51b122fd2ea2fe44d6e4af629be42bd42677d396f070b8e0017e042227487775

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fad890bcc4f4db0645f3c086baac4160N.exe
Size

62KB
MD5

fad890bcc4f4db0645f3c086baac4160
SHA1

237cd2eb5ce702b6acab57d4b156e1dcd82a1c0a
SHA256

51b122fd2ea2fe44d6e4af629be42bd42677d396f070b8e0017e042227487775
SHA512

b97213bd7054fcf29c8f53cbd3f5d92dee2193e644897a57648e00165e0778e514ac4360fa43cb00db0856c3218402d3c5638d7634e8bf552d6d5ba06b60d607
SSDEEP

1536:sqfxDfJEKxeYz8Q0C5ReYi14w0BJzdLYywve8Cy:nfdfJhxzjRe30BJzdLYZve8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	fad890bcc4f4db0645f3c086baac4160N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	fad890bcc4f4db0645f3c086baac4160N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Melfncqb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlcbenjb.exe

Executes dropped EXE 20 IoCs

pid	Process
2536	Lbiqfied.exe
2628	Mlaeonld.exe
2524	Mpmapm32.exe
2580	Mieeibkn.exe
1984	Mlcbenjb.exe
2864	Melfncqb.exe
2424	Mlfojn32.exe
1828	Mencccop.exe
2000	Mhloponc.exe
2032	Meppiblm.exe
2376	Mholen32.exe
2208	Mpjqiq32.exe
2156	Nhaikn32.exe
2232	Ndhipoob.exe
1176	Ngfflj32.exe
2248	Ngibaj32.exe
1296	Nigome32.exe
1500	Ngkogj32.exe
1648	Niikceid.exe
680	Nlhgoqhh.exe

Loads dropped DLL 44 IoCs

pid	Process
2824	fad890bcc4f4db0645f3c086baac4160N.exe
2824	fad890bcc4f4db0645f3c086baac4160N.exe
2536	Lbiqfied.exe
2536	Lbiqfied.exe
2628	Mlaeonld.exe
2628	Mlaeonld.exe
2524	Mpmapm32.exe
2524	Mpmapm32.exe
2580	Mieeibkn.exe
2580	Mieeibkn.exe
1984	Mlcbenjb.exe
1984	Mlcbenjb.exe
2864	Melfncqb.exe
2864	Melfncqb.exe
2424	Mlfojn32.exe
2424	Mlfojn32.exe
1828	Mencccop.exe
1828	Mencccop.exe
2000	Mhloponc.exe
2000	Mhloponc.exe
2032	Meppiblm.exe
2032	Meppiblm.exe
2376	Mholen32.exe
2376	Mholen32.exe
2208	Mpjqiq32.exe
2208	Mpjqiq32.exe
2156	Nhaikn32.exe
2156	Nhaikn32.exe
2232	Ndhipoob.exe
2232	Ndhipoob.exe
1176	Ngfflj32.exe
1176	Ngfflj32.exe
2248	Ngibaj32.exe
2248	Ngibaj32.exe
1296	Nigome32.exe
1296	Nigome32.exe
1500	Ngkogj32.exe
1500	Ngkogj32.exe
1648	Niikceid.exe
1648	Niikceid.exe
328	WerFault.exe
328	WerFault.exe
328	WerFault.exe
328	WerFault.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Lbiqfied.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Mlcbenjb.exe	Mieeibkn.exe
File opened for modification	C:\Windows\SysWOW64\Mlfojn32.exe	Melfncqb.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Ombhbhel.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Nigome32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mpmapm32.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Mlcbenjb.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Djdfhjik.dll	Mlcbenjb.exe
File opened for modification	C:\Windows\SysWOW64\Mhloponc.exe	Mencccop.exe
File opened for modification	C:\Windows\SysWOW64\Lbiqfied.exe	fad890bcc4f4db0645f3c086baac4160N.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Meppiblm.exe	Mhloponc.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Nigome32.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Melfncqb.exe	Mlcbenjb.exe
File created	C:\Windows\SysWOW64\Lhajpc32.dll	Mhloponc.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Lbiqfied.exe	fad890bcc4f4db0645f3c086baac4160N.exe
File created	C:\Windows\SysWOW64\Diceon32.dll	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Fnqkpajk.dll	Mencccop.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Nhaikn32.exe	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Niikceid.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Poceplpj.dll	fad890bcc4f4db0645f3c086baac4160N.exe
File created	C:\Windows\SysWOW64\Mlaeonld.exe	Lbiqfied.exe
File created	C:\Windows\SysWOW64\Hcpbee32.dll	Melfncqb.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Nldodg32.dll	Meppiblm.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Melfncqb.exe	Mlcbenjb.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Mlfojn32.exe	Melfncqb.exe
File opened for modification	C:\Windows\SysWOW64\Nhaikn32.exe	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Meppiblm.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Nhaikn32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
328	680	WerFault.exe	49

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbiqfied.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhloponc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fad890bcc4f4db0645f3c086baac4160N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlcbenjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Melfncqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nigome32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdfhjik.dll"	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diceon32.dll"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Lbiqfied.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poceplpj.dll"	fad890bcc4f4db0645f3c086baac4160N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fad890bcc4f4db0645f3c086baac4160N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldodg32.dll"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	fad890bcc4f4db0645f3c086baac4160N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Melfncqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	Mencccop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqaedifk.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombhbhel.dll"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	fad890bcc4f4db0645f3c086baac4160N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbiqfied.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	fad890bcc4f4db0645f3c086baac4160N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	fad890bcc4f4db0645f3c086baac4160N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljdna32.dll"	Ndhipoob.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2536	2824	fad890bcc4f4db0645f3c086baac4160N.exe	30
PID 2824 wrote to memory of 2536	2824	fad890bcc4f4db0645f3c086baac4160N.exe	30
PID 2824 wrote to memory of 2536	2824	fad890bcc4f4db0645f3c086baac4160N.exe	30
PID 2824 wrote to memory of 2536	2824	fad890bcc4f4db0645f3c086baac4160N.exe	30
PID 2536 wrote to memory of 2628	2536	Lbiqfied.exe	31
PID 2536 wrote to memory of 2628	2536	Lbiqfied.exe	31
PID 2536 wrote to memory of 2628	2536	Lbiqfied.exe	31
PID 2536 wrote to memory of 2628	2536	Lbiqfied.exe	31
PID 2628 wrote to memory of 2524	2628	Mlaeonld.exe	32
PID 2628 wrote to memory of 2524	2628	Mlaeonld.exe	32
PID 2628 wrote to memory of 2524	2628	Mlaeonld.exe	32
PID 2628 wrote to memory of 2524	2628	Mlaeonld.exe	32
PID 2524 wrote to memory of 2580	2524	Mpmapm32.exe	33
PID 2524 wrote to memory of 2580	2524	Mpmapm32.exe	33
PID 2524 wrote to memory of 2580	2524	Mpmapm32.exe	33
PID 2524 wrote to memory of 2580	2524	Mpmapm32.exe	33
PID 2580 wrote to memory of 1984	2580	Mieeibkn.exe	34
PID 2580 wrote to memory of 1984	2580	Mieeibkn.exe	34
PID 2580 wrote to memory of 1984	2580	Mieeibkn.exe	34
PID 2580 wrote to memory of 1984	2580	Mieeibkn.exe	34
PID 1984 wrote to memory of 2864	1984	Mlcbenjb.exe	35
PID 1984 wrote to memory of 2864	1984	Mlcbenjb.exe	35
PID 1984 wrote to memory of 2864	1984	Mlcbenjb.exe	35
PID 1984 wrote to memory of 2864	1984	Mlcbenjb.exe	35
PID 2864 wrote to memory of 2424	2864	Melfncqb.exe	36
PID 2864 wrote to memory of 2424	2864	Melfncqb.exe	36
PID 2864 wrote to memory of 2424	2864	Melfncqb.exe	36
PID 2864 wrote to memory of 2424	2864	Melfncqb.exe	36
PID 2424 wrote to memory of 1828	2424	Mlfojn32.exe	37
PID 2424 wrote to memory of 1828	2424	Mlfojn32.exe	37
PID 2424 wrote to memory of 1828	2424	Mlfojn32.exe	37
PID 2424 wrote to memory of 1828	2424	Mlfojn32.exe	37
PID 1828 wrote to memory of 2000	1828	Mencccop.exe	38
PID 1828 wrote to memory of 2000	1828	Mencccop.exe	38
PID 1828 wrote to memory of 2000	1828	Mencccop.exe	38
PID 1828 wrote to memory of 2000	1828	Mencccop.exe	38
PID 2000 wrote to memory of 2032	2000	Mhloponc.exe	39
PID 2000 wrote to memory of 2032	2000	Mhloponc.exe	39
PID 2000 wrote to memory of 2032	2000	Mhloponc.exe	39
PID 2000 wrote to memory of 2032	2000	Mhloponc.exe	39
PID 2032 wrote to memory of 2376	2032	Meppiblm.exe	40
PID 2032 wrote to memory of 2376	2032	Meppiblm.exe	40
PID 2032 wrote to memory of 2376	2032	Meppiblm.exe	40
PID 2032 wrote to memory of 2376	2032	Meppiblm.exe	40
PID 2376 wrote to memory of 2208	2376	Mholen32.exe	41
PID 2376 wrote to memory of 2208	2376	Mholen32.exe	41
PID 2376 wrote to memory of 2208	2376	Mholen32.exe	41
PID 2376 wrote to memory of 2208	2376	Mholen32.exe	41
PID 2208 wrote to memory of 2156	2208	Mpjqiq32.exe	42
PID 2208 wrote to memory of 2156	2208	Mpjqiq32.exe	42
PID 2208 wrote to memory of 2156	2208	Mpjqiq32.exe	42
PID 2208 wrote to memory of 2156	2208	Mpjqiq32.exe	42
PID 2156 wrote to memory of 2232	2156	Nhaikn32.exe	43
PID 2156 wrote to memory of 2232	2156	Nhaikn32.exe	43
PID 2156 wrote to memory of 2232	2156	Nhaikn32.exe	43
PID 2156 wrote to memory of 2232	2156	Nhaikn32.exe	43
PID 2232 wrote to memory of 1176	2232	Ndhipoob.exe	44
PID 2232 wrote to memory of 1176	2232	Ndhipoob.exe	44
PID 2232 wrote to memory of 1176	2232	Ndhipoob.exe	44
PID 2232 wrote to memory of 1176	2232	Ndhipoob.exe	44
PID 1176 wrote to memory of 2248	1176	Ngfflj32.exe	45
PID 1176 wrote to memory of 2248	1176	Ngfflj32.exe	45
PID 1176 wrote to memory of 2248	1176	Ngfflj32.exe	45
PID 1176 wrote to memory of 2248	1176	Ngfflj32.exe	45

C:\Users\Admin\AppData\Local\Temp\fad890bcc4f4db0645f3c086baac4160N.exe
"C:\Users\Admin\AppData\Local\Temp\fad890bcc4f4db0645f3c086baac4160N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\SysWOW64\Lbiqfied.exe
  C:\Windows\system32\Lbiqfied.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\Mlaeonld.exe
    C:\Windows\system32\Mlaeonld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\SysWOW64\Mpmapm32.exe
      C:\Windows\system32\Mpmapm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\SysWOW64\Mlcbenjb.exe
        
        C:\Windows\system32\Mlcbenjb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Melfncqb.exe
        
        C:\Windows\system32\Melfncqb.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\SysWOW64\Mholen32.exe
        
        C:\Windows\system32\Mholen32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 140
        22⤵
        Loads dropped DLL
        Program crash
        
        PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mholen32.exe

Filesize
62KB

MD5
df03d2107fb9190f52bec8a9442a4ad3

SHA1
ec81a1e80ba2490375ec97f4d31904c8e895a141

SHA256
06d95f30a34528b8cb47ddf829816b9eafdcd846069f7d328bdeabd86444f5b2

SHA512
39acdaf9dd528c93c2bedb8ab27c4f9a06c5f4d3010ce8d97e4fb92872c0a8e71d1f959db9e9a9134501f648ea2d52ff54efda68c5a6988661fdcee671d62bce

Download Submit
C:\Windows\SysWOW64\Mieeibkn.exe

Filesize
62KB

MD5
bf457dbe6f49ea80276c42fe1786a177

SHA1
16414b6b00f35592f83a5106b8c46890c32f656e

SHA256
8936a7bcadb8c424401f9433410d7185e439a9b7435eeaae4e2ab64c67b88780

SHA512
66280675d08fb68907296500d3c2b9c48bde887d09647475b142f23659f346ccc98f65989ab713c6bf91dd2a53eee92208019e2a44f3f014c23cda378447bfef

Download Submit
C:\Windows\SysWOW64\Mlcbenjb.exe

Filesize
62KB

MD5
dd96d64c897f35a65d3ff7fc8808ccb0

SHA1
4acb72a781bfafd78a1c15c6cebf878d1f611a6a

SHA256
c2c20276142a46a981c3473be3dbbc15386dcfaa78e9acdb149bab4007379473

SHA512
70689ecd5a747eab3354954ad157fc818fee8a4a08b85e21d3866d8b32014b1fb535886a6e1dd82f0076339b532c9a770e7b09f6ff7513e99e9336df2c08bedb

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
62KB

MD5
2a4d3bee96519c046e91485f7e02f166

SHA1
c88baf82b47f54d136c39e92bd07a37ea7765d69

SHA256
a83d0fa52560a50962e52436537c91c923168d4e600d4c38224dc342b4157e51

SHA512
3b2710329cf402a1ae583bbe28d512dc43eed396e4afacd3539cc04387d65804a4915295474a4ee1bc530f95a75d323ce5e2c9237e42aa074c40ed728be5dd95

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
62KB

MD5
ff1c0bcb84d91dad1b4e6a0bf82412d8

SHA1
12cf080c97ea8a1b3ad3e177598e5059f08e1bd6

SHA256
700e4cd967220fb5cac4b4135fb56722ea6f68e8719111b56d7e2a99eaabf2a9

SHA512
c4b60eaddcc60e2fb3fa31b9a27b31afa8d917d8ea505f855882ded1e5b574c26d56ea5f128406551b0ebf26446d04230c2d66e4d39b712e53e87b355fa416d2

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
62KB

MD5
72e72392c841fe32292fecbe400ae746

SHA1
208abf94f594d978d5f6eaa2c9a892cd7a794d6a

SHA256
61291c65e867953356a5855dab41f65d011c77eb508cf83aecf0ef0456b8845a

SHA512
f2b4a01dac884add3fa58632254e3602be8699af5eefa94b396aeb4fe0a7a4c51510086ec79c58755ec87c6707da3236ca813c1eeaa3a5201c2e1a8ac250cf92

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
62KB

MD5
097d84c59e1b80dc02e381b86df4fdd5

SHA1
863a2cea6bb089dd0875ae1969e6af7bb8093c04

SHA256
b4c594c405e93a63f700c75fb5991e2702c6e48cbbbe08623817559d9089484e

SHA512
ad24419988d1be15652b01dd43e9663e147b0de754ccfa58353054b6911d61bc3dd4abebc486ce956c242d4f9e77d32e46a5d9d5b370088fae30151a893e35ed

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
62KB

MD5
a4f1f588fd0722f433e9f02e685a79dc

SHA1
a3d008c1f1474fe30d65bd4fbd433b570450c1a8

SHA256
58a9b643e22fe05941f6a985d33b1cf85bccba5c2dd1bd8b51dfea6a3170dde7

SHA512
358b20608308bd4feac02570d9a06c486fce873824c1b195162aea8b1119ba38ffc62ed478c085d476021f0bc9baf21e5dd0411f7cc4e0d52dc2834d67b6a83f

Download Submit
\Windows\SysWOW64\Lbiqfied.exe

Filesize
62KB

MD5
82c599db1cdae915d917a71276cd7678

SHA1
3c721f014bfdab6f67c0f317af49e5f967aa2a4f

SHA256
6f3f7e2819fe4bf74665077ae65da570ee4ab261a9a77f6b6fa0c93d7cd65521

SHA512
b8fc02b7eedc6d18fd707932a76928a0ea645d19fbd26cffed869bf4c3b577e3970402654607019ddb469fc45ec77189a83aa64ad8729c9012a77c295cdd3fc0

Download Submit
\Windows\SysWOW64\Melfncqb.exe

Filesize
62KB

MD5
d79586e2c2934023956a0b5f4594fa25

SHA1
924fa6ba48dab6bede46a5232bb0f4a40fc460c8

SHA256
4e928a4555838a98ea0fda8e34872c800a69a23ebdd69fc704ca93aa55dac363

SHA512
202af41a0aebefacf02e5543dcd540118a81dc906ec52143cb8e7c5352aa85bba54ae04b6d7d53c0c049e773e264f31c5fbebf349e414095eae371da82b5611e

Download Submit
\Windows\SysWOW64\Mencccop.exe

Filesize
62KB

MD5
2f03d39ffaabf2c324e2d5822fe639d9

SHA1
89386326297a96dad9719c619306dde3c1d2e7cf

SHA256
98e7f82f177a5d2457e33dbfa740ce71349220dabb458c47f1709c25f26d4b06

SHA512
7773b294ab7c21e0f9e5316eb14dbe7c68c91d85a14a730b6135ff3d9349526c33d562e354176830e9871f05707bb2a1e39c631d334c25174e7f6af4cecb5b76

Download Submit
\Windows\SysWOW64\Meppiblm.exe

Filesize
62KB

MD5
bb07b6396a47bddf9698557bad7fe408

SHA1
178dd2b422deb2eafd87a43c62f7fb64e4e9b583

SHA256
327662b378b308051fa486db2f4bf6e2093818934f90cdaf6800da200780482f

SHA512
77f741cd8b760c61da469875600c3c595f767ed91c5a88c445c7cfc855f38ac101f292aaac9e30d82276b609a351bee389b61351074305644b3209c6044d2659

Download Submit
\Windows\SysWOW64\Mhloponc.exe

Filesize
62KB

MD5
92b5a75b639fb2f9c1445de03c4d1a95

SHA1
344f15c0b537cbb1cd29b7324f2b11e4a0a3815f

SHA256
964aeb086c532724c7a43f7cbda68b091b5519f27611eb3398cd23d7d4ec8567

SHA512
324afa4686439ca39b43d0b1e6cc009ebb3b69befabacf78f07d6ef15eb8ddc82e8f7e0aac3a6fc90cf5fd01403699f1e5ba255575ccdee580bf9c356281717c

Download Submit
\Windows\SysWOW64\Mlaeonld.exe

Filesize
62KB

MD5
924c34d5c25c28a857d9454138a6a712

SHA1
ac01033c4ba807c1bb138602e0a7bf139dd02abf

SHA256
744153e051799538efc80a2c1e5166f59e7888bc1bf13e5f8dc076f932ca19b1

SHA512
450d32fdbd9afa371e74baaa949ad6bc73851da044255f33c7ec20173b98417d372b2cd011602e052ef4c6ca242ae742fcc3523ad853303e5835047abac3af41

Download Submit
\Windows\SysWOW64\Mlfojn32.exe

Filesize
62KB

MD5
eb7c4fc4350450c7ad03197d1ca1f664

SHA1
aa7fa10bccb1fa405ae9d0c5eca555176c5ca865

SHA256
96ff790a15ca068e6dab308e580bdb690341b65320131cb3664e1994f755fbc2

SHA512
dbd4165c4cebae846e56c5239f7cfd9e66ce47ee5dfcc4d2b4b3e02ee3eb65d9671a2e2c21fcfc60fbac72cffa33a1da85fc3d99f5c7d35c1187e9ff4641afb5

Download Submit
\Windows\SysWOW64\Mpjqiq32.exe

Filesize
62KB

MD5
13a26fd035d1d09fa74e17a6b98cdd3d

SHA1
740b209f7ba090e90b9f2e5b64355e3ba63c01d0

SHA256
cd0f3f04d9303e7d2203078bb44ca1639c057d50f9df0f73a97920f99d0efaff

SHA512
9719aefcf24ce2d8f1e479691baa3f688ab81724ef3c89ec7ff85009ffa0be0a174d1a948923dbc7a98e86a0dfef0eff116dd2933c93b99c61f51262bd74f3ef

Download Submit
\Windows\SysWOW64\Mpmapm32.exe

Filesize
62KB

MD5
7338ae1c3789e151bad1f7c201e68c4e

SHA1
fc595c52b0f06de14a5aaa3b573c664ca43cfc62

SHA256
aadcab616c608a531b94c4a16bc2c33fd77c9f31a82fb3439c264fb38cb9fa04

SHA512
40e84469e2753a36e0da1933d930e05bbd1331deb0aa5036a7b90ebecb4e8d7813ab5b38fc1f5ec3a370297a75c22ecc706384afca0f997d2edde124c967c3fe

Download Submit
\Windows\SysWOW64\Ndhipoob.exe

Filesize
62KB

MD5
0fba6beb52ae486a1984aedf8fb4f516

SHA1
8fe9021dd638d4b735c3481205362fafb327d6f5

SHA256
2ce2502415f8b7856247637242598438942ae0e9a529a6d07a2ee7a3de75a498

SHA512
13e0f4efdd0b25d36f2827aeada694807cc1d6148b6ea74e208bcd72c5e3f11a1fb6ccab0da8bb9f74854d7bec4e4adaf83c9cecc4b1e8f1b1ccd1e5543a7bd9

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
62KB

MD5
d81cadbc7a8c84f83ebac3fdc2c5e275

SHA1
8348a0632906e08cc6d4f79b4510faf9794f2c89

SHA256
44d8c70bf2cd9ff84a2a9c2306f9c083876fda049ec06f23cdfe6204d0bc1e88

SHA512
432673555535f600aada0457c37dc186346b08daa8d9ef9e7e67c70d41c4c5f17fa9b6612e2a50871d21a31ffcb05b79233133dc02303497e8fe00b40bfc80a0

Download Submit
\Windows\SysWOW64\Ngibaj32.exe

Filesize
62KB

MD5
66796c5f01d7221fe9957c01e94d60db

SHA1
97eceb4a23cd8fea32712918297137fef96b089b

SHA256
81ff7a845db08a2407a55965e35479e9af97192ec80c64297a6a26bd74d79338

SHA512
cc1592bdeafb190471396e37ae88edad3a18e1907769c0debb639fa360bcbcbeb114648666c07db13cc33e5362c4f937fcb3fd4d9f1c7c6f5310633eb4c7e574

Download Submit
memory/680-283-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1176-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1176-234-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1176-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1296-286-0x0000000000330000-0x000000000036A000-memory.dmp

Filesize
232KB

Download
memory/1296-250-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1296-285-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1296-258-0x0000000000330000-0x000000000036A000-memory.dmp

Filesize
232KB

Download
memory/1500-271-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1500-287-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1500-288-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1500-289-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1648-279-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/1648-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1648-290-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-118-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1828-180-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1984-82-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1984-128-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1984-83-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1984-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1984-122-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/1984-121-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2000-143-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2000-142-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2000-192-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2000-191-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2000-129-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2000-205-0x0000000000300000-0x000000000033A000-memory.dmp

Filesize
232KB

Download
memory/2032-145-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-217-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2032-160-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2032-212-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2032-211-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2032-159-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2156-190-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2156-256-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2156-244-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2156-204-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2156-251-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/2208-181-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2208-189-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2232-213-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2232-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2248-284-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2248-245-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-224-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2376-173-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2376-218-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2376-161-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2424-111-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2424-158-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2424-99-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2524-98-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2524-41-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2536-25-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2536-68-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2536-69-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2536-13-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2580-60-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2628-35-0x00000000005D0000-0x000000000060A000-memory.dmp

Filesize
232KB

Download
memory/2628-32-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-54-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2824-7-0x00000000002D0000-0x000000000030A000-memory.dmp

Filesize
232KB

Download
memory/2864-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2864-85-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads