Analysis
max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted
22-05-2024 07:32
Behavioral task
behavioral1
Sample
242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
Resource
win10v2004-20240508-en
General
Target
242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
Size
1000KB
MD5
04bfde39252aa9c4fdd304ce2b19ba50
SHA1
93e79dd38f3827bd2832318f5966e1aed5b26ccb
SHA256
242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249
SHA512
455be64c71d6ffd147ca75a7dda82e1539de021574889cdcf0e86dc8911005e39297125eb6b331b49081e67336b0eb19fea013ddeeaa60c4cec4f8ff8fa4a890
SSDEEP
12288:s2KNY9ykjtHBFLPj3TmLnWrOxNuxC97hFq9o7:slY91tHBFLPj368MoC9Dq9o7
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njogjfoj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcnhmm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpaifalo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdpalp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcpebmkb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Maaepd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mdpalp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkncdifl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcpebmkb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nkqpjidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nddkgonp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncgkcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngedij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkgmcjld.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnjbke32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkncdifl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbhkac32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndghmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mkgmcjld.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqfbaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nceonl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngedij32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjjmog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcnhmm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjhqjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ngpjnkpf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnjbke32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbkhfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbkhfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ncgkcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbhkac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nqfbaq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ngpjnkpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njacpf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnolfdcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndidbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Maaepd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mcbahlip.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Njljefql.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkqpjidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nnolfdcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mpaifalo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjjmog32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njljefql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndghmo32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nggqoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nggqoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjhqjg32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njacpf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
Malware Dropper & Backdoor - Berbew 29 IoCs
Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.
resource | yara_rule
behavioral2/files/0x000a0000000233f2-6.dat | family_berbew
behavioral2/files/0x00070000000233fc-14.dat | family_berbew
behavioral2/files/0x00070000000233fe-22.dat | family_berbew
behavioral2/files/0x0007000000023400-31.dat | family_berbew
behavioral2/files/0x0007000000023402-39.dat | family_berbew
behavioral2/files/0x0007000000023404-47.dat | family_berbew
behavioral2/files/0x0007000000023406-54.dat | family_berbew
behavioral2/files/0x0007000000023408-61.dat | family_berbew
behavioral2/files/0x0007000000023410-88.dat | family_berbew
behavioral2/files/0x0007000000023412-96.dat | family_berbew
behavioral2/files/0x0007000000023414-103.dat | family_berbew
behavioral2/files/0x0007000000023416-110.dat | family_berbew
behavioral2/files/0x000700000002341a-124.dat | family_berbew
behavioral2/files/0x000700000002341e-137.dat | family_berbew
behavioral2/files/0x0007000000023426-166.dat | family_berbew
behavioral2/files/0x000700000002342a-180.dat | family_berbew
behavioral2/files/0x0007000000023430-200.dat | family_berbew
behavioral2/files/0x0007000000023432-208.dat | family_berbew
behavioral2/files/0x000700000002342e-194.dat | family_berbew
behavioral2/files/0x000700000002342c-187.dat | family_berbew
behavioral2/files/0x0007000000023428-173.dat | family_berbew
behavioral2/files/0x0007000000023424-159.dat | family_berbew
behavioral2/files/0x0007000000023422-152.dat | family_berbew
behavioral2/files/0x0007000000023420-145.dat | family_berbew
behavioral2/files/0x000700000002341c-131.dat | family_berbew
behavioral2/files/0x0007000000023418-117.dat | family_berbew
behavioral2/files/0x000700000002340e-82.dat | family_berbew
behavioral2/files/0x000700000002340c-75.dat | family_berbew
behavioral2/files/0x000700000002340a-68.dat | family_berbew
Executes dropped EXE 29 IoCs
pid | Process
752 | Mcnhmm32.exe
2472 | Mjhqjg32.exe
3496 | Mpaifalo.exe
3640 | Mcpebmkb.exe
4600 | Mkgmcjld.exe
2792 | Mjjmog32.exe
3608 | Maaepd32.exe
3628 | Mdpalp32.exe
4724 | Mcbahlip.exe
4564 | Njljefql.exe
3780 | Nnhfee32.exe
996 | Nqfbaq32.exe
3952 | Nceonl32.exe
3020 | Ngpjnkpf.exe
3972 | Njogjfoj.exe
4740 | Nnjbke32.exe
3148 | Nddkgonp.exe
4528 | Ncgkcl32.exe
2144 | Nkncdifl.exe
1284 | Njacpf32.exe
3800 | Nbhkac32.exe
1120 | Ndghmo32.exe
3736 | Ngedij32.exe
2964 | Nkqpjidj.exe
4732 | Nnolfdcn.exe
4276 | Nbkhfc32.exe
5084 | Ndidbn32.exe
3180 | Nggqoj32.exe
4200 | Nkcmohbg.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Mcpebmkb.exe | Mpaifalo.exe
File opened for modification | C:\Windows\SysWOW64\Mkgmcjld.exe | Mcpebmkb.exe
File created | C:\Windows\SysWOW64\Kcbibebo.dll | Mcbahlip.exe
File opened for modification | C:\Windows\SysWOW64\Ngedij32.exe | Ndghmo32.exe
File opened for modification | C:\Windows\SysWOW64\Mjjmog32.exe | Mkgmcjld.exe
File created | C:\Windows\SysWOW64\Nqfbaq32.exe | Nnhfee32.exe
File created | C:\Windows\SysWOW64\Fcdjjo32.dll | Nqfbaq32.exe
File opened for modification | C:\Windows\SysWOW64\Njacpf32.exe | Nkncdifl.exe
File created | C:\Windows\SysWOW64\Opbnic32.dll | Nbkhfc32.exe
File created | C:\Windows\SysWOW64\Nkcmohbg.exe | Nggqoj32.exe
File opened for modification | C:\Windows\SysWOW64\Nkqpjidj.exe | Ngedij32.exe
File created | C:\Windows\SysWOW64\Gpnkgo32.dll | Mcnhmm32.exe
File opened for modification | C:\Windows\SysWOW64\Mdpalp32.exe | Maaepd32.exe
File opened for modification | C:\Windows\SysWOW64\Nqfbaq32.exe | Nnhfee32.exe
File created | C:\Windows\SysWOW64\Ngpjnkpf.exe | Nceonl32.exe
File opened for modification | C:\Windows\SysWOW64\Ngpjnkpf.exe | Nceonl32.exe
File created | C:\Windows\SysWOW64\Nkncdifl.exe | Ncgkcl32.exe
File created | C:\Windows\SysWOW64\Ngedij32.exe | Ndghmo32.exe
File opened for modification | C:\Windows\SysWOW64\Maaepd32.exe | Mjjmog32.exe
File created | C:\Windows\SysWOW64\Njljefql.exe | Mcbahlip.exe
File created | C:\Windows\SysWOW64\Nnhfee32.exe | Njljefql.exe
File created | C:\Windows\SysWOW64\Npckna32.dll | Nnhfee32.exe
File created | C:\Windows\SysWOW64\Bdknoa32.dll | Nbhkac32.exe
File created | C:\Windows\SysWOW64\Paadnmaq.dll | Ndghmo32.exe
File created | C:\Windows\SysWOW64\Nbkhfc32.exe | Nnolfdcn.exe
File opened for modification | C:\Windows\SysWOW64\Mcnhmm32.exe | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
File opened for modification | C:\Windows\SysWOW64\Njljefql.exe | Mcbahlip.exe
File opened for modification | C:\Windows\SysWOW64\Njogjfoj.exe | Ngpjnkpf.exe
File created | C:\Windows\SysWOW64\Njacpf32.exe | Nkncdifl.exe
File created | C:\Windows\SysWOW64\Lkfbjdpq.dll | Nnolfdcn.exe
File created | C:\Windows\SysWOW64\Mkgmcjld.exe | Mcpebmkb.exe
File created | C:\Windows\SysWOW64\Jkeang32.dll | Ncgkcl32.exe
File created | C:\Windows\SysWOW64\Nbhkac32.exe | Njacpf32.exe
File created | C:\Windows\SysWOW64\Nkqpjidj.exe | Ngedij32.exe
File created | C:\Windows\SysWOW64\Ogpnaafp.dll | Ngedij32.exe
File created | C:\Windows\SysWOW64\Addjcmqn.dll | Ndidbn32.exe
File created | C:\Windows\SysWOW64\Fnelfilp.dll | Mjhqjg32.exe
File created | C:\Windows\SysWOW64\Jlnpomfk.dll | Nnjbke32.exe
File created | C:\Windows\SysWOW64\Lmbnpm32.dll | Nkncdifl.exe
File opened for modification | C:\Windows\SysWOW64\Ndghmo32.exe | Nbhkac32.exe
File created | C:\Windows\SysWOW64\Nnolfdcn.exe | Nkqpjidj.exe
File created | C:\Windows\SysWOW64\Cknpkhch.dll | Nkqpjidj.exe
File created | C:\Windows\SysWOW64\Hnibdpde.dll | Nggqoj32.exe
File created | C:\Windows\SysWOW64\Ekipni32.dll | Mcpebmkb.exe
File created | C:\Windows\SysWOW64\Lelgbkio.dll | Mdpalp32.exe
File created | C:\Windows\SysWOW64\Njogjfoj.exe | Ngpjnkpf.exe
File created | C:\Windows\SysWOW64\Kmalco32.dll | Njogjfoj.exe
File created | C:\Windows\SysWOW64\Ncgkcl32.exe | Nddkgonp.exe
File created | C:\Windows\SysWOW64\Ndghmo32.exe | Nbhkac32.exe
File opened for modification | C:\Windows\SysWOW64\Nggqoj32.exe | Ndidbn32.exe
File created | C:\Windows\SysWOW64\Mcpebmkb.exe | Mpaifalo.exe
File created | C:\Windows\SysWOW64\Hlmobp32.dll | Njljefql.exe
File opened for modification | C:\Windows\SysWOW64\Nkncdifl.exe | Ncgkcl32.exe
File created | C:\Windows\SysWOW64\Mjjmog32.exe | Mkgmcjld.exe
File created | C:\Windows\SysWOW64\Maaepd32.exe | Mjjmog32.exe
File created | C:\Windows\SysWOW64\Fhpdhp32.dll | Maaepd32.exe
File created | C:\Windows\SysWOW64\Mlhblb32.dll | Nceonl32.exe
File created | C:\Windows\SysWOW64\Mjhqjg32.exe | Mcnhmm32.exe
File created | C:\Windows\SysWOW64\Hhapkbgi.dll | Mpaifalo.exe
File created | C:\Windows\SysWOW64\Geegicjl.dll | Mkgmcjld.exe
File created | C:\Windows\SysWOW64\Nceonl32.exe | Nqfbaq32.exe
File opened for modification | C:\Windows\SysWOW64\Nceonl32.exe | Nqfbaq32.exe
File created | C:\Windows\SysWOW64\Ipkobd32.dll | Njacpf32.exe
File created | C:\Windows\SysWOW64\Lfcbokki.dll | Ngpjnkpf.exe
Program crash 1 IoCs
pid | pid_target | Process
2844 | 4200 | WerFault.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll" | Ngpjnkpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll" | Ndidbn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mkgmcjld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nnjbke32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll" | Nggqoj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nnhfee32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngpjnkpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll" | Nnjbke32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ncgkcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mcpebmkb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll" | Ndghmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ndghmo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ngedij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nkqpjidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll" | Nnolfdcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mjjmog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mdpalp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nkncdifl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll" | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Njljefql.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll" | Nceonl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll" | Nddkgonp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nnolfdcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nbkhfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mcnhmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Njacpf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nbhkac32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndghmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll" | Nkqpjidj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll" | Mjjmog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nqfbaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nddkgonp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nnolfdcn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Maaepd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mcnhmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll" | Mpaifalo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mkgmcjld.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mjjmog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll" | Njogjfoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ndidbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mpaifalo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Njljefql.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nqfbaq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll" | Ngedij32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndidbn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nggqoj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mjhqjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll" | Mjhqjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll" | Maaepd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mcbahlip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Mcbahlip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll" | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll" | Mcnhmm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Maaepd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll" | Njljefql.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nnhfee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ngpjnkpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll" | Nbhkac32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nbkhfc32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1816 wrote to memory of 752 | 1816 | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe | 84
PID 1816 wrote to memory of 752 | 1816 | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe | 84
PID 1816 wrote to memory of 752 | 1816 | 242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe | 84
PID 752 wrote to memory of 2472 | 752 | Mcnhmm32.exe | 85
PID 752 wrote to memory of 2472 | 752 | Mcnhmm32.exe | 85
PID 752 wrote to memory of 2472 | 752 | Mcnhmm32.exe | 85
PID 2472 wrote to memory of 3496 | 2472 | Mjhqjg32.exe | 86
PID 2472 wrote to memory of 3496 | 2472 | Mjhqjg32.exe | 86
PID 2472 wrote to memory of 3496 | 2472 | Mjhqjg32.exe | 86
PID 3496 wrote to memory of 3640 | 3496 | Mpaifalo.exe | 87
PID 3496 wrote to memory of 3640 | 3496 | Mpaifalo.exe | 87
PID 3496 wrote to memory of 3640 | 3496 | Mpaifalo.exe | 87
PID 3640 wrote to memory of 4600 | 3640 | Mcpebmkb.exe | 88
PID 3640 wrote to memory of 4600 | 3640 | Mcpebmkb.exe | 88
PID 3640 wrote to memory of 4600 | 3640 | Mcpebmkb.exe | 88
PID 4600 wrote to memory of 2792 | 4600 | Mkgmcjld.exe | 89
PID 4600 wrote to memory of 2792 | 4600 | Mkgmcjld.exe | 89
PID 4600 wrote to memory of 2792 | 4600 | Mkgmcjld.exe | 89
PID 2792 wrote to memory of 3608 | 2792 | Mjjmog32.exe | 90
PID 2792 wrote to memory of 3608 | 2792 | Mjjmog32.exe | 90
PID 2792 wrote to memory of 3608 | 2792 | Mjjmog32.exe | 90
PID 3608 wrote to memory of 3628 | 3608 | Maaepd32.exe | 91
PID 3608 wrote to memory of 3628 | 3608 | Maaepd32.exe | 91
PID 3608 wrote to memory of 3628 | 3608 | Maaepd32.exe | 91
PID 3628 wrote to memory of 4724 | 3628 | Mdpalp32.exe | 92
PID 3628 wrote to memory of 4724 | 3628 | Mdpalp32.exe | 92
PID 3628 wrote to memory of 4724 | 3628 | Mdpalp32.exe | 92
PID 4724 wrote to memory of 4564 | 4724 | Mcbahlip.exe | 93
PID 4724 wrote to memory of 4564 | 4724 | Mcbahlip.exe | 93
PID 4724 wrote to memory of 4564 | 4724 | Mcbahlip.exe | 93
PID 4564 wrote to memory of 3780 | 4564 | Njljefql.exe | 94
PID 4564 wrote to memory of 3780 | 4564 | Njljefql.exe | 94
PID 4564 wrote to memory of 3780 | 4564 | Njljefql.exe | 94
PID 3780 wrote to memory of 996 | 3780 | Nnhfee32.exe | 95
PID 3780 wrote to memory of 996 | 3780 | Nnhfee32.exe | 95
PID 3780 wrote to memory of 996 | 3780 | Nnhfee32.exe | 95
PID 996 wrote to memory of 3952 | 996 | Nqfbaq32.exe | 96
PID 996 wrote to memory of 3952 | 996 | Nqfbaq32.exe | 96
PID 996 wrote to memory of 3952 | 996 | Nqfbaq32.exe | 96
PID 3952 wrote to memory of 3020 | 3952 | Nceonl32.exe | 97
PID 3952 wrote to memory of 3020 | 3952 | Nceonl32.exe | 97
PID 3952 wrote to memory of 3020 | 3952 | Nceonl32.exe | 97
PID 3020 wrote to memory of 3972 | 3020 | Ngpjnkpf.exe | 98
PID 3020 wrote to memory of 3972 | 3020 | Ngpjnkpf.exe | 98
PID 3020 wrote to memory of 3972 | 3020 | Ngpjnkpf.exe | 98
PID 3972 wrote to memory of 4740 | 3972 | Njogjfoj.exe | 99
PID 3972 wrote to memory of 4740 | 3972 | Njogjfoj.exe | 99
PID 3972 wrote to memory of 4740 | 3972 | Njogjfoj.exe | 99
PID 4740 wrote to memory of 3148 | 4740 | Nnjbke32.exe | 100
PID 4740 wrote to memory of 3148 | 4740 | Nnjbke32.exe | 100
PID 4740 wrote to memory of 3148 | 4740 | Nnjbke32.exe | 100
PID 3148 wrote to memory of 4528 | 3148 | Nddkgonp.exe | 101
PID 3148 wrote to memory of 4528 | 3148 | Nddkgonp.exe | 101
PID 3148 wrote to memory of 4528 | 3148 | Nddkgonp.exe | 101
PID 4528 wrote to memory of 2144 | 4528 | Ncgkcl32.exe | 102
PID 4528 wrote to memory of 2144 | 4528 | Ncgkcl32.exe | 102
PID 4528 wrote to memory of 2144 | 4528 | Ncgkcl32.exe | 102
PID 2144 wrote to memory of 1284 | 2144 | Nkncdifl.exe | 103
PID 2144 wrote to memory of 1284 | 2144 | Nkncdifl.exe | 103
PID 2144 wrote to memory of 1284 | 2144 | Nkncdifl.exe | 103
PID 1284 wrote to memory of 3800 | 1284 | Njacpf32.exe | 104
PID 1284 wrote to memory of 3800 | 1284 | Njacpf32.exe | 104
PID 1284 wrote to memory of 3800 | 1284 | Njacpf32.exe | 104
PID 3800 wrote to memory of 1120 | 3800 | Nbhkac32.exe | 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\242718d23bafc101e292e3f18c9c3a304bcd568430039e6d2682adb4743ad249.exe"
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1816

C:\Windows\SysWOW64\Mcnhmm32.exe (depth 2)
Command line: C:\Windows\system32\Mcnhmm32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 752

C:\Windows\SysWOW64\Mjhqjg32.exe (depth 3)
Command line: C:\Windows\system32\Mjhqjg32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2472

C:\Windows\SysWOW64\Mpaifalo.exe (depth 4)
Command line: C:\Windows\system32\Mpaifalo.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3496

C:\Windows\SysWOW64\Mcpebmkb.exe (depth 5)
Command line: C:\Windows\system32\Mcpebmkb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3640

C:\Windows\SysWOW64\Mkgmcjld.exe (depth 6)
Command line: C:\Windows\system32\Mkgmcjld.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4600

C:\Windows\SysWOW64\Mjjmog32.exe (depth 7)
Command line: C:\Windows\system32\Mjjmog32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2792

C:\Windows\SysWOW64\Maaepd32.exe (depth 8)
Command line: C:\Windows\system32\Maaepd32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3608

C:\Windows\SysWOW64\Mdpalp32.exe (depth 9)
Command line: C:\Windows\system32\Mdpalp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3628

C:\Windows\SysWOW64\Mcbahlip.exe (depth 10)
Command line: C:\Windows\system32\Mcbahlip.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4724

C:\Windows\SysWOW64\Njljefql.exe (depth 11)
Command line: C:\Windows\system32\Njljefql.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4564

C:\Windows\SysWOW64\Nnhfee32.exe (depth 12)
Command line: C:\Windows\system32\Nnhfee32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3780

C:\Windows\SysWOW64\Nqfbaq32.exe (depth 13)
Command line: C:\Windows\system32\Nqfbaq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 996

C:\Windows\SysWOW64\Nceonl32.exe (depth 14)
Command line: C:\Windows\system32\Nceonl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3952

C:\Windows\SysWOW64\Ngpjnkpf.exe (depth 15)
Command line: C:\Windows\system32\Ngpjnkpf.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3020

C:\Windows\SysWOW64\Njogjfoj.exe (depth 16)
Command line: C:\Windows\system32\Njogjfoj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3972

C:\Windows\SysWOW64\Nnjbke32.exe (depth 17)
Command line: C:\Windows\system32\Nnjbke32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4740

C:\Windows\SysWOW64\Nddkgonp.exe (depth 18)
Command line: C:\Windows\system32\Nddkgonp.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3148

C:\Windows\SysWOW64\Ncgkcl32.exe (depth 19)
Command line: C:\Windows\system32\Ncgkcl32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4528

C:\Windows\SysWOW64\Nkncdifl.exe (depth 20)
Command line: C:\Windows\system32\Nkncdifl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2144

C:\Windows\SysWOW64\Njacpf32.exe (depth 21)
Command line: C:\Windows\system32\Njacpf32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1284

C:\Windows\SysWOW64\Nbhkac32.exe (depth 22)
Command line: C:\Windows\system32\Nbhkac32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3800

C:\Windows\SysWOW64\Ndghmo32.exe (depth 23)
Command line: C:\Windows\system32\Ndghmo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 1120

C:\Windows\SysWOW64\Ngedij32.exe (depth 24)
Command line: C:\Windows\system32\Ngedij32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 3736

C:\Windows\SysWOW64\Nkqpjidj.exe (depth 25)
Command line: C:\Windows\system32\Nkqpjidj.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2964

C:\Windows\SysWOW64\Nnolfdcn.exe (depth 26)
Command line: C:\Windows\system32\Nnolfdcn.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 4732

C:\Windows\SysWOW64\Nbkhfc32.exe (depth 27)
Command line: C:\Windows\system32\Nbkhfc32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 4276

C:\Windows\SysWOW64\Ndidbn32.exe (depth 28)
Command line: C:\Windows\system32\Ndidbn32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 5084

C:\Windows\SysWOW64\Nggqoj32.exe (depth 29)
Command line: C:\Windows\system32\Nggqoj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 3180

C:\Windows\SysWOW64\Nkcmohbg.exe (depth 30)
Command line: C:\Windows\system32\Nkcmohbg.exe
- Executes dropped EXE
PID: 4200

C:\Windows\SysWOW64\WerFault.exe (depth 31)
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 412
- Program crash
PID: 2844

C:\Windows\SysWOW64\WerFault.exe (depth 1)
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4200 -ip 4200
PID: 3976
Network
MITRE ATT&CK Enterprise v15
Downloads