e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
Size

89KB
MD5

c0c9cabf8d7bb964efb7f7eedc85a988
SHA1

d6b3babcd9f0417bb1a1cd5b43950cbc8311a019
SHA256

e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14
SHA512

5af22316bef134c52fde3a5c9544ef29ea02dcaea998ad4471a780d42c1997321f545743d4fa230841ce6cbaa72b0ff4d872d5532e13c272e69ed0fefab80fd7
SSDEEP

1536:2GrYTjBWZNfW4j0W5/lLCDhv00i6hbYDSIcUlExkg8Fk:2GrojBcWvWxluDhNi6h4cUlakgwk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Nnhfee32.exeNdghmo32.exeMcpebmkb.exeNkjjij32.exeMpdelajl.exeNqfbaq32.exeNafokcol.exeNjacpf32.exeMkgmcjld.exeNbhkac32.exeNbkhfc32.exeMdmegp32.exeMnfipekh.exeMcbahlip.exeNklfoi32.exeNcgkcl32.exeNnolfdcn.exeMaohkd32.exeNkqpjidj.exeNgpjnkpf.exeNcldnkae.exee86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe

Executes dropped EXE 22 IoCs

Processes:

Maohkd32.exeMdmegp32.exeMcpebmkb.exeMkgmcjld.exeMnfipekh.exeMpdelajl.exeMcbahlip.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exeNgpjnkpf.exeNklfoi32.exeNafokcol.exeNcgkcl32.exeNjacpf32.exeNbhkac32.exeNdghmo32.exeNkqpjidj.exeNnolfdcn.exeNbkhfc32.exeNcldnkae.exeNkcmohbg.exe

pid	process
1628	Maohkd32.exe
4808	Mdmegp32.exe
3104	Mcpebmkb.exe
3272	Mkgmcjld.exe
2800	Mnfipekh.exe
3816	Mpdelajl.exe
2888	Mcbahlip.exe
4048	Nkjjij32.exe
4520	Nnhfee32.exe
3056	Nqfbaq32.exe
1680	Ngpjnkpf.exe
968	Nklfoi32.exe
2216	Nafokcol.exe
3712	Ncgkcl32.exe
1384	Njacpf32.exe
4108	Nbhkac32.exe
516	Ndghmo32.exe
4576	Nkqpjidj.exe
3008	Nnolfdcn.exe
3668	Nbkhfc32.exe
2144	Ncldnkae.exe
3052	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

Processes:

Mnfipekh.exeNgpjnkpf.exeNnolfdcn.exeNbkhfc32.exeMpdelajl.exeNkjjij32.exeNjacpf32.exeMcpebmkb.exeMkgmcjld.exeNafokcol.exeNdghmo32.exee86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exeNnhfee32.exeNkqpjidj.exeNqfbaq32.exeNcldnkae.exeNbhkac32.exeMdmegp32.exeMcbahlip.exeNcgkcl32.exeMaohkd32.exeNklfoi32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Ekipni32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nafokcol.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Nnolfdcn.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File opened for modification	C:\Windows\SysWOW64\Nnolfdcn.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fneiph32.dll	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mdmegp32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmcjld.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Ncgkcl32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Hlmobp32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Dlddhggk.dll	Nbkhfc32.exe
File opened for modification	C:\Windows\SysWOW64\Mdmegp32.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mkgmcjld.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Npckna32.dll	Nnhfee32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mlhblb32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nnhfee32.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nqfbaq32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

4272 3052 WerFault.exe

pid	pid_target	process
4272	3052	WerFault.exe

Modifies registry class 64 IoCs

Processes:

Nnhfee32.exeNafokcol.exeNbkhfc32.exeMcpebmkb.exeMnfipekh.exeNkqpjidj.exeMcbahlip.exeNqfbaq32.exeNbhkac32.exeNdghmo32.exee86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exeMaohkd32.exeNcgkcl32.exeNcldnkae.exeMdmegp32.exeMpdelajl.exeMkgmcjld.exeNkjjij32.exeNnolfdcn.exeNklfoi32.exeNjacpf32.exeNgpjnkpf.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cknpkhch.dll"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdmegp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nnolfdcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codhke32.dll"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmobp32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoegc32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdmegp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlddhggk.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fneiph32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekipni32.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnhfee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exeMaohkd32.exeMdmegp32.exeMcpebmkb.exeMkgmcjld.exeMnfipekh.exeMpdelajl.exeMcbahlip.exeNkjjij32.exeNnhfee32.exeNqfbaq32.exeNgpjnkpf.exeNklfoi32.exeNafokcol.exeNcgkcl32.exeNjacpf32.exeNbhkac32.exeNdghmo32.exeNkqpjidj.exeNnolfdcn.exeNbkhfc32.exeNcldnkae.exe

description	pid	process	target process
PID 2544 wrote to memory of 1628	2544	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe	Maohkd32.exe
PID 2544 wrote to memory of 1628	2544	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe	Maohkd32.exe
PID 2544 wrote to memory of 1628	2544	e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe	Maohkd32.exe
PID 1628 wrote to memory of 4808	1628	Maohkd32.exe	Mdmegp32.exe
PID 1628 wrote to memory of 4808	1628	Maohkd32.exe	Mdmegp32.exe
PID 1628 wrote to memory of 4808	1628	Maohkd32.exe	Mdmegp32.exe
PID 4808 wrote to memory of 3104	4808	Mdmegp32.exe	Mcpebmkb.exe
PID 4808 wrote to memory of 3104	4808	Mdmegp32.exe	Mcpebmkb.exe
PID 4808 wrote to memory of 3104	4808	Mdmegp32.exe	Mcpebmkb.exe
PID 3104 wrote to memory of 3272	3104	Mcpebmkb.exe	Mkgmcjld.exe
PID 3104 wrote to memory of 3272	3104	Mcpebmkb.exe	Mkgmcjld.exe
PID 3104 wrote to memory of 3272	3104	Mcpebmkb.exe	Mkgmcjld.exe
PID 3272 wrote to memory of 2800	3272	Mkgmcjld.exe	Mnfipekh.exe
PID 3272 wrote to memory of 2800	3272	Mkgmcjld.exe	Mnfipekh.exe
PID 3272 wrote to memory of 2800	3272	Mkgmcjld.exe	Mnfipekh.exe
PID 2800 wrote to memory of 3816	2800	Mnfipekh.exe	Mpdelajl.exe
PID 2800 wrote to memory of 3816	2800	Mnfipekh.exe	Mpdelajl.exe
PID 2800 wrote to memory of 3816	2800	Mnfipekh.exe	Mpdelajl.exe
PID 3816 wrote to memory of 2888	3816	Mpdelajl.exe	Mcbahlip.exe
PID 3816 wrote to memory of 2888	3816	Mpdelajl.exe	Mcbahlip.exe
PID 3816 wrote to memory of 2888	3816	Mpdelajl.exe	Mcbahlip.exe
PID 2888 wrote to memory of 4048	2888	Mcbahlip.exe	Nkjjij32.exe
PID 2888 wrote to memory of 4048	2888	Mcbahlip.exe	Nkjjij32.exe
PID 2888 wrote to memory of 4048	2888	Mcbahlip.exe	Nkjjij32.exe
PID 4048 wrote to memory of 4520	4048	Nkjjij32.exe	Nnhfee32.exe
PID 4048 wrote to memory of 4520	4048	Nkjjij32.exe	Nnhfee32.exe
PID 4048 wrote to memory of 4520	4048	Nkjjij32.exe	Nnhfee32.exe
PID 4520 wrote to memory of 3056	4520	Nnhfee32.exe	Nqfbaq32.exe
PID 4520 wrote to memory of 3056	4520	Nnhfee32.exe	Nqfbaq32.exe
PID 4520 wrote to memory of 3056	4520	Nnhfee32.exe	Nqfbaq32.exe
PID 3056 wrote to memory of 1680	3056	Nqfbaq32.exe	Ngpjnkpf.exe
PID 3056 wrote to memory of 1680	3056	Nqfbaq32.exe	Ngpjnkpf.exe
PID 3056 wrote to memory of 1680	3056	Nqfbaq32.exe	Ngpjnkpf.exe
PID 1680 wrote to memory of 968	1680	Ngpjnkpf.exe	Nklfoi32.exe
PID 1680 wrote to memory of 968	1680	Ngpjnkpf.exe	Nklfoi32.exe
PID 1680 wrote to memory of 968	1680	Ngpjnkpf.exe	Nklfoi32.exe
PID 968 wrote to memory of 2216	968	Nklfoi32.exe	Nafokcol.exe
PID 968 wrote to memory of 2216	968	Nklfoi32.exe	Nafokcol.exe
PID 968 wrote to memory of 2216	968	Nklfoi32.exe	Nafokcol.exe
PID 2216 wrote to memory of 3712	2216	Nafokcol.exe	Ncgkcl32.exe
PID 2216 wrote to memory of 3712	2216	Nafokcol.exe	Ncgkcl32.exe
PID 2216 wrote to memory of 3712	2216	Nafokcol.exe	Ncgkcl32.exe
PID 3712 wrote to memory of 1384	3712	Ncgkcl32.exe	Njacpf32.exe
PID 3712 wrote to memory of 1384	3712	Ncgkcl32.exe	Njacpf32.exe
PID 3712 wrote to memory of 1384	3712	Ncgkcl32.exe	Njacpf32.exe
PID 1384 wrote to memory of 4108	1384	Njacpf32.exe	Nbhkac32.exe
PID 1384 wrote to memory of 4108	1384	Njacpf32.exe	Nbhkac32.exe
PID 1384 wrote to memory of 4108	1384	Njacpf32.exe	Nbhkac32.exe
PID 4108 wrote to memory of 516	4108	Nbhkac32.exe	Ndghmo32.exe
PID 4108 wrote to memory of 516	4108	Nbhkac32.exe	Ndghmo32.exe
PID 4108 wrote to memory of 516	4108	Nbhkac32.exe	Ndghmo32.exe
PID 516 wrote to memory of 4576	516	Ndghmo32.exe	Nkqpjidj.exe
PID 516 wrote to memory of 4576	516	Ndghmo32.exe	Nkqpjidj.exe
PID 516 wrote to memory of 4576	516	Ndghmo32.exe	Nkqpjidj.exe
PID 4576 wrote to memory of 3008	4576	Nkqpjidj.exe	Nnolfdcn.exe
PID 4576 wrote to memory of 3008	4576	Nkqpjidj.exe	Nnolfdcn.exe
PID 4576 wrote to memory of 3008	4576	Nkqpjidj.exe	Nnolfdcn.exe
PID 3008 wrote to memory of 3668	3008	Nnolfdcn.exe	Nbkhfc32.exe
PID 3008 wrote to memory of 3668	3008	Nnolfdcn.exe	Nbkhfc32.exe
PID 3008 wrote to memory of 3668	3008	Nnolfdcn.exe	Nbkhfc32.exe
PID 3668 wrote to memory of 2144	3668	Nbkhfc32.exe	Ncldnkae.exe
PID 3668 wrote to memory of 2144	3668	Nbkhfc32.exe	Ncldnkae.exe
PID 3668 wrote to memory of 2144	3668	Nbkhfc32.exe	Ncldnkae.exe
PID 2144 wrote to memory of 3052	2144	Ncldnkae.exe	Nkcmohbg.exe

C:\Users\Admin\AppData\Local\Temp\e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe
"C:\Users\Admin\AppData\Local\Temp\e86c1c799e09757425ad2472d05b024a69cd7a07eff5c4194a57dfaa36fa8b14.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2544

C:\Windows\SysWOW64\Maohkd32.exe
C:\Windows\system32\Maohkd32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\Mdmegp32.exe
C:\Windows\system32\Mdmegp32.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\SysWOW64\Mcpebmkb.exe
C:\Windows\system32\Mcpebmkb.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\SysWOW64\Mkgmcjld.exe
C:\Windows\system32\Mkgmcjld.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3272

C:\Windows\SysWOW64\Mnfipekh.exe
C:\Windows\system32\Mnfipekh.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\Mpdelajl.exe
C:\Windows\system32\Mpdelajl.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\Mcbahlip.exe
C:\Windows\system32\Mcbahlip.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\Nkjjij32.exe
C:\Windows\system32\Nkjjij32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4048

C:\Windows\SysWOW64\Nnhfee32.exe
C:\Windows\system32\Nnhfee32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\SysWOW64\Nqfbaq32.exe
C:\Windows\system32\Nqfbaq32.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\Ngpjnkpf.exe
C:\Windows\system32\Ngpjnkpf.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\Nklfoi32.exe
C:\Windows\system32\Nklfoi32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\SysWOW64\Nafokcol.exe
C:\Windows\system32\Nafokcol.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\Ncgkcl32.exe
C:\Windows\system32\Ncgkcl32.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\SysWOW64\Njacpf32.exe
C:\Windows\system32\Njacpf32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384

C:\Windows\SysWOW64\Nbhkac32.exe
C:\Windows\system32\Nbhkac32.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\Ndghmo32.exe
C:\Windows\system32\Ndghmo32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\Nkqpjidj.exe
C:\Windows\system32\Nkqpjidj.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\SysWOW64\Nnolfdcn.exe
C:\Windows\system32\Nnolfdcn.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\Nbkhfc32.exe
C:\Windows\system32\Nbkhfc32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\Ncldnkae.exe
C:\Windows\system32\Ncldnkae.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\SysWOW64\Nkcmohbg.exe
C:\Windows\system32\Nkcmohbg.exe
23⤵
- Executes dropped EXE
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 412
24⤵
- Program crash
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3052 -ip 3052
1⤵
PID:2680

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Codhke32.dll
Filesize
7KB

MD5
d7de8c6b963e500efebe54bbd2dd3e06

SHA1
b48d0e8375c1479b7c82264ffe28cfa4f2aafc11

SHA256
0f3d55e42ed9d1e5d91865c6c4e538062ccbee84f99ab0fa3849dac43ea73de9

SHA512
608dd7e5f049a1efc786e999b09308803f6429825e84f04a7159fa50b7e1d0164e7bf860429e91394084f396120dcc340197ae23c9cc8d9ee160755f927e1ba7

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe
Filesize
89KB

MD5
5519ce55017c5d91bdc3c41e14579404

SHA1
672007578156638bb83abdfb900564d5bfd8eff5

SHA256
466086676a3fea2d38ced316869509d81c020bfa01c07106e55b5e6df36741cd

SHA512
2a920eb88ea483c3fee48b4b6ca0f4f9463107efd19e3af69e3baa9275d873ceb8f5ff8eb755b681786a0d1050d2b8f05188c71a3550d70d2bcbb695627b5e50

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe
Filesize
89KB

MD5
d31458b7cef12714c4e0cce7e80815fd

SHA1
e841f455f1b12bb7069b4917cb0efc7a493c10e9

SHA256
62f77998883b58342d5fb5866142e8e9bf5eba2cc9335bd84baadf68e5953578

SHA512
11317d60c1db5ab7614270aedd051520b01e5338fa4b7a234faefd23f227b528f85a0220f4429943c00e03546644c71416e10759b9594305ad5dfff9c78e48c7

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe
Filesize
89KB

MD5
613672e71f61d057ee6d6d2b9f80d142

SHA1
7e4cdd90c2456536d743a150ac6c45e3e81134e8

SHA256
d1096b08b6b7b262eb59640f40142765aa6a01c89526528fa3f835887653cca2

SHA512
38041a611663a922a8cb41e8e6bc9164f72f6df4a05c8d893c4406c31193182a5d418e233e0ce708d5b5e6f4fd0674f6fbb0cc89cf576af5fc58b829cec523f3

Download Submit
C:\Windows\SysWOW64\Mdmegp32.exe
Filesize
89KB

MD5
d281a82290125c29194956a6a40faa1e

SHA1
55a481970443cf1d12ff9a4985a45100f34a24bf

SHA256
baab7ca379441475cc38f36a5f4df930b528b51050a487d3c9bdc65ad4bb313d

SHA512
4df15cc14fa7ce7622df1ea4c7070e8b6d0f03caa997e5836d154c084849f845eeb33747518ed22b64f2e3c289937ad5affe59f67fd05339b559db61c64ad8e5

Download Submit
C:\Windows\SysWOW64\Mkgmcjld.exe
Filesize
89KB

MD5
eada6d0e69e80e1233b59cedbe5251f7

SHA1
4b44db187f624532d134bcf04297afbab4007d2b

SHA256
00baf1c87a738fa8aa211dc4df250061780b2034deed65c1e2d24b7768cd0545

SHA512
0823d287110834ed1f25ac362e7aaec32f5783425f05b7aa8a461d6f10bf96c7e8c07f478b245953da9bc84e4ebd3af67c08dd585779f9c67082c492fa34371e

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe
Filesize
89KB

MD5
b07e1dd699a6739992fa991fd5c126ba

SHA1
16aa652cb19bd7ad290c0b271a577a90808961af

SHA256
4ab1bb8c357dc46c92e44c947d6943f325829435dce6f37f8ded3c5b9c2b26ff

SHA512
9348d1bb44f7660b29a0de0c9c75fb1f44e6c466e66f47592dac0661416f6b21a1a2aef1324d610a79ef3a817b1db0531b18099e5a7ddca1bad3593631455939

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe
Filesize
89KB

MD5
841d17d6bd71f9c93963dcb33e2b17b5

SHA1
74b64151fd8a6ff659dd4cb2fde3ea53d341f2f4

SHA256
dfd8e6401a2938a9c51d0acb220bbd93ae14ca425fa668c3267d00247e2db6c9

SHA512
17aa1cd2992ad1aa9ee2281192a38b65d5b9f888f05a7aefa32a31d8e0cdbc1cf453eb165021ef643375d867e7a8aac6602cf3e9114080ccd2f1124f8d2e6cac

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe
Filesize
89KB

MD5
4856bd55256d12718c46d1129c3c8874

SHA1
22fa80cb87f146272a608295db863f33b0ede4c1

SHA256
5345188cec2df894b2abd26e5babdfeb99e261f46703f03f9191b9e97db047ec

SHA512
d246b175e5ce7e5188b4d712a3fb073e679e195eea78d337e3e53fa0e0a14c180f877d534184ad40870efd7e568f53a5135fa2d5aa2911cfaaaf766c796566f2

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe
Filesize
89KB

MD5
acac627a3fb6921eaf3fd2e8cb6020d6

SHA1
18d3b8fcad1b7c563105b9db96f831e0e69ffecd

SHA256
d910921057e4aefdbbc4da2dbcdd94d80bd7c41b60d25ed44736e0f6f33b9c7f

SHA512
a0e3cfea5e0022a2258a3e48914318fa317732be0d048dddec09bc2831a5befc872d6c9efd695aba2843c9fa92b45ca3d55c421f878ed39b9f27bf0ccbed6853

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe
Filesize
89KB

MD5
c262e70c2f8ab643d84ef0ee95f37bb0

SHA1
88c04a37890b20e9f52a05d55159d2273ae68ca7

SHA256
c3a7002873b22cecb31c8bacd07724d767c0fa2f13fd6d637e0e7b11bf2026bd

SHA512
fff4a84a9d691fe35d03012240af343d4f85a98d2a0e30f1d95447ac78929332f59050f9e7bc139227acb97b6b4adf2e9429bc216c265ea9539b6611b0c4a775

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe
Filesize
89KB

MD5
c2d1e80c4eb14be2828b6299d8247356

SHA1
15f2f196bb5ccbe682d1eafd223848566043deb8

SHA256
ebbcaf59bb2c270e187962e33e41b633d589b48b31521f6d9a0adf2a3cd05426

SHA512
722df5a9ecb5fa84f021ff82b3c4778a3a8fe1f046acabf678514b6b46252c986eff52e38f46b35cf6f4601777205fc9f49858c02033a5ad00e778cdca4f06c8

Download Submit
C:\Windows\SysWOW64\Ncldnkae.exe
Filesize
89KB

MD5
4479d715a046764d6639be0eb5f03ac8

SHA1
9d7b7ceb27234d86b36be66091593614261dec31

SHA256
45535811460f5a0a09685ad530199d457ebc692a7584ce11921f383165e7f3d4

SHA512
f004ad5090113cd495cf4318a661353eef30e77d17cee3dad494d7045b345ed0378015cb310782eced443be43d70539a07501453861b29317b34addafea1517b

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe
Filesize
89KB

MD5
7848a762972d16a2a76aa7f12bc86af9

SHA1
b1104b8f04e31c4e1d5dcf184dc87bb7ad7ce6a8

SHA256
07c609ad37f6e1799e3456bff02f53a3240724dd4ff52d565379cd2837368753

SHA512
601cf6ab27a6b02735e300b621385491adfe60d39d68c8cbfcfc796b1b4c145eb1856404b16fd335e1dde82cc12b8ee4ecb2d0959247a218025cce9590654263

Download Submit
C:\Windows\SysWOW64\Ngpjnkpf.exe
Filesize
89KB

MD5
9869936ab31faa7bb966627c6f02c041

SHA1
7ca79afdf288602526baaa3041707029d7f46844

SHA256
e87ffe3ce6c0d3b4eab55d753545d053010527639ff2095cffc414e71797921a

SHA512
c7bd724e60435fa27e7143cd2a25013f7c16a560253ea8edcdf435a511aba8ed81bd3cf1b8e9bdf1cd5413d887948064c089c0599c1039a20a36184bf59ba5f9

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe
Filesize
89KB

MD5
f5287b043f1be39396c3e1b34d3afaab

SHA1
77d57ceb0b059a89ecaac192c01dc9f44fee9837

SHA256
3a1fe6e814827a0a2a2d2ef9f579a6663de66d269ab084be38ebbc1533f174d1

SHA512
42de34568a5f713592635411c942d7265dd6b7e8f3fc1e466884fddc3b1483c5ef07b046841e8a3b8243250d429c02eebf274431f48e40451373dbfffa6b33cf

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe
Filesize
89KB

MD5
8cdee737e769be1b2e150a6ca42c3594

SHA1
198b5911c6dc2444962415bebdb37ebd0831000c

SHA256
40b904de470e46faabe0fa01724259ea124a0bc94e62b0781b50ea6c7a2f0287

SHA512
a951b1ac09090b89dd56d68500fb4daf694ca5787a42747f1d30207118870a527a8539afa823c82db108fe76b989616b6ebe05b058fa7cd709315af47afb285f

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe
Filesize
89KB

MD5
4f6f6132f5c524327d041a7d87415c37

SHA1
a5d227d3088b8f5e0e23541070801e53624d35fa

SHA256
93aca0f6478a073359db8e5e8d0ab577f9d4ac0a2dcce30314298ed6c1f2b6e3

SHA512
16aef61ab117321b832040cd8d6148768a0169a8c48684e74538a6677a4edd9c5253ac64425587c9a338860dbb2b9b3e745369432fc7cd811be608c7ef8d28a9

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe
Filesize
89KB

MD5
998f950f5ca8799027ad8707844b5e03

SHA1
23ceaeb4b78c95b7a01c09ca56dd73d9bf1181a5

SHA256
a961854fd40d88d21ea257288f20f96f80460f47ed9b049363753b8db5205e67

SHA512
582f42a7bf487c407a2b589766185fe0368589e087207fbe553307e66aecbd1e02846ed1d02db5bda6f88232ec79b5f554f7a0aa6317341ba5830468b34569ea

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe
Filesize
89KB

MD5
28d7056a66805af04bc2cc8b73d775cb

SHA1
a23dc3e37fc78df10f731a3736f2d0bb0556a3c4

SHA256
46f7c9ba36777c7a8049262d3cf67830032b971fba643575e1f3feb6f0302370

SHA512
090ec2da876f0a82f6c575e5175588c0afd33449d943ee3b8c9ffddb9a8b3a5b823ccbf7d92ec4a0f5181212f704d74e7168be57605bfbaa05d9bcc8d2fc445b

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe
Filesize
89KB

MD5
3a7081e50c2d3aa819f163bdda29ae40

SHA1
35c74fa1e7bd88a895f3529db2c668b4389abcb2

SHA256
6327827015332381d24262fa47f58d30a7592a6f20305e4b4d22153b477272fa

SHA512
29a1ecc2ef62bcfc8d26517e211d9125e8c8f674934279522a878c90934765ab730709e0ef37901d1807af327f41bf6cf40f888e8a3bab39a28bdce8b6956bd7

Download Submit
C:\Windows\SysWOW64\Nnhfee32.exe
Filesize
89KB

MD5
9fa49b8e25688900f0ea9adb30945c3f

SHA1
54979eabbdc00a021e594006fbb5087734f94880

SHA256
4a72a6696b34b7c9a19fe283c5be7f45f112bd8244fc51c3de8277518e6cf0c2

SHA512
8d233e3384e6972f1a57f3ac9350bad8f8614eca71bf0a8d045dbe675b92f4e4611cc9f84b9eb58602fa63426dfbef43c90d7293d95c6af13b4d3ff378380f8e

Download Submit
C:\Windows\SysWOW64\Nnolfdcn.exe
Filesize
89KB

MD5
a472d6093db652d1b0395f2e6b8efe75

SHA1
1fd65685df333e7fa9c6b5b9c51cc4ab262f1015

SHA256
7afb752a51d11b1674b914f21dee4adfa89e549d8132334eb6f07a645739fbbc

SHA512
9f56d3591cfc5fe904dd881efec3e665cc9bf16fbb49fb9ada69bb67508fa0e718a73a6af91fcf22d268ba0dac9491cb24aa954c115a81fcdffc7204b18f23c4

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe
Filesize
89KB

MD5
3bea7ae36c6410469c8c079d7faee087

SHA1
8db6597b12b57065574f14c448e1d36a789fd042

SHA256
5d1d73254a4bdd0aeb44fa49cb738bd8fc02ec07f8f4aa341a01ef7b9bd183e5

SHA512
1c6a90fe2bd0439ed24b0180c62bac90e7ab0ca5898e3d8aa2895c8992662c7793155136602b2b3e5f598cdefcd2a24577743db19b131ff2b20157d604107094

Download Submit
memory/516-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/516-182-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1384-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1628-198-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1680-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2144-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2216-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2544-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2800-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3008-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3104-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3272-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3712-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-191-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4108-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-190-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4520-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-181-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4808-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads