Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 23:33
Static task: static1
Behavioral task: behavioral1
Sample: 63dfbfae2fce963463f0efcdd77c6febcbf5e005dba40abf74cce962150dd497.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 63dfbfae2fce963463f0efcdd77c6febcbf5e005dba40abf74cce962150dd497.exe
Resource: win10v2004-20240508-en
General
Target: 63dfbfae2fce963463f0efcdd77c6febcbf5e005dba40abf74cce962150dd497.exe
Size: 80KB
MD5: b25b730a686c9e8c7c992b47d0c0ce6b
SHA1: 9726771ec60857c53f68cd47c84000f03d48555a
SHA256: 63dfbfae2fce963463f0efcdd77c6febcbf5e005dba40abf74cce962150dd497
SHA512: d3e28a9da3e420cdd0745769178d43b13f96fffd2f55dc938f3186a5057e52376156c31ba8420441bd5188afab31a65e2f3e3c7ee8fdd975d743cd68eb64b88a
SSDEEP: 1536:A+vVvTQjc5A9OXj5NfGyBZiNb2L6S5DUHRbPa9b6i+sIk:A+vRQjc5A9OXFNTBZc46S5DSCopsIk
Malware Config
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 48 IoCs)
Executes dropped EXE (24 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
WerFault.exe (PID 1720) handled the crash of target process Nkcmohbg.exe (PID 2572)
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\63dfbfae2fce963463f0efcdd77c6febcbf5e005dba40abf74cce962150dd497.exe (command line: "C:\Users\Admin\AppData\Local\Temp\63dfbfae2fce963463f0efcdd77c6febcbf5e005dba40abf74cce962150dd497.exe", level 1)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2540
C:\Windows\SysWOW64\Mjcgohig.exe (command line: C:\Windows\system32\Mjcgohig.exe, level 2)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3940
C:\Windows\SysWOW64\Mdiklqhm.exe (command line: C:\Windows\system32\Mdiklqhm.exe, level 3)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3468
C:\Windows\SysWOW64\Mkbchk32.exe (command line: C:\Windows\system32\Mkbchk32.exe, level 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 1560
C:\Windows\SysWOW64\Mnapdf32.exe (command line: C:\Windows\system32\Mnapdf32.exe, level 5)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 4064
C:\Windows\SysWOW64\Mamleegg.exe (command line: C:\Windows\system32\Mamleegg.exe, level 6)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3016
C:\Windows\SysWOW64\Mgidml32.exe (command line: C:\Windows\system32\Mgidml32.exe, level 7)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3068
C:\Windows\SysWOW64\Mjhqjg32.exe (command line: C:\Windows\system32\Mjhqjg32.exe, level 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3344
C:\Windows\SysWOW64\Mpaifalo.exeC:\Windows\system32\Mpaifalo.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3284 -
C:\Windows\SysWOW64\Mglack32.exeC:\Windows\system32\Mglack32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Mnfipekh.exeC:\Windows\system32\Mnfipekh.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Mcbahlip.exeC:\Windows\system32\Mcbahlip.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Njljefql.exeC:\Windows\system32\Njljefql.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\Nqfbaq32.exeC:\Windows\system32\Nqfbaq32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Nceonl32.exeC:\Windows\system32\Nceonl32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4144 -
C:\Windows\SysWOW64\Nklfoi32.exeC:\Windows\system32\Nklfoi32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4692 -
C:\Windows\SysWOW64\Nnjbke32.exeC:\Windows\system32\Nnjbke32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Nddkgonp.exeC:\Windows\system32\Nddkgonp.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\Ngcgcjnc.exeC:\Windows\system32\Ngcgcjnc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Njacpf32.exeC:\Windows\system32\Njacpf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Ndghmo32.exeC:\Windows\system32\Ndghmo32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Ngedij32.exeC:\Windows\system32\Ngedij32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Nnolfdcn.exeC:\Windows\system32\Nnolfdcn.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3564 -
C:\Windows\SysWOW64\Ndidbn32.exeC:\Windows\system32\Ndidbn32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3500 -
C:\Windows\SysWOW64\Nkcmohbg.exeC:\Windows\system32\Nkcmohbg.exe25⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 40026⤵
- Program crash
PID:1720
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2572 -ip 25721⤵PID:904
Network
MITRE ATT&CK Enterprise v15
Downloads