2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Size

55KB
MD5

a19a85e22962ac6e4c829c3cd8465360
SHA1

515e42e710eeb1f1244d68087b288a570ff75fbc
SHA256

2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91
SHA512

d140ea0dfdf064ce970073b83228573d2ad4aa969dd22a5c26247ae612a9faca03367dec2c53c6a54131264787e96ae15df5656006b912dcf85287f9e7527d26
SSDEEP

768:kYbFUQfVobJWckDCOYegQ12oa5VjbYSqqUkXnjHZo47DIeUkTZlK522p/1H5vJX3:tbCQfVob3tpeKRfnYSPjskTZMs2LFr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkncdifl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe

Executes dropped EXE 24 IoCs

pid	Process
2900	Mcpebmkb.exe
380	Mjjmog32.exe
1316	Maaepd32.exe
4856	Mdpalp32.exe
3904	Mgnnhk32.exe
2232	Nkjjij32.exe
1992	Nnhfee32.exe
4560	Nqfbaq32.exe
2792	Nceonl32.exe
2016	Ngpjnkpf.exe
1680	Njogjfoj.exe
968	Nnjbke32.exe
2216	Nqiogp32.exe
3712	Ncgkcl32.exe
1384	Nkncdifl.exe
4108	Nnmopdep.exe
516	Nbhkac32.exe
4576	Ndghmo32.exe
3008	Ncihikcg.exe
3668	Njcpee32.exe
2144	Nbkhfc32.exe
3052	Ndidbn32.exe
3800	Ncldnkae.exe
1120	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Bebboiqi.dll	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
File created	C:\Windows\SysWOW64\Fhpdhp32.dll	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Nnmopdep.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Jkeang32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Cgfgaq32.dll	Nkncdifl.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Kmalco32.dll	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nqiogp32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nkncdifl.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Pkckjila.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Pponmema.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mdpalp32.exe

Program crash 1 IoCs

pid	pid_target	Process
2476	1120	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeang32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddpfgd32.dll"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncihikcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgfgaq32.dll"	Nkncdifl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 2900	4524	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe	82
PID 4524 wrote to memory of 2900	4524	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe	82
PID 4524 wrote to memory of 2900	4524	2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe	82
PID 2900 wrote to memory of 380	2900	Mcpebmkb.exe	83
PID 2900 wrote to memory of 380	2900	Mcpebmkb.exe	83
PID 2900 wrote to memory of 380	2900	Mcpebmkb.exe	83
PID 380 wrote to memory of 1316	380	Mjjmog32.exe	84
PID 380 wrote to memory of 1316	380	Mjjmog32.exe	84
PID 380 wrote to memory of 1316	380	Mjjmog32.exe	84
PID 1316 wrote to memory of 4856	1316	Maaepd32.exe	85
PID 1316 wrote to memory of 4856	1316	Maaepd32.exe	85
PID 1316 wrote to memory of 4856	1316	Maaepd32.exe	85
PID 4856 wrote to memory of 3904	4856	Mdpalp32.exe	86
PID 4856 wrote to memory of 3904	4856	Mdpalp32.exe	86
PID 4856 wrote to memory of 3904	4856	Mdpalp32.exe	86
PID 3904 wrote to memory of 2232	3904	Mgnnhk32.exe	87
PID 3904 wrote to memory of 2232	3904	Mgnnhk32.exe	87
PID 3904 wrote to memory of 2232	3904	Mgnnhk32.exe	87
PID 2232 wrote to memory of 1992	2232	Nkjjij32.exe	88
PID 2232 wrote to memory of 1992	2232	Nkjjij32.exe	88
PID 2232 wrote to memory of 1992	2232	Nkjjij32.exe	88
PID 1992 wrote to memory of 4560	1992	Nnhfee32.exe	89
PID 1992 wrote to memory of 4560	1992	Nnhfee32.exe	89
PID 1992 wrote to memory of 4560	1992	Nnhfee32.exe	89
PID 4560 wrote to memory of 2792	4560	Nqfbaq32.exe	90
PID 4560 wrote to memory of 2792	4560	Nqfbaq32.exe	90
PID 4560 wrote to memory of 2792	4560	Nqfbaq32.exe	90
PID 2792 wrote to memory of 2016	2792	Nceonl32.exe	91
PID 2792 wrote to memory of 2016	2792	Nceonl32.exe	91
PID 2792 wrote to memory of 2016	2792	Nceonl32.exe	91
PID 2016 wrote to memory of 1680	2016	Ngpjnkpf.exe	92
PID 2016 wrote to memory of 1680	2016	Ngpjnkpf.exe	92
PID 2016 wrote to memory of 1680	2016	Ngpjnkpf.exe	92
PID 1680 wrote to memory of 968	1680	Njogjfoj.exe	93
PID 1680 wrote to memory of 968	1680	Njogjfoj.exe	93
PID 1680 wrote to memory of 968	1680	Njogjfoj.exe	93
PID 968 wrote to memory of 2216	968	Nnjbke32.exe	94
PID 968 wrote to memory of 2216	968	Nnjbke32.exe	94
PID 968 wrote to memory of 2216	968	Nnjbke32.exe	94
PID 2216 wrote to memory of 3712	2216	Nqiogp32.exe	95
PID 2216 wrote to memory of 3712	2216	Nqiogp32.exe	95
PID 2216 wrote to memory of 3712	2216	Nqiogp32.exe	95
PID 3712 wrote to memory of 1384	3712	Ncgkcl32.exe	96
PID 3712 wrote to memory of 1384	3712	Ncgkcl32.exe	96
PID 3712 wrote to memory of 1384	3712	Ncgkcl32.exe	96
PID 1384 wrote to memory of 4108	1384	Nkncdifl.exe	97
PID 1384 wrote to memory of 4108	1384	Nkncdifl.exe	97
PID 1384 wrote to memory of 4108	1384	Nkncdifl.exe	97
PID 4108 wrote to memory of 516	4108	Nnmopdep.exe	98
PID 4108 wrote to memory of 516	4108	Nnmopdep.exe	98
PID 4108 wrote to memory of 516	4108	Nnmopdep.exe	98
PID 516 wrote to memory of 4576	516	Nbhkac32.exe	99
PID 516 wrote to memory of 4576	516	Nbhkac32.exe	99
PID 516 wrote to memory of 4576	516	Nbhkac32.exe	99
PID 4576 wrote to memory of 3008	4576	Ndghmo32.exe	100
PID 4576 wrote to memory of 3008	4576	Ndghmo32.exe	100
PID 4576 wrote to memory of 3008	4576	Ndghmo32.exe	100
PID 3008 wrote to memory of 3668	3008	Ncihikcg.exe	101
PID 3008 wrote to memory of 3668	3008	Ncihikcg.exe	101
PID 3008 wrote to memory of 3668	3008	Ncihikcg.exe	101
PID 3668 wrote to memory of 2144	3668	Njcpee32.exe	102
PID 3668 wrote to memory of 2144	3668	Njcpee32.exe	102
PID 3668 wrote to memory of 2144	3668	Njcpee32.exe	102
PID 2144 wrote to memory of 3052	2144	Nbkhfc32.exe	103

C:\Users\Admin\AppData\Local\Temp\2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe
"C:\Users\Admin\AppData\Local\Temp\2ec0bcef13fa01552c1ae70295e0636ae7bb122b93e55dc9f324285aebe9cd91.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\SysWOW64\Mcpebmkb.exe
  C:\Windows\system32\Mcpebmkb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\SysWOW64\Mjjmog32.exe
    C:\Windows\system32\Mjjmog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\Maaepd32.exe
      C:\Windows\system32\Maaepd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Nnhfee32.exe
        
        C:\Windows\system32\Nnhfee32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\Nkncdifl.exe
        
        C:\Windows\system32\Nkncdifl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        25⤵
        Executes dropped EXE
        
        PID:1120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 412
        26⤵
        Program crash
        
        PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1120 -ip 1120
1⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Maaepd32.exe

Filesize
55KB

MD5
1efdeaea8f49ecd7b13bb16c15fa7625

SHA1
49bcfe7280ed73f2d1f6e532310213f2f60b93c0

SHA256
5653289895b1ca05157768b9844d26b14b73d60fdc46db77cbcf67af271ac47e

SHA512
8a9367ed700132b9954e9d0a1f1bc54ded03d91cad8743557c9c64762de00f638a3da6f02563c053dbbcf1d0629aa5bb2c9ffd5275a1472ec99ee829e79d7711

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
55KB

MD5
5fbf5da1caea0aad181fda9be03000a9

SHA1
2fb0e041543e889a8a5a854ad2819e5a45f6b8a8

SHA256
007a2e327394014abf673016108a388e81896581c0b73947aa8b4b0768073d87

SHA512
00f015951dae40a6898f1ca56ee0d8bb2ddf6bc28d43e9682a386ca78e7b74e948ba11712d7a8d75d05b5976135598901e671efb9fa4856adaad227cc69dc2a0

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
55KB

MD5
635cb369fb0446f9828b656d53a34a6a

SHA1
203b201d753367f9dc3e792e15acbeec3f1726ef

SHA256
602845a980ca622c36c480ee7ecc0d4faf7989d67abf55f1f78083c992f81858

SHA512
9a76173bd72ecc67b90edba0a2c50184480fc5176d8ec4b42426759e81695a2feb59be74da9dd4fe50d192b5246c97201da4c0c77f4210cb3d6d16e3f02ae063

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
55KB

MD5
4e97eaece64430e3bf551df1be972090

SHA1
4dca0757dc916019d9addfd66f0c3b92eff32644

SHA256
244f2dd93077290500a6ebb13893edb34f23cc12356d7ff726acd7009032fe58

SHA512
de0b8d107d8e66b86eba176fe7f6203bb43991dc44249dcfe84622fd0121d59b1c91c3bb91bc77456e5d82b011b8624389b40f294052e5fceef4c38fe4110111

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
55KB

MD5
64bd674c104e7496b1f67c6d98fa8269

SHA1
2e5a7f3830e6fa3a1eeae1e34ef81c7e4f9df1d0

SHA256
0ccc4fe16a22a9322a76c4bef66f60e133154b883b8e3aa7ffd00c03a9737c65

SHA512
2935eff1fc98ca82e3261e9d5a6ed63a142fc2b72913682ec9c34b4525f17cc892b852816538d8e1682376a1e847cb7bff13a6a480397d256e3b1d5cc31b4b2e

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
55KB

MD5
1a533b9c077bc3fa3dffce5192689d87

SHA1
fee6e531cdb5c9573afa262bef806b651211a483

SHA256
7015653cd3b8a3b203558dbd260acd6d41efd38852e5df53326188616502aa16

SHA512
54eaec6f428700eda00ff28575d461c5373b805a2143f36c9596a4650fb18ada1069d2d1298b6426befffefeaeb67a98636af1c6160eab5187b1ca7dca3a555b

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
55KB

MD5
9d4549f249e59dea79ef07b9579eabc8

SHA1
404436c6c445bddcd80a6cad3b5c4fb850de164a

SHA256
a8f4033f803bd523e15c7152204614ba7ab5e471e3479349b9fa008b0cd5e800

SHA512
7c8839840371935a191c81d485ef55535b09aaac386a3696e889fbc8a2f320bfcfb82ce3348e27b3a9eafba8ec1cf00edc535e02800ec576f33caea2ec4ff71a

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
55KB

MD5
cd0445a092aac2f2e0e4da6fd254c0c6

SHA1
c7214c10926fd05e2a54d73b33c2dc3fe8f1c0f4

SHA256
8348fbcba41b079f6a2d29da69224a8b0aebdb58967533180f157fdd39208605

SHA512
4506498523e71b181e8fc8cd80dfaafdc576f8dd1e40c79d350a73ba262f37aa48dbfaf4f4e16f30e1d307ade4ce3fa0f1287a865b40cd5538a0631da1695ce1

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
55KB

MD5
4f9109b0fe9f6194bcddc365eaac8398

SHA1
4f17a99ab167c74292173a6290793fb24b543eeb

SHA256
06b3245166951194c5047b414a540fd1d9e1f2e57cf03f07c795b3fd9ed463c2

SHA512
370d589eddaee2d8c48df532252823c501e6d2966d091438b1a0d5f9cfeaf96776161f5e0ce859bad26d5933d2796140424485712d1e55bcc386e76304b341c9

Download Submit
C:\Windows\SysWOW64\Ncihikcg.exe

Filesize
55KB

MD5
aa58c12ceecc91add4342be41c0a6df6

SHA1
1718b20e53bc9844ae8542d9117dc2f53fec6ba6

SHA256
3eda55d422ccd7e305f167b349078013a8432b0a21bce39ba1cb32dc17425011

SHA512
5f6d27e03b71280d990555040d538f70641ac1ad975a638016f95c8de59e47e15d4a4379377eaa67bb526e38e85fbe75b6e1af970faab3fed8b73d74ea4fae56

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe

Filesize
55KB

MD5
01d61762e3fb142bfbe15796d4e3d318

SHA1
7ba3496f707da07dcf32b10ceed72098559a2359

SHA256
3f46dce4b8f85bcd30a20a76aeb9b4e19f918156482df1b68520bedd87080ef2

SHA512
1bd5a81f9617694290387b0755dccc69545d4cb356730e64493b03d20522508efa74eccec0973c327f610c8d004ddaf0223ebff913b0654afd39091fe1591656

Download Submit
C:\Windows\SysWOW64\Ndidbn32.exe

Filesize
55KB

MD5
fe1bdd20a4ae813cb455faf09615a18d

SHA1
604211363cb56153cb176787ff4014c116b7dbb7

SHA256
b853941e74a02d36f73991c1b076225c23bb0f15d09ad434392a5783cfbfd455

SHA512
ab560312e4e0fde7958cfd2671bbe4f24c1a6b7b77d423fc555d48f7add43f7532a523cb48fe3b343e8fdacaabc22e4bf7d1e529615392325663d5c8429adfd3

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
55KB

MD5
64d51dc0c2622802b6bf188a71bd2f5b

SHA1
941c520a4a041939247fa6c74e022b41e561a939

SHA256
5cc474f10965eff0fcb8b425a95fc06e1e6c3b18259fd01ddedbe1133d6e778b

SHA512
b7e1a7b453f4879cf95b733bdf7a72a40852f2bb1746d1ce0ccbb047b542799e08fb864475a5790b7e6d1ac39e195f9c32bc0fd0579d78cd115cb53d8e2a069d

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe

Filesize
55KB

MD5
a840367f567be1c2910b925173235c79

SHA1
197852d94c99129fb93dfe4f65df81b355643537

SHA256
df128407d6f0345e4dc5fb8e24750aaff3b645389a9c43d695594c92d9a5bc8b

SHA512
0f0b007980f903acbb88103b988ff80fd6f7b5990f0c0a71ce392f50ea419725dd9ec9b24713d57c1199ce350aedaadf6b7a3b0b05133f8aec268a94ff6e5f49

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
55KB

MD5
5c26dd16a9535d46652d8cb184c11e22

SHA1
dd178cd0926dd3563ed58f07da021092e7100bab

SHA256
d6b14d39340816eb21744f87b80d813b6e6d0b6a7a3a6f7bc8f3008b0173f53b

SHA512
fc288fbf0f0ca2743966ead89b8a7e7b55c1f05f294bcbbaace9e19fef4414358a98a5a2fce3edec90a6240dbfbf82d270116df6cab738df45635297f60528a5

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
55KB

MD5
48b76e1bd51e021543648dca10f9ad54

SHA1
abb0cb09a78e7eb2c2645e3f5de5107dd974ddc9

SHA256
6944bdc92733e40a6fb6da0cc9981d4470b2c4c263dc63607473870fa422b6a7

SHA512
afdaf814fe090a5114aa2e3bce1fca2990c28968fcd6af587cf06f6795ce7a8c0a94d2e883bf7495f23fa88d97dc17a70ec5cb7d2efa9348235038cf6cbd8254

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
55KB

MD5
fd4240cede2f625a865b712d15fa472d

SHA1
2c81d13a47b6991691c96ab21813b42d62482b59

SHA256
a7165b782eda6dd8f5e2e0d89bdf703a1c599837af46827119df6d742122691b

SHA512
f31acd7d0d4edfd18d01a0162087f4cb2f08972ec5b77d6f7ed30fc1c7a7015a074e91f2e704392d24501b1f931622e365fc37eb9bcbe595ed334714dbaddfc5

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
55KB

MD5
1aa8a23c0e892ad7b8b035e0d50a7dd6

SHA1
e0264846d4280740ef5b735222fbf9b76361b786

SHA256
f6166274b9700c5e94c93deb65489e5fe2d07553848da4557ca96f22cbd86a54

SHA512
3983c7b170ee60b2684d513ec00ebeb4ad3ad5d885b8a2d805fdaaa5d5d6d94e13f373b2beda1a385acdc280d4da3ca7127df561738579d607ec342661269eb4

Download Submit
C:\Windows\SysWOW64\Nkncdifl.exe

Filesize
55KB

MD5
219435997184fce06b238b8979d94ee6

SHA1
d3917187fc7dddd29baaaddd96fc1bad3aa51346

SHA256
7322152a3da8c8a30abd943d6cd2162a12257b4cf66f2532981d81dd9fd85f51

SHA512
ed35a3825413e0317908929b3c48d4ae0e77eda95dd38013a81c11549c0894a465a064be3f2043310ca5864cb83064dca4ca5c59189586c7da5def64b39929ed

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe

Filesize
55KB

MD5
6cd9bdb8d7997b878f7ed417995d8697

SHA1
4a32a267704e11e963c198a730fce3b6d8aa66f5

SHA256
7fd08100a96c7da7c5f703e2682f315a47d71da5697b4faa5d5d1d8cb9e996f0

SHA512
b9f72a534727d90f43cee3761790823e2ac39f7dc1f606c03871b15facd9565592fda698394d89b8625a34a3543e62ceaf428fd2a74c78dc0b05080273c32b7b

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
55KB

MD5
29ebddf6bf087ad87f5c7dd8edecc952

SHA1
e158329ad63454459ab340bf6e44b2ef1ea0a6a8

SHA256
e559ec387db342709bfc179cb22d1c28ea676d835a33f2e9a4b085de7559bcaa

SHA512
3edb5394554aea36931ff03bdf7ee3ea4804b4fdaeebe6537868b68f9cd374fe65877ceb830ff514a1d9a05a11f1806d9e636ccd4752f917670478b0a64ffc99

Download Submit
C:\Windows\SysWOW64\Nnmopdep.exe

Filesize
55KB

MD5
07c938713a1de77d0fa24a3e8ef35a43

SHA1
48ef0071e3280eb97872c7c110ca461bbceecd8c

SHA256
a8398e4c8df30bdf5fddb3e804a9953f1832597680d2a24bcb06caacce3bd9d5

SHA512
7071b8faae2ad200d1f41dfb4d0a0d3685a35791f949ea52c571de2de990fe03aa61e1cd471e22f315922092f06441fa062a014056639859fc483f01a312d4aa

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
55KB

MD5
329cc9aecce7984c166d611e05ae7727

SHA1
6d48b5288af552dd1faa8420bb1afba06a43acfa

SHA256
80a96edda94e9b54767092ca6d3723992b5af543f5f58d79504cf9bf2e04315f

SHA512
24fff542deaa669342d7cccf5a57055cd1dc8714fe5c7ed71cde90fdad0d2872121facf9928301fae6b1970a6a461f8e580a5b505a35ed9f4c6a4d3a59c0abe1

Download Submit
C:\Windows\SysWOW64\Nqiogp32.exe

Filesize
55KB

MD5
502846cf1ead60b41da6d069a1e510f1

SHA1
dac26f2d530bb4e836d7d4944885c82dfb5dc24f

SHA256
ac5f564eb3c6d12889a3d62ad94f8b13b445cb4736019fba3a574ffa6e5ff0cd

SHA512
ceb0525ed489a7de37ca34a1c97cce5ae479ad9a559ac90b54e9ee37d5206a1c399e8606fccf7b2fd5a57c6c592382d2dcfa68dc4a5d89929df8dea9a1cb4c8b

Download Submit
memory/380-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/380-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/516-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1120-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1680-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1992-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2016-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2216-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3904-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4108-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4524-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4560-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-206-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads