f2b314f9e73c0d205d63ce0b2d881a18efaeab1debbf2dc9f3f5b9c0ea1a214d

Analysis

max time kernel
137s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 09:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0697c985e43f9168bf312a4825c742d4_NEAS.exe
Size

320KB
MD5

0697c985e43f9168bf312a4825c742d4
SHA1

1e916487cda076998d124cd646e4f7dc05e4d21f
SHA256

f2b314f9e73c0d205d63ce0b2d881a18efaeab1debbf2dc9f3f5b9c0ea1a214d
SHA512

24215f8858b1e5def92f611f226207a1059543013216375b7f5b09b4eb15187b543ce665e46c55377a40c6cf5a8c5045e4402e310e63860999316f62934eb55d
SSDEEP

6144:GcmQWvl1Y/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:GcmQWvKm05XEvG6IveDVqvQ6IvP

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	0697c985e43f9168bf312a4825c742d4_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcgblncm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpkbebbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maaepd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncihikcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	0697c985e43f9168bf312a4825c742d4_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe

Executes dropped EXE 64 IoCs

pid	Process
452	Lpfijcfl.exe
2596	Ljnnch32.exe
4008	Laefdf32.exe
3252	Lddbqa32.exe
2332	Lcgblncm.exe
1072	Lgbnmm32.exe
2256	Lknjmkdo.exe
3048	Mnlfigcc.exe
4512	Mpkbebbf.exe
536	Mdfofakp.exe
2440	Mciobn32.exe
2012	Mkpgck32.exe
4888	Mjcgohig.exe
1712	Mnocof32.exe
3120	Mpmokb32.exe
1876	Mdiklqhm.exe
4956	Mcklgm32.exe
380	Mgghhlhq.exe
1400	Mkbchk32.exe
1380	Mjeddggd.exe
4064	Mamleegg.exe
5072	Mpolqa32.exe
4192	Mdkhapfj.exe
1564	Mcnhmm32.exe
1372	Mgidml32.exe
3880	Mkepnjng.exe
4656	Mjhqjg32.exe
2996	Mncmjfmk.exe
2056	Maohkd32.exe
700	Mpaifalo.exe
3480	Mcpebmkb.exe
4848	Mcpebmkb.exe
3180	Mglack32.exe
3124	Mkgmcjld.exe
3024	Mjjmog32.exe
4672	Maaepd32.exe
4056	Mpdelajl.exe
3976	Mdpalp32.exe
3944	Mcbahlip.exe
1312	Mgnnhk32.exe
4352	Nkjjij32.exe
5084	Njljefql.exe
2616	Nacbfdao.exe
4812	Nqfbaq32.exe
4268	Ndbnboqb.exe
3972	Nceonl32.exe
1000	Ngpjnkpf.exe
4732	Njogjfoj.exe
2444	Nafokcol.exe
2628	Nqiogp32.exe
2604	Ncgkcl32.exe
3028	Ngcgcjnc.exe
3436	Njacpf32.exe
4828	Nbhkac32.exe
2176	Nqklmpdd.exe
1148	Ndghmo32.exe
892	Ncihikcg.exe
3940	Nkqpjidj.exe
340	Njcpee32.exe
2468	Nnolfdcn.exe
1732	Nbkhfc32.exe
3688	Nqmhbpba.exe
4256	Ncldnkae.exe
1232	Nggqoj32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nqklmpdd.exe	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Laefdf32.exe	Ljnnch32.exe
File opened for modification	C:\Windows\SysWOW64\Mciobn32.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mgidml32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mkgmcjld.exe
File opened for modification	C:\Windows\SysWOW64\Maaepd32.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Dihcoe32.dll	Nqfbaq32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mpkbebbf.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Mkgmcjld.exe	Mglack32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ncihikcg.exe
File opened for modification	C:\Windows\SysWOW64\Lpfijcfl.exe	0697c985e43f9168bf312a4825c742d4_NEAS.exe
File created	C:\Windows\SysWOW64\Mpkbebbf.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nqklmpdd.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mncmjfmk.exe
File created	C:\Windows\SysWOW64\Majknlkd.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mkbchk32.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Laefdf32.exe
File created	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ngpjnkpf.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Cknpkhch.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lgbnmm32.exe	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Kcbibebo.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nqmhbpba.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	Lgbnmm32.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mjeddggd.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Plilol32.dll	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Lelgbkio.dll	Mdpalp32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Ngpjnkpf.exe
File created	C:\Windows\SysWOW64\Mecaoggc.dll	Lcgblncm.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Qcldhk32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mncmjfmk.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Ncihikcg.exe	Ndghmo32.exe
File opened for modification	C:\Windows\SysWOW64\Mpaifalo.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Lcgblncm.exe	Lddbqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mkpgck32.exe

Program crash 1 IoCs

pid	pid_target	Process
3244	3408	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqklmpdd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnlfigcc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkckjila.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfbhfihj.dll"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mncmjfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkgmcjld.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngpjnkpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mkpgck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhblb32.dll"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Njljefql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mncmjfmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcldhk32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	0697c985e43f9168bf312a4825c742d4_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkpgck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpjnkpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Nnolfdcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mkgmcjld.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lddbqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mdkhapfj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 452	212	0697c985e43f9168bf312a4825c742d4_NEAS.exe	83
PID 212 wrote to memory of 452	212	0697c985e43f9168bf312a4825c742d4_NEAS.exe	83
PID 212 wrote to memory of 452	212	0697c985e43f9168bf312a4825c742d4_NEAS.exe	83
PID 452 wrote to memory of 2596	452	Lpfijcfl.exe	84
PID 452 wrote to memory of 2596	452	Lpfijcfl.exe	84
PID 452 wrote to memory of 2596	452	Lpfijcfl.exe	84
PID 2596 wrote to memory of 4008	2596	Ljnnch32.exe	85
PID 2596 wrote to memory of 4008	2596	Ljnnch32.exe	85
PID 2596 wrote to memory of 4008	2596	Ljnnch32.exe	85
PID 4008 wrote to memory of 3252	4008	Laefdf32.exe	86
PID 4008 wrote to memory of 3252	4008	Laefdf32.exe	86
PID 4008 wrote to memory of 3252	4008	Laefdf32.exe	86
PID 3252 wrote to memory of 2332	3252	Lddbqa32.exe	87
PID 3252 wrote to memory of 2332	3252	Lddbqa32.exe	87
PID 3252 wrote to memory of 2332	3252	Lddbqa32.exe	87
PID 2332 wrote to memory of 1072	2332	Lcgblncm.exe	88
PID 2332 wrote to memory of 1072	2332	Lcgblncm.exe	88
PID 2332 wrote to memory of 1072	2332	Lcgblncm.exe	88
PID 1072 wrote to memory of 2256	1072	Lgbnmm32.exe	89
PID 1072 wrote to memory of 2256	1072	Lgbnmm32.exe	89
PID 1072 wrote to memory of 2256	1072	Lgbnmm32.exe	89
PID 2256 wrote to memory of 3048	2256	Lknjmkdo.exe	90
PID 2256 wrote to memory of 3048	2256	Lknjmkdo.exe	90
PID 2256 wrote to memory of 3048	2256	Lknjmkdo.exe	90
PID 3048 wrote to memory of 4512	3048	Mnlfigcc.exe	91
PID 3048 wrote to memory of 4512	3048	Mnlfigcc.exe	91
PID 3048 wrote to memory of 4512	3048	Mnlfigcc.exe	91
PID 4512 wrote to memory of 536	4512	Mpkbebbf.exe	92
PID 4512 wrote to memory of 536	4512	Mpkbebbf.exe	92
PID 4512 wrote to memory of 536	4512	Mpkbebbf.exe	92
PID 536 wrote to memory of 2440	536	Mdfofakp.exe	93
PID 536 wrote to memory of 2440	536	Mdfofakp.exe	93
PID 536 wrote to memory of 2440	536	Mdfofakp.exe	93
PID 2440 wrote to memory of 2012	2440	Mciobn32.exe	94
PID 2440 wrote to memory of 2012	2440	Mciobn32.exe	94
PID 2440 wrote to memory of 2012	2440	Mciobn32.exe	94
PID 2012 wrote to memory of 4888	2012	Mkpgck32.exe	95
PID 2012 wrote to memory of 4888	2012	Mkpgck32.exe	95
PID 2012 wrote to memory of 4888	2012	Mkpgck32.exe	95
PID 4888 wrote to memory of 1712	4888	Mjcgohig.exe	96
PID 4888 wrote to memory of 1712	4888	Mjcgohig.exe	96
PID 4888 wrote to memory of 1712	4888	Mjcgohig.exe	96
PID 1712 wrote to memory of 3120	1712	Mnocof32.exe	97
PID 1712 wrote to memory of 3120	1712	Mnocof32.exe	97
PID 1712 wrote to memory of 3120	1712	Mnocof32.exe	97
PID 3120 wrote to memory of 1876	3120	Mpmokb32.exe	98
PID 3120 wrote to memory of 1876	3120	Mpmokb32.exe	98
PID 3120 wrote to memory of 1876	3120	Mpmokb32.exe	98
PID 1876 wrote to memory of 4956	1876	Mdiklqhm.exe	99
PID 1876 wrote to memory of 4956	1876	Mdiklqhm.exe	99
PID 1876 wrote to memory of 4956	1876	Mdiklqhm.exe	99
PID 4956 wrote to memory of 380	4956	Mcklgm32.exe	100
PID 4956 wrote to memory of 380	4956	Mcklgm32.exe	100
PID 4956 wrote to memory of 380	4956	Mcklgm32.exe	100
PID 380 wrote to memory of 1400	380	Mgghhlhq.exe	101
PID 380 wrote to memory of 1400	380	Mgghhlhq.exe	101
PID 380 wrote to memory of 1400	380	Mgghhlhq.exe	101
PID 1400 wrote to memory of 1380	1400	Mkbchk32.exe	102
PID 1400 wrote to memory of 1380	1400	Mkbchk32.exe	102
PID 1400 wrote to memory of 1380	1400	Mkbchk32.exe	102
PID 1380 wrote to memory of 4064	1380	Mjeddggd.exe	103
PID 1380 wrote to memory of 4064	1380	Mjeddggd.exe	103
PID 1380 wrote to memory of 4064	1380	Mjeddggd.exe	103
PID 4064 wrote to memory of 5072	4064	Mamleegg.exe	104

C:\Users\Admin\AppData\Local\Temp\0697c985e43f9168bf312a4825c742d4_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\0697c985e43f9168bf312a4825c742d4_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212
- C:\Windows\SysWOW64\Lpfijcfl.exe
  C:\Windows\system32\Lpfijcfl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\SysWOW64\Ljnnch32.exe
    C:\Windows\system32\Ljnnch32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\Laefdf32.exe
      C:\Windows\system32\Laefdf32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3252
      - C:\Windows\SysWOW64\Lcgblncm.exe
        
        C:\Windows\system32\Lcgblncm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Lknjmkdo.exe
        
        C:\Windows\system32\Lknjmkdo.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Mpkbebbf.exe
        
        C:\Windows\system32\Mpkbebbf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Mciobn32.exe
        
        C:\Windows\system32\Mciobn32.exe
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Mkpgck32.exe
        
        C:\Windows\system32\Mkpgck32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5072
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3880
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4656
        
        C:\Windows\SysWOW64\Mncmjfmk.exe
        
        C:\Windows\system32\Mncmjfmk.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2056
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:700
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3480
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Mkgmcjld.exe
        
        C:\Windows\system32\Mkgmcjld.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3124
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4672
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3976
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Ngpjnkpf.exe
        
        C:\Windows\system32\Ngpjnkpf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4732
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:3436
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\Nqklmpdd.exe
        
        C:\Windows\system32\Nqklmpdd.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Ncihikcg.exe
        
        C:\Windows\system32\Ncihikcg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:892
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:340
        
        C:\Windows\SysWOW64\Nnolfdcn.exe
        
        C:\Windows\system32\Nnolfdcn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        64⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:1232
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        66⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3408 -s 400
        67⤵
        Program crash
        
        PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3408 -ip 3408
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hhapkbgi.dll

Filesize
6KB

MD5
abedc169165c409bdc8341b5948fb6de

SHA1
e9bf014bf065c94ff3c3124141dcec52532bce6b

SHA256
bd9b059158b855a174ea3ad2d44da2b5e34b9f48432658aa4670b23b95f6fdac

SHA512
2e9121f1a15afc255b8bebdb1b6e5f1f443834be66fdb3f00805afcbcb016697864fda380d856f1e4da58aae033ad9c91f9ed5a3b3f2be5c8887ea380d1f3021

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
320KB

MD5
e06e858903bd2300bc6bf6e321f8119a

SHA1
29da854908f4734d9e1ad03f88283f2a8abc7209

SHA256
a21a5723d20a08fcaf081765b6a57a28244d0e5cbb3922c70ec55692c84edf45

SHA512
8b9b209510e9d06429404a11aecf0e4c7a270d39d6986e6d1c64d59f41e25b208603de2ca56da3f5152cb5db300c0108b25c113eff6d5402a77d262422ebfbf6

Download Submit
C:\Windows\SysWOW64\Lcgblncm.exe

Filesize
320KB

MD5
3855ad99b760bf687fa3bd9d1346fd71

SHA1
98610005b8732f0751fb036e956c9e67d861dc90

SHA256
ab63ee1d17f62c4a301495b907d53167a09c4087a62d718977e98cd9aefb3f32

SHA512
c74e6761083a9e60cab4ab8552bf05af188b82bd5ae4d6baf99914344a7dc959cca1bad7a67735a4730c55fbb15b6be09a9117c9aa18cb4a6bb41753e5323f47

Download Submit
C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
320KB

MD5
fbf0f97098f3d610b19ac51e82f0274c

SHA1
239f7fe14361ae83509b0d82c6a97cac895d0b6a

SHA256
f3df8776d5343349904614e2b3db8531f060c11c606128b5b151345744fa4576

SHA512
231661b38e0308a6490d82ed212bd853a666d67df9eb36c06292591c859fa0a1e738691c7ab88d78c869ec54a93c053ecb4d7ab89862f59896a19c18b06c7509

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
320KB

MD5
bd8d3208ab5b317d674e636df41886f4

SHA1
a389a0888072e47501243f6859182ddbb55854c3

SHA256
739d7bb78656f8dfb74160799f997ac0a95458b6e0cdad5d8f74a8b1b6a1f7ac

SHA512
93ea69bd733d9fc0a44501d8ed27514209a469e068664a4cc6a37d96881f0e2540a67221a990345dca01209eecb19e4f4b9af450d2ce648dcfbfb55ffea4653d

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
320KB

MD5
51dc87fc5bf925e6fbfab0cdfa3a1948

SHA1
1947894b55a0eaf48dbe97a2536bc7873c152832

SHA256
a0e07317842e33650e1017a77584f87734b9d9a86528b2cdbd40b3240dfe235d

SHA512
a3ab8d1b24868a489895948669d5bb5a8c937b609332dee366ca9d10ee8c19acdecb8c2b449e015a116176384466feb0d0f3d8ab8bbd479335f198d7f955a989

Download Submit
C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
320KB

MD5
234160d59fb8ec55a1a824cf5db096fa

SHA1
c73973175b3261685cd6313d2e382c678132d3f3

SHA256
6adc6a17fc48bbef68e3683d4758ef2fd73b237c80a711ab6147d9adc3f65fa4

SHA512
c4631e06f60ad3a9d858c66d4781bbc64cb353831e03b4d4a3bbf902f2370fda385950eccd16b6714b14e2946d4252b228e43da3694755e24fa86bb1a0307d32

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
320KB

MD5
cb08b02baaf287e2307d7d3659d5ec5a

SHA1
d3022fb3235abd8ab3133aa924b5bae3cd5b8949

SHA256
75672a9609334ec5c2aaf469d27def687f56646d06e9ceb52f344a9c7319d274

SHA512
c127243f5a8b1426122efe872badf43c355dc6b6c4819ec78287d405b90abab829f01638ec3c9f2b6a02287421eff325e9a79cbf50226298556190b96cfd05ef

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
320KB

MD5
e84b6bb7cc64084c612fd6b5a1220917

SHA1
c5e23be2b18720dc0245795866a559ba516548f3

SHA256
d2a9903193b7d415e81e223ee4a57743b860c5ce217afb3ed2e604762e2eae3b

SHA512
d8be13869df8c33f5a878f8ff69306b9506eccf03409a5ac04037d12ded5f71f76a031b3a255a0e09094b3d3f9bebc1ba3b8d59ed13cc4a363b3f4cbfd703ecb

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
320KB

MD5
de32d7c65955638d375b3bb69f6c95b7

SHA1
2f6e8bac80bd213054af49e4598a77de463b9418

SHA256
72e05c9161a757ebf4a4ef7a17f836d560d45cebcc062f1ad881135a71910251

SHA512
2bca8b976ed18fe4af18078e2aa2a7ad39eb988850b7dd28f2b810fda27bca909d3768e6846502c51a31e5ae9ff12f9371cdd482f4172e1af23d5fb2f6aecbde

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
320KB

MD5
773cff66ee1df2cbd5ec2050a9504602

SHA1
97d221aef141003a4c6a227eedc31d4273b10f25

SHA256
4dd5cf7f4cdee3963cac53e421a5b83320bcfc41bb0606393ad09b32ca82cff5

SHA512
85be20e2f62f7d0920dbe0c4592dc7e78a5b525a52a28ab2d3ca0732023eebf6f71db63f0d15103c95d4fd8a271efbbe6a093c8c04cb35e00e198033829989f8

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
320KB

MD5
6ea7af04a44414e14c4bde91000b5428

SHA1
b2b556b03ebc12f55b372743390fdbe535f6807f

SHA256
665e52ab6bc80b517e9ac137f6f4704df0f360d5761c8d87ac4a6d225895a6fd

SHA512
c53b9d00601bcad732bbcd0d46d9303d7672161979ad6c7fc87d1c16d3091012099bdb51140aa2378c1d1bc2b7f56e909ef95d8b95ba5f3b19f9543752b115fd

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
320KB

MD5
b4466a5e97b8565c51dda2b5ae772a77

SHA1
5746992ef65ae2eb8a889ac9e0d221a68fb4d691

SHA256
060aa46ec3a541b018a8014c9133e4aff185106e0e6f8206f80c33e33cb784b9

SHA512
3e8e82a7d07bf25ffc90bd075ae2c8a8af647d82e3296efcd9fa4ee1e9fa1abc6270641dac50bd9268cd7bfca20ff9c28c6b8416ab75447986e8f8e9175384a9

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
320KB

MD5
e9875980a87cb51198543b22ac99fcdf

SHA1
7bc0b42a6445437aca69a124bac90641d4f2cfb2

SHA256
06f577825e9668de96e2d6ae6eb4448c14c122f5f30f0b28b589cf9127a9481e

SHA512
dd2e9668fe24ba2705703c8909b00d09509477066428253d4b0b3871a9a1a681289dcf995cef66b4cccb2e4f52ab04ceff40c6f54393f786fe5c2ce4dfc696f4

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
320KB

MD5
b0c4afc0dd13ede3fabd53620cf71641

SHA1
5a84468177252249913f5c7ce7ee9db2adc1e19c

SHA256
7672c46e5994d3f998fd039b9ca5c80ae34e46629111b90a43130260b68e29e4

SHA512
b8a6746556c61f36ea2dd13774a8bde1def90644ef38a74400172271c5c38460dddf0aa2f6468d68f1ec9d2d3008050cd102529dbaa2156f40d54efce56884a3

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
320KB

MD5
08086f3d423085c0f5203089e52d37cf

SHA1
9c9e6cdbc05b2d30a353ff804eca85a0f470ff23

SHA256
b68897d58834d82312143802b8f469d8af37cb87d5395059128669d7a73d4e06

SHA512
ae7d5a79dc2ddda6c3a1fce57a9ff07975c3cfcfda36c42b79fa5a4b189efd5038db2b9e7f77bc05fbd8c3567e11ae6daee258ba52458d2f92988bae5e3e270f

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
320KB

MD5
830fad6c05c7fb43ea4698d71f192f78

SHA1
7836ed102e982f405debe6d79246b4393dc3f6d3

SHA256
0cc1244a12bc0da83fd69aa9119e105e2f459e0337190b627450221d3b62e1ba

SHA512
acbd5ddb9622390b71f36463d93580ae4b7e4fba94cf528aea901116e9041ca4b921c444abdbf1513a130f17c2783009e081fbc1dc26a210ab59f055d8c5f8f5

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
320KB

MD5
9b87a03f28a7511ed52c3e4dcd669e77

SHA1
6de84dd12aa55c07ac412bd1118f1fad4e0cfd22

SHA256
8f52157e1c4a6ceb6b03f2c516725934727c3d4e70f658d7da2e11ed22377708

SHA512
9150c5d1f8a9a38ae0159d36add97477eeb459c67058128a649f9f129da1e13b8d1362f059de4a2905716e3832f69f2d8d1b095a5a607fb757eae66a62738054

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
320KB

MD5
3c6c27c52cda6dbc7dfe2e71b4705963

SHA1
f9934d954d4c44c81691ae0cb5e8994bff1924c3

SHA256
328be3bb477c385c4be4c9c92e3e6c4e2ecfdc3488c1d9117b62953ff8ab8df5

SHA512
0be5a5d2f526b1070f274efd3b76779e39eeef8d0d5f0c4d64f030315365bf66cb6393cdce472b4449fb54ac990483746e1b95fa3c8f8eff148dc6955cfa8e2c

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
320KB

MD5
a0777045ed449e677ac087aecca8d5d2

SHA1
f517d11b88f7ad8d652ba43e95d36063c97770ea

SHA256
851f5dd58f2ad38f1a921502cf8b951f111cb36771ce0256a6d0ec42a4cc98a8

SHA512
1c85c713e50033b89460e0357579bc339fa291793b0306a61922e1337d4e31ee916ca7cbf24af4982ca2cc8d96634124c09ecaae91ea44b03afcf0c3df3a1795

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
320KB

MD5
2a8a08bf7d3e8766327a04b88847b5ee

SHA1
fac46ec3337412e78f8bfc832719d52cc6fc65dc

SHA256
c2a36f844aae244c04bda264f2dcb49574b903aca2278565954eface5c1d0609

SHA512
9ba008949eb93464d6d08740125973c2edbd051b473426cf60d4723db46abfca6ce42aeb40822b562d92817767060b014d9417af1766f251dea94ce0581f1090

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
320KB

MD5
4beada9a7b9c0d67fc310648d044396e

SHA1
88be3a3c5049e4de6334fee2a71ddb2f25d5e327

SHA256
eb7a07e95e7f00065eed98dd53ec4e64167b576ff54fff2e8f0deb3ea9020dd6

SHA512
496859f6e88a5a0a61cb2d039c1cdded83188122632bbc0325451e9019506667aaa2a907f4f813daaaf5aa74938a11a4cd9b40df4bacaf2b13bfa7d823aa3047

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
320KB

MD5
610dbc316e343e3b4dd6ab84a813314f

SHA1
7280fdb585d01d7473978518604150475fb00f0e

SHA256
4f75821e343d604f3909e4f71661c9b3ff1f21674ca7ec285ae1f84fa47b1559

SHA512
d5e5b1e470f11419174831494683d9075934745946851dcd91e548e238137cd3d6ec19bd18660938dd85af13d754d768fac3d7f773f89305b85d6fdd5f8bdf13

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
320KB

MD5
e6ae38ee3e8eedbc58946ac9b84eaedf

SHA1
72351d25fe9332eb158af90585b7ccb506eebcb6

SHA256
352dbac9e07f8465a767a5ee86703bea87cc21d259cb85c161b5897aea0afca9

SHA512
50cbc4046239699d96d6cc749e7995d10af1ac5a90ca525a3e958d0ed35433926c363a0e4468ff068729a16de0ee6434f7398fba957b1bc767cbfd328bb27b84

Download Submit
C:\Windows\SysWOW64\Mkpgck32.exe

Filesize
320KB

MD5
b00e53c4d85f94173f06246dd6ebab8b

SHA1
b9d2fd9463f68337e9f77c4f1b9a918593abd759

SHA256
5f5ec1e95aac0e636f68797c17beab4b49a64a6d6f16cd63ad580db5de8a7847

SHA512
e71c48b82580910b9ff872863bf88523d60b7f10673f8176f7e6d4914281410c0efa2bc461b304a08cc4c565bd7d6a4d3bc46fb8491b0ba1fde666fc6b3ad91f

Download Submit
C:\Windows\SysWOW64\Mncmjfmk.exe

Filesize
320KB

MD5
12b57c8a7100795cd2739254c1a07ebf

SHA1
26087d5486689724871bd52aa107177835c9ab11

SHA256
6b1fbf5f5f984801a88ebc60145ef577e37e9a7203625a213846ec96a77b767a

SHA512
1e4842d97d12a99c1a35cde6f7015dbab65dc292e5b0da09a7544af84e68843258507f742f653bac94c713ae1059c97920113690ad6dfd0153937a91a0b1d0f5

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
320KB

MD5
e4c6b7380970b9b0125985aa73a05d41

SHA1
ef3a273842d45551d2fbf67b01fcb676ff6984bd

SHA256
a14bcb85e8484d458b5b5cc8713b3f03e39394ff2d8149642f07e4431e37e0ba

SHA512
34484ddcb28117ec7d71f75343c228edc3063dd6450a5afad350f68c3625dc9d4a6ad80d5e2da3a3d6bdd1f81bf9de17361c4f0902ce81bbb1ef6c48d046acbf

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
320KB

MD5
9e7151da86a7f190064ec9e42b67d4db

SHA1
6b2179a8866ced0ee5c59e9fd74b5bd41ef3c364

SHA256
e608feb48c20e936e11f183d137c379c4500416911808b782b09c7e263dd7d96

SHA512
6f2e760821a81f1fd2961584d572cabe5f280a44889928f6f165008233bc17b6ef34d36aae310a2231666b486f21552db6df527c603327bee7fe90db6981841e

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
320KB

MD5
8cd3742c825c056dc81752d92b7e5d31

SHA1
88d3c2991c75dbd30237d1698a9e05d0aedc6b75

SHA256
5a40e1650fc1c711ed87e5a0f206a1138ecd07da5a7038b03ea3ca096639b642

SHA512
72c48a0d5155403212ced0df3d927bdde9b980e9d94213c9e49535c838e364571ad1479c6a88e1c415288744d0c7dc81602902e461e0b63dfb57020444aeee26

Download Submit
C:\Windows\SysWOW64\Mpkbebbf.exe

Filesize
320KB

MD5
9835b632fc7d07576d0784152592840b

SHA1
10def9cb5382cbfa3e3cd98e858f1a2028824558

SHA256
5cca9704b1d8183f9e5611d8768fe1affcccf666f129b09982d54d13f27b1e88

SHA512
4ecad56ddcc52f946a1d55f3edcd9eebe59c10d01c0c9368974371507dd2957c8ac0a558e068ae37e72129c2759c608e4dac4d89d7ad923cb86444ad54cb7f1c

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
320KB

MD5
f74d2a357889dad5e6c5bf4e8f8dd704

SHA1
607dfb12d3f763766a5f79f6d945a017e7bfbdb3

SHA256
c7498db16630d233af6fc339ddf7fc66fb472316057c9d4f79c095a27b6edba7

SHA512
aee2b706227ef604399dc920cd9c8c98e34428b4f4bab24d2e5994d5828cbd2802f31907408571a89b438221ec005c252af4ea5904e9851681076e8d5228b8a4

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
320KB

MD5
e8b6eb8d32474946b8071282ce374263

SHA1
c807ed767aa840fc039a9219a6a59ad7f2b3faa3

SHA256
4d227bba76c7b2d35eb002a4acfec78d656a91ff92e4a803cf89dbb161a7979b

SHA512
67d657020ca777da12ea66e5f01371587f2df3bcb1ab4e34f99e612d25c2170dc50b7429910c9fb785bfbed1a22904e018be969107d09949baa20aa306e9bfa4

Download Submit
memory/212-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/212-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/340-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/380-404-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-396-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/700-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/892-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1000-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1072-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1148-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1232-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1312-426-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-406-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1400-405-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1564-410-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1712-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1732-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1876-402-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2012-398-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-415-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2256-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2332-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2440-397-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2444-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2468-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2596-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2616-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2996-414-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3024-421-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3028-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3048-394-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3120-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3124-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3180-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3252-38-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3408-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3436-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3480-417-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3688-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3880-412-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3940-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3972-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3976-424-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4008-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4056-423-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4064-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4192-409-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4256-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4268-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4352-427-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4512-395-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4656-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4672-422-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4732-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4812-430-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4828-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4848-418-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4956-403-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5072-408-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5084-428-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads