965453d18d90b6bfea5541e2aa0fe579ae8f6576153471502fca38115804ea5f

Analysis

max time kernel
133s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

85a41e4154186640cf912758262aa950_NEAS.exe
Size

90KB
MD5

85a41e4154186640cf912758262aa950
SHA1

591cff85b132d71032d6954149da8cefd072c2fd
SHA256

965453d18d90b6bfea5541e2aa0fe579ae8f6576153471502fca38115804ea5f
SHA512

a759588c8a3de5b148f1017f8fc8b4efed58ba5a83fe6bc5ce0e55e4f0075ebc8334a67ca0784dcd260303866888723ebb137cb28c3a3af3a20626b882445dfd
SSDEEP

1536:FevaaIFbhC5P3XWgHZ9/bnLs85t2Q4OdXXjtfOOQ/4BrGTI5Yxj:FeqhIWgHZxLs7Q155U/4kT0Yxj

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	85a41e4154186640cf912758262aa950_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	85a41e4154186640cf912758262aa950_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngcgcjnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgghhlhq.exe

Executes dropped EXE 24 IoCs

pid	Process
3012	Mahbje32.exe
2276	Mdfofakp.exe
4936	Mjcgohig.exe
3868	Mnocof32.exe
2496	Mdiklqhm.exe
4696	Mgghhlhq.exe
2600	Mpolqa32.exe
924	Mcnhmm32.exe
3440	Mjhqjg32.exe
2740	Maohkd32.exe
2964	Mcpebmkb.exe
4556	Mnfipekh.exe
2604	Mpdelajl.exe
3984	Mgnnhk32.exe
4460	Nkjjij32.exe
4828	Nacbfdao.exe
1328	Njogjfoj.exe
688	Nafokcol.exe
4912	Ngcgcjnc.exe
748	Njacpf32.exe
3880	Nbhkac32.exe
4004	Nkqpjidj.exe
2548	Nqmhbpba.exe
700	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Njogjfoj.exe
File opened for modification	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Mpolqa32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Lfcbokki.dll	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Hnfmbf32.dll	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mcnhmm32.exe
File opened for modification	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nbhkac32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bghhihab.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Nqmhbpba.exe
File created	C:\Windows\SysWOW64\Nqmhbpba.exe	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	85a41e4154186640cf912758262aa950_NEAS.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Odegmceb.dll	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Nbhkac32.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Egqcbapl.dll	Mgnnhk32.exe
File created	C:\Windows\SysWOW64\Ngcgcjnc.exe	Nafokcol.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mnocof32.exe
File opened for modification	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ngcgcjnc.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	85a41e4154186640cf912758262aa950_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Mnfipekh.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Nkjjij32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
404	700	WerFault.exe	108

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	85a41e4154186640cf912758262aa950_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agbnmibj.dll"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbkdl32.dll"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nacbfdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	85a41e4154186640cf912758262aa950_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ngcgcjnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjhqjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	85a41e4154186640cf912758262aa950_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfmin32.dll"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ockcknah.dll"	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majknlkd.dll"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqmhbpba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	85a41e4154186640cf912758262aa950_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	85a41e4154186640cf912758262aa950_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqmhbpba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Nbhkac32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 324 wrote to memory of 3012	324	85a41e4154186640cf912758262aa950_NEAS.exe	83
PID 324 wrote to memory of 3012	324	85a41e4154186640cf912758262aa950_NEAS.exe	83
PID 324 wrote to memory of 3012	324	85a41e4154186640cf912758262aa950_NEAS.exe	83
PID 3012 wrote to memory of 2276	3012	Mahbje32.exe	84
PID 3012 wrote to memory of 2276	3012	Mahbje32.exe	84
PID 3012 wrote to memory of 2276	3012	Mahbje32.exe	84
PID 2276 wrote to memory of 4936	2276	Mdfofakp.exe	85
PID 2276 wrote to memory of 4936	2276	Mdfofakp.exe	85
PID 2276 wrote to memory of 4936	2276	Mdfofakp.exe	85
PID 4936 wrote to memory of 3868	4936	Mjcgohig.exe	86
PID 4936 wrote to memory of 3868	4936	Mjcgohig.exe	86
PID 4936 wrote to memory of 3868	4936	Mjcgohig.exe	86
PID 3868 wrote to memory of 2496	3868	Mnocof32.exe	87
PID 3868 wrote to memory of 2496	3868	Mnocof32.exe	87
PID 3868 wrote to memory of 2496	3868	Mnocof32.exe	87
PID 2496 wrote to memory of 4696	2496	Mdiklqhm.exe	88
PID 2496 wrote to memory of 4696	2496	Mdiklqhm.exe	88
PID 2496 wrote to memory of 4696	2496	Mdiklqhm.exe	88
PID 4696 wrote to memory of 2600	4696	Mgghhlhq.exe	89
PID 4696 wrote to memory of 2600	4696	Mgghhlhq.exe	89
PID 4696 wrote to memory of 2600	4696	Mgghhlhq.exe	89
PID 2600 wrote to memory of 924	2600	Mpolqa32.exe	90
PID 2600 wrote to memory of 924	2600	Mpolqa32.exe	90
PID 2600 wrote to memory of 924	2600	Mpolqa32.exe	90
PID 924 wrote to memory of 3440	924	Mcnhmm32.exe	91
PID 924 wrote to memory of 3440	924	Mcnhmm32.exe	91
PID 924 wrote to memory of 3440	924	Mcnhmm32.exe	91
PID 3440 wrote to memory of 2740	3440	Mjhqjg32.exe	92
PID 3440 wrote to memory of 2740	3440	Mjhqjg32.exe	92
PID 3440 wrote to memory of 2740	3440	Mjhqjg32.exe	92
PID 2740 wrote to memory of 2964	2740	Maohkd32.exe	93
PID 2740 wrote to memory of 2964	2740	Maohkd32.exe	93
PID 2740 wrote to memory of 2964	2740	Maohkd32.exe	93
PID 2964 wrote to memory of 4556	2964	Mcpebmkb.exe	94
PID 2964 wrote to memory of 4556	2964	Mcpebmkb.exe	94
PID 2964 wrote to memory of 4556	2964	Mcpebmkb.exe	94
PID 4556 wrote to memory of 2604	4556	Mnfipekh.exe	95
PID 4556 wrote to memory of 2604	4556	Mnfipekh.exe	95
PID 4556 wrote to memory of 2604	4556	Mnfipekh.exe	95
PID 2604 wrote to memory of 3984	2604	Mpdelajl.exe	96
PID 2604 wrote to memory of 3984	2604	Mpdelajl.exe	96
PID 2604 wrote to memory of 3984	2604	Mpdelajl.exe	96
PID 3984 wrote to memory of 4460	3984	Mgnnhk32.exe	97
PID 3984 wrote to memory of 4460	3984	Mgnnhk32.exe	97
PID 3984 wrote to memory of 4460	3984	Mgnnhk32.exe	97
PID 4460 wrote to memory of 4828	4460	Nkjjij32.exe	99
PID 4460 wrote to memory of 4828	4460	Nkjjij32.exe	99
PID 4460 wrote to memory of 4828	4460	Nkjjij32.exe	99
PID 4828 wrote to memory of 1328	4828	Nacbfdao.exe	100
PID 4828 wrote to memory of 1328	4828	Nacbfdao.exe	100
PID 4828 wrote to memory of 1328	4828	Nacbfdao.exe	100
PID 1328 wrote to memory of 688	1328	Njogjfoj.exe	101
PID 1328 wrote to memory of 688	1328	Njogjfoj.exe	101
PID 1328 wrote to memory of 688	1328	Njogjfoj.exe	101
PID 688 wrote to memory of 4912	688	Nafokcol.exe	102
PID 688 wrote to memory of 4912	688	Nafokcol.exe	102
PID 688 wrote to memory of 4912	688	Nafokcol.exe	102
PID 4912 wrote to memory of 748	4912	Ngcgcjnc.exe	104
PID 4912 wrote to memory of 748	4912	Ngcgcjnc.exe	104
PID 4912 wrote to memory of 748	4912	Ngcgcjnc.exe	104
PID 748 wrote to memory of 3880	748	Njacpf32.exe	105
PID 748 wrote to memory of 3880	748	Njacpf32.exe	105
PID 748 wrote to memory of 3880	748	Njacpf32.exe	105
PID 3880 wrote to memory of 4004	3880	Nbhkac32.exe	106

C:\Users\Admin\AppData\Local\Temp\85a41e4154186640cf912758262aa950_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\85a41e4154186640cf912758262aa950_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\SysWOW64\Mahbje32.exe
  C:\Windows\system32\Mahbje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\Mdfofakp.exe
    C:\Windows\system32\Mdfofakp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\Mjcgohig.exe
      C:\Windows\system32\Mjcgohig.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3868
      - C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\SysWOW64\Ngcgcjnc.exe
        
        C:\Windows\system32\Ngcgcjnc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\Nqmhbpba.exe
        
        C:\Windows\system32\Nqmhbpba.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        25⤵
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 700 -s 424
        26⤵
        Program crash
        
        PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 700 -ip 700
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mahbje32.exe

Filesize
90KB

MD5
e52f22aba1739f45f70fed8317c6862f

SHA1
24c3ada8195d776d88296a006458a15f9c0c71a3

SHA256
062f208e93497ad61427c724a1d3223f7df5c23142f896fa852e15687b1ce1c7

SHA512
c67f63eae15d5888194da7953887e220e6501cacc2285fb9de7c652d510f2e288c12c965c01b467120426bf01416927eb4258dee298c124aa2d9b4cd6ee73139

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
90KB

MD5
8adcb189dd8d49c4afc133d5c74c24bb

SHA1
4f93a20abbd4fd4027ee6c00386f74768498f690

SHA256
144f4174000973af1dfac2aebb73bc74ef9fcd4d5d3974fd66a49bd8d84d87f1

SHA512
9915044e11d16aa36cc7b4e443bb417221a0ae790c69793b748f3f6fb3cbd090c852d980adfe5803f068d630dafb96f23da40e6402b350cb13cc7ef22dfe654e

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
90KB

MD5
f79bc50c74ca0be7e6d1b30bd4929f0a

SHA1
6bcfd584839d962a5cf630df772aaa2eb1960e17

SHA256
c1ea15d9b380d0ef6cd33f4594c8509e23bab7af19b5adeb7f9c711dc34d6d08

SHA512
790c03e6b6d7fe1c241cee6f1604a8f0ef7d4fbe10ae2a7471e4c502f9d9234868727108004bf05bfb2a313e9c30ad3962270eb89f278240370980ae680cff14

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
90KB

MD5
b2250d365836b4d281f7a0645e4c3275

SHA1
9b3cf097b2e1739c32f2e68868e6a6aa00c83bd3

SHA256
f0d83766bf87fe625cd0cf70f514c4eb6c54c18a2e39c5ca1607a580807fbc35

SHA512
336d223369a67785d3570f391a51c3f29b15fe98a1f6e32770717f698074d645e366dbc032aa476013672ad45bb1ed03a429cbca8096e6af5d6cb4bec0d453d8

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
90KB

MD5
fac8463a09fb91504823af6e60371810

SHA1
e6eebc670f9041d6a4df3613ff71066fd68ad5d8

SHA256
9788a9e3b22b2798fa0d0a13f62e9006545acfc933a8acd68e1e8ee2e2267bfd

SHA512
542ffe45c2fb8e53d33e41e0ac0e87622b962376f36dffb4a63423a0a79e25db795a51d1ebf76226b3d4791b01892ab706570202cc0f6035139918d14a0f59e3

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
90KB

MD5
1cc3fb60553a2aeb33d48bffb5358c9a

SHA1
ed11188879ab3fb782fe4513d99a7b735334c1d5

SHA256
9d1d47dc54b2640097b838f217b3bb7c4c29f93e5b6a801bafc11e1c9280c906

SHA512
eec5938404c2c73b9770bd9a366ad59e6fd93d59a515629673f78b10ccfdd20e2700168d10ca92821bbf90deb4ad98726e2823c3c19937693645f4aded1df7a1

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
90KB

MD5
f8f6b0f113cc882871a056fe81e01679

SHA1
3e4ad312d6532f406ee4ccedb5dc33bd3c4d948f

SHA256
811f8b75a60a0c53632068f7f86c6c5d8bb09cf7747dde9132170d6637bd4c40

SHA512
804275ada7729768af8497aae278539b8e11e053cb894a8350b937934af35ddfc9638b51ed50537f743ff40416e6030ebefe64d2d7dd84b21e65171865a5adae

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
90KB

MD5
049e0c4782ac3b913a80eef2b8f027e3

SHA1
e59dabdfdbc485b7a6fd4bd7f0167ce3f4e73720

SHA256
d61a58554a5b370520ae33ac2dbdf770c06ec87d20fde5998500282b6243f3d8

SHA512
255d43b3df48148cfe182bf51869788c7cbacd13761e73a477135fe1ca9a8d7d67d3a50cdf2636319c2869b883e8b827b5403b0a0378dec996f84da37c0190e7

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
90KB

MD5
3afb76e5955f3621ae28c128b224c236

SHA1
897fcc57338ce3bbf9894b5bc6398fd106d6311a

SHA256
d7d152dd2fc3231485161664fa3a25e072f7124ec635d680d8132dc32919fc41

SHA512
9201c301bc8c64aa25226dc9b4dacf5867ea038ddb7df592c7ab39acea02f86c2dec94c92463110b5242a44cbc05e37b6222d646d5671773cbb4bd81e3e96793

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
90KB

MD5
895f0fdbcf2760caecd6f370e5b06429

SHA1
59844abf1a0d54261541815a21bdfcd1c39d6440

SHA256
715b81c9b52985fdceab7a6702d9ec8feaa6a0ae3f3ce7373866391d2e58b1b0

SHA512
2130e13d5ee20d687d71f811d66eb19a8034e6bf6f3ba93b02293ff594b04b61cfff8dc24e172862110e18d6acef1ed56caf4ee61fced088f40dbc99e1ab7a0c

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
90KB

MD5
2afb90d078edd774e39a0af83a3ba9f0

SHA1
4fde1184e49646e303d5041084fa8caefbf4aea4

SHA256
359f7d4488ea6e2109c212eb5de9d76baa879e87325b91482d3a40d76c2dccfd

SHA512
7deef753eb8f2c676bed5c94ac18b8c170f9d28b61cfe490af486aaac3f124db59d4c86b959cce24a0dd5762665610c909e84e6e2e283e41ba76559e6e284977

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
90KB

MD5
44fe5baffd64b17e1ba8dd3ebe45ef6f

SHA1
87a7457bba03e29a785357082fb84a600e2018d6

SHA256
f89f462a9bb90ff6eb438b9075e631af1c22716f03f00c8079add4cfa234e9ed

SHA512
3f34286211aa7700156c53b76afa5ec6f9c5ac14ba75a604fea08b7fd70f7a8ba39cdaeebdf9a594a3437127bfc0077cc0f65be66b8b8d8c356339039bf5c540

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
90KB

MD5
c31b1141029279fd941d2abf4c71db5f

SHA1
3858f50a7bb0c0b7818fb9c043408bcd43b015f6

SHA256
01ea43616740daedb08e9d53bc08d84d47bd2f8f76036c5cc6c44b9e7541b402

SHA512
f726c3172fa30f12bcad2217249065a6edab325e91772bbc4f429c862549fc30a9954985e618fc53e6d8a4bd2fe84c8efc3b91a303dcb8603742f258dd9025d2

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
90KB

MD5
e1e76f19a4790a61d2e9153a326d6d51

SHA1
63c3e8778e3d63ec948c71f7d7bf8a96e915dcca

SHA256
63dabe95091668c1c3fdb0ebc51f878b803541449e42e32542913e9cfd046fda

SHA512
57bc28ed9fe403900ab4659c570bcdfdbf25284bb0c1a20c992e666e91fc997875f92f949b441f2aa85d488c64659cca52e329bd5f3a0ef6dfd6eafc2ab1986a

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
90KB

MD5
ccfdedd5aba80a9b071cdd3d5dc4a36f

SHA1
9ba78441cbcabdedbeec960bd30b36a4dd60d7cb

SHA256
517456e5c8d4d16bc998f6d9d3e8607b27b4cb918f8feaa92896b60410b4ceb8

SHA512
d7d40e33e65c09c731d7207d095b8df340712c6919348cca54a8ac6aa0a41829d1611942db5a7b0624f5f54f98137f8a5f02c5ee61e500a271964d4cc271eedd

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
90KB

MD5
f31f3de20da68dd823da456705a1f513

SHA1
282b0fc78cfcc314678911d4d8960526271191a3

SHA256
8d2819149bfa9af4646abc415f9c90e8edb1aeb64f08c4bd6ce78caa2524dfe2

SHA512
21de10e1ed9ed24c3d49d4046c0b3651fc29e9284f89318dfd55a7409f5ec9c2e36a6a6850215859ed2fcfcd77cedbae8a692b5bff58002c2d878c41cd64f7ab

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
90KB

MD5
7079fbbe63b6b79862326aec83ca6491

SHA1
e59e17f4cbf02fb1a36ceef31d0ad1af5b9e50ef

SHA256
14f5cd179626813470bed5e8e76149c0eb714fd6fb31ca3ab34b8e0075ee86b2

SHA512
a50a9543a4f765d3c92ecf5e144c21f70c4d96b279c35c5c068dfa5c188c88693e3e7669de5673365279bdd220080125b8b2a9eb7534a44cf2198f6f94757eb5

Download Submit
C:\Windows\SysWOW64\Ngcgcjnc.exe

Filesize
90KB

MD5
ff24baca3dde8d39f80873b22f6c65ce

SHA1
a06badfdee46dff6fa64a60eafcb2b12b5cff182

SHA256
2200e7534ba583b314ac4cad025ecdd8b75be21ac720a9bba230f805b8699bc8

SHA512
25ba4bd390da1825e7109dcdb359a10bca0baf5e53bee62e95d7ad233c7983f6ee362799fda1925460b27e0943f70d877025d3c33e498acbed58bf126042deb9

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
90KB

MD5
fd2c048463076e732f6ea039db8dbf3e

SHA1
0ac1c655d8e94b55cff27adba80bd36491270cc6

SHA256
052e049ec1af054e99165446754b34b45f132e56f4ca41d6ebdeac734825b938

SHA512
33ed3dc13a942993ede867c04f6c25c7b63ba9397ef6d21e7d1bf3f965f81289699c0129d79f99583dbc5e0e6cbae995a761022b17114188d4cea6f24c79da32

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
90KB

MD5
df9783e69361f333c16523d72258f4ef

SHA1
37eb46a815b9217e743512111bece4a56daf93d0

SHA256
ad9d73f343ca1a702f3bc9d0959501353bdc89069ce7954449c64055a27234e6

SHA512
f555553ed93eed811471a13d9373d0ec8b02acb1227c0f60e92fd8933fc905761f2c568239ed7ea7da1000f84284a6be52f09374faf379c9532203561abfca9e

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
90KB

MD5
6d0c6a1916c9af5cd2c2da069173caf3

SHA1
3301d9bcf2f79b4029e82a02cba0651216c37cf4

SHA256
11677d38e9ca33d42effc6e6712e77f657a672bc3c1bb484aa5c9dca581a55ff

SHA512
2bd38517b134fa6ac8ddb33920c9e89d76f9efb4ef05f056af4be6f1ed9d8b27dfd062151ea44ad60657697e4829ef9465eb501a26c082d6b75bcd4ce41f7192

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
90KB

MD5
f14990387fc8468f1b1e5ec228ad0477

SHA1
e94a351964a5669698705ee1683637a6af968b01

SHA256
a93a2ea6807424510dc239ec38d55b5cdb6be178c3386a2453e5316794b12d22

SHA512
0f07e846ece14335a8aa1d321b3b447a1840846c9a40cbbe93d030a3556b6ad7376533821d92ff669cc314d1ea3579e86368eeda4f077f4b06ac014a983cce6d

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
90KB

MD5
6b3fe76424541f4850a0aa7bb1fffd34

SHA1
364e103d0b4e19ad6a9318b64d27df5dd23260bf

SHA256
e4b4547cfe4cfcbc17f6991443809c6fa1f21c909e1605162654f6aa0d4807f0

SHA512
c0296da0db09f4efdd8c92949297ef1cd03414ce19376c0b1c94043ea51ca666e024481af6dbeb31ec68ca1570110afa100a9987c5ca835593fa025ca03a8d75

Download Submit
C:\Windows\SysWOW64\Nqmhbpba.exe

Filesize
90KB

MD5
b27399c60dcd2c4d350a677808e1790d

SHA1
c30380d43a287db10402486332da87cec3427650

SHA256
f2f97d0b89cc34af07183c8b8a9b33417a7c334d573a7bb6bef8f8f8d9cf8b77

SHA512
9ff780741567386bc733c0031a968335587cd91e618ac97b0d6e745ba6d90f79f6eda47cb2fa8f7ef1a512d936ed3c7ffe4b156a00d9cc37f2773ec41340fe1c

Download Submit
C:\Windows\SysWOW64\Ockcknah.dll

Filesize
7KB

MD5
d1695aa46f3b5822e3e790557f933b1c

SHA1
f555a8e617313a5738f54c05e9e97d2c616371a0

SHA256
2feaf70ad486dd96f6757105249cce3fab4a26ea4ddb1612f954de04f729dd6f

SHA512
b0bceacce5da5db177179e3298e4422668555ad98ff66e780a6caed4ee31db453e03085847f17afe68d051b3085a42c12f49a7e9c6ec05529d4d166092d30d4c

Download Submit
memory/324-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/324-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-214-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/688-153-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/700-207-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-211-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/748-171-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/924-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/924-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1328-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1328-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2276-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-125-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2496-44-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2548-198-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-108-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2604-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-170-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-178-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2964-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3440-76-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3868-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3868-115-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3880-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-116-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3984-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4004-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4004-188-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-216-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4460-126-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4556-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4696-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4828-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-212-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-162-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4936-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads