54dd72290c30c13dd9e10d9e60a9b3c38a1353f52f2cc3baba5b2a5b8b8979a3

Analysis

max time kernel
111s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73514bb4c6ced1f324d6fa3262629f70N.exe
Size

246KB
MD5

73514bb4c6ced1f324d6fa3262629f70
SHA1

f68df9442b156e987859fb457e99bb691a31d33a
SHA256

54dd72290c30c13dd9e10d9e60a9b3c38a1353f52f2cc3baba5b2a5b8b8979a3
SHA512

c0b5047d804f4c5bf2818c8c8aacf5021b6fa29771f5d6f9bf0eb2793cf59d0bc71b3ddb1fd9a4b1477f8e4f3cd6c9dba34822e3f755955997ad1c1e17bbce3e
SSDEEP

3072:gmlrRl+x2B1xdLm102VZjuajDMyap9jCyFsWteYCWS3OF9HqoX:9lyx2B1xBm102VQlterS9HrX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moloidjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmkbfmpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opqdcgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqdcgib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oepianef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	73514bb4c6ced1f324d6fa3262629f70N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkcgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkcgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oepianef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkconepp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncejcg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njobpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmkbfmpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqbdllld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqbdllld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	73514bb4c6ced1f324d6fa3262629f70N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkconepp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncejcg32.exe

Executes dropped EXE 20 IoCs

pid	Process
1508	Moloidjl.exe
2224	Mkconepp.exe
2916	Mdkcgk32.exe
2284	Mgjpcf32.exe
2640	Nqbdllld.exe
2648	Nglmifca.exe
2168	Nbaafocg.exe
2184	Nccmng32.exe
2164	Nmkbfmpf.exe
1016	Ncejcg32.exe
2864	Njobpa32.exe
572	Nqijmkfm.exe
1028	Nmpkal32.exe
1740	Ncjcnfcn.exe
2296	Ojdlkp32.exe
1112	Opqdcgib.exe
2492	Opcaiggo.exe
1920	Onfadc32.exe
292	Oepianef.exe
1536	Ohnemidj.exe

Loads dropped DLL 44 IoCs

pid	Process
2552	73514bb4c6ced1f324d6fa3262629f70N.exe
2552	73514bb4c6ced1f324d6fa3262629f70N.exe
1508	Moloidjl.exe
1508	Moloidjl.exe
2224	Mkconepp.exe
2224	Mkconepp.exe
2916	Mdkcgk32.exe
2916	Mdkcgk32.exe
2284	Mgjpcf32.exe
2284	Mgjpcf32.exe
2640	Nqbdllld.exe
2640	Nqbdllld.exe
2648	Nglmifca.exe
2648	Nglmifca.exe
2168	Nbaafocg.exe
2168	Nbaafocg.exe
2184	Nccmng32.exe
2184	Nccmng32.exe
2164	Nmkbfmpf.exe
2164	Nmkbfmpf.exe
1016	Ncejcg32.exe
1016	Ncejcg32.exe
2864	Njobpa32.exe
2864	Njobpa32.exe
572	Nqijmkfm.exe
572	Nqijmkfm.exe
1028	Nmpkal32.exe
1028	Nmpkal32.exe
1740	Ncjcnfcn.exe
1740	Ncjcnfcn.exe
2296	Ojdlkp32.exe
2296	Ojdlkp32.exe
1112	Opqdcgib.exe
1112	Opqdcgib.exe
2492	Opcaiggo.exe
2492	Opcaiggo.exe
1920	Onfadc32.exe
1920	Onfadc32.exe
292	Oepianef.exe
292	Oepianef.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe
1860	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Opcaiggo.exe	Opqdcgib.exe
File created	C:\Windows\SysWOW64\Mgjpcf32.exe	Mdkcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Njobpa32.exe	Ncejcg32.exe
File created	C:\Windows\SysWOW64\Nqijmkfm.exe	Njobpa32.exe
File created	C:\Windows\SysWOW64\Khggofme.dll	Njobpa32.exe
File opened for modification	C:\Windows\SysWOW64\Opqdcgib.exe	Ojdlkp32.exe
File created	C:\Windows\SysWOW64\Jbkicgjf.dll	Mkconepp.exe
File opened for modification	C:\Windows\SysWOW64\Nccmng32.exe	Nbaafocg.exe
File created	C:\Windows\SysWOW64\Jceahq32.dll	Ncejcg32.exe
File opened for modification	C:\Windows\SysWOW64\Nqbdllld.exe	Mgjpcf32.exe
File created	C:\Windows\SysWOW64\Opcaiggo.exe	Opqdcgib.exe
File created	C:\Windows\SysWOW64\Njobpa32.exe	Ncejcg32.exe
File opened for modification	C:\Windows\SysWOW64\Ojdlkp32.exe	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Eehkmm32.dll	73514bb4c6ced1f324d6fa3262629f70N.exe
File created	C:\Windows\SysWOW64\Nqbdllld.exe	Mgjpcf32.exe
File created	C:\Windows\SysWOW64\Bllndljk.dll	Nccmng32.exe
File opened for modification	C:\Windows\SysWOW64\Nmkbfmpf.exe	Nccmng32.exe
File opened for modification	C:\Windows\SysWOW64\Onfadc32.exe	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Onfadc32.exe	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Mkconepp.exe	Moloidjl.exe
File created	C:\Windows\SysWOW64\Ojdlkp32.exe	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Kgggld32.dll	Ojdlkp32.exe
File opened for modification	C:\Windows\SysWOW64\Ncejcg32.exe	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Plgojd32.dll	Ncjcnfcn.exe
File created	C:\Windows\SysWOW64\Jgjgfacn.dll	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Nmpkal32.exe	Nqijmkfm.exe
File opened for modification	C:\Windows\SysWOW64\Mkconepp.exe	Moloidjl.exe
File created	C:\Windows\SysWOW64\Ofilmn32.dll	Mdkcgk32.exe
File created	C:\Windows\SysWOW64\Gnhfacfn.dll	Nbaafocg.exe
File created	C:\Windows\SysWOW64\Hacdjlag.dll	Nmpkal32.exe
File created	C:\Windows\SysWOW64\Opqdcgib.exe	Ojdlkp32.exe
File created	C:\Windows\SysWOW64\Pbbfhefe.dll	Opqdcgib.exe
File created	C:\Windows\SysWOW64\Nafbcl32.dll	Onfadc32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Oepianef.exe
File opened for modification	C:\Windows\SysWOW64\Mdkcgk32.exe	Mkconepp.exe
File created	C:\Windows\SysWOW64\Jabeia32.dll	Mgjpcf32.exe
File created	C:\Windows\SysWOW64\Jfqjjp32.dll	Nmkbfmpf.exe
File created	C:\Windows\SysWOW64\Moloidjl.exe	73514bb4c6ced1f324d6fa3262629f70N.exe
File opened for modification	C:\Windows\SysWOW64\Mgjpcf32.exe	Mdkcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Oepianef.exe
File created	C:\Windows\SysWOW64\Nmkbfmpf.exe	Nccmng32.exe
File opened for modification	C:\Windows\SysWOW64\Ncjcnfcn.exe	Nmpkal32.exe
File opened for modification	C:\Windows\SysWOW64\Moloidjl.exe	73514bb4c6ced1f324d6fa3262629f70N.exe
File created	C:\Windows\SysWOW64\Mdkcgk32.exe	Mkconepp.exe
File opened for modification	C:\Windows\SysWOW64\Nbaafocg.exe	Nglmifca.exe
File opened for modification	C:\Windows\SysWOW64\Nglmifca.exe	Nqbdllld.exe
File created	C:\Windows\SysWOW64\Nmjkbjpm.dll	Nglmifca.exe
File created	C:\Windows\SysWOW64\Ncjcnfcn.exe	Nmpkal32.exe
File opened for modification	C:\Windows\SysWOW64\Nmpkal32.exe	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Ncejcg32.exe	Nmkbfmpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqijmkfm.exe	Njobpa32.exe
File created	C:\Windows\SysWOW64\Idomll32.dll	Nqijmkfm.exe
File created	C:\Windows\SysWOW64\Oepianef.exe	Onfadc32.exe
File opened for modification	C:\Windows\SysWOW64\Oepianef.exe	Onfadc32.exe
File created	C:\Windows\SysWOW64\Ldcenn32.dll	Moloidjl.exe
File created	C:\Windows\SysWOW64\Nglmifca.exe	Nqbdllld.exe
File created	C:\Windows\SysWOW64\Nccmng32.exe	Nbaafocg.exe
File created	C:\Windows\SysWOW64\Fifjgemj.dll	Oepianef.exe
File created	C:\Windows\SysWOW64\Ceahlg32.dll	Nqbdllld.exe
File created	C:\Windows\SysWOW64\Nbaafocg.exe	Nglmifca.exe

Program crash 1 IoCs

pid	pid_target	Process
1860	1536	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opcaiggo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onfadc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73514bb4c6ced1f324d6fa3262629f70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgjpcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nccmng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njobpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpkal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjcnfcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moloidjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqbdllld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmkbfmpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncejcg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdkcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nglmifca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbaafocg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdlkp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkconepp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqijmkfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqdcgib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oepianef.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjgfacn.dll"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	73514bb4c6ced1f324d6fa3262629f70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nglmifca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	73514bb4c6ced1f324d6fa3262629f70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	73514bb4c6ced1f324d6fa3262629f70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khggofme.dll"	Njobpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nafbcl32.dll"	Onfadc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	73514bb4c6ced1f324d6fa3262629f70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Oepianef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	73514bb4c6ced1f324d6fa3262629f70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofilmn32.dll"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onfadc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmjkbjpm.dll"	Nglmifca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgggld32.dll"	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oepianef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncejcg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jceahq32.dll"	Ncejcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjcnfcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojdlkp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcenn32.dll"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bllndljk.dll"	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hacdjlag.dll"	Nmpkal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moloidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkicgjf.dll"	Mkconepp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgjpcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfqjjp32.dll"	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbbfhefe.dll"	Opqdcgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opqdcgib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onfadc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oepianef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll"	Nqbdllld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nglmifca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njobpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqdcgib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgojd32.dll"	Ncjcnfcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojdlkp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkconepp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmkbfmpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njobpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehkmm32.dll"	73514bb4c6ced1f324d6fa3262629f70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqbdllld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idomll32.dll"	Nqijmkfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncejcg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmpkal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkconepp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabeia32.dll"	Mgjpcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqbdllld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhfacfn.dll"	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nccmng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqijmkfm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1508	2552	73514bb4c6ced1f324d6fa3262629f70N.exe	29
PID 2552 wrote to memory of 1508	2552	73514bb4c6ced1f324d6fa3262629f70N.exe	29
PID 2552 wrote to memory of 1508	2552	73514bb4c6ced1f324d6fa3262629f70N.exe	29
PID 2552 wrote to memory of 1508	2552	73514bb4c6ced1f324d6fa3262629f70N.exe	29
PID 1508 wrote to memory of 2224	1508	Moloidjl.exe	30
PID 1508 wrote to memory of 2224	1508	Moloidjl.exe	30
PID 1508 wrote to memory of 2224	1508	Moloidjl.exe	30
PID 1508 wrote to memory of 2224	1508	Moloidjl.exe	30
PID 2224 wrote to memory of 2916	2224	Mkconepp.exe	31
PID 2224 wrote to memory of 2916	2224	Mkconepp.exe	31
PID 2224 wrote to memory of 2916	2224	Mkconepp.exe	31
PID 2224 wrote to memory of 2916	2224	Mkconepp.exe	31
PID 2916 wrote to memory of 2284	2916	Mdkcgk32.exe	32
PID 2916 wrote to memory of 2284	2916	Mdkcgk32.exe	32
PID 2916 wrote to memory of 2284	2916	Mdkcgk32.exe	32
PID 2916 wrote to memory of 2284	2916	Mdkcgk32.exe	32
PID 2284 wrote to memory of 2640	2284	Mgjpcf32.exe	33
PID 2284 wrote to memory of 2640	2284	Mgjpcf32.exe	33
PID 2284 wrote to memory of 2640	2284	Mgjpcf32.exe	33
PID 2284 wrote to memory of 2640	2284	Mgjpcf32.exe	33
PID 2640 wrote to memory of 2648	2640	Nqbdllld.exe	34
PID 2640 wrote to memory of 2648	2640	Nqbdllld.exe	34
PID 2640 wrote to memory of 2648	2640	Nqbdllld.exe	34
PID 2640 wrote to memory of 2648	2640	Nqbdllld.exe	34
PID 2648 wrote to memory of 2168	2648	Nglmifca.exe	35
PID 2648 wrote to memory of 2168	2648	Nglmifca.exe	35
PID 2648 wrote to memory of 2168	2648	Nglmifca.exe	35
PID 2648 wrote to memory of 2168	2648	Nglmifca.exe	35
PID 2168 wrote to memory of 2184	2168	Nbaafocg.exe	36
PID 2168 wrote to memory of 2184	2168	Nbaafocg.exe	36
PID 2168 wrote to memory of 2184	2168	Nbaafocg.exe	36
PID 2168 wrote to memory of 2184	2168	Nbaafocg.exe	36
PID 2184 wrote to memory of 2164	2184	Nccmng32.exe	37
PID 2184 wrote to memory of 2164	2184	Nccmng32.exe	37
PID 2184 wrote to memory of 2164	2184	Nccmng32.exe	37
PID 2184 wrote to memory of 2164	2184	Nccmng32.exe	37
PID 2164 wrote to memory of 1016	2164	Nmkbfmpf.exe	38
PID 2164 wrote to memory of 1016	2164	Nmkbfmpf.exe	38
PID 2164 wrote to memory of 1016	2164	Nmkbfmpf.exe	38
PID 2164 wrote to memory of 1016	2164	Nmkbfmpf.exe	38
PID 1016 wrote to memory of 2864	1016	Ncejcg32.exe	39
PID 1016 wrote to memory of 2864	1016	Ncejcg32.exe	39
PID 1016 wrote to memory of 2864	1016	Ncejcg32.exe	39
PID 1016 wrote to memory of 2864	1016	Ncejcg32.exe	39
PID 2864 wrote to memory of 572	2864	Njobpa32.exe	40
PID 2864 wrote to memory of 572	2864	Njobpa32.exe	40
PID 2864 wrote to memory of 572	2864	Njobpa32.exe	40
PID 2864 wrote to memory of 572	2864	Njobpa32.exe	40
PID 572 wrote to memory of 1028	572	Nqijmkfm.exe	41
PID 572 wrote to memory of 1028	572	Nqijmkfm.exe	41
PID 572 wrote to memory of 1028	572	Nqijmkfm.exe	41
PID 572 wrote to memory of 1028	572	Nqijmkfm.exe	41
PID 1028 wrote to memory of 1740	1028	Nmpkal32.exe	42
PID 1028 wrote to memory of 1740	1028	Nmpkal32.exe	42
PID 1028 wrote to memory of 1740	1028	Nmpkal32.exe	42
PID 1028 wrote to memory of 1740	1028	Nmpkal32.exe	42
PID 1740 wrote to memory of 2296	1740	Ncjcnfcn.exe	43
PID 1740 wrote to memory of 2296	1740	Ncjcnfcn.exe	43
PID 1740 wrote to memory of 2296	1740	Ncjcnfcn.exe	43
PID 1740 wrote to memory of 2296	1740	Ncjcnfcn.exe	43
PID 2296 wrote to memory of 1112	2296	Ojdlkp32.exe	44
PID 2296 wrote to memory of 1112	2296	Ojdlkp32.exe	44
PID 2296 wrote to memory of 1112	2296	Ojdlkp32.exe	44
PID 2296 wrote to memory of 1112	2296	Ojdlkp32.exe	44

C:\Users\Admin\AppData\Local\Temp\73514bb4c6ced1f324d6fa3262629f70N.exe
"C:\Users\Admin\AppData\Local\Temp\73514bb4c6ced1f324d6fa3262629f70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\Moloidjl.exe
  C:\Windows\system32\Moloidjl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\SysWOW64\Mkconepp.exe
    C:\Windows\system32\Mkconepp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\Mdkcgk32.exe
      C:\Windows\system32\Mdkcgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\Mgjpcf32.exe
        
        C:\Windows\system32\Mgjpcf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\Nqbdllld.exe
        
        C:\Windows\system32\Nqbdllld.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Nglmifca.exe
        
        C:\Windows\system32\Nglmifca.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\SysWOW64\Nbaafocg.exe
        
        C:\Windows\system32\Nbaafocg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\Nccmng32.exe
        
        C:\Windows\system32\Nccmng32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Nmkbfmpf.exe
        
        C:\Windows\system32\Nmkbfmpf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\SysWOW64\Ncejcg32.exe
        
        C:\Windows\system32\Ncejcg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1016
        
        C:\Windows\SysWOW64\Njobpa32.exe
        
        C:\Windows\system32\Njobpa32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Nqijmkfm.exe
        
        C:\Windows\system32\Nqijmkfm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Nmpkal32.exe
        
        C:\Windows\system32\Nmpkal32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Ncjcnfcn.exe
        
        C:\Windows\system32\Ncjcnfcn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Ojdlkp32.exe
        
        C:\Windows\system32\Ojdlkp32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Opqdcgib.exe
        
        C:\Windows\system32\Opqdcgib.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Opcaiggo.exe
        
        C:\Windows\system32\Opcaiggo.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Onfadc32.exe
        
        C:\Windows\system32\Onfadc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\Oepianef.exe
        
        C:\Windows\system32\Oepianef.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:292
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mdkcgk32.exe

Filesize
246KB

MD5
aad59590469a6727aca65b02e366baf1

SHA1
4571a8fcb986a271e969a8d1211573fee75b23cc

SHA256
74c697bc28b5811a08027ebcd370afe536d41e2204d2345ae33b6e5ae0d94989

SHA512
047503f949f915ad3543f47c105351c5fcf0f95499b6a4cc41d6c0aa939f744a83d22d36457acc68fa0f2783b80a12136972d46bf3bafaf76085a764a299f6df

Download Submit
C:\Windows\SysWOW64\Mgjpcf32.exe

Filesize
246KB

MD5
d379e6d84935b4132398a384b2eaac82

SHA1
826a2998e0d0d64de13111987ebca3cb498b269a

SHA256
2b4f4018c5f18824bbb00c3dcfba7ee0787ed5f9a4ed69b9b635aae879a2956b

SHA512
dc891d6c5c1b04087e82dd43d6ff29f3ed0393017e49a7d2c39fb6158223b7b9d85bd34118d1745237c8362f9ce6aed0755bd29edb53efa194a1424cab6515a8

Download Submit
C:\Windows\SysWOW64\Moloidjl.exe

Filesize
246KB

MD5
e70f8910d2f8aedb95387fc66922ee00

SHA1
6e6fc2d0f380a21878113b5a44efe825dce975e2

SHA256
f104c2e75526a5a5b6ce7d2113ffd17b268b01447b12a187c47245bb3ad5f844

SHA512
3a9a501281fa3776265e2da0c0dd7f685e8ad2638001f2ddef7aaf1e3b42b02f7fd9abaa8dc0fb4660d05ddc3085e2b3fe6b58afe3ace802a00979c8f2b03a61

Download Submit
C:\Windows\SysWOW64\Nbaafocg.exe

Filesize
246KB

MD5
46f8607eb7dca533103006e2c3e17a58

SHA1
a9c7fafdf0f927210b994efc4fff4514c2892984

SHA256
652d45d9885dfedbbe4d4e3e2ed2985a943e7fcc15cdc15bfe1f4ccf5fd06ccb

SHA512
e2abc26978c7bce4c7724564d69846161e2b62a36949b7adc47f9747901387b69c37ec4a8f6bd8ed1594f53fa5397b0f7715af54ddacc156bbcf713cc90e09e4

Download Submit
C:\Windows\SysWOW64\Nccmng32.exe

Filesize
246KB

MD5
fe7809b94ca00d1c385e630a895328bc

SHA1
803be4c4809523c8ad1a6f57bd392e17534811ae

SHA256
c3c8fb67d2e16962a942c72735494e8857b4ee656e73e855f36dc2cdd93dcfed

SHA512
034645caa81a3ce5d3372b309208b1e8565aaad9ddc168b5c08bf434862ed6a54a2ea677714c82d34a67037255cc49c22cd59200d255cb138993e447b592f53e

Download Submit
C:\Windows\SysWOW64\Ncejcg32.exe

Filesize
246KB

MD5
a77c877ed6b6a7bb46969078416c8f08

SHA1
907e63aa7b31ae5fdf7f77b901c24f1c1443464b

SHA256
11ba99209f69d6ea7e5315ee8dd564ebe8423ead3691691a48837d67b7481120

SHA512
647e75110f6833c02759b337d8080b60c7fa7f7622bcd2007b1dc898af058064d6869e00a31a51b38a1df2a1c206d22704f4df46262071c436450b27e50e5265

Download Submit
C:\Windows\SysWOW64\Ncjcnfcn.exe

Filesize
246KB

MD5
009ce2e5737a3cdef37d045092c47870

SHA1
ffe9c5d5253867a45fc79cb39edbc2bddc00081d

SHA256
02cabb03bfd5c60c0ab34ccbdf1e5a552a5031f8f8b020fb7b7246baafecec19

SHA512
41b30ab1857776841998c55876e80c2bf56aad299e1f163febf0acfc6e89207f8f53b728725d624336d40581bc63a8bb05c91b9e05977bad77fd85d3c4cd703d

Download Submit
C:\Windows\SysWOW64\Njobpa32.exe

Filesize
246KB

MD5
7a7f6244c65be58b5493f81163fcdcc6

SHA1
fb8c44c576ce5625eb78a4abf58509f7977b4e51

SHA256
ea47f3c1daf930216f2bc63b7f8d65d8bb72595d1c01669551f3792542b66910

SHA512
9c514941a4e2e34ae6eec67ffd065b1321d52ab90eb0e065b002290aed69c46f1065ab730d1e84b5c01b606d55ba8f37320ff20ad47d437a3d919da085784114

Download Submit
C:\Windows\SysWOW64\Nmkbfmpf.exe

Filesize
246KB

MD5
0660c26f64ef7cc3e4a74e0389fa3491

SHA1
1dc4cb617ce83db12d59e1ffc5c8bd75abd840dd

SHA256
e02d0b01d439d63b0ec888156e8c1e7f13548969f26adbc7afd4f015a1df37ca

SHA512
251831421e924609d82df0a6054ee5800bedc78ba7d847e26fa26546304fcbd2fd5b795301f237e29e143f97284c6355223d5a8a206a069255a5a164c5f40325

Download Submit
C:\Windows\SysWOW64\Nmpkal32.exe

Filesize
246KB

MD5
5a75214d09e8beb8c70d05ede2cf29c0

SHA1
148c5c811d58c066b3fdd84460fc64dc0b1b729d

SHA256
bf6484877218309fe66fa891a2f0317f1deccd29d93c0c610e34ea12d6f08598

SHA512
060c5c4bcaefad90aed0c865156153373a07ec8d7f2c9afb546fef28b6784ea6f608389867672edb69ba4e2342ba86d798940fb3f0570614f1e745b8f59fd2bc

Download Submit
C:\Windows\SysWOW64\Nqijmkfm.exe

Filesize
246KB

MD5
1d22939489a6da5a690e9156caa729e7

SHA1
d228d9052509900d20dab81c2493c600959def70

SHA256
227f309338c93995f60d6ca225dc7cf936ced9cb52a4c6150174b508576daaff

SHA512
4735058a30f3a908a24bf27776d8eaa26d0ff012552bbf449b5f6e7fbdda55bd8036d5f04c63c0ac2def740355094854c0cd6280b3080005bc3cfc5436ef1a23

Download Submit
C:\Windows\SysWOW64\Oepianef.exe

Filesize
246KB

MD5
40d4db072264eff44a1ea2b255ad7684

SHA1
3c09013ebf52c5a5f0447f4d1fe84d9a78cdcd04

SHA256
270afb73c379ac408c3a3be7583703a9b088c2a922031c173a30e25906f13e30

SHA512
29a0d13d66dc82129fb0b2a677e2fca1c662ae716361eec4a84f5020939a11579b08591a06df9cd2a3f986a9630119a45f9c12ae2095eed60a350ef1f0200687

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
246KB

MD5
25ee7ff992b20008c3ab94830332f96f

SHA1
322af8a840b5b9d94363dfee204f5b7be60e3732

SHA256
e0deaeeb7b6f8e235773a6892ad45eb6fe85cd459be8c9f4628d2eff99720eb4

SHA512
50cb1c55bb3ee2152aaae17567c21d5ca38e4e838fcf3a63858bfb2115c3162e8100db10deba9e459cb318a4cf9d22103b251fa76781a7e1ba356703bbcbd4fe

Download Submit
C:\Windows\SysWOW64\Ojdlkp32.exe

Filesize
246KB

MD5
e5ec6175ba01d6524597c18534fb14e3

SHA1
7244c2fe743188e882eb1d86af1733067d8f3fb0

SHA256
d5f2a6c082bdd1c18b7f08201c99414443a7f0b01b41aab34562d6c7f8641c41

SHA512
05b4b1efb9d0103d8202510a8f7e072ecd4e2aa4591556951611c9dc0cc2aa0014aaa32d13a5cd2bc696e5f6a3b765bb15dd0b01f9bc58fbbf490f352106603b

Download Submit
C:\Windows\SysWOW64\Onfadc32.exe

Filesize
246KB

MD5
c3d5151e368bda93b44bdecf3e7b152d

SHA1
297070c642d9b9a3410ccc442a0c0f3dcdc67692

SHA256
f1f3b409f2a5f53cfe12b934a07637e2e768f17a7943b704518234732e0a82d8

SHA512
58cc2516d5ae0e7fc991e758afd759b24fe391cd7f8d49066a02ddde4af888aff6ea3959eaf44a274697b9311d3e0dacdae689417cba4f30239b98d3a3b0d5af

Download Submit
C:\Windows\SysWOW64\Opcaiggo.exe

Filesize
246KB

MD5
7dac540e51c786c7b430944f7667002f

SHA1
0101853a4e58177e1a0698a8d89da77ea1707607

SHA256
daffc07ca10fae37bb0bdf1bbef37f582d441f8742922a4f3941cfbb28a5515a

SHA512
8ff073f5e0da906d07e2a6fdf3ca6b3d7c5a1019d78cde3bbfd95a11875f787e1729a770753906e6a7c34259616c91cd199536f10ee7033d2789716ce627bf36

Download Submit
C:\Windows\SysWOW64\Opqdcgib.exe

Filesize
246KB

MD5
9af0559fe0105e69ccf67452e6295979

SHA1
97109a664cf1b2f2d60a9ddc7152472faa9409db

SHA256
59275710573b9da513df38bc4bb5339a7b0302e0093c0d44062f17a63ba46c4c

SHA512
69b2f49d7f4bd6246657f692eeb51d96d6dfc2b95d741fb15054f46b4940d97e4b6c3097469c29106d9d67b145ec2fa5ce7d5a72212d44fa70e0d6a06c10c900

Download Submit
\Windows\SysWOW64\Mkconepp.exe

Filesize
246KB

MD5
d43eef88b6577b148042165715e21a42

SHA1
5c8c18c25d18fa152995a1f8b3d67c9ee7cf2a87

SHA256
3d5c224d42a24cef66e85b856a4f96b18a83e6ba75f9d15ebfa28bb2f8a48cad

SHA512
c2f374635e8c95e5c575bd84fe72d5a8d9861948b21ab114b1c9e3ab612531b0ca6025ed81f871d8496af44c45d6ac95a8fdfec085b195f04e76a08fda243277

Download Submit
\Windows\SysWOW64\Nglmifca.exe

Filesize
246KB

MD5
c6de043ca82f011928b15a51fb1bcfaf

SHA1
d85092c9b22883c4b508cfa06860e9be2b938ab7

SHA256
942a39666938bac035986d285a40ffb450da5bf59587fcd657733f29f3396489

SHA512
244809d653c50d9384a9be149199c25fbf856479800b7f61f62b7a87c867c0028ece3f5f619fd512354ccc23eac599d9b650cf1d06c788f01f9e6fc1594bb5e6

Download Submit
\Windows\SysWOW64\Nqbdllld.exe

Filesize
246KB

MD5
1807feb905913cafbd0e4e906655da93

SHA1
6e1cd48eceb72b7a968ebcd31a4497bd4bf47663

SHA256
12c415eb51b4f45392712b9e52235b59208b1fd25cb4829089897b4dba1061b8

SHA512
eb4b3a0edcd3581845d6452505775412e36d9465a6ca60b6dd4416e0c91e837bea27f779b764f7cfe37366cd45e5e3c270a202e83a6d3fe76103842cd51dfc3a

Download Submit
memory/292-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/292-275-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/572-236-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/572-190-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/572-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/572-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-159-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1016-207-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1016-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1016-153-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1028-194-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-245-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1112-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-22-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1508-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1536-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-217-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1740-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1920-265-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2164-145-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2164-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2164-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2168-112-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2168-113-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2168-173-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2184-124-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2184-129-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2184-187-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2184-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-83-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2224-35-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2284-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-64-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2284-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2284-70-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2296-235-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2296-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-280-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2492-258-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2492-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2552-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2552-11-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2640-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-94-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2648-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-174-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2916-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-55-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads