a30daebede7d50d6d303c0f7a86edff50eb51249d7f244fe4833bf70aef705ed

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b670d13016de98f70adb70c9af6e9e50N.exe
Size

64KB
MD5

b670d13016de98f70adb70c9af6e9e50
SHA1

e26f748883121853eadaecccc3f96d5b2e4f8b12
SHA256

a30daebede7d50d6d303c0f7a86edff50eb51249d7f244fe4833bf70aef705ed
SHA512

73031f49f86b740b1b684821ccef2ee959ae3c6c9eccf49630d087bee1382d78d21a486a44a403f092f0bdfb781b45aec743392f2f31d2cc832c6a061e78432d
SSDEEP

768:E3yqbw4nFk24yrOad3jZCWeKRqqohPoo1PpT2cb4IUeMFzrI2p/1H5wjXdnhYakT:SU324yrXvCf8QpoT44IZMJrI2L6AMCeW

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlfojn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b670d13016de98f70adb70c9af6e9e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moidahcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmnace32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b670d13016de98f70adb70c9af6e9e50N.exe

Executes dropped EXE 21 IoCs

pid	Process
1652	Lfdmggnm.exe
2696	Mlaeonld.exe
2728	Mooaljkh.exe
2556	Mieeibkn.exe
2448	Mbmjah32.exe
1012	Mlfojn32.exe
972	Mbpgggol.exe
1740	Mlhkpm32.exe
2788	Mmihhelk.exe
2844	Mdcpdp32.exe
2244	Moidahcn.exe
1916	Mpjqiq32.exe
1192	Nkpegi32.exe
1980	Nmnace32.exe
1684	Ngfflj32.exe
2904	Nlcnda32.exe
2264	Ngibaj32.exe
3012	Nmbknddp.exe
2364	Npagjpcd.exe
2268	Ngkogj32.exe
1356	Nlhgoqhh.exe

Loads dropped DLL 42 IoCs

pid	Process
2736	b670d13016de98f70adb70c9af6e9e50N.exe
2736	b670d13016de98f70adb70c9af6e9e50N.exe
1652	Lfdmggnm.exe
1652	Lfdmggnm.exe
2696	Mlaeonld.exe
2696	Mlaeonld.exe
2728	Mooaljkh.exe
2728	Mooaljkh.exe
2556	Mieeibkn.exe
2556	Mieeibkn.exe
2448	Mbmjah32.exe
2448	Mbmjah32.exe
1012	Mlfojn32.exe
1012	Mlfojn32.exe
972	Mbpgggol.exe
972	Mbpgggol.exe
1740	Mlhkpm32.exe
1740	Mlhkpm32.exe
2788	Mmihhelk.exe
2788	Mmihhelk.exe
2844	Mdcpdp32.exe
2844	Mdcpdp32.exe
2244	Moidahcn.exe
2244	Moidahcn.exe
1916	Mpjqiq32.exe
1916	Mpjqiq32.exe
1192	Nkpegi32.exe
1192	Nkpegi32.exe
1980	Nmnace32.exe
1980	Nmnace32.exe
1684	Ngfflj32.exe
1684	Ngfflj32.exe
2904	Nlcnda32.exe
2904	Nlcnda32.exe
2264	Ngibaj32.exe
2264	Ngibaj32.exe
3012	Nmbknddp.exe
3012	Nmbknddp.exe
2364	Npagjpcd.exe
2364	Npagjpcd.exe
2268	Ngkogj32.exe
2268	Ngkogj32.exe

Drops file in System32 directory 63 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mlfojn32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Mgecadnb.dll	Mbpgggol.exe
File created	C:\Windows\SysWOW64\Jmbckb32.dll	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Mpjqiq32.exe
File opened for modification	C:\Windows\SysWOW64\Nmnace32.exe	Nkpegi32.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Lfdmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Mooaljkh.exe	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Fpahiebe.dll	Mlfojn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Diaagb32.dll	Mlaeonld.exe
File created	C:\Windows\SysWOW64\Nmnace32.exe	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Fibkpd32.dll	Nkpegi32.exe
File created	C:\Windows\SysWOW64\Ajdlmi32.dll	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Nkeghkck.dll	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Lfdmggnm.exe	b670d13016de98f70adb70c9af6e9e50N.exe
File created	C:\Windows\SysWOW64\Mlaeonld.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Lfdmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Mbmjah32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Njfppiho.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	b670d13016de98f70adb70c9af6e9e50N.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Mjkacaml.dll	Mdcpdp32.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Nkpegi32.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Mooaljkh.exe	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Ngibaj32.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Aeaceffc.dll	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mlhkpm32.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Nmnace32.exe
File created	C:\Windows\SysWOW64\Ngibaj32.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Ngoohnkj.dll	Ngibaj32.exe
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	b670d13016de98f70adb70c9af6e9e50N.exe
File created	C:\Windows\SysWOW64\Mmihhelk.exe	Mlhkpm32.exe
File opened for modification	C:\Windows\SysWOW64\Nmbknddp.exe	Ngibaj32.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Ngkogj32.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Mieeibkn.exe	Mooaljkh.exe
File created	C:\Windows\SysWOW64\Mlfojn32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Mbpgggol.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Mlhkpm32.exe	Mbpgggol.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Hcpbee32.dll	Mbmjah32.exe
File opened for modification	C:\Windows\SysWOW64\Mlhkpm32.exe	Mbpgggol.exe
File created	C:\Windows\SysWOW64\Mdcpdp32.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Hljdna32.dll	Nmnace32.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Mbpgggol.exe	Mlfojn32.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Mpjqiq32.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngibaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b670d13016de98f70adb70c9af6e9e50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmnace32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mooaljkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlhkpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpgggol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfdmggnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlfojn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlhkpm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibkpd32.dll"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b670d13016de98f70adb70c9af6e9e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdlmi32.dll"	Mooaljkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcpbee32.dll"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgecadnb.dll"	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkacaml.dll"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Moidahcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmnace32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbknddp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlfojn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afdignjb.dll"	Mpjqiq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngoohnkj.dll"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngibaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecomlgc.dll"	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b670d13016de98f70adb70c9af6e9e50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b670d13016de98f70adb70c9af6e9e50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhhmapcq.dll"	b670d13016de98f70adb70c9af6e9e50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaagb32.dll"	Mlaeonld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeghkck.dll"	Mlhkpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmnace32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b670d13016de98f70adb70c9af6e9e50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mooaljkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngibaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b670d13016de98f70adb70c9af6e9e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Moidahcn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 1652	2736	b670d13016de98f70adb70c9af6e9e50N.exe	28
PID 2736 wrote to memory of 1652	2736	b670d13016de98f70adb70c9af6e9e50N.exe	28
PID 2736 wrote to memory of 1652	2736	b670d13016de98f70adb70c9af6e9e50N.exe	28
PID 2736 wrote to memory of 1652	2736	b670d13016de98f70adb70c9af6e9e50N.exe	28
PID 1652 wrote to memory of 2696	1652	Lfdmggnm.exe	29
PID 1652 wrote to memory of 2696	1652	Lfdmggnm.exe	29
PID 1652 wrote to memory of 2696	1652	Lfdmggnm.exe	29
PID 1652 wrote to memory of 2696	1652	Lfdmggnm.exe	29
PID 2696 wrote to memory of 2728	2696	Mlaeonld.exe	30
PID 2696 wrote to memory of 2728	2696	Mlaeonld.exe	30
PID 2696 wrote to memory of 2728	2696	Mlaeonld.exe	30
PID 2696 wrote to memory of 2728	2696	Mlaeonld.exe	30
PID 2728 wrote to memory of 2556	2728	Mooaljkh.exe	31
PID 2728 wrote to memory of 2556	2728	Mooaljkh.exe	31
PID 2728 wrote to memory of 2556	2728	Mooaljkh.exe	31
PID 2728 wrote to memory of 2556	2728	Mooaljkh.exe	31
PID 2556 wrote to memory of 2448	2556	Mieeibkn.exe	32
PID 2556 wrote to memory of 2448	2556	Mieeibkn.exe	32
PID 2556 wrote to memory of 2448	2556	Mieeibkn.exe	32
PID 2556 wrote to memory of 2448	2556	Mieeibkn.exe	32
PID 2448 wrote to memory of 1012	2448	Mbmjah32.exe	33
PID 2448 wrote to memory of 1012	2448	Mbmjah32.exe	33
PID 2448 wrote to memory of 1012	2448	Mbmjah32.exe	33
PID 2448 wrote to memory of 1012	2448	Mbmjah32.exe	33
PID 1012 wrote to memory of 972	1012	Mlfojn32.exe	34
PID 1012 wrote to memory of 972	1012	Mlfojn32.exe	34
PID 1012 wrote to memory of 972	1012	Mlfojn32.exe	34
PID 1012 wrote to memory of 972	1012	Mlfojn32.exe	34
PID 972 wrote to memory of 1740	972	Mbpgggol.exe	35
PID 972 wrote to memory of 1740	972	Mbpgggol.exe	35
PID 972 wrote to memory of 1740	972	Mbpgggol.exe	35
PID 972 wrote to memory of 1740	972	Mbpgggol.exe	35
PID 1740 wrote to memory of 2788	1740	Mlhkpm32.exe	36
PID 1740 wrote to memory of 2788	1740	Mlhkpm32.exe	36
PID 1740 wrote to memory of 2788	1740	Mlhkpm32.exe	36
PID 1740 wrote to memory of 2788	1740	Mlhkpm32.exe	36
PID 2788 wrote to memory of 2844	2788	Mmihhelk.exe	37
PID 2788 wrote to memory of 2844	2788	Mmihhelk.exe	37
PID 2788 wrote to memory of 2844	2788	Mmihhelk.exe	37
PID 2788 wrote to memory of 2844	2788	Mmihhelk.exe	37
PID 2844 wrote to memory of 2244	2844	Mdcpdp32.exe	38
PID 2844 wrote to memory of 2244	2844	Mdcpdp32.exe	38
PID 2844 wrote to memory of 2244	2844	Mdcpdp32.exe	38
PID 2844 wrote to memory of 2244	2844	Mdcpdp32.exe	38
PID 2244 wrote to memory of 1916	2244	Moidahcn.exe	39
PID 2244 wrote to memory of 1916	2244	Moidahcn.exe	39
PID 2244 wrote to memory of 1916	2244	Moidahcn.exe	39
PID 2244 wrote to memory of 1916	2244	Moidahcn.exe	39
PID 1916 wrote to memory of 1192	1916	Mpjqiq32.exe	40
PID 1916 wrote to memory of 1192	1916	Mpjqiq32.exe	40
PID 1916 wrote to memory of 1192	1916	Mpjqiq32.exe	40
PID 1916 wrote to memory of 1192	1916	Mpjqiq32.exe	40
PID 1192 wrote to memory of 1980	1192	Nkpegi32.exe	41
PID 1192 wrote to memory of 1980	1192	Nkpegi32.exe	41
PID 1192 wrote to memory of 1980	1192	Nkpegi32.exe	41
PID 1192 wrote to memory of 1980	1192	Nkpegi32.exe	41
PID 1980 wrote to memory of 1684	1980	Nmnace32.exe	42
PID 1980 wrote to memory of 1684	1980	Nmnace32.exe	42
PID 1980 wrote to memory of 1684	1980	Nmnace32.exe	42
PID 1980 wrote to memory of 1684	1980	Nmnace32.exe	42
PID 1684 wrote to memory of 2904	1684	Ngfflj32.exe	43
PID 1684 wrote to memory of 2904	1684	Ngfflj32.exe	43
PID 1684 wrote to memory of 2904	1684	Ngfflj32.exe	43
PID 1684 wrote to memory of 2904	1684	Ngfflj32.exe	43

C:\Users\Admin\AppData\Local\Temp\b670d13016de98f70adb70c9af6e9e50N.exe
"C:\Users\Admin\AppData\Local\Temp\b670d13016de98f70adb70c9af6e9e50N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\Lfdmggnm.exe
  C:\Windows\system32\Lfdmggnm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\Mlaeonld.exe
    C:\Windows\system32\Mlaeonld.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\Mooaljkh.exe
      C:\Windows\system32\Mooaljkh.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Mlfojn32.exe
        
        C:\Windows\system32\Mlfojn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Mlhkpm32.exe
        
        C:\Windows\system32\Mlhkpm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
        
        C:\Windows\SysWOW64\Nmnace32.exe
        
        C:\Windows\system32\Nmnace32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ngibaj32.exe
        
        C:\Windows\system32\Ngibaj32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
64KB

MD5
0b5e4c5aab968a65754e93c51ad94791

SHA1
7862d652f3154e824061a490704085546502f663

SHA256
5b7b330113a628511e47fafc299bc24a3fe26021e83177ac3293bf387064e8ad

SHA512
cd4799e6a1aac28adc21bad7034183a7638c9e76b48e33162fb2649b7090fbabe2594538f27db477db352ded5d7051764fd001544e47d1b18580d735e67f8cf4

Download Submit
C:\Windows\SysWOW64\Ngibaj32.exe

Filesize
64KB

MD5
a227070f51c47816428aafe99ceb6816

SHA1
3cb22eba87e21e4ffa59bb489326ca75128d1bff

SHA256
f5569740873a7e2f3bd80d64e93a313f283e04258aa62f72ff2b981305cb67ab

SHA512
ba5803f4280a3034ca34d7c8022f4e815a8eb75b9070317d42ee358ebeb57c65618193df2751ace30db1d17be331e1af7b6cf710bd58b1cbb2ca9766f92fbd6b

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
64KB

MD5
82f74031120d9c877090109cf8b6f08a

SHA1
ed24a1e84dd61a153082abe169a1d7adccbc2c86

SHA256
72f643796dbbf2f6f65b06e3057d70d2dc1a3d5dc489aa7f917551e58bf9d34d

SHA512
250fd0d31a88bc3288ba34ca26528521663b231ffc295b994f3177ce20433a0e145d14c405edaaa752233f7f2b2b1084cf114a62c14e22ec7c67f892f9683866

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
64KB

MD5
d5e040769217c0afc834e07ec021c6b7

SHA1
a28944646ba51ac9d917b5fba8a4881bffde693f

SHA256
afaa80c1881933b34debd2835066ea001d43f9a28023d06b986326de9dea238e

SHA512
206582692c102dd808698052da7e63fe970fc316182992c44d905cab81349bf4c4c54a9842cf5774bc06e1c8aa15ae5f02671c01a7c5a210b0f2e43fa60b9942

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
64KB

MD5
c10d7b113f8a0f3847694807585f45ba

SHA1
d5b32bd201223efd13267fe3355da0b8c367c364

SHA256
a246c54d0092d55e585a10c6d99f2ba35a6b87327ded722a92ac7a3a779afd3a

SHA512
c476663f0a9730dab73e590dcbacf847a3a33061aaf77a731ac38a1719eeffc5bad8e722e36ee544decf2f8ed6ee41c52b8b6528c79e8090c4cf6026b2484501

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
64KB

MD5
b09c68dda15190cbb2a5a5345d8d4a94

SHA1
41fff6310502e9d3291ae7839349b0e3b61c0df3

SHA256
e2b197eb45aa1e56f7c53fd7aed579fcb4af9a53769cb418d419eaf2780c936f

SHA512
4a3862edffbce710acae3fb87d68980f9983fe3661c5ac25b1b43e368a27ae2dfaa6ce8fc72e5c95a72d23b5f73e5238c068221d6d680f2b67c572a020176eae

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
64KB

MD5
750c5727a86df915678dea83c9071733

SHA1
352864a2ecf7dac2fc907103b7307618c5ee075c

SHA256
7b65cea14c5cbdc0a625b93c1f2ac9fca9bacbbf6daf032fa60068635f2db0b9

SHA512
a1df652e2ce75fad67609dafa7fda690ffd72e56ab216f3293ad7efd945c254d5cf0fb61ac0d8fc108d28984dce51a8b4d413dc104b297a4b5eb19bbf30606ed

Download Submit
\Windows\SysWOW64\Lfdmggnm.exe

Filesize
64KB

MD5
a4293b2aa331b587ef5ac2ba4e290c9f

SHA1
646a016cf80a68bc9e04890eb538299fbfb13885

SHA256
873290e8c8a9cf7abd13a5fe1ec7000de9a789a4fb4b428fb9e456b7c1b21e80

SHA512
d5cf31ca297dba3b3b6d2eba81e873017c1d1cc9d00fe8955863b42a63b4134d387da474f2aab0c4cca67e0231ee96e4da154815bda3f9d4de7a89c46d613d1f

Download Submit
\Windows\SysWOW64\Mbmjah32.exe

Filesize
64KB

MD5
6abb3f96aed55be23151d56d79c723a7

SHA1
8a6b97cd25816147695828bc4a88d5c3ebf87ab2

SHA256
1d7ecca2b00e56756c756a12d7097fab09d57ef8d9c6f4b9917c464ac647dfdc

SHA512
6d2a257b3a855385653444ef3aab9f886fce49c6158c13904f6ed87a05f99865385f542aefaff3ced673589e8fadd6462af87508f615855b551433766b3c05a9

Download Submit
\Windows\SysWOW64\Mbpgggol.exe

Filesize
64KB

MD5
8ed7ef73a468450ee16cbff968a6f4c4

SHA1
651e4531f2231c7ffab96b745bcc8f569f4beee7

SHA256
19748652713962738787e1d1de03a0d0f4b770784098b949ae982f45df645ba2

SHA512
41bc5b5c6f02df8061e48f1b8ec89abef76faacf61bf9d7ae2316de1010758e5ece893f2d7952a87bf2d3c6007e2a8a37d1436c4c3963746dcc031de76869ca6

Download Submit
\Windows\SysWOW64\Mdcpdp32.exe

Filesize
64KB

MD5
4878d768ea99e73de8d61da451983648

SHA1
9d9e192dd23bc264621d6ec92e80d55d33a00a1a

SHA256
82faa1a15c69d66cd274b70371f2bf27661cf7cc0e58515ce8bd58e49fb364d3

SHA512
925a61fc2c0af269164005185c14fca14f48fcf50e177d05a54e566ec7e846ec8d47d4be52f5cc9a81e03c6cc3c8821e53980f04e58d069b0275f93cbf2943e0

Download Submit
\Windows\SysWOW64\Mieeibkn.exe

Filesize
64KB

MD5
ffb2df3221d82b2c06873c50e362f92b

SHA1
699ed4163e417c1bf7f25abfe4dfc4b3beac2a7e

SHA256
5bf379b11282a365fde34d0e315f78084ddd3482ecbb71a800cbfba467606abd

SHA512
8f8e21baf453f687c11cadeab4579d13d7cedc1c7650170423665814cc2c56d2045192103624393474fe97f7dc436cfd46e7fb7b16ef0b4a1c598f74e77c6619

Download Submit
\Windows\SysWOW64\Mlfojn32.exe

Filesize
64KB

MD5
4b42e30153dff4c450fbbb7f9959c2f1

SHA1
7b55756c3ef6d5f9c530caea22913a82b3ad23c5

SHA256
967b9531cf89678f5772b6d56b2442ffbc556787684d8b3d6649912d929a8548

SHA512
2774538a811c0e062040cba36e6d38f4fb04ce259cd951dd64087badfa7dc18f882e5cdd07801135cb5b498fe55e768fe01764a7a4a91691221f0ae7c86cc0bd

Download Submit
\Windows\SysWOW64\Mlhkpm32.exe

Filesize
64KB

MD5
6af3110a9db652f9e216a28473aaef0d

SHA1
084c2142144d8113ff054029ecaa8cbaa5a80acb

SHA256
6ca8300243bfaed8e06bb9cf2f4bab85efb53ecb6bf4ef9cd17d5584c25801c4

SHA512
a73aca16d319b5736592cbffb432162902b6c65e67953244d0c68fbdd5bc1b0f232a1c5b9749842989e35ef33d6e094cacebe902658b5d49fe27a90955634ec0

Download Submit
\Windows\SysWOW64\Mmihhelk.exe

Filesize
64KB

MD5
cf4b5fd38db271321e5f95264cca3886

SHA1
4231355c84cb47ab70d4c5c3ab81887c56f4801b

SHA256
d26edc0fd7a6792b61a1e96d2fc821a70c1e52dd81d6c49c9773e15d01e986a2

SHA512
a0dc7d89a07f0ccdddc3a5bf29e9b39ca9c8bae2476b7513798e9e2881630ce4358f730e94cc1740355ff14dbc632e34d8b01cb43b7b4b00e395d5e88b4e134a

Download Submit
\Windows\SysWOW64\Moidahcn.exe

Filesize
64KB

MD5
1f9c1468e86555105c2081747143da48

SHA1
a32a40ff5404986dac8ae2817901b457c7391ae4

SHA256
69dd618dc1c120a25909cfcc42b501780bd6d538571cd7f3fe9c292395031ea0

SHA512
2179f6d81fc42b3499a8a911af70cbb2542edc8ed1158c37ee0233dec51f705c1606c2f074251933d38e5ab608c0a0d7ef65e0294cbc36ab5ed06a8ce5c1be27

Download Submit
\Windows\SysWOW64\Mooaljkh.exe

Filesize
64KB

MD5
9adcb41d5bad740cf171474a060c5bed

SHA1
766e51572945b49783abbd8e47f38b3e3ff84636

SHA256
362aefa90793670f6a8c319e2c2e0f4483629f60e47989788b1c646fecf67c6c

SHA512
0ef3c0ee16f803ce912b3a95efdc673e3d535a206575c0a8171957daedfe2d749184fe9b92c8e903610dc171adbdf70f01475c970a6f68e6678bf22814139198

Download Submit
\Windows\SysWOW64\Mpjqiq32.exe

Filesize
64KB

MD5
768ea3fa0043eb89d78f64a85ab1554b

SHA1
d048276e2203e3acdff766dbb917f316e64b7b86

SHA256
1c7e8b5d62cd5201804b71bcf474a1cf389c06a14f49c4e7805d47414bf1f69a

SHA512
b34cc36f0c1d9a78270eebbc5994690078e437fb1ead9015d52dc6f3db57c76fa8154f58d38cba8d63fe101cc5ff4d2dd6b2921c7c94c254dceeaf03657f7be5

Download Submit
\Windows\SysWOW64\Ngfflj32.exe

Filesize
64KB

MD5
768a75ec943e7136b15c09d5356153f8

SHA1
8b574da43d1f38a9d4f9bf4f3cc81f5ef387bc3e

SHA256
ea6d1932f963e62ed41203d5d1d07e1e97444529ae6e99920d6bddcaa902ef7e

SHA512
d807bdc2064ff414fc7d2301efe43f4c731921df7b230607884ba833521930bd1228f1f6c61daca38384ee2f03463bde2a88a70a6b1c3f7cd831ec8ae94b4e7a

Download Submit
\Windows\SysWOW64\Nkpegi32.exe

Filesize
64KB

MD5
efde48e62763dc8b93007db4381b4c26

SHA1
510ad2c187e2c72191ba91c180a0f2453e8c0366

SHA256
49f50a90c0754cb451889c186bb733316992a1495bf6491afe4cbd3ff41b6e41

SHA512
78c06ac990495ec49d9d7c56cbf575d1c15e226f4c2706bdfb8a7fa805bc152229c2f187045c39d2d01e4e7e89aa95103224e51103065c1a80523c6dab9a8b97

Download Submit
\Windows\SysWOW64\Nmnace32.exe

Filesize
64KB

MD5
667dedb889928d737eb9995a4e771831

SHA1
57c14c96dca3c807573a7d587b9d5228d1cb93d5

SHA256
5ec9a8189b05475d80f6154eb309f32abc23c2c0db4ff607f3c93ae263104eef

SHA512
331def4923cdf23e9bfa047ed6d110a40c281a46931b7dffae9a8653faca9c1efa09e30418e3a0273f7efaae5e8689bb2c30257058dfa57f5a8b3f6249b45044

Download Submit
memory/972-267-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/972-94-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1012-87-0x0000000000260000-0x000000000029A000-memory.dmp

Filesize
232KB

Download
memory/1012-280-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1012-80-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1192-182-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/1192-183-0x0000000000440000-0x000000000047A000-memory.dmp

Filesize
232KB

Download
memory/1192-179-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1356-261-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1356-282-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-276-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1652-14-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-212-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1684-271-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1740-272-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1740-114-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1740-107-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1916-263-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1980-194-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/1980-274-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1980-199-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2244-158-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2244-265-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2264-233-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2264-268-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2268-251-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2268-257-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2268-270-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2364-266-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-275-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2448-67-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2556-65-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2556-53-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2556-281-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2696-27-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2696-277-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-278-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-40-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2736-12-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2736-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2736-279-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2736-13-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2788-264-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-269-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2844-141-0x00000000002E0000-0x000000000031A000-memory.dmp

Filesize
232KB

Download
memory/2844-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2904-214-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2904-221-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2904-262-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3012-239-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/3012-273-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads