9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 00:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
Size

94KB
MD5

dbdf0e415d63009ea666191fbbd3b1a3
SHA1

f53ad427abb95ea482620a8dbb672ce7cba8eced
SHA256

9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0
SHA512

386f5fa61700a8b6e7ff379c2c4a0a35bc63d8043dbd96492097da0244ca39b432e5adb6febd1b681256be6e74c3e1334d6062fc1be9d36155779dc7335b64fc
SSDEEP

1536:IJ022YIC1y681qtgxfKVbtZHlNVNe3vakV6wE7BR9L4DT2EnINs:IO22nP688tgxfQttbe3iAE6+ob

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njcpee32.exe

Executes dropped EXE 22 IoCs

pid	Process
4148	Mdkhapfj.exe
2908	Mcnhmm32.exe
1316	Mkepnjng.exe
3904	Mpaifalo.exe
3840	Mcpebmkb.exe
1428	Mkgmcjld.exe
3056	Mdpalp32.exe
2408	Mgnnhk32.exe
1908	Njljefql.exe
3200	Nacbfdao.exe
4996	Ngpjnkpf.exe
3384	Nnjbke32.exe
2500	Nqiogp32.exe
5048	Ngcgcjnc.exe
2716	Nnmopdep.exe
4432	Nqklmpdd.exe
1480	Ngedij32.exe
4420	Njcpee32.exe
932	Nbkhfc32.exe
5064	Ndidbn32.exe
3604	Nggqoj32.exe
3596	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mdkhapfj.exe	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqklmpdd.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Paadnmaq.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
456	3596	WerFault.exe	108

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njcqqgjb.dll"	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ngedij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 4148	2712	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe	84
PID 2712 wrote to memory of 4148	2712	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe	84
PID 2712 wrote to memory of 4148	2712	9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe	84
PID 4148 wrote to memory of 2908	4148	Mdkhapfj.exe	85
PID 4148 wrote to memory of 2908	4148	Mdkhapfj.exe	85
PID 4148 wrote to memory of 2908	4148	Mdkhapfj.exe	85
PID 2908 wrote to memory of 1316	2908	Mcnhmm32.exe	87
PID 2908 wrote to memory of 1316	2908	Mcnhmm32.exe	87
PID 2908 wrote to memory of 1316	2908	Mcnhmm32.exe	87
PID 1316 wrote to memory of 3904	1316	Mkepnjng.exe	89
PID 1316 wrote to memory of 3904	1316	Mkepnjng.exe	89
PID 1316 wrote to memory of 3904	1316	Mkepnjng.exe	89
PID 3904 wrote to memory of 3840	3904	Mpaifalo.exe	90
PID 3904 wrote to memory of 3840	3904	Mpaifalo.exe	90
PID 3904 wrote to memory of 3840	3904	Mpaifalo.exe	90
PID 3840 wrote to memory of 1428	3840	Mcpebmkb.exe	91
PID 3840 wrote to memory of 1428	3840	Mcpebmkb.exe	91
PID 3840 wrote to memory of 1428	3840	Mcpebmkb.exe	91
PID 1428 wrote to memory of 3056	1428	Mkgmcjld.exe	92
PID 1428 wrote to memory of 3056	1428	Mkgmcjld.exe	92
PID 1428 wrote to memory of 3056	1428	Mkgmcjld.exe	92
PID 3056 wrote to memory of 2408	3056	Mdpalp32.exe	93
PID 3056 wrote to memory of 2408	3056	Mdpalp32.exe	93
PID 3056 wrote to memory of 2408	3056	Mdpalp32.exe	93
PID 2408 wrote to memory of 1908	2408	Mgnnhk32.exe	94
PID 2408 wrote to memory of 1908	2408	Mgnnhk32.exe	94
PID 2408 wrote to memory of 1908	2408	Mgnnhk32.exe	94
PID 1908 wrote to memory of 3200	1908	Njljefql.exe	95
PID 1908 wrote to memory of 3200	1908	Njljefql.exe	95
PID 1908 wrote to memory of 3200	1908	Njljefql.exe	95
PID 3200 wrote to memory of 4996	3200	Nacbfdao.exe	96
PID 3200 wrote to memory of 4996	3200	Nacbfdao.exe	96
PID 3200 wrote to memory of 4996	3200	Nacbfdao.exe	96
PID 4996 wrote to memory of 3384	4996	Ngpjnkpf.exe	97
PID 4996 wrote to memory of 3384	4996	Ngpjnkpf.exe	97
PID 4996 wrote to memory of 3384	4996	Ngpjnkpf.exe	97
PID 3384 wrote to memory of 2500	3384	Nnjbke32.exe	98
PID 3384 wrote to memory of 2500	3384	Nnjbke32.exe	98
PID 3384 wrote to memory of 2500	3384	Nnjbke32.exe	98
PID 2500 wrote to memory of 5048	2500	Nqiogp32.exe	99
PID 2500 wrote to memory of 5048	2500	Nqiogp32.exe	99
PID 2500 wrote to memory of 5048	2500	Nqiogp32.exe	99
PID 5048 wrote to memory of 2716	5048	Ngcgcjnc.exe	100
PID 5048 wrote to memory of 2716	5048	Ngcgcjnc.exe	100
PID 5048 wrote to memory of 2716	5048	Ngcgcjnc.exe	100
PID 2716 wrote to memory of 4432	2716	Nnmopdep.exe	101
PID 2716 wrote to memory of 4432	2716	Nnmopdep.exe	101
PID 2716 wrote to memory of 4432	2716	Nnmopdep.exe	101
PID 4432 wrote to memory of 1480	4432	Nqklmpdd.exe	102
PID 4432 wrote to memory of 1480	4432	Nqklmpdd.exe	102
PID 4432 wrote to memory of 1480	4432	Nqklmpdd.exe	102
PID 1480 wrote to memory of 4420	1480	Ngedij32.exe	103
PID 1480 wrote to memory of 4420	1480	Ngedij32.exe	103
PID 1480 wrote to memory of 4420	1480	Ngedij32.exe	103
PID 4420 wrote to memory of 932	4420	Njcpee32.exe	104
PID 4420 wrote to memory of 932	4420	Njcpee32.exe	104
PID 4420 wrote to memory of 932	4420	Njcpee32.exe	104
PID 932 wrote to memory of 5064	932	Nbkhfc32.exe	105
PID 932 wrote to memory of 5064	932	Nbkhfc32.exe	105
PID 932 wrote to memory of 5064	932	Nbkhfc32.exe	105
PID 5064 wrote to memory of 3604	5064	Ndidbn32.exe	107
PID 5064 wrote to memory of 3604	5064	Ndidbn32.exe	107
PID 5064 wrote to memory of 3604	5064	Ndidbn32.exe	107
PID 3604 wrote to memory of 3596	3604	Nggqoj32.exe	108

C:\Users\Admin\AppData\Local\Temp\9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe
"C:\Users\Admin\AppData\Local\Temp\9390d068ff6e7f8024d84d89323a415b7d0450a39d17bbe98733c97e81c5cbb0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\Mdkhapfj.exe
  C:\Windows\system32\Mdkhapfj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Windows\SysWOW64\Mcnhmm32.exe
    C:\Windows\system32\Mcnhmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\Mkepnjng.exe
      C:\Windows\system32\Mkepnjng.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
      - C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3200
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4420
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        23⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 412
        24⤵
        Program crash
        
        PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3596 -ip 3596
1⤵
PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hhapkbgi.dll

Filesize
7KB

MD5
cb533ac42ec34de85e830e1142eb6008

SHA1
1c2661d069fcd29bc1858ad4c75bdaa5517835b1

SHA256
73b70fd95e8f4f83ce5e21f91bb0f5b1dd803708ede443d0cde3f3d316e431d3

SHA512
7fc4c1886d6a8183143016e6e97f5ef1359fd5cefbb42e83a49038d1abf37b67981d36d05b69796826c434527c1840fe52971756a17eb509c3d60f68c79c3fcf

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
94KB

MD5
d8c07c289009a603786f96e533d16624

SHA1
ad674dbb880d8010f65d3263f3b1edf8d088cfef

SHA256
c9b4ac86c821fb5293e9330a88220c0a35daefdf1f6b5322c6810749f7b540e9

SHA512
4bf6792bc45fc05b7e1aa069fa08eee10798ce1d07d8492335070e453e520f16fe1b08543e8fc59ffc27030128bd1dc6c0850b522b552bad7ff36438a462da7a

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
94KB

MD5
17e3fbef1698aab6c4097ea0fcdff23e

SHA1
2c4b4f212be7f36f8aa881faf9577b686c043b79

SHA256
3251526d0b8a27c4500474dbf919af87d53319605906d32f378539e28f4c64e6

SHA512
e4c0d4d34d902daf928f923da282436569f5b8a13f6f903d1abb1dbd5126e6da795c70945feeefebea9e976dd9a94faabf398ea5e7313fbff71a723fe935c32f

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
94KB

MD5
3192aac0886494949cf38cec9537808d

SHA1
f811df98a40462ecd50de323ab90dc3828d15680

SHA256
44a4131d0d39936f4ca34fa8ae80f59ee77854363f3713225c745b44dc917a57

SHA512
bb20def11e3222a25fbd26e8eb4fb6feb066d5d58744c76beb70153a12db91d56084bf28d1821a23f248bfbc73c324adff60005ef83589218a8b1e8aae56e29e

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
94KB

MD5
4d6f0da347f062f26a706aff2f362e5b

SHA1
d66ddac8334abc4b108579489238f20d3d13a048

SHA256
ba8e3c1ff9cff3170f0ebd9e9f417518a0365fa89efeea07cbc6965fc5b1af1d

SHA512
0b7289400b239f775d3ea2ebec51930a860bfddd63ff1197691c48fa07cf7080c96063cc166c6cd6653212cd0d361250dde03ec56fbf1d89c8143e4ecb81e2ca

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
94KB

MD5
f72380f3ee03fbad79ded0d5c7a7686d

SHA1
c65fe5fa1b5f23928f1db18bd45d7dafb4e9b2c4

SHA256
ee27e9fa2797edadcf92c65152d316233bc48dccfe456aeb29af32b3b838b98a

SHA512
af1ef7a1a2f796c044c6f58527bfa5f7e404543f2bb9b2dc15182c1424edcc250d66f9c2ddf13c69c86006b2dc84d3589a3eaf96e7afc354086b0af7b6bbb55f

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
94KB

MD5
b1ac5a71af222e45601284d08d908a72

SHA1
0a83abe792ab0070b6a84d50742d4c1ddf7e9b7e

SHA256
2bfcee60629aa8d07bb08ef88a8e3224ef63a9b380f0feb7eff5ae076f8a9b74

SHA512
c161e01b359b5c0a0dcdf5e75e798271aa7e7642d9511e15034dd1ec9326ec639a1942e97f93e8e9d3d7c30d152a6da1362a0354420b8085508c34ead93fa2d6

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
94KB

MD5
c37519b1cc1718fda8b828f94b72d969

SHA1
804e22a58dcff92eac7e7e3c7203bbca5e7d6bae

SHA256
178d0d35a574b5c588a76bfee87b2fad1433429cbd58f80a347c96916e22be5a

SHA512
e742715ac1c54b03ca183aee413b98dcca4c91178ceb138167e020352ccf3c5317eea9d945045d3f948afabaa70b3405fbf0acdc826521d8644b7f421a7d31b3

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
94KB

MD5
bca54971a456d66fd78aea7df6e1a10f

SHA1
a651869d4d824e6dbdb6df137b1aea0ea9316b7e

SHA256
d2291cc3e86f2b91aee9e3808e2e42dedcec3fb704b600ee9ffc34d87dde768a

SHA512
20342b0d7cbcf485893a2fb83a46771fe64b27b0167449b9fb64e68738e03c710390115e38a440376cfe981a9fd8c345b1fd5d47090a8c01af1d91256e8f740d

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
94KB

MD5
55d8f44974d7f408e235d818e40eca20

SHA1
f7d1e870760ac968821033bc293e4671444638ac

SHA256
163868a8eaa68d3ec979e59ea5ef33471c3b58701be3a7d12f432cc296abec43

SHA512
3e57eea17a0a210dcd1c77cd0fd2e2a9d617ffdbd56db42c9cfd136bd3a6221cd2eeeb3b9fb68675752f102f1f6d2f9f2081a799f5ae5690bce21cdc8ed4af13

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
94KB

MD5
7c82e5f5ec94fdeffb5461e1931ae823

SHA1
5a8478bf150dc6f1b6e73a3b3d5d52504640058f

SHA256
6f4f3423b2e7044608bce035b56e97a6135a18b2e80ec1e1e77f6fe7168d2bca

SHA512
828e30cabaa51bf65acb72bc398150ba264fcd9adad0e75b401341c4e0d02d260deb1e634bf82da039540d35531f1d542812bb3c945f8ffee8ac961a7cd7cbf1

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
94KB

MD5
ced6883fd3e2268edab9fd007983e159

SHA1
385a43eb96dd0d0478237204a7bb54bdbe90c876

SHA256
0224a23d95750f9c7ad2e705b22fceea6bac9f658acbb13c4603c803992f05ff

SHA512
3e543bbbc3006aa2db228f07d63390e1172e9eabf0991efd02196a1b264b9f9efda81993210f307f53622785ef2a796c991f5acebaf41068eaee9e6e1e5824ee

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
94KB

MD5
595032c20e4e6127f79995ba037f012d

SHA1
79aa07a6d798b3267dc1852dcae7b1e3d7cb08ed

SHA256
6b9f929b568f370debbf6c05a0a239681b08caa5fc9c3d08e335b1d9e046a6d0

SHA512
ce79a40043ba87cd17c431014a2744d766b61f098b86dbb9b14b72b38b4fbc19f104cc95e6200e1fc87504311d598efe5e8626c1f8f935d3ae6d4db4d2c032ef

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
94KB

MD5
693cb00bf6e2182e5191b2da365be50c

SHA1
4280d959562b93977714bd77896407be9af27255

SHA256
dbf81d23f29fe7128aee5606563afae6cd55d2dba6ea0a0b9be5b7d320f039e6

SHA512
67345f85a46cd8ca1dc83d624c81eec4f9f50f4c21b54e2d94a2722f2f65a7e394cea9d6747cf8c8df77bb2d4671e929646032e23b0b577b110c889060731794

Download Submit
C:\Windows\SysWOW64\Nggqoj32.exe

Filesize
94KB

MD5
de1f910e04e9363e10a282ec4125745b

SHA1
01ad6e7322bc382d2f90d20f5eaf293f7f8633d8

SHA256
cae865ee29df468ce1cd93f1639e3b566700cef2f968386da513c857fa307396

SHA512
5e02faac518bb5d3f30f4f649532dab8681def9ad07505e4a61342dd0ece7372f14ab4881b0d3ba8d718218c9e16b3295eb758f38b058727094f399d86085f39

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
94KB

MD5
945a5dda52bc74be6c2c6655d13c1651

SHA1
2f4d52d3b327da91aede6983724ce6e803f8ef55

SHA256
ef4f7bd973be74a3e44afb871222dd4a586250682a386ff545217db264c2d348

SHA512
4456b61593fe18b4d252865fb7d2a320ca73198e6e3d5a03693bdac19160081dcfd7ef2e01db6e107aa451f62870df4a01f1dd5e6c82534c271feceb27ab7bcb

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
94KB

MD5
755efbefca2d2bc3323890377fd0d795

SHA1
79888ec599bebf064e068d930110787e71b2dd3c

SHA256
c475f01f0d48da29db562650980e39c341a432d970316a24be58a24044cadf88

SHA512
2b25451a88387d6f827639ada600605fe029da718f7308b32e2c9e8db80d154c41aa1592345e8d817cf87e6327b01e2064c3caf2201bee6501a9ba31e2d6c4c1

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
94KB

MD5
58b642e3fcdeb1c920c200bbccab1de3

SHA1
cedaeb76c4ab858b768a7a5f7dca979e18d78151

SHA256
cf65430c2288c44e184c7f16daf7fbb4199e9e9332735d371372fb46c78d7dfa

SHA512
6091207a74c75b93cde478ab1f5deb21eec686b849878d4f0f07b7c58ff9947e02a73913a88f98d4afa2a7350b90ec47f786bf26cbe77cb3e38ef52922fdd3ea

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
94KB

MD5
ab55fc3f24084971529483200c88f9dd

SHA1
51eaea2221e16d0b0e84ec097e89ed5185c937c7

SHA256
02e4972b7cfaefcd54ccb1793df4f972b1ca392d98a1d74506ef0476f50ea803

SHA512
bc6f6f2baa866a5afa24b2a472c38346554d590c6050971abbabcdfd6fefd70821654e0f0234bb30209b60b255cc48bf1af3df4614c9db52784764ce19ba2071

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
94KB

MD5
b979eea0b21ac5204011cd4f9d61c0de

SHA1
444382f0710c7eaaa27afe5e29584f8923d75521

SHA256
d9ab3007b04ada50f6c301fb213fb53fa29755eb75732d5b398ba59d1814c739

SHA512
2a45ea6f8a942f5bc8821048e4dd54b8c87a6b3f50836e65fed0bfaab7479d906d040f43028c312827bf9608126f99e65e059ff0d8ac2b9f7242097b5c17aea0

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
94KB

MD5
743eb4311baf6053d7dbc816556afe31

SHA1
a5c9ab014bc440535d2925308c544a0db7ee2837

SHA256
3467f57c1623da764b04228af511c7336906fc44a2e5ac87cf1230148a842893

SHA512
240b89b995570157fadf795b0731873c72b7343facb2dc3f1d7b94a69c4971e96a1782b52b6ecee27019eba7df928efbe1e6833a79d6e3ea638780a47c4bbd1b

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
94KB

MD5
dc787595b9c1ab6ae9d50cb0bec8608f

SHA1
99aec3e8033fab2542eef796c78fbf7acab49091

SHA256
ef83d2b4b68ae89d639aedcdbeb778029231edc86287f38a6b57fad23c93b448

SHA512
3d0f25fc6cf92f162459e195bc8afa1143ac055455e94d296bb6f693dfe40f69ce126297f2edaaf3d23fe39fa5bfe28fa99213dbe8b936d71212682cb004c38f

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
94KB

MD5
63ab81c2a00045f6be00e31f1104bb2c

SHA1
703779a64e97215e08de6788b4a151a2dfe792ca

SHA256
668460f1daad7b167d78584cfd55c5d81dd0bb8dc2704170d6b1a21f5469bccd

SHA512
8971602cb4d65d4ff008552e67c99f6c4c46e86a0ac614df01cd103bae0dfaed8af2717154d134c1f07eafffadf8e461bc6472d47685f998a1d50b43d2aaa19f

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
94KB

MD5
8b903b4f51fb872a76f86b3885c23eaf

SHA1
66e4f5a22145bc1c075cfefbb1724f27c26c21e0

SHA256
d4aadf8853023ae35e203fa9093561e8d518200e6e3e9cff8ab5d45102adb0b7

SHA512
935aa9b49274a733eeee32736c7d10205937660f297b4010ee990fa0ce5422cdf671deaddd850815bf01e7dfd4faa13e49df180fe7685ec4925d11e1a38751f0

Download Submit
memory/932-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-28-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-190-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1428-47-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-180-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1908-76-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-188-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2408-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-184-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2500-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2712-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-181-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2716-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2908-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-189-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3056-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3200-79-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3200-187-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3384-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3596-176-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-170-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3840-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3904-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-191-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4148-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4420-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4432-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4996-186-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4996-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5048-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-178-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads