44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07

Analysis

max time kernel
95s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
Size

305KB
MD5

efc2ecdea4487027347d2af4fc307fd0
SHA1

52c8d1bb4c5735ae6fedc5a8fd8d969962fbf81d
SHA256

44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07
SHA512

9351ac7f795548755395048861c6593d453ac4f1cc3d88fa7a992ec3cbebda704b17966d2bc8a485c0e0c361708ce5a4a6e28a0b82c19deb68e502ff7ebe3d96
SSDEEP

6144:iuMI8ibucLLJFlc85dZMGXF5ahdt3b0668:yIfdLVLXFWtQ668

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe

Executes dropped EXE 37 IoCs

pid	Process
3924	Mnapdf32.exe
736	Mgidml32.exe
3252	Mjhqjg32.exe
2164	Mncmjfmk.exe
528	Mpaifalo.exe
3692	Mdmegp32.exe
1232	Mglack32.exe
4136	Mkgmcjld.exe
4756	Mnfipekh.exe
2076	Mpdelajl.exe
3356	Mcbahlip.exe
4944	Mgnnhk32.exe
4940	Nkjjij32.exe
2380	Nnhfee32.exe
2168	Nacbfdao.exe
1180	Nqfbaq32.exe
5016	Nceonl32.exe
768	Ngpjnkpf.exe
4576	Nklfoi32.exe
3540	Nnjbke32.exe
3896	Nafokcol.exe
1392	Nqiogp32.exe
5072	Ncgkcl32.exe
1432	Ngcgcjnc.exe
1528	Njacpf32.exe
1544	Nnmopdep.exe
5020	Nbhkac32.exe
3064	Nqklmpdd.exe
4948	Ndghmo32.exe
684	Ngedij32.exe
2176	Nkqpjidj.exe
1260	Nnolfdcn.exe
3124	Nbkhfc32.exe
4224	Nqmhbpba.exe
5112	Ndidbn32.exe
2752	Nggqoj32.exe
1092	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ngedij32.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ciiqgjgg.dll	Mjhqjg32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Mpaifalo.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
File created	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ngedij32.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ngedij32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ljfemn32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mnapdf32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe

Program crash 1 IoCs

pid	pid_target	Process
1972	1092	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqklmpdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paadnmaq.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfemn32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciiqgjgg.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mnapdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghhihab.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3924	4584	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe	82
PID 4584 wrote to memory of 3924	4584	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe	82
PID 4584 wrote to memory of 3924	4584	44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe	82
PID 3924 wrote to memory of 736	3924	Mnapdf32.exe	83
PID 3924 wrote to memory of 736	3924	Mnapdf32.exe	83
PID 3924 wrote to memory of 736	3924	Mnapdf32.exe	83
PID 736 wrote to memory of 3252	736	Mgidml32.exe	84
PID 736 wrote to memory of 3252	736	Mgidml32.exe	84
PID 736 wrote to memory of 3252	736	Mgidml32.exe	84
PID 3252 wrote to memory of 2164	3252	Mjhqjg32.exe	85
PID 3252 wrote to memory of 2164	3252	Mjhqjg32.exe	85
PID 3252 wrote to memory of 2164	3252	Mjhqjg32.exe	85
PID 2164 wrote to memory of 528	2164	Mncmjfmk.exe	86
PID 2164 wrote to memory of 528	2164	Mncmjfmk.exe	86
PID 2164 wrote to memory of 528	2164	Mncmjfmk.exe	86
PID 528 wrote to memory of 3692	528	Mpaifalo.exe	87
PID 528 wrote to memory of 3692	528	Mpaifalo.exe	87
PID 528 wrote to memory of 3692	528	Mpaifalo.exe	87
PID 3692 wrote to memory of 1232	3692	Mdmegp32.exe	88
PID 3692 wrote to memory of 1232	3692	Mdmegp32.exe	88
PID 3692 wrote to memory of 1232	3692	Mdmegp32.exe	88
PID 1232 wrote to memory of 4136	1232	Mglack32.exe	89
PID 1232 wrote to memory of 4136	1232	Mglack32.exe	89
PID 1232 wrote to memory of 4136	1232	Mglack32.exe	89
PID 4136 wrote to memory of 4756	4136	Mkgmcjld.exe	90
PID 4136 wrote to memory of 4756	4136	Mkgmcjld.exe	90
PID 4136 wrote to memory of 4756	4136	Mkgmcjld.exe	90
PID 4756 wrote to memory of 2076	4756	Mnfipekh.exe	91
PID 4756 wrote to memory of 2076	4756	Mnfipekh.exe	91
PID 4756 wrote to memory of 2076	4756	Mnfipekh.exe	91
PID 2076 wrote to memory of 3356	2076	Mpdelajl.exe	92
PID 2076 wrote to memory of 3356	2076	Mpdelajl.exe	92
PID 2076 wrote to memory of 3356	2076	Mpdelajl.exe	92
PID 3356 wrote to memory of 4944	3356	Mcbahlip.exe	93
PID 3356 wrote to memory of 4944	3356	Mcbahlip.exe	93
PID 3356 wrote to memory of 4944	3356	Mcbahlip.exe	93
PID 4944 wrote to memory of 4940	4944	Mgnnhk32.exe	94
PID 4944 wrote to memory of 4940	4944	Mgnnhk32.exe	94
PID 4944 wrote to memory of 4940	4944	Mgnnhk32.exe	94
PID 4940 wrote to memory of 2380	4940	Nkjjij32.exe	95
PID 4940 wrote to memory of 2380	4940	Nkjjij32.exe	95
PID 4940 wrote to memory of 2380	4940	Nkjjij32.exe	95
PID 2380 wrote to memory of 2168	2380	Nnhfee32.exe	96
PID 2380 wrote to memory of 2168	2380	Nnhfee32.exe	96
PID 2380 wrote to memory of 2168	2380	Nnhfee32.exe	96
PID 2168 wrote to memory of 1180	2168	Nacbfdao.exe	97
PID 2168 wrote to memory of 1180	2168	Nacbfdao.exe	97
PID 2168 wrote to memory of 1180	2168	Nacbfdao.exe	97
PID 1180 wrote to memory of 5016	1180	Nqfbaq32.exe	98
PID 1180 wrote to memory of 5016	1180	Nqfbaq32.exe	98
PID 1180 wrote to memory of 5016	1180	Nqfbaq32.exe	98
PID 5016 wrote to memory of 768	5016	Nceonl32.exe	99
PID 5016 wrote to memory of 768	5016	Nceonl32.exe	99
PID 5016 wrote to memory of 768	5016	Nceonl32.exe	99
PID 768 wrote to memory of 4576	768	Ngpjnkpf.exe	100
PID 768 wrote to memory of 4576	768	Ngpjnkpf.exe	100
PID 768 wrote to memory of 4576	768	Ngpjnkpf.exe	100
PID 4576 wrote to memory of 3540	4576	Nklfoi32.exe	101
PID 4576 wrote to memory of 3540	4576	Nklfoi32.exe	101
PID 4576 wrote to memory of 3540	4576	Nklfoi32.exe	101
PID 3540 wrote to memory of 3896	3540	Nnjbke32.exe	102
PID 3540 wrote to memory of 3896	3540	Nnjbke32.exe	102
PID 3540 wrote to memory of 3896	3540	Nnjbke32.exe	102
PID 3896 wrote to memory of 1392	3896	Nafokcol.exe	103

C:\Users\Admin\AppData\Local\Temp\44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe
"C:\Users\Admin\AppData\Local\Temp\44e7c606fee179bc2a3d0e9f9abca997074ec6fc97e41fd812326900d92c7b07.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\SysWOW64\Mnapdf32.exe
  C:\Windows\system32\Mnapdf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3924
- - C:\Windows\SysWOW64\Mgidml32.exe
    C:\Windows\system32\Mgidml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Windows\SysWOW64\Mjhqjg32.exe
      C:\Windows\system32\Mjhqjg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3252
    - - C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\Mdmegp32.exe
        
        C:\Windows\system32\Mdmegp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1392
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3064
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4224
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        38⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 412
        39⤵
        Program crash
        
        PID:1972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1092 -ip 1092
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fnelfilp.dll

Filesize
7KB

MD5
a4444e09e0772fd96659d03049f683b6

SHA1
4546b853f23681ff83902aa0471d46448a35b441

SHA256
3d2be13fa3d2878e37c587e4376d078ddfd101262ac61d701180d5ba254355c8

SHA512
f3267c705110d74bd7418a57f71fbebe36b37067215b28cdd5715eaa207fc4e57542d18e95d4f0d6d5db1b9846c12f2bd8cdd712ba8113f411564576e3319a42

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
305KB

MD5
edae838c9cc198cf3014825cecc4c8ce

SHA1
ee223ee0d2f0f669797d020b47252cd12eb3e5a1

SHA256
404a395ea0b9f775d4ea131cb37bb2a3c049542fa33f58ac8ac9eb3026a3ea41

SHA512
e8ac2951168e3f187d474e4c436d4eb7fc101338b9da61f8a1087f4a9f3ec1b9485250b30a576374f0dd6688177ae31fe7cf948e77661dd7cb31772058eade25

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe

Filesize
305KB

MD5
bed8ad438d380ff0f0d1fe352453cbd1

SHA1
c571c4edb011d3262d5b34244abd83b98155f236

SHA256
bcaae4691d32a7997239b9fee4947ae5eef296de8d1e784dc183be1559d78b55

SHA512
9407d57a453f6a2511805aec7856d7a1fc7ea6a82d6ce23b95c3316c53c39a1231488668e36d1840774259b6bc9eb573495a936919ed89f6c4ecfee76552f694

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
305KB

MD5
538a49dd6cfbd5bb32d53c65ba485f0f

SHA1
1967b3e69e00bae7c0fce3fdc117160816e40b54

SHA256
43dfb0626af58296796548163a9506241dde99ed405d2ea1fb1741a9be8941bd

SHA512
a33fc6490424b5ceab3f987ade4dc5cd58b597868464fef1e1d7ce3426ef617f0f9ce7ed959ef5c60575c66b2e839c3be0332bb93ec5e4c9a7c21047fd4ea113

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
305KB

MD5
69eacc06f245857a242a349d82fe946c

SHA1
a4a5ca7b6f8145347e5d6a2dc5a15c70fb49d873

SHA256
a4469fa9bde7127f8a0c67b65a6d4dc7d2a3e0f595ad752bb5e68dc3f4d6c171

SHA512
0fd461c0d64aa76741ad52496f204d5c4532d0193253c642464d1dedfe013eefc52b1633815c73cce3db8a9ea2605935f003956023f39595d85d3cf3197c8a1d

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
305KB

MD5
2b0281e020ca98d5af176ebac8431190

SHA1
3998f4e29aacd7850a9f26e2eaa0b6257a54a465

SHA256
a64138eb62429a5300569cc6536a21d1acc47cb2516d9ab17026739617ea8cc1

SHA512
8132cad7dc0cd8ad3cc1622948e027a272f2ad8ccaa0292d1fae46b49bb13653e16f875d38c1314d68b6415a49686243323281ebd8af88614166c3e9d651c1b5

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
305KB

MD5
b845b6f0f1c5e58980cf5c056199819f

SHA1
f481ea782603a29ad290284ac2fb32f0ae235751

SHA256
0e811efe86e1f180a00159075e332c44be5a89d929cf43370fc74c68ce00b61c

SHA512
f2a0a6a020817d31c356b2028bc11524d354b91650278665288857ea645c1d30b9412510385807883e132e6a8c5e3f3dd8bee28295950a58480c1dd73329d68d

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe

Filesize
305KB

MD5
ba091c6bf61b23fbafee7ec67891cb71

SHA1
59554a9a40736b8a2eb58f752a50c5b52d00a1a0

SHA256
37dbc4aa7ad8ac474c1ee114e850807d81841ec8762a733951c74ba24ff64378

SHA512
bba8fba0bc1bd51e8b7e63fca9bee1398e8f7bd9a6693cb3603680d1cfd7a878db4ed331b1dc9f6d0e6dfe1147ae50e4231f44f82b53cd6e7da8bf7856bbf167

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
305KB

MD5
e12593b2fcdb8746098ed9ededbab0ed

SHA1
1faab16403eac635d3cc6b5edae77fa4baf478c9

SHA256
e51375c3529ebbb4377cc065aa1f5c7cf6f0a56bc25df7af635d9e8b29f97484

SHA512
2651c29234ac1a7fdda1240a8753b024745ced966c2b90fcf6ddd81e72125aa436693c997aa10842cf05609d697496abcb54415f760151c9a350de68ba821ee0

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
305KB

MD5
8ac48482bc7ea0802ebb70f55324a185

SHA1
334a27022c72f7a6d00afbefd538dfc000b2453d

SHA256
7c6cd30e7c0794c60a64bccc988e81f01ff1619275663a5c2b43e9dd8b234a1f

SHA512
5d9953f1073391a4732f666ed749dd37a41a3bfb51b34c2fc2bcb03e7d3ee4738283aa959510e3c33041d1194a44444eacd21a56ed57875c8df72382bbafaebf

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
305KB

MD5
ccde561dfb7a7d6d4f11bdb6a741a069

SHA1
9b1d1e0988e2b64d37b0cb38f9acfc94eb7e0a72

SHA256
44b0da19d98d7972539bd01cdd5238d54e924506cd0d8007ddb941556f1bcc9d

SHA512
44f4b336d2ad499f791343e6d360f17610965df22d52a6c2e38afd0fc2231ce04fb0c9f5a24c55b14384a843d722abde99d27be79198afc92cb8ae1bc4401149

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
305KB

MD5
e3f4d1e04cd2f1b114c16e143125b36c

SHA1
e7c3d48fd2282cf0d6728c3852265ac2ba51c0c8

SHA256
84a520a1b30bd8387585d0aa155a9601e79bb9057cc6a2cd7ff4e9459309190e

SHA512
57abc18f58fafee40e71766348c35f42d2deb9858248ebc7ed50c35ab1dba275eea28af27bf1aff7979d8bf7648ad40e00b4588c9d26496f73515c1564f200a6

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
305KB

MD5
6e39085e1524f616f625bd73fc6cb84f

SHA1
87c2a84ad135099ad74036c82d2e57657763e89e

SHA256
61ae9356d8df4879479df866c1c9150724590356d6a4219a75fca65759834d61

SHA512
7159741819a4c432ce4a472ea83c8533190f5ff5b696fb8a219d62d478dd2e38f231f94ce4b0310457b480a6fc097e1d62207c81f41ef3279742c1a8a5bbf021

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
305KB

MD5
d96ebbaa46c58133ef936d9d57ab55b6

SHA1
59dfb01329be1f967692260a6fff4c83bdc7e88f

SHA256
d32eea6457563680a7b32242714e063c4caafb9a9f1294f7d917acbc07d3991b

SHA512
dde20848d7b3a755ed5c574e74943bc8cc5a610b9305717f4f102d0dfb32e06db77a11bd0f253e03bec4dbf9f5df67aeabde95f1d348c3f08d5fd2833af96116

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
305KB

MD5
a75971871298e11b98623a07437b71de

SHA1
3455563e7b1012613177e504dcc6da3188c5de7a

SHA256
c90ba2fcce81b5804dcded2102ab8df5e71ab7bfebff50af39c6c08329a8b9fb

SHA512
51e2e6b2bf0d09ba65eba0fce9be39e0b28c1ecaf88f97f02a82ace3954b03e92a797afde997bcbb0a310d546b00f7bf4ac9bc66af3bc90f69b8a7139f44d0cf

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
305KB

MD5
990d53cd39c507aca92e94848349d9c6

SHA1
ecad13fe5608d2aadcd7fbe5c9e3fc55e304380e

SHA256
7d3bfa8455ddbf37b1b8b811d6b8b1f72f5f180d7725e302ce3a35a4cd70e8b7

SHA512
f8175f39cda688a38cba2351b395cb3b3924db4d54d92ac2c57c3bbe84e79bfbd66ed8bdeb1cfa2d345e9b541065740f977eaa847e12bfbda3d8ddfc5d549b44

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
305KB

MD5
50d66acf4792ef7dd40a8c1f66efe9bf

SHA1
8521364ce0ed175d990b43901185bd3f33caaf07

SHA256
2586f6fc303f0b0e9792927b0e03c823162f4c7fbe845e09ed6ba866646bba32

SHA512
756a83c5d74c2a0083017f913f3c6a2d313538b13ffc035c89023f6019a541b69c482b61e7c10e6fc0fad483d1819718bcce98fab7a04d0db0caf50bd996a61f

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
305KB

MD5
afae40a3da33c8fa7db48c9a9d5f1be8

SHA1
ce830905e0706fd506210b94ca1efd232e90b098

SHA256
31bc6df2f67dc85df831f8459a706afb6399262c665d37e0f73d95ba533ab701

SHA512
c6b97096fd69626ff65c164ff829c0ce120e6892acf4ff90c070e788309196c192b28f5491b80c5587b7a7d49a4018453287667f3e0cc82557f681e8249b154b

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
305KB

MD5
dab081c9f373173d04c2d236a03ba6cd

SHA1
1ba7462d7ba3c1c113fcb8fe585e0db6eb12389f

SHA256
55c4be2e6507e987d891cedb4149aaa9ee742d5ceea17ce959146ce0ce951db2

SHA512
6ac202a7b54cd7c163360c67c05fe07f1a18133d6b5402e1d5891bb4cc02307575651bad03f710b56939ab9d69dde0b8540ebfce28b2c11cc2f8d1da28107a5a

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
305KB

MD5
4e1bdf502136b8eb8cd8ea3922d2b589

SHA1
9c79d340bbf59c3f4051b43c8546941e94a4a4b1

SHA256
1085ec530926b73d0a94bddc3bb3f11f0aae734d8c4001e3d5823170764b898f

SHA512
2f3e9c10b0da29006fad504d27cc790d808cb951bab5cbb016b6d52cfafe3a5004b576e780831424869a6cf6d26e9c41537911e46f297bba7f2da273d015243e

Download Submit
C:\Windows\SysWOW64\Ngedij32.exe

Filesize
305KB

MD5
7b334f8190585bec2e67929da4e7ac64

SHA1
832b013b29a5cb52247f32e7ce80d8b3d627decc

SHA256
629f41cdad163ba664d768d57bda085a468fae39833d62b7d60eff01ec427ebe

SHA512
9d8a7d5111e5aeadbcf22918d993e470922ae82a7f1b9aa85fc43b635fd8fa94c39804365934bf9806b78f49e7c0231900c794bc2de2f079ec7ce5a6537ecb28

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
305KB

MD5
c839b7af583e62e5370d132bf0b6b719

SHA1
7a19bcd1468924303823fe73c24a3ae14ff9948e

SHA256
4afd0027019bd7b84348020bd25b642b47888601801aa77843ebb2ec0ecc2cea

SHA512
7819ee225cbe294c79399929fd48081f444ef8f735e13e9d14d7534d4a4df73c8136774fbcb8a23641d17abb0eaa6bd9210e66ad508d95db9824539a4913ddb8

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
305KB

MD5
68bb5b28bcf56dd5c1e2a3480e4c3288

SHA1
5737baac7c1036a4336d40add1ce4e638d39255e

SHA256
e9c479575cbc41c50a286aecd2e8550c368741c8c26de186fc3c1c97b8ed59bd

SHA512
12c155341505e3ac144c334f4a200a7e533c1dfff181c94ce98b687d8647b5819e5a94e008a75a20539f9fff89de1d99b5df0a2add59d30b7f94320848557309

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
305KB

MD5
c1299c2a32e5f0d91f12402702d34935

SHA1
865152ee7c1f368780d5bfe6e2a430a5d20fd8a3

SHA256
149bb8850255fc9a865fa38191ca910c09864639973c22cd6d48195dcd46922d

SHA512
6f20376ca919058c8be4b04dc65d42d992078fd0b8d54f17e12488d6799482ad69d9e2d197efacbcf66baea33c7ca603c8fbc7489f71e1706f6baa338e87dfab

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
305KB

MD5
6a63311aa39f99b3b0013c476c8e86a7

SHA1
967e9e7900cc35ca6a723c1663feaa06361e72ca

SHA256
32b3c49f53fdf16535617e0f72017d94efe0442c57e0e501a70f59f7f9caae4f

SHA512
451a19daa80ceb6e25691850c3df02a1a38358565b48a5f5783f4869e07a488c3ea4767547fb5fcb9d70c375c66fb777a0f26784b1ce60130dbc38032c13e694

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
305KB

MD5
a2d3eb9e1ed2ed84fe28038810ac7ab8

SHA1
90c9bad73f3dfbc3856cbb2e973d4865172386c8

SHA256
3507a66df03201376892030d52fbf3225015de5ba9936e1d82c0eee872cf1152

SHA512
df8364dd4e8ecf2a859bf1ab52a61303d237ff977e5f1585b6bd1d5c13dfeba473c44ce0ed596855f532eaca196f49ebf5cbf284ec4a546c496c08943a2f1bdf

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
305KB

MD5
965141df196997a0e16a5adb0fc2800d

SHA1
d53ef6fe354a2bf4895c25711b3df2be96d395db

SHA256
f05ea71c28bbb93bbb1e6f9903a182f64421dd954a99100c32256c1d5a2c5723

SHA512
2ab8d9e1737ecc09c4e6c3a277e55f65c1abc108f87c62e375d4ad442aa9f8d06ab0ea656604f9d721581af3138df98faa630846dbced3dd512a6f3c62684c43

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
305KB

MD5
be7c7bdbc21ec1f6cb7715500bbe909e

SHA1
e6f923c86c3abc718df0208c133a7988133a8fcc

SHA256
b83b289e46127f99404ce14bcb2f9adff1bab3be5f3b02935bffd8fd81c61efd

SHA512
ccbd5ba124776b43aad0bb7807c6e62e1f65bbd16326d6291585165ccd3818bb80795deec8352214d98d9e68ae33399cd792925ecea895091b10c3cd8ce46b05

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
305KB

MD5
9c9feaedaf331c1a404e024fe169de97

SHA1
44c5151993eccbc7fa7949f06a8a6230227b01bf

SHA256
93fb98b566ec26824b4b96fa58f78f0f88399f74f3481f34d321d595958ee1b3

SHA512
277d2f2aad9dcb58c84ad2e1ba2b6e9ee3e8ac684676d2f3f6640f60e94278af64d29e266f649947e8f2bfadcae185e7fdc13b961fd9be2d7329752342d333c4

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe

Filesize
305KB

MD5
e3f8bec0f3ffa43e9bbfc4cb5e12f13b

SHA1
28ed6a2b3e0b1ad788986d329a651eeffa94704f

SHA256
a7ec7ab12ea336ed94e3b6442e1be3cac376ca90f1941c29d9b0ce6e229f396c

SHA512
0b695bc5a181cda5106a77aad519c8c4f48b185a725700699b1f4052e3f9bb1bc29d6a995df4ecca45579fd122a88db95b022a6083195d21ab8a6c2f7547359e

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
305KB

MD5
24f03ace36374a6f6e869215c607c84a

SHA1
430ba23e03b31ff5029a0c74b8182375750c21b8

SHA256
162d241becec225dc4a7f9a8a6e36d826b62c7e2d89e1eda904eb96e5a470615

SHA512
856e1fc4619ea9cbdbfbfc44ce46f721179afb68938867e9fec416a5f5d23720022e43ee7dbd98667926e45accb3b7aa041e058776aa7fdb2cb327d9d19a82a1

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
305KB

MD5
6a5d9140bb0dcd6e93bcb5ccb7c71bbd

SHA1
3a76e648489b831865d83a14b97918f9cb6b1a9f

SHA256
b50865d0264f88eeda095c06b0187b8a5d6fb713182094331b605d21a844f36b

SHA512
c20d89cfb19b2c8cdd4c53ddea71e4798034532e81b3a81b26af82cfdb269feb78814c3e854faf96c1f582e28f533aa41984e4259e461f33621994a652856385

Download Submit
C:\Windows\SysWOW64\Nqklmpdd.exe

Filesize
305KB

MD5
e9bca20c9095712b3f70ca9cd8077763

SHA1
305e020c7eea28907a8174f704487ee78a16b416

SHA256
1767c245672f656162599143c9ba7093608b3ea9dbfc25a40434cece1e72afd8

SHA512
17dc7a72b64ee1649ba6950462babc4a97c81f6757003b54a35efe715e3a9bbf8ab7aa666698748cbf2b6c1bfa58c3723b5397ee50e4fa7df6c58aaf8e720db7

Download Submit
memory/528-44-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/684-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/736-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/768-277-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1092-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1180-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1232-266-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1260-260-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1392-281-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1432-283-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1528-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1544-285-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2076-269-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2164-36-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2168-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2176-261-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2380-273-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2752-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3064-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3124-259-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3252-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3356-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3540-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3692-265-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3896-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3924-287-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4136-267-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4224-258-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4576-278-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4584-4-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4756-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4940-272-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4944-271-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4948-263-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5016-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5020-284-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5072-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads