682028ad808334cab1f86f4a171447089be15d22d5263c7c4d33a312a34eb1ca

Analysis

max time kernel
135s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 15:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf4315874952bf42afdba2c6273a49e0_NEAS.exe
Size

340KB
MD5

cf4315874952bf42afdba2c6273a49e0
SHA1

94a9470577746b17e9ad4b1b3496a117714e93ad
SHA256

682028ad808334cab1f86f4a171447089be15d22d5263c7c4d33a312a34eb1ca
SHA512

eb17a4bb81010a6c50aba5c507c8389972dfc29f4a4a69115c561154749f2b27404604b2713c846988a12e7317aa42346e8b31df876e0c9af291a3b6883bbd3b
SSDEEP

6144:nwt0o25M33/fc/UmKyIxLDXXoq9FJZCUmKyIxLjh:nw632XXf9Do3i

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbkhfc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmccchkn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cf4315874952bf42afdba2c6273a49e0_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nnmopdep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgphpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpocjdld.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lphfpbdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kagichjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdopod32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kphmie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglack32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngedij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ndidbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmnjhioc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpappc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljnnch32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kgbefoji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnocof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpcmec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Laciofpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mnlfigcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njljefql.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cf4315874952bf42afdba2c6273a49e0_NEAS.exe

Executes dropped EXE 42 IoCs

pid	Process
868	Kdopod32.exe
2612	Kilhgk32.exe
2916	Kdaldd32.exe
4492	Kgphpo32.exe
3388	Kphmie32.exe
4436	Kgbefoji.exe
3748	Kagichjo.exe
2812	Kdffocib.exe
3636	Kmnjhioc.exe
1996	Kkbkamnl.exe
532	Lpocjdld.exe
4540	Lmccchkn.exe
1048	Lpappc32.exe
864	Lgkhlnbn.exe
3772	Lpcmec32.exe
4112	Laciofpa.exe
5108	Ljnnch32.exe
1524	Lphfpbdi.exe
2672	Mnlfigcc.exe
2212	Mgekbljc.exe
1028	Mnocof32.exe
3468	Mpmokb32.exe
4136	Mcklgm32.exe
1056	Mjeddggd.exe
4332	Mgidml32.exe
1500	Maohkd32.exe
4432	Mglack32.exe
1968	Maaepd32.exe
2352	Mdpalp32.exe
4384	Njljefql.exe
1080	Nceonl32.exe
4092	Nklfoi32.exe
760	Nqiogp32.exe
4176	Nddkgonp.exe
4944	Njacpf32.exe
1976	Nnmopdep.exe
4904	Ndghmo32.exe
3624	Ngedij32.exe
2028	Njcpee32.exe
1284	Nbkhfc32.exe
4440	Ndidbn32.exe
536	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lgkhlnbn.exe	Lpappc32.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Mglack32.exe	Maohkd32.exe
File created	C:\Windows\SysWOW64\Fcdjjo32.dll	Njljefql.exe
File opened for modification	C:\Windows\SysWOW64\Laciofpa.exe	Lpcmec32.exe
File opened for modification	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Ngedij32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kilhgk32.exe	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Kdaldd32.exe	Kilhgk32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mnocof32.exe
File created	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File opened for modification	C:\Windows\SysWOW64\Mgekbljc.exe	Mnlfigcc.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Kdffocib.exe	Kagichjo.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File created	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ndidbn32.exe
File opened for modification	C:\Windows\SysWOW64\Kgbefoji.exe	Kphmie32.exe
File created	C:\Windows\SysWOW64\Milgab32.dll	Kphmie32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mnlfigcc.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Kdopod32.exe	cf4315874952bf42afdba2c6273a49e0_NEAS.exe
File created	C:\Windows\SysWOW64\Jchbak32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Nddkgonp.exe	Nqiogp32.exe
File created	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Kkdeek32.dll	Kdopod32.exe
File opened for modification	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Khehmdgi.dll	Lpcmec32.exe
File created	C:\Windows\SysWOW64\Oedbld32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Maaepd32.exe	Mglack32.exe
File opened for modification	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nnmopdep.exe
File created	C:\Windows\SysWOW64\Gcdihi32.dll	Kmnjhioc.exe
File created	C:\Windows\SysWOW64\Lpocjdld.exe	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Cmafhe32.dll	Lpocjdld.exe
File created	C:\Windows\SysWOW64\Ogndib32.dll	Lmccchkn.exe
File created	C:\Windows\SysWOW64\Mnocof32.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Ndclfb32.dll	Lpappc32.exe
File created	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Nqiogp32.exe	Nklfoi32.exe
File created	C:\Windows\SysWOW64\Njljefql.exe	Mdpalp32.exe
File created	C:\Windows\SysWOW64\Kgphpo32.exe	Kdaldd32.exe
File created	C:\Windows\SysWOW64\Hefffnbk.dll	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Kmnjhioc.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Mglppmnd.dll	Ljnnch32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Ndidbn32.exe
File created	C:\Windows\SysWOW64\Kkbkamnl.exe	Kmnjhioc.exe
File opened for modification	C:\Windows\SysWOW64\Lpcmec32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mcklgm32.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mgidml32.exe
File opened for modification	C:\Windows\SysWOW64\Ndidbn32.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Eplmgmol.dll	cf4315874952bf42afdba2c6273a49e0_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Ljnnch32.exe	Laciofpa.exe
File created	C:\Windows\SysWOW64\Jjblifaf.dll	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Nqjfoc32.dll	Kdaldd32.exe
File opened for modification	C:\Windows\SysWOW64\Kphmie32.exe	Kgphpo32.exe
File created	C:\Windows\SysWOW64\Lpcmec32.exe	Lgkhlnbn.exe
File opened for modification	C:\Windows\SysWOW64\Mdpalp32.exe	Maaepd32.exe
File opened for modification	C:\Windows\SysWOW64\Nnmopdep.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Bnckcnhb.dll	Kilhgk32.exe
File opened for modification	C:\Windows\SysWOW64\Kagichjo.exe	Kgbefoji.exe
File created	C:\Windows\SysWOW64\Lpappc32.exe	Lmccchkn.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4372	536	WerFault.exe	128

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbibebo.dll"	Mdpalp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogndib32.dll"	Lmccchkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjblifaf.dll"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpalp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lgkhlnbn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjkmlh.dll"	Lphfpbdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bebboiqi.dll"	Mglack32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cf4315874952bf42afdba2c6273a49e0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mglack32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mgidml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Njljefql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kagichjo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kmnjhioc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedbld32.dll"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kdaldd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnacjn32.dll"	Mjeddggd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplmgmol.dll"	cf4315874952bf42afdba2c6273a49e0_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kphmie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdknoa32.dll"	Nnmopdep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnckcnhb.dll"	Kilhgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lpappc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nddkgonp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	cf4315874952bf42afdba2c6273a49e0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaehlf32.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhpdhp32.dll"	Maaepd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnpomfk.dll"	Nqiogp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Nddkgonp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefffnbk.dll"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjeddggd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mnocof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opbnic32.dll"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ndidbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pponmema.dll"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqiogp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	cf4315874952bf42afdba2c6273a49e0_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kgbefoji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baefid32.dll"	Lgkhlnbn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lpcmec32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 868	4924	cf4315874952bf42afdba2c6273a49e0_NEAS.exe	84
PID 4924 wrote to memory of 868	4924	cf4315874952bf42afdba2c6273a49e0_NEAS.exe	84
PID 4924 wrote to memory of 868	4924	cf4315874952bf42afdba2c6273a49e0_NEAS.exe	84
PID 868 wrote to memory of 2612	868	Kdopod32.exe	85
PID 868 wrote to memory of 2612	868	Kdopod32.exe	85
PID 868 wrote to memory of 2612	868	Kdopod32.exe	85
PID 2612 wrote to memory of 2916	2612	Kilhgk32.exe	86
PID 2612 wrote to memory of 2916	2612	Kilhgk32.exe	86
PID 2612 wrote to memory of 2916	2612	Kilhgk32.exe	86
PID 2916 wrote to memory of 4492	2916	Kdaldd32.exe	87
PID 2916 wrote to memory of 4492	2916	Kdaldd32.exe	87
PID 2916 wrote to memory of 4492	2916	Kdaldd32.exe	87
PID 4492 wrote to memory of 3388	4492	Kgphpo32.exe	88
PID 4492 wrote to memory of 3388	4492	Kgphpo32.exe	88
PID 4492 wrote to memory of 3388	4492	Kgphpo32.exe	88
PID 3388 wrote to memory of 4436	3388	Kphmie32.exe	89
PID 3388 wrote to memory of 4436	3388	Kphmie32.exe	89
PID 3388 wrote to memory of 4436	3388	Kphmie32.exe	89
PID 4436 wrote to memory of 3748	4436	Kgbefoji.exe	91
PID 4436 wrote to memory of 3748	4436	Kgbefoji.exe	91
PID 4436 wrote to memory of 3748	4436	Kgbefoji.exe	91
PID 3748 wrote to memory of 2812	3748	Kagichjo.exe	92
PID 3748 wrote to memory of 2812	3748	Kagichjo.exe	92
PID 3748 wrote to memory of 2812	3748	Kagichjo.exe	92
PID 2812 wrote to memory of 3636	2812	Kdffocib.exe	94
PID 2812 wrote to memory of 3636	2812	Kdffocib.exe	94
PID 2812 wrote to memory of 3636	2812	Kdffocib.exe	94
PID 3636 wrote to memory of 1996	3636	Kmnjhioc.exe	95
PID 3636 wrote to memory of 1996	3636	Kmnjhioc.exe	95
PID 3636 wrote to memory of 1996	3636	Kmnjhioc.exe	95
PID 1996 wrote to memory of 532	1996	Kkbkamnl.exe	96
PID 1996 wrote to memory of 532	1996	Kkbkamnl.exe	96
PID 1996 wrote to memory of 532	1996	Kkbkamnl.exe	96
PID 532 wrote to memory of 4540	532	Lpocjdld.exe	98
PID 532 wrote to memory of 4540	532	Lpocjdld.exe	98
PID 532 wrote to memory of 4540	532	Lpocjdld.exe	98
PID 4540 wrote to memory of 1048	4540	Lmccchkn.exe	99
PID 4540 wrote to memory of 1048	4540	Lmccchkn.exe	99
PID 4540 wrote to memory of 1048	4540	Lmccchkn.exe	99
PID 1048 wrote to memory of 864	1048	Lpappc32.exe	100
PID 1048 wrote to memory of 864	1048	Lpappc32.exe	100
PID 1048 wrote to memory of 864	1048	Lpappc32.exe	100
PID 864 wrote to memory of 3772	864	Lgkhlnbn.exe	101
PID 864 wrote to memory of 3772	864	Lgkhlnbn.exe	101
PID 864 wrote to memory of 3772	864	Lgkhlnbn.exe	101
PID 3772 wrote to memory of 4112	3772	Lpcmec32.exe	102
PID 3772 wrote to memory of 4112	3772	Lpcmec32.exe	102
PID 3772 wrote to memory of 4112	3772	Lpcmec32.exe	102
PID 4112 wrote to memory of 5108	4112	Laciofpa.exe	103
PID 4112 wrote to memory of 5108	4112	Laciofpa.exe	103
PID 4112 wrote to memory of 5108	4112	Laciofpa.exe	103
PID 5108 wrote to memory of 1524	5108	Ljnnch32.exe	104
PID 5108 wrote to memory of 1524	5108	Ljnnch32.exe	104
PID 5108 wrote to memory of 1524	5108	Ljnnch32.exe	104
PID 1524 wrote to memory of 2672	1524	Lphfpbdi.exe	105
PID 1524 wrote to memory of 2672	1524	Lphfpbdi.exe	105
PID 1524 wrote to memory of 2672	1524	Lphfpbdi.exe	105
PID 2672 wrote to memory of 2212	2672	Mnlfigcc.exe	106
PID 2672 wrote to memory of 2212	2672	Mnlfigcc.exe	106
PID 2672 wrote to memory of 2212	2672	Mnlfigcc.exe	106
PID 2212 wrote to memory of 1028	2212	Mgekbljc.exe	107
PID 2212 wrote to memory of 1028	2212	Mgekbljc.exe	107
PID 2212 wrote to memory of 1028	2212	Mgekbljc.exe	107
PID 1028 wrote to memory of 3468	1028	Mnocof32.exe	108

C:\Users\Admin\AppData\Local\Temp\cf4315874952bf42afdba2c6273a49e0_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\cf4315874952bf42afdba2c6273a49e0_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\SysWOW64\Kdopod32.exe
  C:\Windows\system32\Kdopod32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\Kilhgk32.exe
    C:\Windows\system32\Kilhgk32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\SysWOW64\Kdaldd32.exe
      C:\Windows\system32\Kdaldd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\Kgphpo32.exe
        
        C:\Windows\system32\Kgphpo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4492
      - C:\Windows\SysWOW64\Kphmie32.exe
        
        C:\Windows\system32\Kphmie32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\SysWOW64\Kgbefoji.exe
        
        C:\Windows\system32\Kgbefoji.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Kagichjo.exe
        
        C:\Windows\system32\Kagichjo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Kmnjhioc.exe
        
        C:\Windows\system32\Kmnjhioc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Lpocjdld.exe
        
        C:\Windows\system32\Lpocjdld.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\SysWOW64\Lmccchkn.exe
        
        C:\Windows\system32\Lmccchkn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Lpappc32.exe
        
        C:\Windows\system32\Lpappc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Lgkhlnbn.exe
        
        C:\Windows\system32\Lgkhlnbn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Lpcmec32.exe
        
        C:\Windows\system32\Lpcmec32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Laciofpa.exe
        
        C:\Windows\system32\Laciofpa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\SysWOW64\Ljnnch32.exe
        
        C:\Windows\system32\Ljnnch32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Lphfpbdi.exe
        
        C:\Windows\system32\Lphfpbdi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Mnlfigcc.exe
        
        C:\Windows\system32\Mnlfigcc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Mnocof32.exe
        
        C:\Windows\system32\Mnocof32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Mjeddggd.exe
        
        C:\Windows\system32\Mjeddggd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Mgidml32.exe
        
        C:\Windows\system32\Mgidml32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Mglack32.exe
        
        C:\Windows\system32\Mglack32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4432
        
        C:\Windows\SysWOW64\Maaepd32.exe
        
        C:\Windows\system32\Maaepd32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\Mdpalp32.exe
        
        C:\Windows\system32\Mdpalp32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Njljefql.exe
        
        C:\Windows\system32\Njljefql.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Nqiogp32.exe
        
        C:\Windows\system32\Nqiogp32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\Nddkgonp.exe
        
        C:\Windows\system32\Nddkgonp.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4176
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Nnmopdep.exe
        
        C:\Windows\system32\Nnmopdep.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4904
        
        C:\Windows\SysWOW64\Ngedij32.exe
        
        C:\Windows\system32\Ngedij32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3624
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Ndidbn32.exe
        
        C:\Windows\system32\Ndidbn32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        43⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 428
        44⤵
        Program crash
        
        PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 536 -ip 536
1⤵
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kagichjo.exe

Filesize
340KB

MD5
74f75687eff33d0496b6fb400712b96f

SHA1
8b38ca7035bb956c86d1206574ffbac78fd4695f

SHA256
50ec45593fd8a18fb1eb51c54515e31f1695cbc52f53e771d421a50fe37ac392

SHA512
b758f4949a22a9a00cdbbbc92a6b54a6fa1164319d6669414a02079ee36ed151ad88cfe3a7fd462ecfb6bd3958732f43ad07a3c2409986afa920881a87bafd42

Download Submit
C:\Windows\SysWOW64\Kdaldd32.exe

Filesize
340KB

MD5
eeeb0f27decac6b37c0015072463f36b

SHA1
339ba4f7f09319de83f8a314fb871d334616025f

SHA256
adb908d88939e784e657ed6cdb06cef31f42f0d4cc22778ef3ace9951f4fd678

SHA512
a2ba508f15c9c18af3efdb30698ff5e7ec940201fdd4522b551c81c267fb8dcec3abc9a11fc42c4eed67479e97768cb2d9483c5cb333adced1a21de43bf032da

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
340KB

MD5
213992488bc21cbff09b4f294df50863

SHA1
4d7f4f6a0cfde574e58c8607762f40e0ab1343fd

SHA256
0d4d4bb32a5030f07862ad98304fd26ba8e9ec1fe9ac15d10d25ee3e0098f962

SHA512
7902092d91fdf1d69840c767b4774e8b3cbc6873c15daec9d867386716d95e6be1ae82f8ffe3412c425c9ad56e450e931013edf3a4530202e5bb2c8c7e582f2e

Download Submit
C:\Windows\SysWOW64\Kdopod32.exe

Filesize
340KB

MD5
8af22f8b8eab77bfc7d5377e16356185

SHA1
0ded511b9db74da5bdac04de94b86d769ee803e8

SHA256
700dae3fd9ad3f8d2f7fc4a8d157bff3f42ff0d62ba9f3dd73a6c692ff619a69

SHA512
3b20393405bea55b5783e8596a1ac22a27390a37fc4f5a7e1d08f6a0c3566a5504f233ef13afda1fe6f3d6173d124740cd0e3c2b5439f6dc30bf8e647323652a

Download Submit
C:\Windows\SysWOW64\Kgbefoji.exe

Filesize
340KB

MD5
7fac42ed797e383fb5968e75a98348d3

SHA1
16055e52ba0d4582d33d81b750133878c314b698

SHA256
b310cb30f492ba4618d8a1bfc25709c7d23636760478dabb76add9c9ec632d82

SHA512
1c04fe692650581296db6a097fb0c5afa533cd52e9be63e0a6b30510526d5a0060b7b1b4d01578eed73326810f8523fe949a2d43e64fc1ba7fc083352d868380

Download Submit
C:\Windows\SysWOW64\Kgphpo32.exe

Filesize
340KB

MD5
114f43c3fff977f64ed9bc31c8a8ac32

SHA1
6a0da43b353380279596dc6a13dd6ec212cff649

SHA256
136b1cfbc3402bad0c9c679e226769e77b917d006c51af619125577c55416fd8

SHA512
2941c7d69c6918e6f090f28c3df3d3d83c0c327f1eced0c74edb1e744b9d8f637c5f9e04ae1475d8b7d9cc47b2d77308ee0ad8818b5db0eda5339d6c7f2ef9f8

Download Submit
C:\Windows\SysWOW64\Kilhgk32.exe

Filesize
340KB

MD5
4193d97eea8f7f52be06919b1d0a8097

SHA1
2c1dbe3ab651bc53850bdea9c9f2ac4291b6926e

SHA256
7c120529a445205ec090a1531962eede41fb49f2dc74144aa176800e9953cc8d

SHA512
840648368dda1d1848c384adb1cc84c16986b21a620211185ae59d26fb409b23fef61e8c73e4e3bea7b4703da7f5a924ae3c5daaca43f0cc3f1f928e4f7fa7a7

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
340KB

MD5
58f7d7693f9a6767ff301deadd6b52b7

SHA1
b1e28dc55327d29e2222eb82220027a3c343631f

SHA256
8f851092a7d760983e1dc47c30417e01d82d0e56bb6f33ef4e6002655b19295f

SHA512
234949520c662c94267454de549b3ac0d811325d5ba4763eac0c8c6a3502759ce74dc42cea7fe27a1ed7584eba81aac8d04873c20d81c1044d80e11ec37be953

Download Submit
C:\Windows\SysWOW64\Kmnjhioc.exe

Filesize
340KB

MD5
bdb959694553abf0a4823fd42586c82d

SHA1
3441db6889455dce4f62144936c59a4bcfde9843

SHA256
65acd9f0ca2c64fd06c3d72f125a4214302435ce0b5d7ed78b2677bd504d5dda

SHA512
9e95943b4ee7f632e8c782c899de8fe7a6f6e80dae7c20bb3d8c2a77c01afe684b27547a02cef2f76c8cfee2ac83597fe7c9c2ad431cf502be48a98ecdb348a8

Download Submit
C:\Windows\SysWOW64\Kphmie32.exe

Filesize
340KB

MD5
5e9a84fcd81136d9715f25991a6ae663

SHA1
09aaaf881e20c59f39a3e2c1add411ac047245c9

SHA256
38e6729ed03418633428d6cc67f4284dcff1fd9c8b96e5cb21180c133b0c3536

SHA512
367feb72694f1055b03f71af7783b8e1a92909d79fc4363bd458ff07fe797072a5b7b62ce559741f69de21c36782292f30baf8057927114f1c73b8a903431457

Download Submit
C:\Windows\SysWOW64\Laciofpa.exe

Filesize
340KB

MD5
80d1920ce2af51e89470a15692a2436a

SHA1
67e32458500760358b6de9dc92bdf2cc0596eabc

SHA256
52ac0d3573517e62fb8bd54932d25c843ca0be3ba990078db30f4ad76422b558

SHA512
3e7530c327e307da7c954913918dd55985f7c79cc46e872b7b33aa63807a262923fcc29ad988e4835943ceb5c13d4410d00912b12a9f109f041746fe56928183

Download Submit
C:\Windows\SysWOW64\Lgkhlnbn.exe

Filesize
340KB

MD5
acf5ad744f6cebdea4d3ef55df2bb0ed

SHA1
b35457302c45271fdeda79d679e830bedf958991

SHA256
958b747a8b6a024cd04dd75dbf2ead9ab278c093dab3dfca6dbc6d186d6fee87

SHA512
56a91d6635f4437be2e2d2704919b196cdbf89d4349ac728b050fd6b3571b267275f70d7cdfd961d59ec61e8d99038bd85a84fef89a9b071d41bf82bc3529afd

Download Submit
C:\Windows\SysWOW64\Ljnnch32.exe

Filesize
340KB

MD5
1c9e0d6e278a9286091be92e0a75f745

SHA1
5291cfb43093ffc5f3d775e0dc81899a5d3bd8f4

SHA256
9122f0e91db602b76a97b10051d1f154a17352cfc553ac46e800951294aef81f

SHA512
e477e7388d45fcd77a094ee89bfef51d19de59f8564fe65de9a5502c66509023261341b5c52613b1e456d54b962673f7fd38fd71c0189ecf08c0c1822d11c355

Download Submit
C:\Windows\SysWOW64\Lmccchkn.exe

Filesize
340KB

MD5
06e12db55998de759dc1587e34f3af0e

SHA1
474471d9e32c6254e0749263f810bec56b3bee5c

SHA256
728c20bb15072e0f0c5da80ab3f83c6380d7e696e8eff586efe42415d52ced05

SHA512
79ee2db16634ab9ae24ba11cf96ff72405f9fce38bbafe40c65fb533dde47c41726384c798c4f99f23e1d90721d694cc4d10f650d171765dcfc173ac60fadc7b

Download Submit
C:\Windows\SysWOW64\Lpappc32.exe

Filesize
340KB

MD5
ebfdce23820250573ce9615736a3301f

SHA1
aed1eafbbb33548ff14a43321a561ba96621db98

SHA256
d6b9dede6206d6ba5e378a9cf55d3daef39903d74f09cafeda065e23586824a4

SHA512
49a6e964942b95d8b98ef3a34dd7e7700f9f49c04dc6843d63d9045af98aff676fe12e52b420d573455f877d0bf12b1799f90987cd47578ace582e3ab751b331

Download Submit
C:\Windows\SysWOW64\Lpcmec32.exe

Filesize
340KB

MD5
6a4c8369d8de8b86f5a11fcf306df181

SHA1
88320953048f253421443e42fe1bae1602ec1a0a

SHA256
4fbb077c120d7f7fc7d9b4c22bede16563ef853da09a1b8cec97d4cb40919052

SHA512
4f3c48b95a97eeead85b6202ff13aab978449872d75e5b717fcca010a5d925940c0a66bbab6c8e83190551e22c2e8aaf07971ff8dae8e03d3b26ce1b2f1b1787

Download Submit
C:\Windows\SysWOW64\Lphfpbdi.exe

Filesize
340KB

MD5
9cedd6372e83277957e4b5d457021aa5

SHA1
e9c931f89ccacf19dbc78ed8a8a46d4158ae65d5

SHA256
2875ce65dbe4f0c1cec0dc3ed98bdae082489b08db6974e392e523670cec2b56

SHA512
ea05dea4b9ad30f1f24f817b18d5b329bc45c6397c5de106b5b74a12b78352965908156bf143d339e7b8d8894a787a737e911eacc152264da54cf4c398839a60

Download Submit
C:\Windows\SysWOW64\Lpocjdld.exe

Filesize
340KB

MD5
af9fc48e338f8afcf4779d32e9c2b66a

SHA1
d64ae5e5f0791ab4736bcd2e7fd990891e284ffd

SHA256
1e7094471adfa214055f56139cec7cbf2b2b7281f884668501f5dcec4690277a

SHA512
cc94ca42de795a35aa2e7bc9f6ae7906fc29f42f868130791c44ef27d274a2dfd89964a2aac60ac6026541f183fab320d4ab443d91b5437d64338e63ac264c70

Download Submit
C:\Windows\SysWOW64\Maaepd32.exe

Filesize
340KB

MD5
33df17b84daa080658983c98753f4e49

SHA1
bc303d5673836cd755f13ff151e9fa1042225462

SHA256
7939bf05fa464dd2cd62d67df30465928b284e3de774167fabf6071202e7548c

SHA512
2db809d5ea9a0db9154f4d5bdac7d6448e688c5d0485fd18c4669a64ebfa8b4ea3c1ca7d4ea6c5da13b26491b2827af26f7412976dcd964f80827acca02c34b6

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
340KB

MD5
2ff319ef97a260b93b2b534d603cd9a2

SHA1
0ce7398b115066ad0c59cb56e8bafc052e89a33f

SHA256
d1e24919979615925b7bb0654dbd767623081e4aeb11671b3f3d21168f6ac6c6

SHA512
d8f52fa405e93b67cfe9d659bee77550ebcaa350c243c647a1e8c4092ef05d7134af76388b5015c053aaf8266dc240d5af8a3fa41d367582e3e549c2dd3f1a5a

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
340KB

MD5
05176554a411f8d5a27016e6fe611a3e

SHA1
686bb6646d2278281ac64fedcb3c5e6f7a2564f6

SHA256
5130b4de04ddfb44b6e03a2625645f4cb81dd2a00a88a587c5cce22cc161e0dc

SHA512
385b3de9879049d0dc1e4c7480d9b1ddb201398cdefa574fc5250e3259024aac40d30049ae5711d07b90f9ab1e6d8747145df8eaeb7e5719c06a29808f649130

Download Submit
C:\Windows\SysWOW64\Mdpalp32.exe

Filesize
340KB

MD5
c8d3f9c83c220a2c46ec879032f14f91

SHA1
0d8aea3bd1cd36cb6655d4fefe5441f05f69ad71

SHA256
f6c328ce0db973e1fe1c9a0018b2c15410497f29736f20b644c4b517abf9518f

SHA512
6a65580ef30ced14bad4a5b521993cb5acbfe366727eb6011ce3691b182a8e44374f31dfd530029bcf01e3101faa9ca4a4b9f3a1a20990e72e890686b0e257e6

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
340KB

MD5
240b0fcf352a3bb295f5f0e7e432c9fb

SHA1
22a455e6f5f26f575edc59ba3ec25a4ada4ee23b

SHA256
d62b349822021288484f92a6e5025a12fd2fca72c021313af62e31f4dc338987

SHA512
6611db410da8256a19fb3ec4a8f45e4fda7fc4af53dd2a76d439333722e39432b4b49066b59fdecbc5d725bd30aa3df3bb789f97fca94431dd80c8d4d92cff23

Download Submit
C:\Windows\SysWOW64\Mgidml32.exe

Filesize
340KB

MD5
230aa8d95537dc254baf47a9c31af1bb

SHA1
8ea6b537f9693ba6be5737125d511f066ea304d4

SHA256
8cd00febb71879bd9e887bbc868130fb21d5dc188283dbf749ceef4e478a5270

SHA512
9c7e5a632e6e3d9facc5b99d0ce78f0d97a539899a9604837b7d64f8aef680f90a10ff03e3188d6a4fd30dec848cb88d2ab216e6db77fc534c644d49c3e13fa0

Download Submit
C:\Windows\SysWOW64\Mglack32.exe

Filesize
340KB

MD5
e827e04b8e9e339f98c22857e4ae081f

SHA1
de0946072ed80d2257e9c6321cb0d88ffce0ac32

SHA256
c0c0f45d51390bd805092dbd4c04ce355cede5d2598fedc476e9828034a36bba

SHA512
448d57bda65bc069df79d48363e6cc93b0bf2ff9203aba344e52b9a18a89c3416b0cf68aea677aaa96f7f3d286855d9f66d22ba53e0c6898e39556b9d69bd13c

Download Submit
C:\Windows\SysWOW64\Mjeddggd.exe

Filesize
340KB

MD5
07ffe3939f46cceddb02be3c4f190576

SHA1
6b144267990d178d59da210c34a74c63e929f855

SHA256
d1ee23e1a2ef86ad13bb81bd32e4859c2e626ad4d47f29d6014176d06bc1d886

SHA512
03b4c86f5c408b81430b3fc820585daaf07e4c9c9a4facbbf7470978e7323ec3339574a2e4341d456cacd3aaa936d4b0632fa0e6dde7c016530ee0b1aa5ec3f6

Download Submit
C:\Windows\SysWOW64\Mkeebhjc.dll

Filesize
7KB

MD5
8a129845ef91926edba4fff2ef919466

SHA1
243199d58ced4f36bee1fc91463fb289febdf268

SHA256
6962245bc2f7661817d2c0d71fd2a9057b56b391f4e286a40354e9ef0a917b02

SHA512
e04d4e1ff7cee0c7b76555084f8273e4d671eaf878c5662da74f4a3a0fc7f07a272a978171e684e053c7273b9fd4141246e04429dde7ac6f470ec4ba6285a0f5

Download Submit
C:\Windows\SysWOW64\Mnlfigcc.exe

Filesize
340KB

MD5
3662876930f5ccf32a4b80d73c5780f1

SHA1
aa8a916d4262d0f91a2e2e12e1037ba6283b5c90

SHA256
b4428f746d43c343a117d84607960b6e4aca4dfc65e2d4436b8125ad21f372a8

SHA512
8e5cae4ebe52d92f66a9b99790cc266929fea1ef28e78f78915655109ad5c0102e4ba281283fe4ae4a24b0999e1e5719e06f51b7f4a3ec543db98b1ae2776b1d

Download Submit
C:\Windows\SysWOW64\Mnocof32.exe

Filesize
340KB

MD5
5125ee41af3ec01cad121d10dd13e350

SHA1
2ff08688de2782eb47976450a2507555597dfca9

SHA256
c19f12dce4f14ff9402ba488068639164141a7a9b5e3074e0a59d93ad3a74d30

SHA512
866893916eef692af7bfafa4ff55bc6b7bf23efef4f7f1922892043f433985aca3bfa8437bfacb0cc5b6a78527ffc9846a2aad2a8d47b0821751fea7fcbd207d

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
340KB

MD5
51d400abb757745c9091bc3b50da7681

SHA1
c5035a88b8749160c282bc2c6c7083df8e3bc343

SHA256
96c7c2fbe3cad68e82910009246621e166087ad70febc1476b8d4248263eb8c0

SHA512
bc19402c195a0303501c3871ace1ca2c393c485b1e74ba34d24bdcb630dfb45439ca3727ae6876bdc6ee379448a68290a2e4e2f80b10582eebc1845e0e1db4c5

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
340KB

MD5
89db702e2b1abcc8a98da32ac7d3b0af

SHA1
2bb2bac5d88909c40efa0ca7ddd89d168c4169f5

SHA256
b25cd41707001ac2b120917a5692b3af39dbae686529b6876957d6d90017f993

SHA512
39114af6b1994cdc6b300cf4811f386bc6e85d97b5a2adb4700e3a47cc0616d5b2c79b369e4882fac8c1dab5d5ed0548320b661758fc8d482e55c6f85bb8a927

Download Submit
C:\Windows\SysWOW64\Njljefql.exe

Filesize
340KB

MD5
715017a2b89df3396cd009349399059b

SHA1
77d811be355802d46baf5f74d147cb01b12e5780

SHA256
929eca4878b6342ab83b59a23eb838d1b372e17d90fcf5b5bc4dd25054093705

SHA512
e818054184928418ce49cdc2391a126be9769f2b997bdaac4a77be3570d001686b29676808ac62de349f42e00a5a7de3bb14931e149149bc2f30e6e07f4e7307

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
340KB

MD5
8ee38fae76e2c59e92e59cbb451b4d61

SHA1
8b2c019cff5086c56628454dcb117e836cef7054

SHA256
3ebf1cb2c1dc03c26cae4971c1093fc42f8bdb59a8f1e897ea1688bcb1c0b40c

SHA512
52a589deb882a9d5540d2267f6d4c6551a30e85ce7f14542e7c97d6843b1df85f042e848aba273598cb8f2f0a4c52940ae5fb744f7497be0957ef669c462b273

Download Submit
memory/532-341-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/532-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/536-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/760-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/864-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/864-338-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/868-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/868-351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1028-168-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1028-331-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-103-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1048-339-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-191-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-329-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1080-251-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1284-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1284-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-327-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1500-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1524-144-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-224-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1968-325-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1976-284-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-342-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1996-79-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2028-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2212-332-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-324-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-350-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2612-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-152-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2672-333-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2812-344-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2916-349-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3388-43-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3388-347-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3468-181-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3624-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3636-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3636-343-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3748-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3748-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3772-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3772-337-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4092-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4092-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4112-336-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-186-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4136-330-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4176-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4176-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4332-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-323-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4384-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-326-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4432-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-48-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4440-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4440-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4492-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4492-348-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4540-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4904-290-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4924-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4924-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4944-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5108-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads