1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Size

71KB
MD5

241bba7c7ea26a52b0d1762ba951c8a0
SHA1

3f87d04dc3cb19c61015c77e7c08c3bfd3568812
SHA256

1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43
SHA512

a5138e872bd5ca39d04557926a405189644ea40470bc24e2cae2ebc87f318e2e819d05e5a3a79c6138404cef0be0d9559a263e11d12feeb9d90800e6b5bd539b
SSDEEP

1536:gEx2oGqvlIf5CMkW3j/mShFkrGZYfp59ZONRQbDbEyRCRRRoR4Rk:gEx2ugCkzukFHYBOeLEy032ya

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nklfoi32.exe1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exeMglack32.exeMcbahlip.exeNcldnkae.exeNnjbke32.exeNqklmpdd.exeNcihikcg.exeNkqpjidj.exeMkepnjng.exeNdbnboqb.exeNgcgcjnc.exeMpdelajl.exeMnfipekh.exeNnhfee32.exeNjacpf32.exeMncmjfmk.exeMpaifalo.exeNqmhbpba.exeNqiogp32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nklfoi32.exe

Executes dropped EXE 20 IoCs

Processes:

Mkepnjng.exeMncmjfmk.exeMpaifalo.exeMglack32.exeMnfipekh.exeMpdelajl.exeMcbahlip.exeNnhfee32.exeNdbnboqb.exeNklfoi32.exeNnjbke32.exeNqiogp32.exeNgcgcjnc.exeNjacpf32.exeNqklmpdd.exeNcihikcg.exeNkqpjidj.exeNqmhbpba.exeNcldnkae.exeNkcmohbg.exe

pid	process
2848	Mkepnjng.exe
4368	Mncmjfmk.exe
220	Mpaifalo.exe
860	Mglack32.exe
4752	Mnfipekh.exe
4948	Mpdelajl.exe
3512	Mcbahlip.exe
2300	Nnhfee32.exe
4040	Ndbnboqb.exe
3624	Nklfoi32.exe
3952	Nnjbke32.exe
5088	Nqiogp32.exe
4312	Ngcgcjnc.exe
2976	Njacpf32.exe
656	Nqklmpdd.exe
2144	Ncihikcg.exe
1284	Nkqpjidj.exe
944	Nqmhbpba.exe
3416	Ncldnkae.exe
2516	Nkcmohbg.exe

Drops file in System32 directory 60 IoCs

Processes:

Mkepnjng.exeMpdelajl.exeNgcgcjnc.exeMnfipekh.exeNqiogp32.exeNjacpf32.exeNkqpjidj.exeNqmhbpba.exe1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exeNnhfee32.exeNqklmpdd.exeNcldnkae.exeMglack32.exeNklfoi32.exeMncmjfmk.exeNcihikcg.exeMpaifalo.exeNdbnboqb.exeMcbahlip.exeNnjbke32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1920 2516 WerFault.exe Nkcmohbg.exe

pid	pid_target	process	target process
1920	2516	WerFault.exe	Nkcmohbg.exe

Modifies registry class 63 IoCs

Processes:

Mpaifalo.exeNjacpf32.exeNnjbke32.exeNqklmpdd.exeNcldnkae.exeNnhfee32.exeNqiogp32.exeMnfipekh.exeMpdelajl.exeNkqpjidj.exeNqmhbpba.exe1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exeMncmjfmk.exeMglack32.exeMcbahlip.exeNdbnboqb.exeNklfoi32.exeMkepnjng.exeNgcgcjnc.exeNcihikcg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nklfoi32.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exeMkepnjng.exeMncmjfmk.exeMpaifalo.exeMglack32.exeMnfipekh.exeMpdelajl.exeMcbahlip.exeNnhfee32.exeNdbnboqb.exeNklfoi32.exeNnjbke32.exeNqiogp32.exeNgcgcjnc.exeNjacpf32.exeNqklmpdd.exeNcihikcg.exeNkqpjidj.exeNqmhbpba.exeNcldnkae.exe

description	pid	process	target process
PID 1588 wrote to memory of 2848	1588	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe	Mkepnjng.exe
PID 1588 wrote to memory of 2848	1588	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe	Mkepnjng.exe
PID 1588 wrote to memory of 2848	1588	1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe	Mkepnjng.exe
PID 2848 wrote to memory of 4368	2848	Mkepnjng.exe	Mncmjfmk.exe
PID 2848 wrote to memory of 4368	2848	Mkepnjng.exe	Mncmjfmk.exe
PID 2848 wrote to memory of 4368	2848	Mkepnjng.exe	Mncmjfmk.exe
PID 4368 wrote to memory of 220	4368	Mncmjfmk.exe	Mpaifalo.exe
PID 4368 wrote to memory of 220	4368	Mncmjfmk.exe	Mpaifalo.exe
PID 4368 wrote to memory of 220	4368	Mncmjfmk.exe	Mpaifalo.exe
PID 220 wrote to memory of 860	220	Mpaifalo.exe	Mglack32.exe
PID 220 wrote to memory of 860	220	Mpaifalo.exe	Mglack32.exe
PID 220 wrote to memory of 860	220	Mpaifalo.exe	Mglack32.exe
PID 860 wrote to memory of 4752	860	Mglack32.exe	Mnfipekh.exe
PID 860 wrote to memory of 4752	860	Mglack32.exe	Mnfipekh.exe
PID 860 wrote to memory of 4752	860	Mglack32.exe	Mnfipekh.exe
PID 4752 wrote to memory of 4948	4752	Mnfipekh.exe	Mpdelajl.exe
PID 4752 wrote to memory of 4948	4752	Mnfipekh.exe	Mpdelajl.exe
PID 4752 wrote to memory of 4948	4752	Mnfipekh.exe	Mpdelajl.exe
PID 4948 wrote to memory of 3512	4948	Mpdelajl.exe	Mcbahlip.exe
PID 4948 wrote to memory of 3512	4948	Mpdelajl.exe	Mcbahlip.exe
PID 4948 wrote to memory of 3512	4948	Mpdelajl.exe	Mcbahlip.exe
PID 3512 wrote to memory of 2300	3512	Mcbahlip.exe	Nnhfee32.exe
PID 3512 wrote to memory of 2300	3512	Mcbahlip.exe	Nnhfee32.exe
PID 3512 wrote to memory of 2300	3512	Mcbahlip.exe	Nnhfee32.exe
PID 2300 wrote to memory of 4040	2300	Nnhfee32.exe	Ndbnboqb.exe
PID 2300 wrote to memory of 4040	2300	Nnhfee32.exe	Ndbnboqb.exe
PID 2300 wrote to memory of 4040	2300	Nnhfee32.exe	Ndbnboqb.exe
PID 4040 wrote to memory of 3624	4040	Ndbnboqb.exe	Nklfoi32.exe
PID 4040 wrote to memory of 3624	4040	Ndbnboqb.exe	Nklfoi32.exe
PID 4040 wrote to memory of 3624	4040	Ndbnboqb.exe	Nklfoi32.exe
PID 3624 wrote to memory of 3952	3624	Nklfoi32.exe	Nnjbke32.exe
PID 3624 wrote to memory of 3952	3624	Nklfoi32.exe	Nnjbke32.exe
PID 3624 wrote to memory of 3952	3624	Nklfoi32.exe	Nnjbke32.exe
PID 3952 wrote to memory of 5088	3952	Nnjbke32.exe	Nqiogp32.exe
PID 3952 wrote to memory of 5088	3952	Nnjbke32.exe	Nqiogp32.exe
PID 3952 wrote to memory of 5088	3952	Nnjbke32.exe	Nqiogp32.exe
PID 5088 wrote to memory of 4312	5088	Nqiogp32.exe	Ngcgcjnc.exe
PID 5088 wrote to memory of 4312	5088	Nqiogp32.exe	Ngcgcjnc.exe
PID 5088 wrote to memory of 4312	5088	Nqiogp32.exe	Ngcgcjnc.exe
PID 4312 wrote to memory of 2976	4312	Ngcgcjnc.exe	Njacpf32.exe
PID 4312 wrote to memory of 2976	4312	Ngcgcjnc.exe	Njacpf32.exe
PID 4312 wrote to memory of 2976	4312	Ngcgcjnc.exe	Njacpf32.exe
PID 2976 wrote to memory of 656	2976	Njacpf32.exe	Nqklmpdd.exe
PID 2976 wrote to memory of 656	2976	Njacpf32.exe	Nqklmpdd.exe
PID 2976 wrote to memory of 656	2976	Njacpf32.exe	Nqklmpdd.exe
PID 656 wrote to memory of 2144	656	Nqklmpdd.exe	Ncihikcg.exe
PID 656 wrote to memory of 2144	656	Nqklmpdd.exe	Ncihikcg.exe
PID 656 wrote to memory of 2144	656	Nqklmpdd.exe	Ncihikcg.exe
PID 2144 wrote to memory of 1284	2144	Ncihikcg.exe	Nkqpjidj.exe
PID 2144 wrote to memory of 1284	2144	Ncihikcg.exe	Nkqpjidj.exe
PID 2144 wrote to memory of 1284	2144	Ncihikcg.exe	Nkqpjidj.exe
PID 1284 wrote to memory of 944	1284	Nkqpjidj.exe	Nqmhbpba.exe
PID 1284 wrote to memory of 944	1284	Nkqpjidj.exe	Nqmhbpba.exe
PID 1284 wrote to memory of 944	1284	Nkqpjidj.exe	Nqmhbpba.exe
PID 944 wrote to memory of 3416	944	Nqmhbpba.exe	Ncldnkae.exe
PID 944 wrote to memory of 3416	944	Nqmhbpba.exe	Ncldnkae.exe
PID 944 wrote to memory of 3416	944	Nqmhbpba.exe	Ncldnkae.exe
PID 3416 wrote to memory of 2516	3416	Ncldnkae.exe	Nkcmohbg.exe
PID 3416 wrote to memory of 2516	3416	Ncldnkae.exe	Nkcmohbg.exe
PID 3416 wrote to memory of 2516	3416	Ncldnkae.exe	Nkcmohbg.exe

C:\Users\Admin\AppData\Local\Temp\1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe
"C:\Users\Admin\AppData\Local\Temp\1431a5fbc605199371f37c085dd193f66a346cc1c1539411791be95e5400ad43.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\SysWOW64\Mkepnjng.exe
C:\Windows\system32\Mkepnjng.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\SysWOW64\Mncmjfmk.exe
C:\Windows\system32\Mncmjfmk.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\Mpaifalo.exe
C:\Windows\system32\Mpaifalo.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\Mglack32.exe
C:\Windows\system32\Mglack32.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:860

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\Ndbnboqb.exe
C:\Windows\system32\Ndbnboqb.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\SysWOW64\Nnjbke32.exe
C:\Windows\system32\Nnjbke32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\SysWOW64\Nqiogp32.exe
C:\Windows\system32\Nqiogp32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\Ngcgcjnc.exe
C:\Windows\system32\Ngcgcjnc.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976

C:\Windows\SysWOW64\Nqklmpdd.exe
C:\Windows\system32\Nqklmpdd.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\Ncihikcg.exe
C:\Windows\system32\Ncihikcg.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\Nqmhbpba.exe
C:\Windows\system32\Nqmhbpba.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:944

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
21⤵
- Executes dropped EXE
PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 420
22⤵
- Program crash
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2516 -ip 2516
1⤵
PID:3464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Codhke32.dll
Filesize
7KB

MD5
d29dc87a118bfce35059d47206772dc5

SHA1
f7563c84c13691b81e445462433fdbe11aa52215

SHA256
20540a269db5c9c873cbdcaa993532605fd86efcabc999aed13d93711671980c

SHA512
3ff889ccd2d43fa58dc1c79bebefafdd77a747093ac3144197259421af23b3c2d6ed1a03b2a986ae17c0ac868325703f015d97e963ed969005bdf69b345388ca

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe
Filesize
71KB

MD5
603f3ead56849ba564d06af0b4c1b7c9

SHA1
eafebe57345846b7571754870497b7e12cf1febe

SHA256
8d82df5d3e4afc9ff4ec27001b13b0a1e3092c8c6e3a6192c71f8a945da6d08e

SHA512
e525e25c14b3f1b0dbacf0aefeba5ae4505b77f76093ded2b255c76e9012dcb54983b548f996038607c344631db0d6674448f270e036a2d92c5c188a7f6a8b80

Download Submit
C:\Windows\SysWOW64\Mglack32.exe
Filesize
71KB

MD5
692aa08f2024e01698042e01b40f27e7

SHA1
3264ad2c7b53bcd72256d79be0387625f1a14cec

SHA256
3b8921ae5ffc018801d040984aa5838aff3c58836928bec313b3f8c03a0e772a

SHA512
8519f05ee0c8b175091ee89c6f9d8e635bf5f05c444c64e329694229d024f2683efa786524bd1c0975ee39e0a68c2f7cb8702a158c172ac598b07936ecb39066

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe
Filesize
71KB

MD5
eb823f906eb95a89173af21e0214324f

SHA1
2959dfa68334bcdc1469d5589db011ec66ff918c

SHA256
50327d234ad2fc88351f878f41ae5414951ed85d321a7da5397deef347e58618

SHA512
ac4d0d23d8f33519c7b8fe2e95ffa258942cf241550939dfcfdf568208866024da067acd8086a69b3b149b237c2e76491d21d9e53e3381c943c3634022ad6b06

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe
Filesize
71KB

MD5
0d9a189bc050ff61ac9710ae71e82def

SHA1
78488da6781e9a9d152f54137a94b273ca05f864

SHA256
046749238b9ace1a1afc7b9fca10d198d4a26148cf31bd54cddfd1365aaea238

SHA512
1b79d49dce28b03de53d6f57a2f84a6f6356f0768b1c8920f9560fa0ce9724950713f1f09155617d2004fc92e21a95bc3c2a450f32554d0c19745c9b494c9c56

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe
Filesize
71KB

MD5
d9c460b73590ccc1a751e8f472f8ebda

SHA1
523ea4b56514c840bf786fdeb08006bf45395249

SHA256
62ba883899ab874e6221e1a585cfe7f47b25d03cdaabb324c45538d2e0390a2a

SHA512
e117f85bb191898f5ae3bdaedb7fed4babd29e193e83f016bc2abff2b36c91944985e96ca622c53be6afb2b73a08a65afcf2d0fb8b0d46011d5e4d4621b55c14

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe
Filesize
71KB

MD5
32351f433a8a69823a2932fc78b1580f

SHA1
70fcab1c6dca643f9507207b7fe889ed576ae6ca

SHA256
38c6e05f07e2d2da56a6190c7934a847f35fba9c1a3747736cfb3e16c64c57be

SHA512
293726576c64422d5ec7d2ae7ad23d98b825d5860b9605f926d83c6d578d3121fbcc20eca02f8c7270df46d5022170e263ce473df2909cdaada2e29347f8bb87

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe
Filesize
71KB

MD5
fdb34c44bdbff193a8bb2320d71ca657

SHA1
fa1863949a2ae95546243d6a680b3ca8d2db1086

SHA256
9de4713f6245e159b429bff37bec07f817c0eb1d4e33c49b74ddf1464a34af4c

SHA512
b464b58bddd193c82951d5e4884d51ac6383844a12e9ea24c6ed38dbba218848f29ca2c45c11bad3d2e0d31f8778c6ee9072a7ebcd1db6238377da1a28e61a5c

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe
Filesize
71KB

MD5
6dfa34119b74a34b8fe5366e9d7f7c80

SHA1
3d5aa1272560f2c59dc33161731caf88523f2275

SHA256
7a9b6b9487d3261ab07fca624116982cc2b499bb2a22b479b304539c6993527e

SHA512
88401fab564461f8adf71192c679c06cfd9ca8f9cb16b7c6b2def2b3fb2d7ffb1f6265d97fe55d06905341b2c65af88581defab3072da2548b35de755af92b6d

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe
Filesize
71KB

MD5
5e557e29239c8e35a2eb7cae7970d190

SHA1
ffb358cafce10a22d7c16aeb90409b28d8d57d9f

SHA256
a07f0d2b4eaa8be79eb1299933acfec11d323170559dc7b5904e046720ed3d86

SHA512
2e98871a22dd0099b9eac8c503edadabbd7b30d99717d2ee22f12ac62e34aa9f283635e265621ac9fb266afdeb7831efd321e055693fd71757409f0733c0686d

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe
Filesize
71KB

MD5
9436958fb251a9eca934e6d528573ab8

SHA1
6a01ef20e8196c7ec4d99eb5069feacd2aeae926

SHA256
69c74d7a6a37d083d120aa45821e75287e4e8554421f5f23b95081f922c2d20f

SHA512
838398644ae1b44ae3a6229cea904f1fa451967d74f9925543f04f67827c9300e69f4f6bea9b83dfd72d4b7d1ba32c2e26601f3d445cb72be21fa734d303e9e2

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe
Filesize
71KB

MD5
58ba22211f5f9bbce89770d5a7f9ba8b

SHA1
9727b1a75c9856bcf136993ab2a3295cd8dab447

SHA256
b3f57cf5bf2804836374c3a3164137c811c093569e3510ac9944f43da20c3001

SHA512
215639ec9f3859504cccffc92333dcb0df2377d153788a449a42aab3829da49b39db9676f20338f1e867204f8dbe96c2df130e75bcb01f4aff4d72621c4067ef

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe
Filesize
71KB

MD5
9d28c4964ba7c064b4c6afaa58a05b90

SHA1
c8cd84c1eb802b8ccccb2284b43f336a09d55f5c

SHA256
4062dd5ffe215432212934e9e22ac02ede4d775f9dc24aa8dba07c5aa8f94c4f

SHA512
8800ee057265b76c2a95037e66335816e186c8b7137f514ed1f537fb9a044e49a7ac65883977a831381c6a02714bf9ed22141392deaf36ef9a2bd56f7d70e79a

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
71KB

MD5
5d1229d5c005c24b5d64292bbde10d93

SHA1
61d7af1962fd63b4feb884eab2c54262c668bd92

SHA256
0081e762b8f0bd88e75ce1ab525c2b6e6a3c1e9b872363bb898f0307af416259

SHA512
20b63d00953acdee965f1830d88c359730be0754b6f077f6871e8b9aa61f3003b9f44d1878b177bb29f9c7fdb3242280ede19c12db3a8780c07f196af28b3db8

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe
Filesize
71KB

MD5
174007413ebd6a6c9f426a58e1d5b527

SHA1
189442847705fa88dcab098f0ac216bbec80248d

SHA256
aa248f70700ece90783228f10d4e886a06b7b852500dfb741a7e09995ef359ea

SHA512
7300a4b0cb6af6feba175b39ae6002c1f14cd141b89e73478eaba0329bf08244a9f81b6dd0254c3afcfb866139c709f9639305a7323b6a83451648521dc78a46

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe
Filesize
71KB

MD5
0808366698a35892a9f8b29c0c66ac58

SHA1
d71c33aa767046b78b6f06c6e8ef76b25f8eff39

SHA256
05142db29a5c995c8bfc03b35866f96e2cb42db0632c69c78bae0cd13ef27ecf

SHA512
992448a309177517880984065077b0b55fe871012cee10c219206f2f6e5ef942aeb86fb68ffc8d6c2fa0f611b7796f87b9e1638770040125f530636b8de59b1d

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
Filesize
71KB

MD5
3393c885c7ebf0cfae2aabea4a9035ef

SHA1
79b935d728c9cc2e23ea855dd65226f3f12734d1

SHA256
53d08746c48ca6bfd565892daf1c1d919856824fe9ef98b0b14b72b53ca92fd0

SHA512
92104258c044d251081e71449ee4b7393dcf7cc16f352c3ec06e3dacee0940a874c9b867171e259fc1a56c5d3f902a441355a3cfcace9b44037b6b00b08bea4b

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe
Filesize
71KB

MD5
d3f192c96e9370f4387626c6cd76a2ac

SHA1
5467cf9a70e4119940d92df94c1688cf42e1ff70

SHA256
a57ba64e24dadff845c0c93a0eae4f738da8f597d4e5750d80fb86fd709fb606

SHA512
c2c48ee6ca0259bacbfefa8355407b913ace90f12895f386ed82493579f8a6f0cd4642ba8253b601599aeaadd7200cab1ba2b1c82f630608c5c01e1f1bac2824

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe
Filesize
71KB

MD5
e6667acde5b91fbfca8ad536e24993c0

SHA1
c6a151b207e221db98bfc877dc30d8d3a92043e5

SHA256
2adb50c80ff3561a9f17e29c752f49eac906ba644334d44c8c6c46a108c99698

SHA512
51a529e9b65eba21480520cf5e2250ace830d05d9e07a5d9aaf940400552f73c259f4ac06dc42c5d94cc406c3890fc28fb14b3d5923a2f2e67de8d1fe2fc3326

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe
Filesize
71KB

MD5
6dd28d2aa8c940fff45585431bdafabf

SHA1
2a674039692828fe6887d9cec0ac6ff00cdf5dc1

SHA256
e53e5d93dc641f5492acefe1373728f4e448ba77785b5759ada8d838fb3f76b5

SHA512
85e0ae118b5d9e01b5f6a1cd9aafe53614645723264d60d17ac4c59885318e0a25eafde9e163f2bfefe7f18c829bce3469781d031c926e88ea137989922b97a5

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe
Filesize
71KB

MD5
ecdc6bb95fd312d67cb7ac15c7922a48

SHA1
b8548c6d3922be0614be3f83939fa6fdc5432506

SHA256
f055d12c9530863852435dfc52c717d1b2dcaf9a9e18ce1d839d2cf9a1fb33fc

SHA512
5a7fc3175c8602d2c5d254e219106f97c7c13cf5213129a3500550231d4e28bcac65677577fd8ec0fa25f658fcbf972eedeb773abba88144575a476dd11f7e12

Download Submit
memory/220-177-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/220-24-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/656-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/656-166-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/860-176-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/860-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/944-162-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/944-144-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1284-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1284-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-180-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2144-132-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2144-165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2300-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2516-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2516-161-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-12-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2848-179-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-111-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-167-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-163-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3416-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3512-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3512-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3624-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3624-171-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3952-170-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3952-88-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4040-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4040-172-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4312-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4312-168-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4368-178-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4368-16-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4752-44-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4948-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4948-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-169-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5088-96-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download