	104

C:\Users\Admin\AppData\Local\Temp\165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe
"C:\Users\Admin\AppData\Local\Temp\165117c6af52774146f3071dfe9c263c0bbdb1921ab27cde47fe0c7b4aa854b0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\Maohkd32.exe
  C:\Windows\system32\Maohkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\Maaepd32.exe
    C:\Windows\system32\Maaepd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\Mdpalp32.exe
      C:\Windows\system32\Mdpalp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1328
    - - C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3300
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        27⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 400
        28⤵
        Program crash
        
        PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4740 -ip 4740
1⤵
PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
264KB

MD5
fdbc11fe465faf210ff5fc12d78c5cdc

SHA1
a690658ad58c0e8c1cb1bb881ee59d592e3eebca

SHA256
216081a6399d575a41e27346f55d04bb648b5cbe1aa93d981d736c9292b124cb

SHA512
83437c42e321f2f7846a856d792d7f9ad1175898d6f6803f3360bf1a8dce5e10ea5312308bdb4e06b3d1aa4dbf61066c10a267bb552f69191948fa75fbfcac50

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
264KB

MD5
e9082e79c02484d66cfbd4870c641817

SHA1
3b1b0c7811cb47f594536d1380684a0ef6c3cda4

SHA256
062baded768081d912100d8541b7b955aafd8a7d6da2bef4433a66f5755a1bbe

SHA512
2be196abcf502ebb8df0f91086443485c92abdfbce805da15117e6dc0ab39643771141dd31a1a3a1d7628d47c2c14c8db9fa39aaaaaebf0a1a74e7b0a65e1bde

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
264KB

MD5
4b33268be5dd4a2d39c8339985aa15f7

SHA1
260e302a61e0c9b8751eceb348929309b55933a5

SHA256
60db1f94706a6bb1508196bd5d9bf3bab1dc12e8b7896b9c66419331fce9fded

SHA512
a0d8fa62d1da53112f8fe8f12cf373ca143dfcce166353c56e1675693762df339e45a936e78f5e4ba24bbf71d10420fe18011da7beace4f9fa0cb1dd28ddb3af

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
264KB

MD5
e35879ff21facc2fb3c78dd8ba151dae

SHA1
3d7e6881063f46b929f3441e4807525423ec4886

SHA256
25b93542beb71772653f7a5286af0821702e24fe82031dccb46cc76680003139

SHA512
9fafc42e693b72119287e844b42b6210f84fd9b94e09dd5d0549b86a44e6083d23e1290e29634e2319a8dce4a0c0a9854aeb5213ac4418b75e8a78fffb83ecb9

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
264KB

MD5
5f6f68129def32a754eb239fc9e0263e

SHA1
03d0a0154cf71fa9ebdc97ab39bbacd698fd127d

SHA256
e42ea22e8459a1f006f126289c6094040f0095155782474defad1f601547052f

SHA512
e0923f9c4b037b5f26c9a1cc26fa0c5bb30888dde222c6260770dd8259b003e967e1489faa1fedac1d5e429a86636a6a244f96809e68478844fa4d685e7f27d5

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
264KB

MD5
754e3d29902db1d8d1fb3f0d6c5c8b5f

SHA1
5662cf03eda46707162b7f343e8e75d96a07a909

SHA256
a2be1962b3cafbabafa490d0b4fec9f35211b46b4847690b1094974ad5c8b2f0

SHA512
d85faa8576935c4e9d966d593a7cd6c4b8c33701b29286d581718dc1192680a5451de7fbc06f2dac714bdc962bcdb95f758ea82980779f7ea28dc69b04a6dd81

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
264KB

MD5
a5a564d1796b8531c28a68039bc309d0

SHA1
4f9e31bfe757df6f064f1a24b6ed3c31803e668f

SHA256
f017a30092e6d5bc7386d40ddb76df2ad26078aa6f7660af5512a3aba6c909c6

SHA512
09b5a745e8d8094b0500e5036b8ebc0d8bd748054e65269f79c7f0e185eda3060046e250a0b13b46e2ff9d86c7e0aaf1edd334cf70e3f9de16d65a52ad66a50b

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
264KB

MD5
cf4149260ad10d1df2eec4a19c1f07bf

SHA1
c965b0a8f15770a98ff1968e50790343f8e09971

SHA256
828a148da4da5b38d0e20f633428be21b4d631645ab7864bbdcd0af4c58888de

SHA512
43c27b9fa7f864e6db6f44a86d8ed82ba5d1c18c1d58c51dc0451d309c96a06942a7baae9b9288935846e0f8b218c04518839f633165f7f91e7e4f4c64dab97a

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
264KB

MD5
cbe7c12d78c728b7a54d31101c4f6e15

SHA1
5c6b1e33dbf05b28bd647dc929b788644af869f9

SHA256
d1705428740dee9950a9586da0df0498a396b5310d93ca29350d413e8ee57fc4

SHA512
f3b3f87bcd936a9ac29f5abb23762f34259035041261d36b97a29c8cf209f4537c8899b51a7d7a201245f90611abedff8baed1b9bb504c98613589bdacc1a398

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
264KB

MD5
2eaedd640e0ba048bda043a62af5945e

SHA1
0c95aa24768b493c4a6df9c70b0c97606762aecd

SHA256
c909df2edd7c513a051f10064a977cb84c0c2e68d8ca6813c0b83e361d9b63bb

SHA512
3e9aea73c1af25a94521fbcaa41d7bbc3165ff2535a03492045f2be16233f8fe2e7a3efb65dccb0efad6ce87b3fa31d092215310251166f4451f1eac26a89307

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
264KB

MD5
69d08703be7191155b127d3b6b56149a

SHA1
18709926d39a61f09ce5a407c7fe0ed847efae08

SHA256
d5684d46b201550de67b55ed0d360ed7d1d555e36b173be0ce681856fa381374

SHA512
69756c27d03658efcb04d66b5095833d5f6474043289db87bfff2ceab33c00de92ee78485bf231f0089e14883c9d5a1dd90df19c44f68d4777eec0c8d5f1227d

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
264KB

MD5
350095147a3a59506eff617d4390bb99

SHA1
90c0794c7a0c0f3ae0177802c4a4fc4a20f686c7

SHA256
0ed240afdfe827d7f0ae8da6936a9b8c4bed47d66e59534607e2b5849e0aa5b5

SHA512
50be1f7669715a32a84e102dbe372de085ccc2263d3b5ea49c0cba796b6c32c45fa4461c66da3f6505c5def9a7503a6ceb58f62cb0024b55abcceda0e5d8884f

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
264KB

MD5
3d35cb7b0a7c2ff50e774f7bb4adb538

SHA1
a9708974efb1d622b4227b78f9252743710106e9

SHA256
cdb49332fedaf8d1c3442793ad95cbe80ad6ff0e8fe2608f28a5db97b1b26f7b

SHA512
5df10a4b31b23c5a08be013a1979f975b9c1efc7a1ad3a15723f45e71708adea83b6b51d4bea06953c379e75e6071bdf266833557afd303da051b37e343a0b5b

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
264KB

MD5
8953a653b66a603216cb41fd769fbab0

SHA1
baabc740e899b38f10532a4da7f5381bdec2ad92

SHA256
56c6b6cacd8615d9031f7b6cdea104d6d360c6ca51467a6b474f5f705e7991ea

SHA512
ed16066323ab2805f823c9f9316ddd891238721e0d494463701053cbebacca11e060aee1e0a5e569799469bfd67ce0a0d7b6c827b1b4b871c37c13de1a4139d8

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
264KB

MD5
e54729585a4c05e6a54958b45ffda729

SHA1
4e134390300d394f29aa5847544a994cfd884707

SHA256
cfcd2909484459602771c356083c9dbbccc1e8fcde41830443ef6a3e48727ced

SHA512
22b4e73213a2c42bfaf12bdfb6b0f7f807edef90936534a9be28338055ae2a27a310b9e91b5103ddf90ffa1d4e46cc97a5644c9100041d3ba3f89e7088af2627

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
264KB

MD5
08bb6f8bced052f01a55f8f2a92e917c

SHA1
ab0c87d6b6b1e6d6afbcec51fb76f7555897b10e

SHA256
7489b5cf9cf768191606442b4bbe37688745e003ec72c748e0629066557c8218

SHA512
23156bc9f5f761cc979fbfae648bd6ad799ff2eb60089efcde0cc349e92bc6dde21bfb97b3925a3702687f0460297e1de5901541e2809d1f382b20115e71023d

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
264KB

MD5
59acc653723efcbb20efd76d9e09dc76

SHA1
d95b219a63d00c1bc05f309376af6caa9251b548

SHA256
51f5e7ee0198f4b12f8e78544de8b2df16bea311e07bd6c73e2c1588e5576a2e

SHA512
95aef5f1bc992dff8a6d5264cd8d5c193a38731efa92033f0887d7f894c3450e2b7c07ce2a2cd6c87d1126ff977c60a1d7d84e16f951e497bbdb3a4b6e43b84a

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
264KB

MD5
560d109a674b6e8558716672c2be6a31

SHA1
bc9938f7431625d75522511b5556fc7d5e000ba9

SHA256
3f21b760501b8ff7ba6f5359933d7404a0d053cb022ee4e1fcce3bb2b24bfcd5

SHA512
2f8038639f44dce0011b376b8ff036fba56ceb61f6eb4e58307f2563e28b2291a3a1d571ebee51bccabf0baa44d19a35d373dcfbbc8f6231914df33af6368446

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
264KB

MD5
0cc46006db9f85ff8ca52981d13f6122

SHA1
b192072c3e6b14fe4fc43a0e86cc177307c791f8

SHA256
2bc9a40b462560ca714b6e849ee7bc710c6d4e3095046f1d78f35e1787c38eb0

SHA512
c85668690e375cc9c8ee635ddff8c7da836ba7db8fc4a0ab32393ffbde250d4e64ea56487cae923021eb9f7e0a924d553b25bfefd0d9887c43374116b1ecc584

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
264KB

MD5
987f31d0820063e9b12987a68bfd2810

SHA1
227240e8f54d0fe062576c10a6f212bc314b5d7d

SHA256
8ec3b086a0f4807dc0bc2876ec181d4c914e1d75c9815439ce1099478b279519

SHA512
4d9bba6b28a2991ead50ccd4ef08dcc8341aeea563b6c1d6e228087ba6c5b361914e59670a744274a579369775d7fa057d46c01187921aa9f194335fb333d029

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
264KB

MD5
335a874c665c69ba247ede549a68e17c

SHA1
40a5c2b85755ef3d9cfd4c73b56809c00ade0348

SHA256
47c8ebac2d9dd82f58e34e13e3b952fe04f28134bdc7943cf3a0ed184186b121

SHA512
a2a2d9fdc14a85e12fcc12c667f3134ec0f72dab665b2db75e468543f11c87fc388007a9e8fb3d7fac995f471207c2ae993421b841018b5033f6973bb8996636

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
264KB

MD5
c482f99db4c3e31a6730eb1f60dd6ece

SHA1
74b3f67bf6d1c16fc97cde3412ffe7df3b345fe4

SHA256
a7155bca65782edecef59acf9de88e05407eccb5a7376c22646a06f082413099

SHA512
20aea38be05370e965d112d9a3e5a200566a3f5f10e0e039033304cc51a34ac8c3c8a303deaed27f8f4d65b620fc023a3a205626aa33cac5581d26c8c3991062

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
264KB

MD5
bae83d93ce0cc59131ea989c4f30e832

SHA1
d6a415c99710de1841901419de3764c2f96bdae7

SHA256
6e05565565c30991a36840489fd95b16101919f2514dbacfdeb84b86d5301572

SHA512
ea6df3b499c49ba4a51fae0ac874dd76567e876319701c6f42fb759d41bbcbf352f2be01e5cd923fd64d2a081b0730d9d1de5cd3a5ed6dc1e75c1c93eb8f7887

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
264KB

MD5
47484d1fe5c42d56df3e756060073dc0

SHA1
cfc06f9ac692c8768840c970ac1e940b91adc450

SHA256
27c1e027c16d1b788983783fbf611dac8dd4573c21e15e2c0fda31f695e73120

SHA512
bde5c5a976a002e7c0c047b292c247783498d0f681c0eab80ff9e59542bd44e9e37843a144f7bfb4471ac1df70f33245c796c8954723b01fdec29961c2d23b17

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
264KB

MD5
ed6e2df04e34e37ce9703f92f9cfc8ce

SHA1
f7cce01e09cae59c5d78c8c37cf548def08b1858

SHA256
1e9f8610a6a44209660bdf07dd7717bd622632935cf7131a980bbcfaa244f983

SHA512
f634822366392ef5263a79a39d5586ba70d8f70ec5aac20d4c355d8b8b6b993882eb0f2bc22e3b54d463bffbb5df951a7c54d18c30975b4424dec81bbdc97ad1

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
264KB

MD5
a5228ecf8eee77c2b49cb0debfb30f42

SHA1
f7540bc89417998dc20f0bae5d5d587ad92a8980

SHA256
50c87b6564033c222dba49c83eb5b41e4e2dc297a27401c7e76e1499cd724099

SHA512
3b8d743ef26a81a5ba85ac9fe06809f5fc28cef1f9fbd5d6f63700b055330532279f77167cd015c024f88e1e81b5974742f29c3c42938b9bf3fb44b43f0f7b1f

Download Submit
memory/436-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1328-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1372-207-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-225-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-217-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2220-199-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2996-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3100-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3300-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3500-203-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3604-237-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3976-221-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4100-215-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4180-223-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4264-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4568-193-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4740-191-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4816-213-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-201-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5012-219-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5024-209-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-232-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5080-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads