0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Size

55KB
MD5

c345c5d0c1b9d169558a75478c89fa52
SHA1

4a35e51f2c48e6e99a207e537efadd6534d7332e
SHA256

0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6
SHA512

48d1535f4d303b34fc2cd7ad54e27ad31b043406f0d52754896d912e6fe0a9b60ab5d9a7f7dc091148be3a473fcf246e21a3a828545c3c7e764d7bc3db14f284
SSDEEP

768:Q02EfSrAmoTLx49B4nUNcB6yeNdCBpa6JyCzHQjFi7NDmPJZ/1H5EMmfXdnh:QsScX4r9+BphzHCFi5Dmh1I

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe

Executes dropped EXE 25 IoCs

pid	Process
2672	Mpolqa32.exe
1236	Mcnhmm32.exe
1888	Mkepnjng.exe
3400	Mncmjfmk.exe
4500	Mpaifalo.exe
3296	Mglack32.exe
1244	Mkgmcjld.exe
3680	Mnfipekh.exe
1948	Mdpalp32.exe
1548	Nkjjij32.exe
4380	Nnhfee32.exe
5012	Nacbfdao.exe
4168	Ndbnboqb.exe
2376	Nklfoi32.exe
2248	Nnjbke32.exe
4968	Nddkgonp.exe
1576	Ngcgcjnc.exe
60	Njacpf32.exe
4620	Nnmopdep.exe
468	Ndghmo32.exe
3592	Nkqpjidj.exe
2324	Nnolfdcn.exe
2196	Ndidbn32.exe
2180	Ncldnkae.exe
4992	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mkepnjng.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nnolfdcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Nddkgonp.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Jlnpomfk.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nnolfdcn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	4992	WerFault.exe	109

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihcoe32.dll"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 2672	1628	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe	82
PID 1628 wrote to memory of 2672	1628	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe	82
PID 1628 wrote to memory of 2672	1628	0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe	82
PID 2672 wrote to memory of 1236	2672	Mpolqa32.exe	83
PID 2672 wrote to memory of 1236	2672	Mpolqa32.exe	83
PID 2672 wrote to memory of 1236	2672	Mpolqa32.exe	83
PID 1236 wrote to memory of 1888	1236	Mcnhmm32.exe	84
PID 1236 wrote to memory of 1888	1236	Mcnhmm32.exe	84
PID 1236 wrote to memory of 1888	1236	Mcnhmm32.exe	84
PID 1888 wrote to memory of 3400	1888	Mkepnjng.exe	85
PID 1888 wrote to memory of 3400	1888	Mkepnjng.exe	85
PID 1888 wrote to memory of 3400	1888	Mkepnjng.exe	85
PID 3400 wrote to memory of 4500	3400	Mncmjfmk.exe	86
PID 3400 wrote to memory of 4500	3400	Mncmjfmk.exe	86
PID 3400 wrote to memory of 4500	3400	Mncmjfmk.exe	86
PID 4500 wrote to memory of 3296	4500	Mpaifalo.exe	87
PID 4500 wrote to memory of 3296	4500	Mpaifalo.exe	87
PID 4500 wrote to memory of 3296	4500	Mpaifalo.exe	87
PID 3296 wrote to memory of 1244	3296	Mglack32.exe	88
PID 3296 wrote to memory of 1244	3296	Mglack32.exe	88
PID 3296 wrote to memory of 1244	3296	Mglack32.exe	88
PID 1244 wrote to memory of 3680	1244	Mkgmcjld.exe	89
PID 1244 wrote to memory of 3680	1244	Mkgmcjld.exe	89
PID 1244 wrote to memory of 3680	1244	Mkgmcjld.exe	89
PID 3680 wrote to memory of 1948	3680	Mnfipekh.exe	91
PID 3680 wrote to memory of 1948	3680	Mnfipekh.exe	91
PID 3680 wrote to memory of 1948	3680	Mnfipekh.exe	91
PID 1948 wrote to memory of 1548	1948	Mdpalp32.exe	92
PID 1948 wrote to memory of 1548	1948	Mdpalp32.exe	92
PID 1948 wrote to memory of 1548	1948	Mdpalp32.exe	92
PID 1548 wrote to memory of 4380	1548	Nkjjij32.exe	93
PID 1548 wrote to memory of 4380	1548	Nkjjij32.exe	93
PID 1548 wrote to memory of 4380	1548	Nkjjij32.exe	93
PID 4380 wrote to memory of 5012	4380	Nnhfee32.exe	95
PID 4380 wrote to memory of 5012	4380	Nnhfee32.exe	95
PID 4380 wrote to memory of 5012	4380	Nnhfee32.exe	95
PID 5012 wrote to memory of 4168	5012	Nacbfdao.exe	96
PID 5012 wrote to memory of 4168	5012	Nacbfdao.exe	96
PID 5012 wrote to memory of 4168	5012	Nacbfdao.exe	96
PID 4168 wrote to memory of 2376	4168	Ndbnboqb.exe	97
PID 4168 wrote to memory of 2376	4168	Ndbnboqb.exe	97
PID 4168 wrote to memory of 2376	4168	Ndbnboqb.exe	97
PID 2376 wrote to memory of 2248	2376	Nklfoi32.exe	98
PID 2376 wrote to memory of 2248	2376	Nklfoi32.exe	98
PID 2376 wrote to memory of 2248	2376	Nklfoi32.exe	98
PID 2248 wrote to memory of 4968	2248	Nnjbke32.exe	99
PID 2248 wrote to memory of 4968	2248	Nnjbke32.exe	99
PID 2248 wrote to memory of 4968	2248	Nnjbke32.exe	99
PID 4968 wrote to memory of 1576	4968	Nddkgonp.exe	100
PID 4968 wrote to memory of 1576	4968	Nddkgonp.exe	100
PID 4968 wrote to memory of 1576	4968	Nddkgonp.exe	100
PID 1576 wrote to memory of 60	1576	Ngcgcjnc.exe	102
PID 1576 wrote to memory of 60	1576	Ngcgcjnc.exe	102
PID 1576 wrote to memory of 60	1576	Ngcgcjnc.exe	102
PID 60 wrote to memory of 4620	60	Njacpf32.exe	103
PID 60 wrote to memory of 4620	60	Njacpf32.exe	103
PID 60 wrote to memory of 4620	60	Njacpf32.exe	103
PID 4620 wrote to memory of 468	4620	Nnmopdep.exe	104
PID 4620 wrote to memory of 468	4620	Nnmopdep.exe	104
PID 4620 wrote to memory of 468	4620	Nnmopdep.exe	104
PID 468 wrote to memory of 3592	468	Ndghmo32.exe	105
PID 468 wrote to memory of 3592	468	Ndghmo32.exe	105
PID 468 wrote to memory of 3592	468	Ndghmo32.exe	105
PID 3592 wrote to memory of 2324	3592	Nkqpjidj.exe	106

C:\Users\Admin\AppData\Local\Temp\0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe
"C:\Users\Admin\AppData\Local\Temp\0c291d6ef99978e546b4544c8c512ca85bffa3071e2e1564c15c781c64243ac6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\Mpolqa32.exe
  C:\Windows\system32\Mpolqa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\Mcnhmm32.exe
    C:\Windows\system32\Mcnhmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1236
  - - C:\Windows\SysWOW64\Mkepnjng.exe
      C:\Windows\system32\Mkepnjng.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1888
    - - C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
      - C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:60
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        26⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 400
        27⤵
        Program crash
        
        PID:1744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4992 -ip 4992
1⤵
PID:912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
55KB

MD5
3b91fd32a796c13f63d7efd791caabaf

SHA1
88c2c8b041613eca390f3e27493d3d2ed33e5ec0

SHA256
178b4ebdc87018e7f61f05a48658f2d60f627b68d6897bd0931c086fcda21845

SHA512
126a157ed503f9e1b07515e4639949b96c4914cf9121d9efc66fc4ac5adcabc6820b1c8ad0988754aa19848c13dd4a18619833df2e059812d04e05344525c512

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
55KB

MD5
bf660b3aed1e8052a27c954384f26f3e

SHA1
4fc333cd0b72001a137126e955392a3848a9d67b

SHA256
f7deac1bc1bd2342f421dc5dbae6148e9c7020feba853ebb898e0314d4e06754

SHA512
83f13ee0dc1ffceee5619689e44608674bc012a0c67c2e909cece7a20c34b65ad7a920c52868e1612dc4a4764d31ba118842d31a1189748a3fb42dfa8d4f45f2

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
55KB

MD5
642e974d4d93414ff4c709cc24392049

SHA1
1092f94979e883a2de1c1d09d09bed29dcc2f783

SHA256
f0faf7e068d892d0ce8f4b32526fad6316acdbb2feb2f9478de190ccf6960a17

SHA512
66a9faf4a5ddcf12ae83533b11868374275740caa9dd00fbb7edc57e9f43eaead386513054c2ee49ad1b15e3e28e9b73dfaf9784576ead7e12c0441519d74cbc

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
55KB

MD5
406c23f2ee3b65679de6133715014b23

SHA1
abed73a5f3c1199566f2a52b2b3b47dd81144e91

SHA256
24abf86eb909654ce76ef7cac5defb4a1d21495d675d0f3f750ff462097eef44

SHA512
a8cd4f7fecddb792db330095460bc6290fb1019ad277fee8a5d66087d42e5253e33e237887499c167950d44489aeb0740258fa36e8d55684a7f746fd290a1453

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
55KB

MD5
521667265fac8a07c90381f46def8cb8

SHA1
f7b5ad33523d99b255f283f04ffdcf17aea3d3e2

SHA256
f395f54a21b8d75b55381c4bec0a52fb981843db892a726654af4139e08ab016

SHA512
adaa22f8a3b8557f2700831bb655a59f1e4edcde3b15e6922843a77e371d9463b136ea542bb2d0a1f239877b36afa2f3ce079708b2d3e0f5e160d88cc9e5c730

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
55KB

MD5
421000ab6245829a069b445fcd2792d8

SHA1
eb35b10e6b674c8229bdb215f7dfd39d190bb935

SHA256
8e953c5f01e31014547c59ae719289ca39e7da9334ab3b815908abe87c9f1ac3

SHA512
ce11cfa838bd189675c0ed2b6a02e21f4dd1e37a822a3a620b02dbfa88333b795cea66153ff771b7429711afd8737e7d2a4c1d06159fe579f4a58df68a0ea103

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
55KB

MD5
0287d16257175f09c85f8a1c54b768df

SHA1
a0fb7a1adf950adec7813b2a015a013ee7d93717

SHA256
f5808b6f5d0eacb7b8552a89b3e841aaf8f9eaf43b44e9c1c141b40c5be08cb8

SHA512
a2cfed61ae64920dc2fdae7c4af89fd24b662437e241b977010f54c39932099f26f808bbc11ad0ca176c5cfcc069d03f7275f831f2b3189ad34295594ca7d4bc

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
55KB

MD5
ba55178a39fbdd388cd8d4e105572125

SHA1
2da46bf2f360fb7dbe1e0d00bbeb9d1ae3aece2d

SHA256
fa7d12a9de0e8522f3b511e4e80ce4e3509d89f373827b84f635826510fe765f

SHA512
3bba76844323ea9f1f3884b518fc423fd7b0fd4175fff3bc5d293b0b8b50413e4aa065cb28598cc34bc5d2ca0b30da7cd429b182de59d95ed2eaa58b2d8c17a8

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
55KB

MD5
13c9472c9fc55dd2a3fdf16ad98ec4cc

SHA1
8aaba1909832fc21b7300e959349a5b46f435f80

SHA256
ad16c536e285fe2d2755c2434b78725290584a5986d5a6b6edc97f34415fce62

SHA512
6367a21a7ebbf993c67fd09ca434f65f2e0b4a9877ac5ed05cdfadf88ad89408dbc75b39b295d369b820637d7238c4eb5cfea596394720abfefae96b2ecf0f2f

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
55KB

MD5
cd7f59ef745711a3238f16cb28420d57

SHA1
131ce38abb6f9266df552592eb72bf251adaa947

SHA256
337a37c5c5f62be67cb0c35c032637c77dc3aa3677be6fe18d8997cf5d092f22

SHA512
a9ee62dbe97ec10c280cbabcb542580df7613d82af7f46e9a7a5cd1c54d0c0dd8394ec7256bf261cdbf050086c57a87b81ae7418d8a5b0623fbf8b9bc2413074

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
55KB

MD5
f71cf16a095b346101a75a731f0feadc

SHA1
6d7ccd1634e2fc978596b514c9e86e040f14fc7b

SHA256
f67701b4590503be42caee2b702e8a07b85f1aa7192b94b93edb31b993d07a2b

SHA512
3cc04e2cafe53f0ade8fba666af258133342e087fc993fd216b65aceb1d36657cd0893ed61ff434885f2a877f5c4fdd7c7e22762d9cb139551ede9ded17ea282

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
55KB

MD5
dccf91593feadc8be63135429c3d052b

SHA1
db8d164bb9a42b1011dfb3e8fd3537e4f28840f5

SHA256
6f1e0fb381e797263c0c2d063a789f80ba3e588d943eb7f5c41e14e0f20c928d

SHA512
14d5095f3d804e4f8fbfaaac6f0e8a12b67b7164d590d2bf97598ae4e6a08fe4b5965372c71a9274985295f5b448c80a347ba70a1aee4acbb3f644f04d7aab71

Download Submit
C:\Windows\SysWOW64\Nddkgonp.exe

Filesize
55KB

MD5
013ee822ab1125ffd0724349ff7e462d

SHA1
c2d1ca0afe72ee0bb57e06d69b021562e33019df

SHA256
7e8b860353b273f094a161ebaa14ac3c8dc0396bf9c8e2e8d6a350d26b8dfd17

SHA512
50e93a7dbe4b5b7a7d864d5e2dd1c2e69502e07436428728b2e65337fd377b1954b76f69018fd67b998667c395e7ffd2cbf47ed9faf29b012d2c3a7883f0d6c0

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
55KB

MD5
ad5cf01367e99ba361b6668452460405

SHA1
aa25da6484dd7a52cceff6cf4ab885a25f4954a3

SHA256
f0fede7f9b3625a8400bf29b6841864ecd7e42f7600ea9f8609cd6c5308476d6

SHA512
f613b7357871e572670819d7bafd626c1aedaaa3e64a58437a380d1759c2b4fcc19039cba7b4814fdfde0e555a2366ae3df2093afde62a99f3d0eefb7c0a70d1

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
55KB

MD5
1d1a8e646a1ae3b0e1b3008d067eb59b

SHA1
055ca6c90c390d7682c26b7ac4113aabf0b20763

SHA256
1d3398a1b3a80799afcb2b9c264212afc3a1210e0736b082437b420da8807bb2

SHA512
7ae3653e7b6a6e3ee47fd860a4dea764c3b7f2f615adac833c5cd8220bc7fcdb2066c6e847b5d70549f5b26b57df525f4c79762caa00f2a98edd5ac7fa74e047

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
55KB

MD5
fcd16bcc9499c876252056a6e0852727

SHA1
85270643421356f9c492cae854a0fdb44ebefccb

SHA256
0e6fadb33ba5039a16db2db68f96c404ceded780855b767a0dc3ce8ec86316d3

SHA512
c8c97336df7ca0a67535e8df8d7a7e59ad3ad556b29e60bc84066820f5a6b0a3b01ed9b543720bff4cf7f0e8ca7efbf3df35616c8cd7bfc4024325b938414efc

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
55KB

MD5
a952f166e80739f41af3415bf6078910

SHA1
78b42f675f378eca04fcef94b76f6916857a7aae

SHA256
0d18946767b9bfbfd2123dbab07908acb67fa8e7e500f3bb3ac10f501584788c

SHA512
7b5116ca6678f008a20515188e77899703e8fde764aadd13a5a78601120dca1a33a9cbcda8bb9cae117594b6c46316850ede0b919bed061c69de9a0e7cff5d2b

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
55KB

MD5
55340409c31c1b3e8d72f565d0a02416

SHA1
0b782aed58928fb53195e4c54cee5fbf77c21dfd

SHA256
f68a8395a93493d5e4a25f47ba21eb8c4639507beea9b8649d72d528f1e4e27f

SHA512
12a487ec8dbe7f4da3d1dda9d9ddf88b3f43b6c2d4b8bd218b78ac1e76870ddb4d2ec68db60b614ffe84dceeefca52f085dd4948e98e9db29d00ed8d31140c0e

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
55KB

MD5
4ed201ca4d23b1f51f86872a02048fa5

SHA1
c415c5e52489831f577f3af885c140aff991ebb3

SHA256
863c5a257a4be0a8306575bc756b67aa14b0e0e35633553406e84a1c457223e1

SHA512
011d4047141ebbea9929491912b1e74b530b4c3f52ce1fe15ed4c0d3b3d3fed45676131342b37c05097960e4cdad85da69d10fc6bbb783622fc8811b0187af49

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
55KB

MD5
eb802e6cc3fc75b652c553a3bb38da5b

SHA1
3528dd50c9827c15e109b7984b26a5b2201537f8

SHA256
9b0600b314328b4c63c495e1e83cb957f10e65c59ee4a5b7cfcce2b993cc6222

SHA512
8e584ad29b285a11bcce459ef03f661a13889b64e79584ae1949f2436ab31e8b82337d1b203216674537aa69a2d37771b629d06f80f7c61b40563dbfba96aff1

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
55KB

MD5
5a709618606432ff604741349546a72e

SHA1
9d9ee0cfb0e10d3ab7241e29555dfae50f22740f

SHA256
24c1c32d4ad5fa679cfed90d4f0962f7b7dfaff46988acf258cdac59c1059d98

SHA512
866902abe25f5dd2864e14be189520dccc23cea733038adfc51f31cca0fb712958557930a6620f9db80ce85defef2808fb5db008bf1e9db8383a919a46711734

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
55KB

MD5
779e4354be9f0b0ebdc361e0aaa6e3c8

SHA1
1500bbfbf3d40f1b592ed050356b795d9eb7d836

SHA256
316f3adc2f4c3ee3224124b61f1c511e634c80a7a38d93ff48843827b9787ff7

SHA512
86a96e97c7fd80ae4298da8e41b673961446e158971658df496ae786d04873a9c6e203242bbde29af515bd6e35f3dc262bec2ae2523ab29b93e51b9be2ec167f

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
55KB

MD5
802559f59d49729165ef082bd809e661

SHA1
8e859c9376ce26c01b5206236515a4079f794640

SHA256
1d633587106c39262660512c8cfe9b4608f723033736cd5e324c2aa9872cc909

SHA512
62e376b6c6c483e0d4c0e5e547f3a56c6c9665ccc60492b558fe490e5a849dd1ac9c0ffdba7903f17d89282329beb70829ed9f04c8933ef71d24e5c03ee48ebb

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
55KB

MD5
3661533c230ae4ce623bcabbdc08fd19

SHA1
a2d941e11f6da75128e21183a6a2eb4e7b6950c7

SHA256
607c4bc1e9288aa89fc4192edd634195bd58b2f3e68648b709f4e59e2906810d

SHA512
e87f7012831e65fe923bf74ffa7defc2d7b0bcc16d4f68d3f19c4e873c065055244fa811b13f9a11a9a9a1eea8303582b52d21a6122c6e3bb201a3770c05f468

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
55KB

MD5
10d2c5662396c0fb8cd9275ffcd30075

SHA1
542c1f3fa70673e333e856881bdb33f3c4c35a0c

SHA256
7fdf613f2ac42aec60cba1d49acb8447c90b3fb185ecc85a97a4e56030ab18a7

SHA512
4dc43c9f1d9f4f0d79ffa0b282765eae94ba8bb4c2e81e6b0ca3727b0a35bb7629d9a97e856ae296dfdca603a087ce9f0d1ce24122270da6e4179b77d8ffeca4

Download Submit
memory/60-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1236-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1628-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1628-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1948-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2180-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2324-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3296-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3592-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4500-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4968-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4992-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5012-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads