872d1a0b864ccbcb04d21fe372603ac99c6ccabf8d285e6acf1c6b4edee2955f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
Size

80KB
MD5

6db7247ad7b092a69b3d60cf37dedf60
SHA1

21771a06c55b5732d45977ad40f7e0eeec888f40
SHA256

872d1a0b864ccbcb04d21fe372603ac99c6ccabf8d285e6acf1c6b4edee2955f
SHA512

b62611ac8f719b2c8bb5ffa48b731f9c48e5b9a8f1938fae1e039a99940b75f7fed4fcaeb1d476f651fab12bcf6c176555f0538593ef4a5240d46c7186146d94
SSDEEP

1536:s2F9ZzbjtuHPier/JVSPzDfWqdMVrlEFtyb7IYOOqw4Tv:vF9rh8/HSPzTWqAhELy1MTTv

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndbnboqb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkhapfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjjij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nafokcol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Majopeii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljnnch32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkbchk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nafokcol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lddbqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe

Executes dropped EXE 38 IoCs

pid	Process
320	Lnhmng32.exe
380	Lpfijcfl.exe
3960	Lgpagm32.exe
1992	Ljnnch32.exe
840	Lnjjdgee.exe
4524	Lddbqa32.exe
1928	Lgbnmm32.exe
2448	Mjqjih32.exe
5012	Mahbje32.exe
3516	Mdfofakp.exe
3804	Mgekbljc.exe
4404	Majopeii.exe
3368	Mpmokb32.exe
2488	Mcklgm32.exe
4936	Mkbchk32.exe
2056	Mamleegg.exe
4388	Mdkhapfj.exe
2272	Mgidml32.exe
616	Mjhqjg32.exe
4072	Maohkd32.exe
3348	Mcpebmkb.exe
3932	Mglack32.exe
3376	Mnfipekh.exe
4572	Mpdelajl.exe
2844	Mcbahlip.exe
4024	Nkjjij32.exe
2492	Ndbnboqb.exe
2068	Nklfoi32.exe
1140	Nnjbke32.exe
4876	Nafokcol.exe
3632	Ncgkcl32.exe
1612	Ndghmo32.exe
1620	Nkqpjidj.exe
2232	Njcpee32.exe
2756	Nbkhfc32.exe
1380	Ndidbn32.exe
2648	Nggqoj32.exe
4364	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Nafokcol.exe	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Ndbnboqb.exe
File created	C:\Windows\SysWOW64\Jpgeph32.dll	Lnjjdgee.exe
File opened for modification	C:\Windows\SysWOW64\Majopeii.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Jcoegc32.dll	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Oaehlf32.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Mbaohn32.dll	Lnhmng32.exe
File created	C:\Windows\SysWOW64\Mdfofakp.exe	Mahbje32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Nggqoj32.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Bbgkjl32.dll	Lpfijcfl.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mdfofakp.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mjhqjg32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Maohkd32.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Ndbnboqb.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Gpnkgo32.dll	Mgidml32.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Lgbnmm32.exe
File created	C:\Windows\SysWOW64\Lnohlokp.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Cnacjn32.dll	Mdkhapfj.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File opened for modification	C:\Windows\SysWOW64\Nkjjij32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Ndbnboqb.exe	Nkjjij32.exe
File created	C:\Windows\SysWOW64\Fldggfbc.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Opbnic32.dll	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Flfmin32.dll	Mahbje32.exe
File created	C:\Windows\SysWOW64\Mkbchk32.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Ndbnboqb.exe	Nkjjij32.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Gefncbmc.dll	Lgpagm32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File opened for modification	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Lnhmng32.exe	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
File created	C:\Windows\SysWOW64\Lddbqa32.exe	Lnjjdgee.exe
File created	C:\Windows\SysWOW64\Pbcfgejn.dll	Mjhqjg32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Bdknoa32.dll	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Mjqjih32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Addjcmqn.dll	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Nggqoj32.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mdfofakp.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Majopeii.exe
File opened for modification	C:\Windows\SysWOW64\Mdkhapfj.exe	Mamleegg.exe
File created	C:\Windows\SysWOW64\Codhke32.dll	Mglack32.exe
File created	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Nkqpjidj.exe	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Gqffnmfa.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Lnjjdgee.exe	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4824	4364	WerFault.exe	124

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lppbjjia.dll"	Lgbnmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lgbnmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkbchk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pipfna32.dll"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgkjl32.dll"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkjjij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nggqoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgpagm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqffnmfa.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnjjdgee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lnjjdgee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lnhmng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nafokcol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnkgo32.dll"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnapla32.dll"	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Ndbnboqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Nggqoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpnaafp.dll"	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Majopeii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkqpjidj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addjcmqn.dll"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lpfijcfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdfofakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lpfijcfl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egqcbapl.dll"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdkhapfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjhqjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglack32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 320	1480	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe	84
PID 1480 wrote to memory of 320	1480	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe	84
PID 1480 wrote to memory of 320	1480	6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe	84
PID 320 wrote to memory of 380	320	Lnhmng32.exe	85
PID 320 wrote to memory of 380	320	Lnhmng32.exe	85
PID 320 wrote to memory of 380	320	Lnhmng32.exe	85
PID 380 wrote to memory of 3960	380	Lpfijcfl.exe	86
PID 380 wrote to memory of 3960	380	Lpfijcfl.exe	86
PID 380 wrote to memory of 3960	380	Lpfijcfl.exe	86
PID 3960 wrote to memory of 1992	3960	Lgpagm32.exe	87
PID 3960 wrote to memory of 1992	3960	Lgpagm32.exe	87
PID 3960 wrote to memory of 1992	3960	Lgpagm32.exe	87
PID 1992 wrote to memory of 840	1992	Ljnnch32.exe	88
PID 1992 wrote to memory of 840	1992	Ljnnch32.exe	88
PID 1992 wrote to memory of 840	1992	Ljnnch32.exe	88
PID 840 wrote to memory of 4524	840	Lnjjdgee.exe	89
PID 840 wrote to memory of 4524	840	Lnjjdgee.exe	89
PID 840 wrote to memory of 4524	840	Lnjjdgee.exe	89
PID 4524 wrote to memory of 1928	4524	Lddbqa32.exe	90
PID 4524 wrote to memory of 1928	4524	Lddbqa32.exe	90
PID 4524 wrote to memory of 1928	4524	Lddbqa32.exe	90
PID 1928 wrote to memory of 2448	1928	Lgbnmm32.exe	91
PID 1928 wrote to memory of 2448	1928	Lgbnmm32.exe	91
PID 1928 wrote to memory of 2448	1928	Lgbnmm32.exe	91
PID 2448 wrote to memory of 5012	2448	Mjqjih32.exe	92
PID 2448 wrote to memory of 5012	2448	Mjqjih32.exe	92
PID 2448 wrote to memory of 5012	2448	Mjqjih32.exe	92
PID 5012 wrote to memory of 3516	5012	Mahbje32.exe	93
PID 5012 wrote to memory of 3516	5012	Mahbje32.exe	93
PID 5012 wrote to memory of 3516	5012	Mahbje32.exe	93
PID 3516 wrote to memory of 3804	3516	Mdfofakp.exe	94
PID 3516 wrote to memory of 3804	3516	Mdfofakp.exe	94
PID 3516 wrote to memory of 3804	3516	Mdfofakp.exe	94
PID 3804 wrote to memory of 4404	3804	Mgekbljc.exe	95
PID 3804 wrote to memory of 4404	3804	Mgekbljc.exe	95
PID 3804 wrote to memory of 4404	3804	Mgekbljc.exe	95
PID 4404 wrote to memory of 3368	4404	Majopeii.exe	96
PID 4404 wrote to memory of 3368	4404	Majopeii.exe	96
PID 4404 wrote to memory of 3368	4404	Majopeii.exe	96
PID 3368 wrote to memory of 2488	3368	Mpmokb32.exe	97
PID 3368 wrote to memory of 2488	3368	Mpmokb32.exe	97
PID 3368 wrote to memory of 2488	3368	Mpmokb32.exe	97
PID 2488 wrote to memory of 4936	2488	Mcklgm32.exe	98
PID 2488 wrote to memory of 4936	2488	Mcklgm32.exe	98
PID 2488 wrote to memory of 4936	2488	Mcklgm32.exe	98
PID 4936 wrote to memory of 2056	4936	Mkbchk32.exe	99
PID 4936 wrote to memory of 2056	4936	Mkbchk32.exe	99
PID 4936 wrote to memory of 2056	4936	Mkbchk32.exe	99
PID 2056 wrote to memory of 4388	2056	Mamleegg.exe	100
PID 2056 wrote to memory of 4388	2056	Mamleegg.exe	100
PID 2056 wrote to memory of 4388	2056	Mamleegg.exe	100
PID 4388 wrote to memory of 2272	4388	Mdkhapfj.exe	101
PID 4388 wrote to memory of 2272	4388	Mdkhapfj.exe	101
PID 4388 wrote to memory of 2272	4388	Mdkhapfj.exe	101
PID 2272 wrote to memory of 616	2272	Mgidml32.exe	102
PID 2272 wrote to memory of 616	2272	Mgidml32.exe	102
PID 2272 wrote to memory of 616	2272	Mgidml32.exe	102
PID 616 wrote to memory of 4072	616	Mjhqjg32.exe	103
PID 616 wrote to memory of 4072	616	Mjhqjg32.exe	103
PID 616 wrote to memory of 4072	616	Mjhqjg32.exe	103
PID 4072 wrote to memory of 3348	4072	Maohkd32.exe	104
PID 4072 wrote to memory of 3348	4072	Maohkd32.exe	104
PID 4072 wrote to memory of 3348	4072	Maohkd32.exe	104
PID 3348 wrote to memory of 3932	3348	Mcpebmkb.exe	106

C:\Users\Admin\AppData\Local\Temp\6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\6db7247ad7b092a69b3d60cf37dedf60_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\Lnhmng32.exe
  C:\Windows\system32\Lnhmng32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\SysWOW64\Lpfijcfl.exe
    C:\Windows\system32\Lpfijcfl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\Lgpagm32.exe
      C:\Windows\system32\Lgpagm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\SysWOW64\Lnjjdgee.exe
        
        C:\Windows\system32\Lnjjdgee.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\SysWOW64\Lddbqa32.exe
        
        C:\Windows\system32\Lddbqa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Lgbnmm32.exe
        
        C:\Windows\system32\Lgbnmm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Mahbje32.exe
        
        C:\Windows\system32\Mahbje32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\SysWOW64\Mdfofakp.exe
        
        C:\Windows\system32\Mdfofakp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Majopeii.exe
        
        C:\Windows\system32\Majopeii.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3368
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Mkbchk32.exe
        
        C:\Windows\system32\Mkbchk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Mdkhapfj.exe
        
        C:\Windows\system32\Mdkhapfj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\SysWOW64\Mjhqjg32.exe
        
        C:\Windows\system32\Mjhqjg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3376
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\Nkjjij32.exe
        
        C:\Windows\system32\Nkjjij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Ndbnboqb.exe
        
        C:\Windows\system32\Ndbnboqb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Nafokcol.exe
        
        C:\Windows\system32\Nafokcol.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3632
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1612
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2232
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2756
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\Nggqoj32.exe
        
        C:\Windows\system32\Nggqoj32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        39⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4364 -s 400
        40⤵
        Program crash
        
        PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4364 -ip 4364
1⤵
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lddbqa32.exe

Filesize
80KB

MD5
96594820c6422646afa5bfb129b68867

SHA1
b5af7996c7545f8a0364a4d5152edf3171898fa2

SHA256
99d684e56c902fbbd4d1dd70087c98ad9150109e3621d04f54c0838427557335

SHA512
463e5b37dc1d76cab1696c1f430bba227d128ca68de06c0035957aa2ba830138e5d58cfad32152bfa26f7f4de6f407f6aaa550863c3556196fc0a652d6ed0af8

Download Submit
C:\Windows\SysWOW64\Lgbnmm32.exe

Filesize
80KB

MD5
5f8755c337d0917613941fc7737423a0

SHA1
f3d1eb93dee1d834374d15494b50b71648542fa5

SHA256
01bc53918f0dd7aa52a34c6c45f14b5d08a8c392c79c8c3fbe0663f440c20247

SHA512
26070e42dadedfe487a5ce415e8c43ff5bbc414d3bec98a0589479b52b0971c2a422048d9b06fa988cf73fbdd2737ad2311af0513233a6acd4789d082c4162d7

Download Submit
C:\Windows\SysWOW64\Lgpagm32.exe

Filesize
80KB

MD5
82c923e792f8539b0e6ff001f4bd13ea

SHA1
a8651ffb62b62670bf4aaaf175812336c8f50c27

SHA256
7887efcf46df9153fb682ebf1cdd061c1df0e4fb5c1642842aa54c0a518d6660

SHA512
a510bb34f483d95f1525464239d470e53986a0a657b8aa80bd1fa3d02f7b353a903fb0784e2219905eef88be236a486051c336ab61e40ea5038ace06192b3619

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
80KB

MD5
4654f390e0392701055fc5b170c7d990

SHA1
6773163689dfb181a19c18c1421cf09b0af65e67

SHA256
8bcb95902ae02ff312e974a2f53798d3bacecbcb08e840b6b0a8d0a7b075de71

SHA512
567af409909e99086ecbdac0410a24c54950ff5f0bbd4b640e3a667f2f7bf575416bcdd5685e02625ddd51696f7227ec9aa86c4406fe25cf89997bf172298dc0

Download Submit
C:\Windows\SysWOW64\Lnhmng32.exe

Filesize
80KB

MD5
5a62dda507bbf580c1f56a2d50e17f69

SHA1
4831a3777892de60de96eef0ee8791d917d44389

SHA256
908f34ea1b9f31a76baeb46ecf060f8fb872b71478d5613682f0bfba58343d4f

SHA512
6ea981b6fbc4936e6fb778559a9e0e46a25936578cc02ebdbebec1e956760842a2703c5cbfc9426b01f2e5a2ae476e4c5c8e2314f55622860fed5212b9412a3c

Download Submit
C:\Windows\SysWOW64\Lnjjdgee.exe

Filesize
80KB

MD5
e0b2c5648d1f7febd7636c0f536707d0

SHA1
ae3bb3f2c31653aa6a6af0cd9befd39e75e83f57

SHA256
33f7d3aa5b7ab17208d0262999f3e3454cd64ed10f816c68fca0927fb769ab2f

SHA512
ecdded46d6754df3db49fc610dd2a033551bcf5844a1f5a3defd50190fec32becbe6f26087eb6e720836487aa06d12f12fb9eea8574924bbcc170471ab20ffb8

Download Submit
C:\Windows\SysWOW64\Lpfijcfl.exe

Filesize
80KB

MD5
2824827bd7ec8ca8d74b10f6620d64e0

SHA1
67f3370c39294c9c5e5549472851b7a254bf472c

SHA256
02fb43084369026155093637be1e18dac1829c6b82363d339beb410e67f4bea5

SHA512
af04bfcb2d46a65a32035c885174b944a6018c11f8399a7817bbd79a83127e46d1e092451ce9b8b93cb8700be8fe8756c67088f3ed1bc3589a712daa8e5769b2

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
80KB

MD5
7ff6fabcbbe9d6b956e2522ac4e533a6

SHA1
c8c4c2d8827115cdb27f6ea18c2b9f875047e9ae

SHA256
1729a3b45b0b2360f2010c9bc9c0dc85fa1924c2ba940ddb5883798f87fa0f3a

SHA512
e9b4ca78a562c1d43e1db9df104f43d25f6d8bc7218642ab57abfb259490d0954117377823aedef44e43090c1840c016b6fe2efed10cf04366e029e8d03290af

Download Submit
C:\Windows\SysWOW64\Majopeii.exe

Filesize
80KB

MD5
7d128a3ee7025fc83a39b696d67d009f

SHA1
060542f3b1154a3529ba648617639d59e1d4bf42

SHA256
e54fa468e60889a0dac9ef913f9c9d55a54ee4604c8af217a9850351856363dc

SHA512
d0ec05b31823cf3e3cc373e1b0e648b6c6c1d2c2fe9267f6f05ac594ec9d48aa4ccbfe28a2acf180df6f166874c9679d5dc5e357830718a2b42c441b6b0d0fe9

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
80KB

MD5
69e61757e6aee0c1e95438ee88c517dc

SHA1
86dad18f1832b2172ac5cb02d5edc437d7de0a91

SHA256
f428e3c35e64acadbce28e00d20e52466d1e29c62ad047b577e47f98c6c9b00d

SHA512
0bb1ca6ca7d050c3e7bbf85165923b04f25ce17f30803e3fe011ff34abbce017e92d570f6e2dab27cd49e98efa7a34fadd5e6dccc6b1933a9e3ad9eb1101d181

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
80KB

MD5
7bfbdc430996a6fa6ce6e6d50009fe5d

SHA1
e89f2d8e7249e628f50a76905e9f1fdb9a881bc3

SHA256
b91a712f0d45b1fe771927d187b79eaed0072ab4b4b14c224eadaf74e8c7fdea

SHA512
6758301a362c52c21df16181c13cd8691c4c570b9e6d689cb50c3baf91c1c019682ec8c6f2192cfb5a9bf6fe8b2fc002ee88104ed9932d9ec19d3719775847ef

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
80KB

MD5
469b006212c5e4616d9a3124a0416d73

SHA1
1a650904bac8666a66d4dc071644be4a8409e03e

SHA256
2ecaca5542a5400058e460e91ed0c4a1b35448d4967e0d257a387457d21c71a5

SHA512
a4b6225576a302cf5409df3c55dcea9f7eed75c5fc72be4a29504944d921d359ce43554e146930cdef5111256f3dd977d6cd8957df1b98fec0c8702a91d107e6

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
80KB

MD5
3d33a5d0ae2133eda7ea49b9b34168ea

SHA1
150819ee89d949b2ac5b0143f313d9c2874c0425

SHA256
4d4b25a722aec5b6c4a0adf761f05474d51742219b26606f6beedc7aba8b2af0

SHA512
ceeed75d1aadd6db1270d4ab35459e45ec08585e40cac34ee6c0cd90d6d22ef1840db1d80af0312aaf8cb2a00acd940398e512ff6ecb6e79dfa7286b8da22b50

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
80KB

MD5
388df1f9700906a1a012921b0dc4609c

SHA1
267297e6ddea8705ab1a213873d31dc09d680131

SHA256
c883c841bc041a71743414e90a2ba9d3daeac96da0c77d848f3a6af82aab27dd

SHA512
c76847c772cf6cbc159aa2034079b6216d352ed40912878a61c5252ef4b8c41f7069804e9ea7bb1b20082965aaccfbabd582d96e658f5fc1c60b3d6f0c360eb9

Download Submit
C:\Windows\SysWOW64\Mdfofakp.exe

Filesize
80KB

MD5
d83c90929571de78ab68c9d2821e7966

SHA1
2398d8de499f219879a8184ee0ba10ce34e58734

SHA256
6d08b0c28df936513ffae26c25912917a53a0bbd4ead088f3067d7c177429b47

SHA512
5d5315f717dbdcf0d952e1aa6e10c4d5248f1353ab00d19e47b9208733d62d7922165b729791a51e562bd2ba14f192c10d77534067ae3d9f71a1cf25827cdc1f

Download Submit
C:\Windows\SysWOW64\Mdkhapfj.exe

Filesize
80KB

MD5
59ffe7549ce5f48354113c1205729903

SHA1
0c1a19c81881581d98e8e07eba63451079953ae6

SHA256
9cc9c65206fca547c679281e70767a62c42f289f040f609f914ac1aa4d8a6cde

SHA512
8ff3922ba637e365bbf94fdcfc5789c1fab430492953afe869b791aa4f4c836d97138e7d641b3c0ba0eb052e23a74b78731932186ade3d9a6db02d02f1b64a4f

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
80KB

MD5
5ef174dae863b44e793d46fe5c37d7d1

SHA1
5050bf0b9764ab3d4201e262d5c34d5534b8c4fc

SHA256
e59d3441ce70731bfb54bacf583fe964be1b0f0d6fd51657d5684dd674ac10df

SHA512
745be03cc59c0c8fd3113f354b2bad21f19e7ccb7f65eb4007ee140d86e9db1d44852237a11e3be0fbdb535a0fac57eee8f5f7602a8733e71fe1cc8031024dc1

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
80KB

MD5
7f9de141e7a7c282b58a9ca4edc08663

SHA1
db1ae81302285c3128654aec37ca772d392e93c8

SHA256
0967f1f5d0d543c971b60097c265423c17610fb6342e57b1141120a4a607d369

SHA512
baeb59db0c490ec49e4309940fa00f23fc13fed3b3dbbbbd73a0caf3c90c8ec0da09a7cd060363d00a0027ecca29bf89bd6e917fb0908d652af1678004f3ee16

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
80KB

MD5
3f20b79cb6f013fbf9c902c6d40ed8ba

SHA1
e89ebcb9d695f64a1e032cc127507a61eae22a95

SHA256
a335070ee53a623464d2ce4ebdbb3e35a94a8c27c7bf8f575f7eeaf717dd7d50

SHA512
ff407239f9c7c217abae3f37ea1002094f0ddd240803b8b0f226445b51525fbac2215541eb38840ca48ce5a1d428b868729158c06c723c93ae59813df8baa87f

Download Submit
C:\Windows\SysWOW64\Mjhqjg32.exe

Filesize
80KB

MD5
7bf2911a66ff0552354c7b52e707f3ff

SHA1
a817c3c22172a3ec7716f1ffaff002196bf2e262

SHA256
f300b1f7c4a46747062d5e6b514871c430c41adfd856757fde524980b9071268

SHA512
f4313fdd7d2d5ea191f145f1807c34d42824f7a5de9122c989ff249d7a67d4801f81b1b8270c7472e8d2288637beca9ecc66972f6c9c4fca2cdee83c4fb784b0

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
80KB

MD5
1c2769f9e92a379ea5fbabc3eebf5bad

SHA1
2779edffbb35d6bc474abcddbf8459b40ac1836f

SHA256
f5d87c01521930ebdae8d7c4be391184edc2c7ca0f0bfe43be35f3058d13c3a1

SHA512
07a25c93ad0bb46ff663e4e33d54802e43a120fc4b1cc6d1c2f7fa72acd87bb33b3c2bedfaa6275a928a6f32be2a8d1c61dbbc542c5ed1fb9d47177b0898f63f

Download Submit
C:\Windows\SysWOW64\Mkbchk32.exe

Filesize
80KB

MD5
2113017d54b39bd8a214b7fe5e16cd8f

SHA1
c76787dd6d6ba4e562419f56adcdad7c2d33c963

SHA256
c6afb383e5742bb95366dfbffe802db0fcb9f586bfc7dee9e795bedaa824eff1

SHA512
9fce31a017e12c4d2dfd0af4cba9db2bebec1f4fe6f5f7b21b21b99d6ee13bdc354fac59640d17ea77a8fc381620bfb13a940aae272a3e1e4bffe375ee1aa9ad

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
80KB

MD5
59c78bf607e9eef9814c08f6f9d84cfa

SHA1
4228051321c7fb20c631816bb0bbeaeab2e98f58

SHA256
a6d3fc95a8eef7847d9cf71614529698a13d3aa959dbd8195cddf13a4f62f7bc

SHA512
7575f9a492f21f76c6d17075e1d8200ae6f4c9c41b10077519896ae94fd81452b8ca2cdde4288e6cf99512688533ab8329f39bdc8032df4b6136eeb92602ab50

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
80KB

MD5
93960ae370efc6683987b87480d47ed8

SHA1
1ecf7c37cd9f0b75fca475d36241efbd9ed1898a

SHA256
cc0aeca44a9b69289762d0ab7e2ee968d42f7cc7c72ee62b71f0eaa95232f7f7

SHA512
09565780bb70b0ea3c4ba0ad8353826566ad2bda80b57b9c67fa9b8db02b2e4fc68b181ff8c4a582f198319abc642e314aead6ef3db96d67429541fa5c8c584d

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
80KB

MD5
c0a93b4011439d05f7d0dfbae2408961

SHA1
b70c6c953aca02a727088bccdd46a66d95bccd0f

SHA256
d73b33d9acfc2763873fbfd1079b6c0e82886e5bfab53b8e10a76eaedbb7b3d6

SHA512
a7608aba7ff461846e99fe8c38e655e583a38afda9b3032833d4082cf171edf0e1c8b1eef8228067e8162894b41256b52eca7301a0c00f0c11b02b0b33789507

Download Submit
C:\Windows\SysWOW64\Nafokcol.exe

Filesize
80KB

MD5
147e8763f20cb4379ac4020582d4448f

SHA1
42b49c2088e7fd0a80fc360f5a6ead879755954e

SHA256
83ca0f836bd618dfcb22ec223a3afced3587772f6f5e1c26d64a2cedbad13105

SHA512
4f6b3d85c413edbd29f00baa85c0f8a71044be7b9d5b05e142af671ed223b27cdffaf4799386cccb37ae8e559dd285137e97175c8779280e9ce3199185ed7428

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
80KB

MD5
0a1016647b556c27afce9205eaae6443

SHA1
c082fce386f0a9f4d714964e8e6f3433b9d517c3

SHA256
dda0aeae1b40327b4fc74c56f9723c1b67d7a32a4907a6552cc461f2c9211409

SHA512
bc837ae7f82b7d90d0c4cc04ffc75beae509b935e536abacb870a7a8b7a5883b88242995733fb0fe8b079569709c9d78fc8eb629458dcd9862a015577cdb1f3a

Download Submit
C:\Windows\SysWOW64\Ndbnboqb.exe

Filesize
80KB

MD5
d36e39cb8b308cc540652cbd56d6346e

SHA1
1f137ad13bc87c6ce1bec3d75a728f922895b3cf

SHA256
9e5e09ad1457c2b8f387ab1c30554f93a7a225d5b0d38a5c2201c9fe8da6b878

SHA512
517e189e30b4d35b8da238cb68f98f2272cfc92a90716b19a5b1d07ae2bdb580a78fe2be9f134bd01c62fb8382975a3e289c8a33c560eab4987df50bb7cc6f19

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
80KB

MD5
20727a1398cb404bd184a959f99f7193

SHA1
e5f6e8b6a0a6b18dff42f29b5005152a77fdd124

SHA256
1b67ab5d2582377cf9fb696e57bfbccca4c63db2d91dd776f65d850482e29ddc

SHA512
ec87181493284de35d1f5d9a093d5949760941aed60f8f370a592e39c6bbcaebd4379fc962e6ee1b04d40637967cdace14c271f616c9966fde46cbd3171d4535

Download Submit
C:\Windows\SysWOW64\Nkjjij32.exe

Filesize
80KB

MD5
b859467ba3b5da59f3d939b9ac923270

SHA1
98496bd3ca043fe484c51d391d69ffd070c4bdab

SHA256
1192d1726f482a55f526886999a05d90cce0e926175be42cc2097d8683c7da26

SHA512
f1a0aab06cff5d74f044868c1e96554c33f12b57856077b35b18214177986f3a1756fa576b0c4e9ccf1032d965c5c7380334a9c122d6aee526751e23ab1ac8ec

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
80KB

MD5
3b9a689a65320b0abe9f2be906561562

SHA1
5ebbb7ae0f415df28fd2fae8d33e8786fff462b9

SHA256
f25948e4eef19d7d3de91beddb326c29cc53c531b7576741d66dc4b1e93d2d7b

SHA512
13e65765a780322e602c66e49cb010b870ed3e31c3438f897f2faf4a34d7c959bf4ec0d2472011674c0e1d73f8e6d719e859e539b4dd05c35457d6ad9c769070

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
80KB

MD5
eeacccfad40cfb001bf9f3e7a3d6d32b

SHA1
8dcf734cd7711706c6fbd1dc7134ce26afcd86f0

SHA256
e5b036f25df93d605b4fcb1bd3d3207f97b5f0ac22044ee5d2cbbd770a92eb0d

SHA512
c107a19921c16ac77c8809faea17a0244797f7d3bc1460688b5b6ff09436137febfeb19c8f3a0d8159e92fa225fe269b7f8436ae5cb842e96afb5b97c2c42125

Download Submit
memory/320-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/320-326-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/380-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/380-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/616-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/840-322-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1140-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-296-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1380-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1480-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-327-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-299-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1620-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-320-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1992-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1992-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2056-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2068-229-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2232-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-309-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2272-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2448-319-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2448-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-313-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2488-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2492-302-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2648-295-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-297-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2756-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2844-304-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2844-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3348-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3368-314-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3368-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3376-306-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3516-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-300-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3804-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3804-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-182-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-324-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3960-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4024-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4072-308-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4364-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-310-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4388-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-315-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4404-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4524-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4572-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-301-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4876-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4936-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-72-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5012-318-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads