0fc2ad799d1718f7c5cc34c71cd6dea16b21cd4755dfecd34400182cf880be92

Analysis

max time kernel
136s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24507bbaba953e1c235a2a6b4849b292_NEAS.exe
Size

896KB
MD5

24507bbaba953e1c235a2a6b4849b292
SHA1

ef791939f657013a803c00050f98632e892e9d0b
SHA256

0fc2ad799d1718f7c5cc34c71cd6dea16b21cd4755dfecd34400182cf880be92
SHA512

8fb79842f184573535340064fb3ec8d748472df30ed94404e2d33d8c11c41b1b07207fa99349dbde55e7c581716e97d5b3d1e0f1738e180dad97dac050b1ec15
SSDEEP

24576:HsBR6Ph2kkkkK4kXkkkkkkkkhLX3a20R0v50+5:uWbazR0vp

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkdnpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mamleegg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njogjfoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imdnklfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laefdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcklgm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jagqlj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcbiao32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iannfk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jiikak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmpngk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjqjih32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfaloa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jiikak32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkihknfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmmhjm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpaghf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iiffen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kknafn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lilanioo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe

Executes dropped EXE 32 IoCs

pid	Process
868	Hmmhjm32.exe
1944	Ipldfi32.exe
4396	Iiffen32.exe
4620	Iannfk32.exe
1892	Imdnklfp.exe
4640	Imgkql32.exe
4820	Jfaloa32.exe
712	Jagqlj32.exe
1580	Jbhmdbnp.exe
4012	Jmpngk32.exe
3732	Jkdnpo32.exe
3012	Jpaghf32.exe
3216	Jiikak32.exe
4632	Kbapjafe.exe
2436	Kkihknfg.exe
2396	Kknafn32.exe
1608	Kdffocib.exe
1424	Kdhbec32.exe
1452	Kkbkamnl.exe
1676	Ldmlpbbj.exe
2912	Lcbiao32.exe
4628	Lilanioo.exe
4168	Laefdf32.exe
968	Mjqjih32.exe
4268	Mcklgm32.exe
4080	Mamleegg.exe
2248	Mcpebmkb.exe
3452	Mjjmog32.exe
4340	Njogjfoj.exe
636	Njacpf32.exe
4548	Njcpee32.exe
2024	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Akihmf32.dll	Kknafn32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mamleegg.exe
File opened for modification	C:\Windows\SysWOW64\Hmmhjm32.exe	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
File created	C:\Windows\SysWOW64\Ipldfi32.exe	Hmmhjm32.exe
File created	C:\Windows\SysWOW64\Jiikak32.exe	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Enbofg32.dll	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Njcpee32.exe	Njacpf32.exe
File created	C:\Windows\SysWOW64\Opocad32.dll	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Iiffen32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File created	C:\Windows\SysWOW64\Ebaqkk32.dll	Lilanioo.exe
File opened for modification	C:\Windows\SysWOW64\Mjqjih32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Ekmihm32.dll	Iannfk32.exe
File created	C:\Windows\SysWOW64\Lmmcfa32.dll	Jiikak32.exe
File created	C:\Windows\SysWOW64\Aajjaf32.dll	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Kknafn32.exe	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Lidmdfdo.dll	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Epmjjbbj.dll	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mamleegg.exe
File created	C:\Windows\SysWOW64\Hmmhjm32.exe	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Imgkql32.exe	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Anmklllo.dll	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Ihaoimoh.dll	Kkihknfg.exe
File created	C:\Windows\SysWOW64\Kdhbec32.exe	Kdffocib.exe
File created	C:\Windows\SysWOW64\Lcbiao32.exe	Ldmlpbbj.exe
File opened for modification	C:\Windows\SysWOW64\Mamleegg.exe	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Iiffen32.exe	Ipldfi32.exe
File created	C:\Windows\SysWOW64\Kbmebabl.dll	Iiffen32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Jmpngk32.exe	Jbhmdbnp.exe
File created	C:\Windows\SysWOW64\Jkdnpo32.exe	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Nilhco32.dll	Jkdnpo32.exe
File opened for modification	C:\Windows\SysWOW64\Kkihknfg.exe	Kbapjafe.exe
File created	C:\Windows\SysWOW64\Mamleegg.exe	Mcklgm32.exe
File created	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Bclgpkgk.dll	Imdnklfp.exe
File created	C:\Windows\SysWOW64\Jfaloa32.exe	Imgkql32.exe
File opened for modification	C:\Windows\SysWOW64\Jfaloa32.exe	Imgkql32.exe
File created	C:\Windows\SysWOW64\Bgllgqcp.dll	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Bekppcpp.dll	Hmmhjm32.exe
File opened for modification	C:\Windows\SysWOW64\Iannfk32.exe	Iiffen32.exe
File created	C:\Windows\SysWOW64\Eqbmje32.dll	Kkbkamnl.exe
File created	C:\Windows\SysWOW64\Mcklgm32.exe	Mjqjih32.exe
File created	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File opened for modification	C:\Windows\SysWOW64\Jbhmdbnp.exe	Jagqlj32.exe
File created	C:\Windows\SysWOW64\Ldmlpbbj.exe	Kkbkamnl.exe
File opened for modification	C:\Windows\SysWOW64\Lilanioo.exe	Lcbiao32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Njcpee32.exe
File created	C:\Windows\SysWOW64\Jagqlj32.exe	Jfaloa32.exe
File created	C:\Windows\SysWOW64\Jflepa32.dll	Jpaghf32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Njacpf32.exe
File opened for modification	C:\Windows\SysWOW64\Jagqlj32.exe	Jfaloa32.exe
File opened for modification	C:\Windows\SysWOW64\Kbapjafe.exe	Jiikak32.exe
File opened for modification	C:\Windows\SysWOW64\Kkbkamnl.exe	Kdhbec32.exe
File opened for modification	C:\Windows\SysWOW64\Lcbiao32.exe	Ldmlpbbj.exe
File created	C:\Windows\SysWOW64\Mjqjih32.exe	Laefdf32.exe
File created	C:\Windows\SysWOW64\Jgengpmj.dll	Mcklgm32.exe
File opened for modification	C:\Windows\SysWOW64\Njogjfoj.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Njogjfoj.exe
File created	C:\Windows\SysWOW64\Qknpkqim.dll	Jmpngk32.exe
File created	C:\Windows\SysWOW64\Kknafn32.exe	Kkihknfg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
860	2024	WerFault.exe	119

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmmhjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akihmf32.dll"	Kknafn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdhbec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmklllo.dll"	Jbhmdbnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkbkamnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imgkql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdimilg.dll"	Kdffocib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcdihi32.dll"	Kdhbec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihaoimoh.dll"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ipldfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Njcpee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmihm32.dll"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgllgqcp.dll"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbhmdbnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mamleegg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laefdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhapkbgi.dll"	Mamleegg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	24507bbaba953e1c235a2a6b4849b292_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfcbokki.dll"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njogjfoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflepa32.dll"	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enbofg32.dll"	Kbapjafe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Imdnklfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcklgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkillp32.dll"	Ipldfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iannfk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jagqlj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jpaghf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmlpbbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iiffen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkdnpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jiikak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaqkk32.dll"	Lilanioo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcjqj32.dll"	Jfaloa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdffocib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmlpbbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkocp32.dll"	Lcbiao32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmjjbbj.dll"	Mjqjih32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmpngk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkihknfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkbkamnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lilanioo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Imdnklfp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 868	1516	24507bbaba953e1c235a2a6b4849b292_NEAS.exe	83
PID 1516 wrote to memory of 868	1516	24507bbaba953e1c235a2a6b4849b292_NEAS.exe	83
PID 1516 wrote to memory of 868	1516	24507bbaba953e1c235a2a6b4849b292_NEAS.exe	83
PID 868 wrote to memory of 1944	868	Hmmhjm32.exe	84
PID 868 wrote to memory of 1944	868	Hmmhjm32.exe	84
PID 868 wrote to memory of 1944	868	Hmmhjm32.exe	84
PID 1944 wrote to memory of 4396	1944	Ipldfi32.exe	85
PID 1944 wrote to memory of 4396	1944	Ipldfi32.exe	85
PID 1944 wrote to memory of 4396	1944	Ipldfi32.exe	85
PID 4396 wrote to memory of 4620	4396	Iiffen32.exe	86
PID 4396 wrote to memory of 4620	4396	Iiffen32.exe	86
PID 4396 wrote to memory of 4620	4396	Iiffen32.exe	86
PID 4620 wrote to memory of 1892	4620	Iannfk32.exe	87
PID 4620 wrote to memory of 1892	4620	Iannfk32.exe	87
PID 4620 wrote to memory of 1892	4620	Iannfk32.exe	87
PID 1892 wrote to memory of 4640	1892	Imdnklfp.exe	88
PID 1892 wrote to memory of 4640	1892	Imdnklfp.exe	88
PID 1892 wrote to memory of 4640	1892	Imdnklfp.exe	88
PID 4640 wrote to memory of 4820	4640	Imgkql32.exe	91
PID 4640 wrote to memory of 4820	4640	Imgkql32.exe	91
PID 4640 wrote to memory of 4820	4640	Imgkql32.exe	91
PID 4820 wrote to memory of 712	4820	Jfaloa32.exe	93
PID 4820 wrote to memory of 712	4820	Jfaloa32.exe	93
PID 4820 wrote to memory of 712	4820	Jfaloa32.exe	93
PID 712 wrote to memory of 1580	712	Jagqlj32.exe	94
PID 712 wrote to memory of 1580	712	Jagqlj32.exe	94
PID 712 wrote to memory of 1580	712	Jagqlj32.exe	94
PID 1580 wrote to memory of 4012	1580	Jbhmdbnp.exe	95
PID 1580 wrote to memory of 4012	1580	Jbhmdbnp.exe	95
PID 1580 wrote to memory of 4012	1580	Jbhmdbnp.exe	95
PID 4012 wrote to memory of 3732	4012	Jmpngk32.exe	96
PID 4012 wrote to memory of 3732	4012	Jmpngk32.exe	96
PID 4012 wrote to memory of 3732	4012	Jmpngk32.exe	96
PID 3732 wrote to memory of 3012	3732	Jkdnpo32.exe	97
PID 3732 wrote to memory of 3012	3732	Jkdnpo32.exe	97
PID 3732 wrote to memory of 3012	3732	Jkdnpo32.exe	97
PID 3012 wrote to memory of 3216	3012	Jpaghf32.exe	98
PID 3012 wrote to memory of 3216	3012	Jpaghf32.exe	98
PID 3012 wrote to memory of 3216	3012	Jpaghf32.exe	98
PID 3216 wrote to memory of 4632	3216	Jiikak32.exe	99
PID 3216 wrote to memory of 4632	3216	Jiikak32.exe	99
PID 3216 wrote to memory of 4632	3216	Jiikak32.exe	99
PID 4632 wrote to memory of 2436	4632	Kbapjafe.exe	100
PID 4632 wrote to memory of 2436	4632	Kbapjafe.exe	100
PID 4632 wrote to memory of 2436	4632	Kbapjafe.exe	100
PID 2436 wrote to memory of 2396	2436	Kkihknfg.exe	101
PID 2436 wrote to memory of 2396	2436	Kkihknfg.exe	101
PID 2436 wrote to memory of 2396	2436	Kkihknfg.exe	101
PID 2396 wrote to memory of 1608	2396	Kknafn32.exe	102
PID 2396 wrote to memory of 1608	2396	Kknafn32.exe	102
PID 2396 wrote to memory of 1608	2396	Kknafn32.exe	102
PID 1608 wrote to memory of 1424	1608	Kdffocib.exe	103
PID 1608 wrote to memory of 1424	1608	Kdffocib.exe	103
PID 1608 wrote to memory of 1424	1608	Kdffocib.exe	103
PID 1424 wrote to memory of 1452	1424	Kdhbec32.exe	104
PID 1424 wrote to memory of 1452	1424	Kdhbec32.exe	104
PID 1424 wrote to memory of 1452	1424	Kdhbec32.exe	104
PID 1452 wrote to memory of 1676	1452	Kkbkamnl.exe	105
PID 1452 wrote to memory of 1676	1452	Kkbkamnl.exe	105
PID 1452 wrote to memory of 1676	1452	Kkbkamnl.exe	105
PID 1676 wrote to memory of 2912	1676	Ldmlpbbj.exe	106
PID 1676 wrote to memory of 2912	1676	Ldmlpbbj.exe	106
PID 1676 wrote to memory of 2912	1676	Ldmlpbbj.exe	106
PID 2912 wrote to memory of 4628	2912	Lcbiao32.exe	107

C:\Users\Admin\AppData\Local\Temp\24507bbaba953e1c235a2a6b4849b292_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\24507bbaba953e1c235a2a6b4849b292_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\Hmmhjm32.exe
  C:\Windows\system32\Hmmhjm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\SysWOW64\Ipldfi32.exe
    C:\Windows\system32\Ipldfi32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\Iiffen32.exe
      C:\Windows\system32\Iiffen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\SysWOW64\Iannfk32.exe
        
        C:\Windows\system32\Iannfk32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\SysWOW64\Imdnklfp.exe
        
        C:\Windows\system32\Imdnklfp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\Imgkql32.exe
        
        C:\Windows\system32\Imgkql32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Jfaloa32.exe
        
        C:\Windows\system32\Jfaloa32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Jagqlj32.exe
        
        C:\Windows\system32\Jagqlj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Jbhmdbnp.exe
        
        C:\Windows\system32\Jbhmdbnp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Jmpngk32.exe
        
        C:\Windows\system32\Jmpngk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4012
        
        C:\Windows\SysWOW64\Jkdnpo32.exe
        
        C:\Windows\system32\Jkdnpo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\SysWOW64\Jpaghf32.exe
        
        C:\Windows\system32\Jpaghf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Jiikak32.exe
        
        C:\Windows\system32\Jiikak32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Kbapjafe.exe
        
        C:\Windows\system32\Kbapjafe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Windows\SysWOW64\Kkihknfg.exe
        
        C:\Windows\system32\Kkihknfg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\Kknafn32.exe
        
        C:\Windows\system32\Kknafn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Kdffocib.exe
        
        C:\Windows\system32\Kdffocib.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Kdhbec32.exe
        
        C:\Windows\system32\Kdhbec32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Kkbkamnl.exe
        
        C:\Windows\system32\Kkbkamnl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Ldmlpbbj.exe
        
        C:\Windows\system32\Ldmlpbbj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Lcbiao32.exe
        
        C:\Windows\system32\Lcbiao32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Lilanioo.exe
        
        C:\Windows\system32\Lilanioo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4628
        
        C:\Windows\SysWOW64\Laefdf32.exe
        
        C:\Windows\system32\Laefdf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Mjqjih32.exe
        
        C:\Windows\system32\Mjqjih32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Mcklgm32.exe
        
        C:\Windows\system32\Mcklgm32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Mamleegg.exe
        
        C:\Windows\system32\Mamleegg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Njogjfoj.exe
        
        C:\Windows\system32\Njogjfoj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        33⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 400
        34⤵
        Program crash
        
        PID:860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2024 -ip 2024
1⤵
PID:4140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Hmmhjm32.exe

Filesize
896KB

MD5
bce9a1e83a4f9a57fc20d7f88a7ccbbb

SHA1
50303296591ed694534c22908e0faacf5e4f394d

SHA256
09c4a735b763f2e0a6fa6a89999bcc56276628ef2a0299d758eec335bdce6f41

SHA512
bf5cb51df7b83353d51f3f226d159eaa52bed87441eca042a130cd9a262cb14408c14d0bc8e778b42e2f31ea253d163a7ca643d37d19d4b4c86d3b92694d6edd

Download Submit
C:\Windows\SysWOW64\Iannfk32.exe

Filesize
896KB

MD5
7894e060afa31f1942f45bd4cb6a6719

SHA1
4d42876bc5f28aafa3feedf71cb627573c746530

SHA256
cc1ece536b05a6ce135f64df915550f8197d492b56a59686c76821e89226e7c1

SHA512
2fc50f6b1137d201ba04911d791c924bc5d05010059bfc1f2aa93c49175b70b3392f5979f308792ce968b5a3a23ece57ef1cbedccdd7d44f32ccba95d37dda7b

Download Submit
C:\Windows\SysWOW64\Iiffen32.exe

Filesize
896KB

MD5
0607d65c4ac52f762adb5910128c074c

SHA1
a3bfac5b8122b92a66eff3c9cab38218dcd2a638

SHA256
7e69e1843f5df3326f6ae7486b0d0a9229ce56b03074a35fed3b67b392287bb1

SHA512
bc429c5bc368fd997c1950c1e82fce05dfa656c75cfb231e87c688cc90f080500f87162153118175b1741a8212ab6864f53a3277aa609603c9d9cb642456ed1b

Download Submit
C:\Windows\SysWOW64\Imdnklfp.exe

Filesize
896KB

MD5
8f356d755319ee557a960e91ee59ef0c

SHA1
f9380572d9cb0e9bedf4865aba7f4a6a33d429fb

SHA256
bfbb960e16687fcc401074d475fb3bc2a96a02d513a99434948239df099de6fe

SHA512
9beedc46a0438f2a10884422aae426e5d5899ff99ddf4ca183aaef7b452ee1ffeeb7c3603da3fea53ca53f954203f42fff985b411b508e38665da359bc53527a

Download Submit
C:\Windows\SysWOW64\Imgkql32.exe

Filesize
896KB

MD5
edb29f7aa75066c380c0bae1fdb3c86c

SHA1
aa2df1d703d0ea3c0f92956cb3c630f460406c50

SHA256
7db65712b17dd94b51e18abcc4a9b9864b78260e87f99dbdbf4deaa22d1dd1d2

SHA512
1d8996085b40bfced0cdf93da59626d03b7ca43c88755abd76859c041b524d6f457b247ebf57ccdd552d2605be9aecf877c819e78724a48ce92e153f521f8237

Download Submit
C:\Windows\SysWOW64\Ipldfi32.exe

Filesize
896KB

MD5
fb336d232f21dd96e73d877b5abcea21

SHA1
7a980824a9a92e6194498bb17286349f8c19f0ed

SHA256
1f266a852c8336a667c59824bbdfb21db7e7ddc1d4b6db829cdb407ec7b30e3b

SHA512
ff76d25eb14d6ca1cf05529e84d08e6a75a174a2b485faaed3be6d63941f760c98f66e88b8698eedf9351975fb20865c51fcc765298a699264d78e1373bb3dd8

Download Submit
C:\Windows\SysWOW64\Jagqlj32.exe

Filesize
896KB

MD5
10693be4d08f6a141f7c8c1d1c8f993f

SHA1
ba3e52ba08ecb292093827ce7d3d683976d3cfd2

SHA256
5970d11ec84c36781062b776fce5950eab3e7d4b2afb5b550774b4b82fe59a99

SHA512
19d57ae75a496fa467264786b83bc347d65150aadc72b6e01ebee0357f33fba95b741411ef978792e11ebfffebc24b5eac6a65dcaba9b9c262dd2d60f7f30652

Download Submit
C:\Windows\SysWOW64\Jbhmdbnp.exe

Filesize
896KB

MD5
56311f2f72a3ae71f08584a8fef8c843

SHA1
db27de7939d22962a33d40bbfd6564eed2aff44e

SHA256
55829a64189d72ca59b7801aa4341962c106f09790fda009ddb342d7eb623241

SHA512
b6c0bca7263db3c7c84ea2e4bac9c9799b26678e0612e23001ec4d495d13da6ef853412a6b0323884996ee185706b0a534eb542eadcf31560d4fc3da64736ea4

Download Submit
C:\Windows\SysWOW64\Jfaloa32.exe

Filesize
896KB

MD5
a2f7cb06b990e81bc8d1d728ebd55676

SHA1
b10c7ed40e5ee98020089bf07cebabdd5430dc38

SHA256
21a883aa2215496b65ec4f600e1cf656aa78b3cbffb97c81ca815233582eae20

SHA512
fb12dda6f383ea486a0ef5887962a2ca9add66f89211f89b76ad70a968d63aec71fab54ceff38dbe74b66e67ef732ec1420e037c909d733b85afa1ca5dce9f84

Download Submit
C:\Windows\SysWOW64\Jiikak32.exe

Filesize
896KB

MD5
f80e7834915b7815b89da33e055c360c

SHA1
bb05299547206edb8bfd22ce34a170f74f4e459c

SHA256
e32c721325b6f90d6efa87ef2708171c7731940c58e4014e0049364bf018095b

SHA512
afdbba4435bc1798505c527f92060af94d74d70fc3958b7d660c330edc1554f3a3f0d4345d5270e5aa59cc6822ad749ffb4f237170f47698ee16c10873900379

Download Submit
C:\Windows\SysWOW64\Jkdnpo32.exe

Filesize
896KB

MD5
dd580d9ffc002df23fd04b42e7c18fa9

SHA1
94cba317e6ee7aeca666b0d61087d2990a5758b7

SHA256
03c820faa2649e888dd3b5f432578e0ec5f42d5b974a22bcb598ed52717c0d12

SHA512
b7777d7eb50b2912196e51d48ee6142e007f95809bc4bd2ac9751abd30cc6caa2a545437b7a794d935218670b94314aed2a7c0525ee30e81f3fd32b4f810cb93

Download Submit
C:\Windows\SysWOW64\Jmpngk32.exe

Filesize
896KB

MD5
c99b7a1d4867ea5a17f551358553083e

SHA1
ae541ebfbd67c0e13cfc6175de30b63b034b40e4

SHA256
164c6bea3d5ee28a0e827d9fd2bf3a744d38d4d2f7b5f483f2b671111a4cf745

SHA512
47f76774e3a837d77d72c7d26b7206b5e304a633d42f073f71105defc85de44e3c4697908d6116f6772b354549de1095051dc6570331d939af0d6e53b3deff89

Download Submit
C:\Windows\SysWOW64\Jpaghf32.exe

Filesize
896KB

MD5
efae944c47a8573259ff756b9783237c

SHA1
e4cf30406eeef35a117ab2f46daac6459341ce59

SHA256
ddeadf20a4c1a718972a2f90242068c1d2934771abdd14a6fa338e1ad4e65538

SHA512
d2a4b0eb399512e39b5b1f1d011b771052736a648750956bbd0a93dccf0bfed469feab9cf813cf0c567f8c86c13004db7717003bac83be64df9297d30e1be51b

Download Submit
C:\Windows\SysWOW64\Kbapjafe.exe

Filesize
896KB

MD5
4296c3e764d38cf4ed23003469a7ec75

SHA1
8b5af3b44862b3fbd742957e57794c926d845361

SHA256
9291b552190e4d8a5c563f3a02ea0551a0fc8f43614803e75338e66d2327a653

SHA512
bf91e3848cda379c53929996d5c7b4a8f7a3b636f778e7c14e7fb39995f99668b2f40db940a8a108f959db1a32812974ff934738b7ca3e149ec93574d04dcaf4

Download Submit
C:\Windows\SysWOW64\Kdffocib.exe

Filesize
896KB

MD5
81920873a0ac423465eaad440431962a

SHA1
20f0fcf9f408ccef5237d45e66510fa4c4f6290c

SHA256
c376acab68ba322d1c3750c9197e543dccdcaae4522c320a8a602990ce3ca8bf

SHA512
9b413338ba52bd84083b23ff94a623f7aef0038a15014b5fd133e711feae2c4386e8e82eab8fa2df6bbbb4043dc8bc966dfe6b015a1bd3a951d575f57fa69ba3

Download Submit
C:\Windows\SysWOW64\Kdhbec32.exe

Filesize
896KB

MD5
90ed4e5e8a117cd36c1867cb667f86e3

SHA1
91bf8085f332e528cb1675bfc3a47c68b81a385c

SHA256
c53230124e0684b3859cd93d41ce32c1f6d5cd1b7341348e0955c8648ad809a0

SHA512
1d7dba8e7abcebc5e3cac285cfa7b96f94fe85ae933a0f1391070ca5158d70f65b0d4ce1be11d3a59810c2db1d3e1de07b10d5e839ae9e695a06d5fd9402158d

Download Submit
C:\Windows\SysWOW64\Kkbkamnl.exe

Filesize
896KB

MD5
9939e93881c0d4afda2f61c5c7907645

SHA1
42345caf1004b2f4a164e2d6a76508bd2098d277

SHA256
74861db9f8b03f53e263acf9c1a32fd26dbe021d5bccbdaa1ddd16ece5fe1d64

SHA512
062b0c204be6cbbcdc47b9e1267d2213a1344effa09558b2076247619614b212eb609ee2f6898db6f177f4e4dfb890180c1e8224ccd307a3b607a6421a7ec568

Download Submit
C:\Windows\SysWOW64\Kkihknfg.exe

Filesize
896KB

MD5
9cddd498b381c990edfa5d36371ec40e

SHA1
0bb38a4b771d7f08f3c0817efac412b0aa8e6b66

SHA256
24fc1ed4cfb5c926e25f38df218eacf5633c4d7dcf84089b63417680e0490b62

SHA512
6d5f6574a1d7a77ae4adde8b781a8bcc9fa45d22fdeaaa44adefe37d9338297012384bde5428bdd1c5b4eff8c1c65260c63ed83602992d4e2a40492d1f5cbb0f

Download Submit
C:\Windows\SysWOW64\Kknafn32.exe

Filesize
896KB

MD5
474387957f09722105a08eb59f420139

SHA1
cf7b322395e7bad77e72a26fed4e7d7fc0726734

SHA256
8e6fa137429e33ccd2db24bb3fc448d074eaf4a16fb5b2c1adf2ff35eee1b372

SHA512
e39f3f76e4b2b3e1e6d611e47fc875dd24c9b32e7a785a964a169af3929be2c6205f60bd52cdb8cecedb0172da507eb8abc3c2887c91dc22bbb6831e47d24b0b

Download Submit
C:\Windows\SysWOW64\Laefdf32.exe

Filesize
896KB

MD5
7c34261d813bd77f3131dd6e155f264b

SHA1
f5355d97b6f0b61ed2b30d8aa26b87343a7b2c70

SHA256
3a473fae7348c794cff61d656521ff4ab35f470251b6914f784d354e8a912eca

SHA512
8ee277985c002e82257641f6bb0c76bf64cc06ad7da0b7b2e7208993a17682e638c38e53870593f87c554a1553411b18005a712293d8d87bbee925883ec58b9a

Download Submit
C:\Windows\SysWOW64\Lcbiao32.exe

Filesize
896KB

MD5
c8e620373d8c413a27fae9badff76a06

SHA1
759eaa2be2e9ddc42554f3f9df66854bb14f527d

SHA256
852944f1bf7a8d2aaa1fcf7982b281753f5e4d64ef7c03853d0d1d2a7dde8929

SHA512
85359506320fabcadd18e67a580f6b140018071cfaff64b12a7d36057355cc4963b7f4a38d0ac340d14699ae501381331e3bf563580d053de2e7fd886270187c

Download Submit
C:\Windows\SysWOW64\Ldmlpbbj.exe

Filesize
896KB

MD5
4998d4951f6719ff833b7afd8849ebaf

SHA1
5fe7914c2b624b25d17a9af595f29a6fbd0016a6

SHA256
21db71ff883b3571986584b4ddd758c0b66b141df119aa80911f2ee64a634352

SHA512
7eb2321a25b05ec2144fadb531e133b6a3b72ba936dd3523e9e64023e7ca50e2f4116d6c24260203a3b173b1cf4eef5414a20c0dbf156a4b8a5d8902069917d1

Download Submit
C:\Windows\SysWOW64\Lilanioo.exe

Filesize
896KB

MD5
e33239a69fedbb40de8911099acf809c

SHA1
6a52c5220ef75b3c92303a4a8c448653b0b908a8

SHA256
e2fc973221ff91a1f0a1272a72dd11bfa1e81df47d321fbdb82ef3cd736769e7

SHA512
cd900612afa1131f17d00165225c3690dac539ea53d004491dd84de6e170d54da7348a3b748ffaf729e0aacfe9e883832811011eb363399b213ba75b199a3e75

Download Submit
C:\Windows\SysWOW64\Mamleegg.exe

Filesize
896KB

MD5
129afad157fd6ecd6770cbb03a4f285d

SHA1
ffefccab20f0f1747e7687d226abd639a0d90bcc

SHA256
d5c6ac5c31cfee660738054d06d5fcc2b90b9853eb414bdd43ed1c07fcd2f5dd

SHA512
79ab32499a4b57c29f7923b2d14d12b6e28529ef300287df369cfddcef1122356943b8732d4d59f2e8755c7b36d62efe35e61dcb870b95fec423c14586061322

Download Submit
C:\Windows\SysWOW64\Mcklgm32.exe

Filesize
896KB

MD5
9844603a1992f2c40fe56591a1a16ac8

SHA1
ffc6f06044ff1ae6ae06468f5ee4b88c33027ce6

SHA256
47ac09bad9886a0e199e1e78b18fb9fbb5c7d6b746604555ffb11f770dc29de6

SHA512
621b5bb0da46d1cca90a3b6705771830296ad53b4a597647d92309ad16fa6951bc64776abc0062e994e3cedc0a0d027ddfcdb604f1e80c7a7104338d2db71edc

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
896KB

MD5
fcc9a80adcb711cee61130d62200e2b3

SHA1
c8fa7f869c8e1d73a13906b7ab86fc2d12040615

SHA256
2a2d69c4cd919c72df0fb8d762859d3ee79e6c1e42c9af550c16191a58b9c141

SHA512
69966d73945cffd756c1e28ce1c959d373c50e3c53942e17787aaf7a2062d133754ef246bf72da725950a2b2c6fd4d846b447c7079236c7829da9d068b7f4f5a

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
896KB

MD5
5a7d1c5016fc4b4a1ec12a8b418eb4fd

SHA1
4b84b9e676af778268cdb2dd7582a4d01100c7ec

SHA256
858307cfb10a976339d69f940ff606ab195ac5c4350372ede8c734cb1d91b00a

SHA512
3e0e96f4f876687fb1aa41b2c347535b4a247cd17bf3d3014bc56b78530019d7c6a0c198d45dccd4691e4ac59e6725112eaf9fd3a2cbca2b1be302dea697b70e

Download Submit
C:\Windows\SysWOW64\Mjqjih32.exe

Filesize
896KB

MD5
e8c3d8874e8b9005d60286f15aa42c9d

SHA1
45d99baef4f1ba6bfb90333421a08e6fdb1d8222

SHA256
0dfaf24ed2664504966fc1ef2a95c40a1317c03cb4dadfdd63f1f6196e07c6ad

SHA512
f531e3af3fcc70179503cc30d1e568b61f2759a8f533945e2169ebe73b001d7b88cafd6d2481f5cef6b4a8e6b0f4cd2600301abba6b2e7cb51f1e90557088fac

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
896KB

MD5
10d29f379e1f8c835e9894a0d3892d3d

SHA1
b6db35dc8957d712b62c58c8b6ccc8f6df75fcdf

SHA256
22674b0e4b2a619030d41f6f752509fdd6015dcf24d94dcedca5aa668309268a

SHA512
69cbf9bf197eaef551f9792d8588be656cc248b6f076dab04cd580f01cf9bc775e8a5b37e7dda16e17f3b2881e086f698da8e7c536928b733e6a5e778cd9d8e3

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
896KB

MD5
16df7cdbb169f4b6596ba984ddc77754

SHA1
87b5ee2030c229e85b296851bbc4fb781f719bcb

SHA256
66585ff6fecc532c95b7645688bb348149e5ca3fbbb0a2be83019a2656ed7017

SHA512
0bcf603bc5c491edb61f6de4e677c0dabb5d77044db6445b57360bf1d7c81cbd67ec4faab8d9be1c6b8cdd95c0149994a267ae763b63d4390a36b0e3f5b62c93

Download Submit
C:\Windows\SysWOW64\Njogjfoj.exe

Filesize
896KB

MD5
e689580a3f54bdbf89d2bbc44b9739d4

SHA1
8893d6538efd82a073ee2ecc644b6477f2ee6d5e

SHA256
da719ed9136125f5b118be7477e583e6f1d6cf202657d7c939e94da133a663d4

SHA512
4c5ea68de22fae0d39c42328a2b79a4dfeb6939a4ca25c357e3c8ed4d995e88311483e5495736edd5ba527bf611f58edafe8e6ba1ef0848496150239f98643d1

Download Submit
C:\Windows\SysWOW64\Nkcmohbg.exe

Filesize
896KB

MD5
a9d9c309484b023a50f3c8834ec8cec6

SHA1
09c6ee9acc2953f7fed7b4f3838977e420170855

SHA256
b963017f67e5aac4ba0ae691ed9486dab3144d45150713f22b1c06396fa32c1d

SHA512
83cfb26cb2ae823ba9cec08226c84f4e294b1aed5b81c4a4898e1380ea347b0796192fbc56eb2e7bf2d7785adb58b31a92a299a9c15dda2500e9c11a2ebcfa87

Download Submit
memory/636-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-5-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1516-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1892-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2436-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2912-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-93-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4012-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4168-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4268-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads