fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 06:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe
Size

79KB
MD5

2d89df1e9e2f4892dbb7dfefd5b28875
SHA1

5877f167a76dae0a634d98efbd0970d4d3915202
SHA256

fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b
SHA512

ad4120156aada343c2afa4bc9f59c6760b26e921b97c2d829c08b76b3da073cf455e9c6ec599f2c19671eaf46ac253acba1ebba681b9dcc14ebabe76af091db1
SSDEEP

1536:stLvINUcHbS9NeMgh1HFrSInFUERiFkSIgiItKq9v6DK:s10b0fg95FUERixtBtKq9vV

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe

Executes dropped EXE 36 IoCs

pid	Process
3452	Mciobn32.exe
2836	Mjcgohig.exe
2260	Mpmokb32.exe
3080	Mdiklqhm.exe
60	Mgghhlhq.exe
932	Mnapdf32.exe
4932	Mamleegg.exe
3008	Mdkhapfj.exe
4580	Mcnhmm32.exe
3604	Mjhqjg32.exe
2156	Maohkd32.exe
2116	Mpaifalo.exe
2200	Mcpebmkb.exe
968	Mkgmcjld.exe
1748	Mnfipekh.exe
4512	Mpdelajl.exe
228	Mdpalp32.exe
3164	Mgnnhk32.exe
2904	Nkjjij32.exe
4164	Nnhfee32.exe
2428	Ndbnboqb.exe
3288	Ngpjnkpf.exe
4268	Njogjfoj.exe
2172	Nnjbke32.exe
2812	Nafokcol.exe
4940	Ncgkcl32.exe
4552	Nkncdifl.exe
1984	Njacpf32.exe
1784	Nbhkac32.exe
2112	Ndghmo32.exe
1528	Nkqpjidj.exe
1700	Nnolfdcn.exe
4424	Nbkhfc32.exe
5076	Ndidbn32.exe
3428	Ncldnkae.exe
3764	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mciobn32.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Njcqqgjb.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nnhfee32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4048	3764	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgengpmj.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 3452	3324	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe	81
PID 3324 wrote to memory of 3452	3324	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe	81
PID 3324 wrote to memory of 3452	3324	fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe	81
PID 3452 wrote to memory of 2836	3452	Mciobn32.exe	82
PID 3452 wrote to memory of 2836	3452	Mciobn32.exe	82
PID 3452 wrote to memory of 2836	3452	Mciobn32.exe	82
PID 2836 wrote to memory of 2260	2836	Mjcgohig.exe	83
PID 2836 wrote to memory of 2260	2836	Mjcgohig.exe	83
PID 2836 wrote to memory of 2260	2836	Mjcgohig.exe	83
PID 2260 wrote to memory of 3080	2260	Mpmokb32.exe	84
PID 2260 wrote to memory of 3080	2260	Mpmokb32.exe	84
PID 2260 wrote to memory of 3080	2260	Mpmokb32.exe	84
PID 3080 wrote to memory of 60	3080	Mdiklqhm.exe	85
PID 3080 wrote to memory of 60	3080	Mdiklqhm.exe	85
PID 3080 wrote to memory of 60	3080	Mdiklqhm.exe	85
PID 60 wrote to memory of 932	60	Mgghhlhq.exe	86
PID 60 wrote to memory of 932	60	Mgghhlhq.exe	86
PID 60 wrote to memory of 932	60	Mgghhlhq.exe	86
PID 932 wrote to memory of 4932	932	Mnapdf32.exe	87
PID 932 wrote to memory of 4932	932	Mnapdf32.exe	87
PID 932 wrote to memory of 4932	932	Mnapdf32.exe	87
PID 4932 wrote to memory of 3008	4932	Mamleegg.exe	88
PID 4932 wrote to memory of 3008	4932	Mamleegg.exe	88
PID 4932 wrote to memory of 3008	4932	Mamleegg.exe	88
PID 3008 wrote to memory of 4580	3008	Mdkhapfj.exe	90
PID 3008 wrote to memory of 4580	3008	Mdkhapfj.exe	90
PID 3008 wrote to memory of 4580	3008	Mdkhapfj.exe	90
PID 4580 wrote to memory of 3604	4580	Mcnhmm32.exe	91
PID 4580 wrote to memory of 3604	4580	Mcnhmm32.exe	91
PID 4580 wrote to memory of 3604	4580	Mcnhmm32.exe	91
PID 3604 wrote to memory of 2156	3604	Mjhqjg32.exe	92
PID 3604 wrote to memory of 2156	3604	Mjhqjg32.exe	92
PID 3604 wrote to memory of 2156	3604	Mjhqjg32.exe	92
PID 2156 wrote to memory of 2116	2156	Maohkd32.exe	94
PID 2156 wrote to memory of 2116	2156	Maohkd32.exe	94
PID 2156 wrote to memory of 2116	2156	Maohkd32.exe	94
PID 2116 wrote to memory of 2200	2116	Mpaifalo.exe	95
PID 2116 wrote to memory of 2200	2116	Mpaifalo.exe	95
PID 2116 wrote to memory of 2200	2116	Mpaifalo.exe	95
PID 2200 wrote to memory of 968	2200	Mcpebmkb.exe	97
PID 2200 wrote to memory of 968	2200	Mcpebmkb.exe	97
PID 2200 wrote to memory of 968	2200	Mcpebmkb.exe	97
PID 968 wrote to memory of 1748	968	Mkgmcjld.exe	98
PID 968 wrote to memory of 1748	968	Mkgmcjld.exe	98
PID 968 wrote to memory of 1748	968	Mkgmcjld.exe	98
PID 1748 wrote to memory of 4512	1748	Mnfipekh.exe	99
PID 1748 wrote to memory of 4512	1748	Mnfipekh.exe	99
PID 1748 wrote to memory of 4512	1748	Mnfipekh.exe	99
PID 4512 wrote to memory of 228	4512	Mpdelajl.exe	100
PID 4512 wrote to memory of 228	4512	Mpdelajl.exe	100
PID 4512 wrote to memory of 228	4512	Mpdelajl.exe	100
PID 228 wrote to memory of 3164	228	Mdpalp32.exe	101
PID 228 wrote to memory of 3164	228	Mdpalp32.exe	101
PID 228 wrote to memory of 3164	228	Mdpalp32.exe	101
PID 3164 wrote to memory of 2904	3164	Mgnnhk32.exe	102
PID 3164 wrote to memory of 2904	3164	Mgnnhk32.exe	102
PID 3164 wrote to memory of 2904	3164	Mgnnhk32.exe	102
PID 2904 wrote to memory of 4164	2904	Nkjjij32.exe	103
PID 2904 wrote to memory of 4164	2904	Nkjjij32.exe	103
PID 2904 wrote to memory of 4164	2904	Nkjjij32.exe	103
PID 4164 wrote to memory of 2428	4164	Nnhfee32.exe	104
PID 4164 wrote to memory of 2428	4164	Nnhfee32.exe	104
PID 4164 wrote to memory of 2428	4164	Nnhfee32.exe	104
PID 2428 wrote to memory of 3288	2428	Ndbnboqb.exe	105

C:\Users\Admin\AppData\Local\Temp\fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe
"C:\Users\Admin\AppData\Local\Temp\fd5b89ff03da3c52ec909589804a15717e9e55f269682526fc370f48eaa9847b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Windows\SysWOW64\Mciobn32.exe
  C:\Windows\system32\Mciobn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SysWOW64\Mjcgohig.exe
    C:\Windows\system32\Mjcgohig.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\Mpmokb32.exe
      C:\Windows\system32\Mpmokb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        37⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 400
        38⤵
        Program crash
        
        PID:4048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3764 -ip 3764
1⤵
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mamleegg.exe

Filesize
79KB

MD5
916e59b5da7a24d074118767e7127dc7

SHA1
075a99af0bc017d5b194bcfb5e6b18c4338ccb1a

SHA256
22d3e97ebc2735c790f46416d1827716b8af8cffffd1be44cf5688880ed188d5

SHA512
f349e81cea406fedda5a93d10d3e4dadc6b44915ab47de010ceff977376b303662f384bcf6d0f2e404e85c062154415f7b03c9e3baebaea1ac8bc755d122225f

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
79KB

MD5
1785ab3da9731c9014c3e930ae6a787d

SHA1
e17897c832efa642a698eb429a1bbfde4aaace8a

SHA256
7b38719b37d9f0ab5563b2e568ca0307c3a08ef90751ac02d255f896a6f0fd1f

SHA512
8c816cbfe1e75fbff94f21a7c680786da1bee88a2a585989d5252b91b9365befbeb37ab2e9ff8f12796df8a8ad5895f3bbe8e2f9eaa9ab28efbc96c9357a7432

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
79KB

MD5
115dd843d1d590cd2b4d8eac505bb116

SHA1
979cacfbebc4a376952d1a696c46da82037e899e

SHA256
00bbbddcd2e5b4f9427a16e78a2b3e0e8be9cbd98c9ff0f8f8f4992c5c2e240f

SHA512
67f00b506de88ec4c1817aebd04a7780c7cc57188ff3ac397b5027db5cf70c312e46c406fe29094aac7958ff6f80184ae83a7e7717bb3b6f50d4bb096f810254

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
79KB

MD5
8af6cdd51639a294beab1a4ec428d28d

SHA1
0af2043b31af6b06589ff6448c83f1b6db230b5a

SHA256
b7319cedb1bcfeaca99f5047996873412d800e70335c7c0359bfee215bfb33d1

SHA512
06ff21ea6a769948bd2226f35c20b0f66787814d7258f2d158831ca1bb08534cf377f00455260db7f3593b32c59ce4484b259f0926f630708e2039ac4b62fa82

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
79KB

MD5
d620790ea084cb9016f2e1a84a149658

SHA1
293bc195ad8dbd0ca17d054c04ed5a4c5d25f2ce

SHA256
b09d71e4157a098b02e539bba17d76c8d96d18f9c9213ec38985b63e8a5be919

SHA512
efbb0d1372e8e22038e78c0ac0c02cf5af9e07f1f0dc3d0fc8e6860daf01b09bc09f0097109b48fb9a3c87b8e51541475ccd4066fa918fc77b7ca4954bbde304

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
79KB

MD5
9b2ad065d1160e73f6a13028a52be350

SHA1
eda4e94334fbd22680716dfceb347e3e69f66f3f

SHA256
0fa0f4fe160a3905bbfd0db37764f26b8fdb414c7373308cb9d3f22362d0a286

SHA512
957f76b479583b97e84be2398f8d9183d96338210aca734d14810ac8ecd78e41d6884ed286de5fd48eb549030755e5c0c216cb321e9e68d299ea1088fa050993

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
79KB

MD5
a3cb869f7f500aaa3115e4a26202a525

SHA1
708929043b18a38944660337111d34502abf7f5e

SHA256
08940275803ba2630ee5efbb343b6816e3b9faad9cdafeb124865fc3d75cd917

SHA512
19632d5d7c6fc2f6fe0e8be70666d7c58a3fe7cedd0291a5a97581690e771f777f4f66d856fd33a2ec04c0144aba001e5544fed65cfbdb80455a1d0bb4e21c1a

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
79KB

MD5
ab2c252601eb38ef1f8e7c848c6d3c6e

SHA1
ed760a3d641d766fb49e915efcfe84b50ab58dc7

SHA256
2eef6d6a0a932079b89927a52f6a5d068386c2b7529e1a38cfb1318856344acb

SHA512
eee70301c658ada1331b404dc85628f2300bc32e8658f0a289cb9e88f41a919386bbf7a1452f967e0c7bd2552b3ee566d6af27c9b13dfb9cbc00aa1922c96d40

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
79KB

MD5
2ec67dc6e45c3cab143990cee08f5e89

SHA1
16a4c5c459f134ddba2ef8560778f6d2f98f28f1

SHA256
f82adaf27e4efd0404618c779e651da792795740bc00d943c64e67fd0200a37a

SHA512
fbdb5615e9d4f7241ad2617ae46f9156d515ca604dab4a49c12d65f9bcdead6b4db875a51781d9ee766b723e38ab936ced7c9c277995ad4029d65adfc2ba663e

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
79KB

MD5
be96446b8668c6f5a56dec8e8cd8016a

SHA1
cfcee1ee8469c71f5a6b4e7ba99e2385fb0466a6

SHA256
3ea49acf533aa6c0696fdd0965d4a89c1575c4160ec715e24a609eddaf49ea83

SHA512
39edda187d70e66d4a0bd632e9eb4c63e5cc6f6fac2b4b3c2f44c6716b33ac8dcb86bad219f791566f42a450c41c7521b509b0c2dc1f04aa97a48446dc8b6385

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
79KB

MD5
e1175b834a8a6c7060e0a0c84f36f9e0

SHA1
d3b9653dd65e20062a5bec9af1e9cd792a29807b

SHA256
41ec94562680cda5c7caa5e6909d561b5bcb9e6421c71670c7a8e55411e58238

SHA512
724850097005da503d91707ba88c42495de5d67442128e19b7d5093017d0baf869c0763f9ae98aa39b9ae2a91aa3c4ed5383b8a7462bd92506f4e03717fc4395

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
79KB

MD5
19cc0ed103d6308357d76e880998400d

SHA1
440f19c332c044e642ccc0c8968a204b1d265e1a

SHA256
d6c7480970c81891d4157ce089214baf828d7a1f9b99b84159bc661956fa7b56

SHA512
de95159371124c8d0b9277d53cb800a74f04c263b27fd1ba237dfe1c53b7c46cff1db4566e594e20563f03eb9b08903d0cdc5d32387354ae20dd0b9c00979711

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
79KB

MD5
14555343714a0546632a57709b88d875

SHA1
91923abbf7379da201986ab8b98cd347262b3b9c

SHA256
1c77a283e2375ef614b235cb778f4c297411ea248a8190fc576311b1cfb03277

SHA512
5c313c2f134fbe6c4ce7a5a5bda6a84eaccc2eac9c4f57ad0d35811be2ff951ea5a0147267800d41fdaff8f49ba41c3899205507c9453979febeeb4a3aedf14c

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
79KB

MD5
dd02d1bc6bf3ab97bd4aa5e3045776ff

SHA1
de28d144b5e7caf01a38f55784b9caf0e2c56c2d

SHA256
7a3ae26859ca276307c82f0d5bfcaf13edca5ce09385584fd09d39305c291f82

SHA512
0070ed6be5fbcb3b4b273531514e0158e3b388b97ff1f6056561124a76278da973208cab10671df3643eea707d041353cabcd80931787dee0818365560b127ea

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
79KB

MD5
a2b3c7a4b8ba1318e1bfc2d610fd4497

SHA1
3bf0afde89f8a181f752d1d5b36499c31a87192d

SHA256
7fce4889b18c1b31898744f0dbc509fe484ee2ba695c64f5609689e3cd855053

SHA512
4b8fb5f1e799fa2594748cb09208bea2748d05b3916229366ff4033ffe911cf43543a468140966846c9d8cd327298cb92fc71fabbe4d64e286275e7ea98b9cf9

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
79KB

MD5
9836cc63b6f73882897cc300c3982092

SHA1
5a6e984eee40bcf01fcc6a7fb948fb14d848ee0e

SHA256
d8af40540f8df85b4b57ba83700c8d0d018a73add09231e9f5b94fb7784a2f5b

SHA512
c0bd6c755eedc984ed967e0c9f7f7159b56d03f4675e9c04ef835ceae92643d85f2056cd9f186031a5ab77afe147301797466ebd2aaec876198d529b9dcb8ad8

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
79KB

MD5
7d54ef90e26583805252f79f5196b1c7

SHA1
013719d50d891b04f47921f75a2b57435c4121aa

SHA256
3626c52947e61de17ecdc151539f5783b25d36c446984d8d16d9454874150a4f

SHA512
59dcd5225eb5f76b69bbc2618e73a7ebea8acf41aacd4eb822a5daca24bfd73b1c8232ce14ccc1a1b62d48368443cc169544f5cb578759d6caf0766d1779ab6f

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
79KB

MD5
e7a6d798cd5373b026ed58d369d1b6bb

SHA1
5fdb698e24e341d711d0d0b09ed4571e7224bf5c

SHA256
6ef8878d936daeebdcc64031e850932d745064b053ec7c4211afa4ef583c0663

SHA512
3ec32aec2534593933704ffce8bab95cb589b311cd4e5347638810a43b7f2e40241f98f80524822771334bb6be14717a6cb522baa03a29a4eb18f9b629850d1c

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
79KB

MD5
c6ed2e9c079eb5dc11a05d3311dcdf14

SHA1
6e29e034df8626f531a7c0c42164c232d61e17d9

SHA256
c7b84de6fa35c6123a6aa373f16b51c114ca8b901172ff311ac3f26f4d542edb

SHA512
b13882a450cb3cbd6f0f4b6c0fa92f6bd1ae88421e3bb57b1fcc589b3ada7d1c4b636b4f63e0e5805cbd3936c10718e31a89cdd6c755fb5123703f4927bd7769

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
79KB

MD5
cb0f48bcb5f48b870e39f0c6a7000aa4

SHA1
c7416091576039fb20caf363a2a5259d54756a07

SHA256
d9cf9386960e34eeebe26f095da7ecd9e0493513bb897aeb6bf08bcaacf72596

SHA512
f0d2ae1320f6564a4c428a32ba589c4a1cf5467c200e03cf3655e49457b1037595ad4a15dadd789b0710ed5ecb0a738e74f6bdc56c4477106ea3ecc706911722

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
79KB

MD5
2b32f858e15d1fb0c492855057941b75

SHA1
58d6e93c65647d4e22675b11f7b3ebe4eed63f66

SHA256
14465fc719339aabec79751e138c8b737047fba536760f0be315ddb68b139478

SHA512
92e9dce5c94c6649f99b98744d860a2e226db3e6efbaa4ee83fcb86aa1b6f49b384953ce81c532e269186c9438e1a84fd01e4f6578b7863aacc9a135f48eeaaf

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
79KB

MD5
b44d4be2bc3bbe653fdaf6184629e8e3

SHA1
78219d118ec5e1ed3ce32b1339055d95a684ec24

SHA256
e98b9e8da199304fa10f517f7640b54ca81066d26e3f1680c74c9af5c7775b49

SHA512
285abd24770ef6d899b48427da1accd277271aae30f8776fac456b5dfb037cc709f62b997489fed820f38fff09840fbdb544ca5f3247ee702700b7f65850db00

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
79KB

MD5
abd981fce988fb112372d9279a8b7c66

SHA1
b872d96f62831f7b294dd64704b83ba741cd5c7d

SHA256
ca847e7d2e3dbbcaa51d45fc0ae80028960d1c19ffcc8851cbf64b4e42fadf68

SHA512
733efabccbc62dc7a685d253535dc74ba4425d7a4465be2bc71d6e5c676025c4d091a75d82a6f058cbf37dab21cfac055aba14e253c3cc0281359bf63cb54d14

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
79KB

MD5
a9b661a65b28fb0b50ae9f2400564fcd

SHA1
55afca27186b913bfd0c962c375c15713333df40

SHA256
31f67af8e5fcecd864246ae998a451d9e67fb3438ab17d6643229a9f264fa9e0

SHA512
2ec45efc4e19b5b338be181df01a07223ce9d68e43499ae431eb8f45bf50033bc2c8905cbdbf893259c252d2e787c4810e342b7c882c447faef2222f82f1a144

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
79KB

MD5
7f82fa27c35b0146e09d2c3ef0c6e84d

SHA1
943ac64d348c2c87d18fa563186f70d20f9d4d51

SHA256
c4ff880cc1745eb12fe5ed833395f4167b069f0ffd4b34a3fafdb693d7f4ea01

SHA512
062d4e0272f616eab6f8f5744ddf8d2250b9d589fabb2195ff91fe9eed84a95928e7f916b8867eba0506831cd0021f61633ee4d510a1dd1e2e4b2997a1c23fb7

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
79KB

MD5
9de0644cbb74d8031ca19b6062379e24

SHA1
3850a7374615ef57900567ca15fed5e73374d745

SHA256
9908e2ff7a9390de24100a9bc33dbf3f46970daeda8f11ca7a66d26c2aaee8b2

SHA512
28c6b2cfec58567da86853e62eada057e764c7e48766a879dd81788b650741ab7f6ca8d8d69fd01324dc088fc9bf693b28b5735986ea13e6891eca25c73476f3

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
79KB

MD5
b43d38b67c805a9e125737ba74370147

SHA1
ec52cb0c6fde3c96f16a9c40ee8fa60203768c27

SHA256
f6d9f62412701f294689a90cbc5b0ef2525313eeb500e13f8cfb42ae48c0748d

SHA512
9cee6699c978dcc1903530f53a903a08c5de491ef8ab002bf6f94f2f124d2170114fcf00ee0ef12780e21913a4a46af5fe2c4fbf07a67a9902096acf57aaefa8

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
79KB

MD5
fa6ba5bb8cd8323c429c703c9d677162

SHA1
60188124d746065d465e74f6bb20a0b1a88757e5

SHA256
4a905eac02b6034932bb5da2cd2efff775b640ce3038fa0dc9e97055fbad5a3d

SHA512
53d7a84ef62f601b542896abe2cce2cefbd1b34d0a7171bbaaf6f5aa351058a8a19cffe97cf58bd4da3b99edc483b8c4795676736c68c0505b94a7b4dc02f4c9

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
79KB

MD5
57fce8299fb14609da50d14142c480f5

SHA1
d50a7e9adaabaf0ef452549fd9d9a1b0b34d3ec5

SHA256
755f3e73fff6c2af500aaf5e1c78640a8ad854745fc74a38e094023c9ee030c1

SHA512
7ce40fd322b63e43cc37d00ed5712159a98071da48d4299869dfb05d8ce8061664211b2dd20051d6f7e85655b1bcaad2c9732921cbabd1c02cf33bc78620caad

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
79KB

MD5
a56f49e7cd09df115294fa9a6a5d6364

SHA1
52150d23d263ccc12bdee1108cdf292ed6022627

SHA256
58ab373b522858488883037a58f85cc0c30b82637eb56b487fdfba9e41811e6d

SHA512
a3905a418b37f6a4469cbb355f8b82948718ae778213939c18ca85e661c1efdccf17729b68cb912ad2780742d9e143b53870faff40a54222bd9e69a48f09a8a6

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
79KB

MD5
00825f7d5d7d6cd2920528ce7068e272

SHA1
11549410bb123b6e5628384ba61c3ddc0998f8af

SHA256
500a64c40a79c1df6c5f88e131d3d6383af0037477caef9eb40e792e53f02c0c

SHA512
39d18f8fc93b8b41bb8ee19354b28c5349cbfd6defcf63d29c0eebeef40104b7c294829996123fee339f6af12fe6b20d2d1b541a7f20ef505eba7b2704ea54f3

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
79KB

MD5
26b83ad3cf3fbb18821f682cc9e20341

SHA1
50031638b4157977e5efd2baee17404ca86d486a

SHA256
eb2bec10c700606fc4758790acf2c38afb6712eaf20b2a66fad1d348bbf69422

SHA512
ff57c3e274baa1f52b083a8d9e8a79e9d30283f59af9567d7aeb0495f13f020382578c97932700c26c8c70f6326f6a79e44777f04125bd2b0861c5a737333e64

Download Submit
memory/60-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/60-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/228-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/932-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/932-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-117-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1528-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1700-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1748-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1784-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-288-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2112-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2156-302-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2172-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-29-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2812-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2836-21-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-157-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2904-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-35-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3080-308-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3164-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3324-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3428-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3428-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-309-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3452-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3604-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3764-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-295-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4164-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-291-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4424-284-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4512-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4932-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4940-289-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5076-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads