62aa8fd1fd461b8474b6331a8ece2e82727ea265f3b10ab2fa19931aecfb7d92

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6d868239243f0f6ac212e53147e1014_NEAS.exe
Size

64KB
MD5

f6d868239243f0f6ac212e53147e1014
SHA1

3bef600b20709d754722609d24c67e0e6d04deb0
SHA256

62aa8fd1fd461b8474b6331a8ece2e82727ea265f3b10ab2fa19931aecfb7d92
SHA512

bca81d92debda2b72b16df02198556c31837f8aafbe0ff2564e203ccbf8b8f64c565a10bd36271499c21c2729281842dbf41fe99ab406bc94a999ed2b92d4e94
SSDEEP

1536:OTD2c40q/2BPcJcmzuyZB4hRKGmJDZCvl0YE8Rm0Z:OTn4h3fzuSlCvl0Y/m0Z

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpolqa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjjmog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnjbke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maohkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgghhlhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpaifalo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nklfoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnjbke32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f6d868239243f0f6ac212e53147e1014_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcbahlip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjcgohig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmokb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnfipekh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f6d868239243f0f6ac212e53147e1014_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgekbljc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njacpf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndghmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkqpjidj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgekbljc.exe

Executes dropped EXE 34 IoCs

pid	Process
1980	Lknjmkdo.exe
3164	Mahbje32.exe
4856	Mciobn32.exe
3248	Mgekbljc.exe
4636	Mjcgohig.exe
2116	Mpmokb32.exe
4100	Mdiklqhm.exe
1532	Mgghhlhq.exe
2924	Mnapdf32.exe
1544	Mpolqa32.exe
3012	Mcnhmm32.exe
3932	Mkepnjng.exe
1936	Maohkd32.exe
4648	Mpaifalo.exe
2420	Mcpebmkb.exe
5040	Mjjmog32.exe
1756	Mnfipekh.exe
1372	Mpdelajl.exe
4416	Mcbahlip.exe
3604	Mgnnhk32.exe
4220	Nacbfdao.exe
4260	Nqfbaq32.exe
1948	Nceonl32.exe
4172	Nklfoi32.exe
2340	Nnjbke32.exe
4796	Ncgkcl32.exe
3588	Njacpf32.exe
3536	Nbhkac32.exe
4740	Ndghmo32.exe
1004	Nkqpjidj.exe
2364	Njcpee32.exe
4504	Nbkhfc32.exe
2176	Ncldnkae.exe
3576	Nkcmohbg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nacbfdao.exe	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbkhfc32.exe	Njcpee32.exe
File opened for modification	C:\Windows\SysWOW64\Mcpebmkb.exe	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mjjmog32.exe	Mcpebmkb.exe
File opened for modification	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File opened for modification	C:\Windows\SysWOW64\Mjcgohig.exe	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Lknjmkdo.exe	f6d868239243f0f6ac212e53147e1014_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File opened for modification	C:\Windows\SysWOW64\Nqfbaq32.exe	Nacbfdao.exe
File created	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ddpfgd32.dll	Nkqpjidj.exe
File opened for modification	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Bkankc32.dll	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Nklfoi32.exe	Nceonl32.exe
File created	C:\Windows\SysWOW64\Lmbnpm32.dll	Ncgkcl32.exe
File created	C:\Windows\SysWOW64\Geegicjl.dll	Mcpebmkb.exe
File created	C:\Windows\SysWOW64\Lkfbjdpq.dll	Njcpee32.exe
File created	C:\Windows\SysWOW64\Lifenaok.dll	Mahbje32.exe
File opened for modification	C:\Windows\SysWOW64\Nnjbke32.exe	Nklfoi32.exe
File opened for modification	C:\Windows\SysWOW64\Njcpee32.exe	Nkqpjidj.exe
File created	C:\Windows\SysWOW64\Mpolqa32.exe	Mnapdf32.exe
File created	C:\Windows\SysWOW64\Lknjmkdo.exe	f6d868239243f0f6ac212e53147e1014_NEAS.exe
File created	C:\Windows\SysWOW64\Jnngob32.dll	f6d868239243f0f6ac212e53147e1014_NEAS.exe
File opened for modification	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File opened for modification	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Mcnhmm32.exe	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Dgcifj32.dll	Mpolqa32.exe
File created	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Fnelfilp.dll	Maohkd32.exe
File created	C:\Windows\SysWOW64\Mpdelajl.exe	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mahbje32.exe	Lknjmkdo.exe
File created	C:\Windows\SysWOW64\Mgekbljc.exe	Mciobn32.exe
File opened for modification	C:\Windows\SysWOW64\Mdiklqhm.exe	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Fibjjh32.dll	Nceonl32.exe
File created	C:\Windows\SysWOW64\Hnibdpde.dll	Ncldnkae.exe
File created	C:\Windows\SysWOW64\Ocbakl32.dll	Mgekbljc.exe
File created	C:\Windows\SysWOW64\Agbnmibj.dll	Mdiklqhm.exe
File created	C:\Windows\SysWOW64\Mgnnhk32.exe	Mcbahlip.exe
File created	C:\Windows\SysWOW64\Hhapkbgi.dll	Mpaifalo.exe
File created	C:\Windows\SysWOW64\Ipkobd32.dll	Njacpf32.exe
File created	C:\Windows\SysWOW64\Mcbahlip.exe	Mpdelajl.exe
File created	C:\Windows\SysWOW64\Pipfna32.dll	Nnjbke32.exe
File created	C:\Windows\SysWOW64\Legdcg32.dll	Mgnnhk32.exe
File opened for modification	C:\Windows\SysWOW64\Nceonl32.exe	Nqfbaq32.exe
File opened for modification	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Ockcknah.dll	Mpmokb32.exe
File created	C:\Windows\SysWOW64\Gbbkdl32.dll	Mnfipekh.exe
File created	C:\Windows\SysWOW64\Mnfipekh.exe	Mjjmog32.exe
File created	C:\Windows\SysWOW64\Ogpnaafp.dll	Ndghmo32.exe
File created	C:\Windows\SysWOW64\Mpmokb32.exe	Mjcgohig.exe
File created	C:\Windows\SysWOW64\Mnapdf32.exe	Mgghhlhq.exe
File opened for modification	C:\Windows\SysWOW64\Maohkd32.exe	Mkepnjng.exe
File opened for modification	C:\Windows\SysWOW64\Mgghhlhq.exe	Mdiklqhm.exe
File opened for modification	C:\Windows\SysWOW64\Mkepnjng.exe	Mcnhmm32.exe
File created	C:\Windows\SysWOW64\Ncldnkae.exe	Nbkhfc32.exe
File created	C:\Windows\SysWOW64\Kpdobeck.dll	Mciobn32.exe
File created	C:\Windows\SysWOW64\Njacpf32.exe	Ncgkcl32.exe
File opened for modification	C:\Windows\SysWOW64\Ndghmo32.exe	Nbhkac32.exe
File created	C:\Windows\SysWOW64\Ncgkcl32.exe	Nnjbke32.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmohbg.exe	Ncldnkae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4056	3576	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geegicjl.dll"	Mcpebmkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndghmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mahbje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfgejn.dll"	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnelfilp.dll"	Maohkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdobeck.dll"	Mciobn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkepnjng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f6d868239243f0f6ac212e53147e1014_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fibjjh32.dll"	Nceonl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncgkcl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmokb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkepnjng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfmbf32.dll"	Mcbahlip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipkobd32.dll"	Njacpf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mcnhmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpdelajl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmbnpm32.dll"	Ncgkcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgbkio.dll"	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mciobn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcdjjo32.dll"	Nqfbaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmalco32.dll"	Nklfoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f6d868239243f0f6ac212e53147e1014_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nqfbaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcpebmkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdiklqhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfbjdpq.dll"	Njcpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f6d868239243f0f6ac212e53147e1014_NEAS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgnnhk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbhkac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpaifalo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f6d868239243f0f6ac212e53147e1014_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjjmog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbhkac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcifj32.dll"	Mpolqa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npckna32.dll"	Nacbfdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Njacpf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mcnhmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpdelajl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nceonl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhblqpo.dll"	Lknjmkdo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdiklqhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgdjjem.dll"	Mgghhlhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdcg32.dll"	Mgnnhk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkankc32.dll"	Mjcgohig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odegmceb.dll"	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnfipekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lknjmkdo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnapdf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbkhfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbakl32.dll"	Mgekbljc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnngob32.dll"	f6d868239243f0f6ac212e53147e1014_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnibdpde.dll"	Ncldnkae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f6d868239243f0f6ac212e53147e1014_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgnnhk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 1980	2064	f6d868239243f0f6ac212e53147e1014_NEAS.exe	84
PID 2064 wrote to memory of 1980	2064	f6d868239243f0f6ac212e53147e1014_NEAS.exe	84
PID 2064 wrote to memory of 1980	2064	f6d868239243f0f6ac212e53147e1014_NEAS.exe	84
PID 1980 wrote to memory of 3164	1980	Lknjmkdo.exe	85
PID 1980 wrote to memory of 3164	1980	Lknjmkdo.exe	85
PID 1980 wrote to memory of 3164	1980	Lknjmkdo.exe	85
PID 3164 wrote to memory of 4856	3164	Mahbje32.exe	86
PID 3164 wrote to memory of 4856	3164	Mahbje32.exe	86
PID 3164 wrote to memory of 4856	3164	Mahbje32.exe	86
PID 4856 wrote to memory of 3248	4856	Mciobn32.exe	87
PID 4856 wrote to memory of 3248	4856	Mciobn32.exe	87
PID 4856 wrote to memory of 3248	4856	Mciobn32.exe	87
PID 3248 wrote to memory of 4636	3248	Mgekbljc.exe	88
PID 3248 wrote to memory of 4636	3248	Mgekbljc.exe	88
PID 3248 wrote to memory of 4636	3248	Mgekbljc.exe	88
PID 4636 wrote to memory of 2116	4636	Mjcgohig.exe	89
PID 4636 wrote to memory of 2116	4636	Mjcgohig.exe	89
PID 4636 wrote to memory of 2116	4636	Mjcgohig.exe	89
PID 2116 wrote to memory of 4100	2116	Mpmokb32.exe	90
PID 2116 wrote to memory of 4100	2116	Mpmokb32.exe	90
PID 2116 wrote to memory of 4100	2116	Mpmokb32.exe	90
PID 4100 wrote to memory of 1532	4100	Mdiklqhm.exe	91
PID 4100 wrote to memory of 1532	4100	Mdiklqhm.exe	91
PID 4100 wrote to memory of 1532	4100	Mdiklqhm.exe	91
PID 1532 wrote to memory of 2924	1532	Mgghhlhq.exe	92
PID 1532 wrote to memory of 2924	1532	Mgghhlhq.exe	92
PID 1532 wrote to memory of 2924	1532	Mgghhlhq.exe	92
PID 2924 wrote to memory of 1544	2924	Mnapdf32.exe	93
PID 2924 wrote to memory of 1544	2924	Mnapdf32.exe	93
PID 2924 wrote to memory of 1544	2924	Mnapdf32.exe	93
PID 1544 wrote to memory of 3012	1544	Mpolqa32.exe	94
PID 1544 wrote to memory of 3012	1544	Mpolqa32.exe	94
PID 1544 wrote to memory of 3012	1544	Mpolqa32.exe	94
PID 3012 wrote to memory of 3932	3012	Mcnhmm32.exe	95
PID 3012 wrote to memory of 3932	3012	Mcnhmm32.exe	95
PID 3012 wrote to memory of 3932	3012	Mcnhmm32.exe	95
PID 3932 wrote to memory of 1936	3932	Mkepnjng.exe	96
PID 3932 wrote to memory of 1936	3932	Mkepnjng.exe	96
PID 3932 wrote to memory of 1936	3932	Mkepnjng.exe	96
PID 1936 wrote to memory of 4648	1936	Maohkd32.exe	97
PID 1936 wrote to memory of 4648	1936	Maohkd32.exe	97
PID 1936 wrote to memory of 4648	1936	Maohkd32.exe	97
PID 4648 wrote to memory of 2420	4648	Mpaifalo.exe	98
PID 4648 wrote to memory of 2420	4648	Mpaifalo.exe	98
PID 4648 wrote to memory of 2420	4648	Mpaifalo.exe	98
PID 2420 wrote to memory of 5040	2420	Mcpebmkb.exe	99
PID 2420 wrote to memory of 5040	2420	Mcpebmkb.exe	99
PID 2420 wrote to memory of 5040	2420	Mcpebmkb.exe	99
PID 5040 wrote to memory of 1756	5040	Mjjmog32.exe	100
PID 5040 wrote to memory of 1756	5040	Mjjmog32.exe	100
PID 5040 wrote to memory of 1756	5040	Mjjmog32.exe	100
PID 1756 wrote to memory of 1372	1756	Mnfipekh.exe	101
PID 1756 wrote to memory of 1372	1756	Mnfipekh.exe	101
PID 1756 wrote to memory of 1372	1756	Mnfipekh.exe	101
PID 1372 wrote to memory of 4416	1372	Mpdelajl.exe	102
PID 1372 wrote to memory of 4416	1372	Mpdelajl.exe	102
PID 1372 wrote to memory of 4416	1372	Mpdelajl.exe	102
PID 4416 wrote to memory of 3604	4416	Mcbahlip.exe	103
PID 4416 wrote to memory of 3604	4416	Mcbahlip.exe	103
PID 4416 wrote to memory of 3604	4416	Mcbahlip.exe	103
PID 3604 wrote to memory of 4220	3604	Mgnnhk32.exe	105
PID 3604 wrote to memory of 4220	3604	Mgnnhk32.exe	105
PID 3604 wrote to memory of 4220	3604	Mgnnhk32.exe	105
PID 4220 wrote to memory of 4260	4220	Nacbfdao.exe	106

C:\Users\Admin\AppData\Local\Temp\f6d868239243f0f6ac212e53147e1014_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\f6d868239243f0f6ac212e53147e1014_NEAS.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\Lknjmkdo.exe
  C:\Windows\system32\Lknjmkdo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\Mahbje32.exe
    C:\Windows\system32\Mahbje32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\Mciobn32.exe
      C:\Windows\system32\Mciobn32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4856
    - - C:\Windows\SysWOW64\Mgekbljc.exe
        
        C:\Windows\system32\Mgekbljc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3248
      - C:\Windows\SysWOW64\Mjcgohig.exe
        
        C:\Windows\system32\Mjcgohig.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Mpmokb32.exe
        
        C:\Windows\system32\Mpmokb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\Mdiklqhm.exe
        
        C:\Windows\system32\Mdiklqhm.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Mgghhlhq.exe
        
        C:\Windows\system32\Mgghhlhq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Mnapdf32.exe
        
        C:\Windows\system32\Mnapdf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Mpolqa32.exe
        
        C:\Windows\system32\Mpolqa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\Mcnhmm32.exe
        
        C:\Windows\system32\Mcnhmm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\SysWOW64\Mkepnjng.exe
        
        C:\Windows\system32\Mkepnjng.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\SysWOW64\Maohkd32.exe
        
        C:\Windows\system32\Maohkd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Mpaifalo.exe
        
        C:\Windows\system32\Mpaifalo.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\Mcpebmkb.exe
        
        C:\Windows\system32\Mcpebmkb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Mjjmog32.exe
        
        C:\Windows\system32\Mjjmog32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Mnfipekh.exe
        
        C:\Windows\system32\Mnfipekh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Mpdelajl.exe
        
        C:\Windows\system32\Mpdelajl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Mcbahlip.exe
        
        C:\Windows\system32\Mcbahlip.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\Mgnnhk32.exe
        
        C:\Windows\system32\Mgnnhk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\SysWOW64\Nacbfdao.exe
        
        C:\Windows\system32\Nacbfdao.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\SysWOW64\Nqfbaq32.exe
        
        C:\Windows\system32\Nqfbaq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Nceonl32.exe
        
        C:\Windows\system32\Nceonl32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Nklfoi32.exe
        
        C:\Windows\system32\Nklfoi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Nnjbke32.exe
        
        C:\Windows\system32\Nnjbke32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\Ncgkcl32.exe
        
        C:\Windows\system32\Ncgkcl32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Njacpf32.exe
        
        C:\Windows\system32\Njacpf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Nbhkac32.exe
        
        C:\Windows\system32\Nbhkac32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Ndghmo32.exe
        
        C:\Windows\system32\Ndghmo32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Nkqpjidj.exe
        
        C:\Windows\system32\Nkqpjidj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\Njcpee32.exe
        
        C:\Windows\system32\Njcpee32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Nbkhfc32.exe
        
        C:\Windows\system32\Nbkhfc32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Ncldnkae.exe
        
        C:\Windows\system32\Ncldnkae.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Nkcmohbg.exe
        
        C:\Windows\system32\Nkcmohbg.exe
        35⤵
        Executes dropped EXE
        
        PID:3576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 224
        36⤵
        Program crash
        
        PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3576 -ip 3576
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Lknjmkdo.exe

Filesize
64KB

MD5
76d34f71369e745358f93056a5ffc3ad

SHA1
b3c0e8646fe9e96c4604b1beaf2198d9f0b1f6be

SHA256
9c56c12c249237b6d0f9a5639fca1f00e54ae84d5a7404475efa5a8241155c28

SHA512
c497a9b893d8e1859d796652666aa35224ebf88eea6b75cf36915ec661726615211605bf769c61714ec6f7234fb5021aea7ee82e8ce37307311f983a13617154

Download Submit
C:\Windows\SysWOW64\Mahbje32.exe

Filesize
64KB

MD5
3891acc21b920fbd25224c3e7f998078

SHA1
ff1a1bfbc269ff838098a101c348128a8c35c369

SHA256
a6a4af056b5250542e1337f2ad8b6889ca7f19a544abdfd55e111bec3e94a195

SHA512
b1eadc4f3bd38106624c20611b14b18ba281bae04cded4adb9bd64dce3895eff129e246d0d778e885f58a1fb936d68a742ef476a63d11a722cd21020c4f23f3a

Download Submit
C:\Windows\SysWOW64\Maohkd32.exe

Filesize
64KB

MD5
0d10f436f832f02dde486c409c73a97a

SHA1
b09df310b20fcb25190a521a712e89e49a29e77d

SHA256
20f8422452797ae3298cdee3bf2e19082e3bad649da31cf9c45269fbe1cd9850

SHA512
3efdecfecc15ca9eb702e77698f3733376eba7604218be7b2e14106a4aee40142e63174230f8aac5c8043ae03ab3a65f7f24656880a20417360c15043c4e24c4

Download Submit
C:\Windows\SysWOW64\Mcbahlip.exe

Filesize
64KB

MD5
8a8f8ddaffa62aca55ddb77a719b99bc

SHA1
2b0ac170c4d3f017f42157c2edd79c59b106f82c

SHA256
28c07ceb153ede53836002d2ba1b15165438bccb3cd32fb587ab94f8776be18b

SHA512
074ff5398afe9d8dee4ee87e341f2c488a949bdd757b29b3ca72373b203a2680f94eac962510af1e0e4c875c2b3bab7ca9c6e509b3825c3282ac03d9bc602018

Download Submit
C:\Windows\SysWOW64\Mciobn32.exe

Filesize
64KB

MD5
94ba9b6c80776a697d842db41d270613

SHA1
11781436c2feefd91b3376ec7867bc9f264f571c

SHA256
85753e1957c5c18729d10ac383634f8100e2364a0418b139d68f5827e37b4861

SHA512
edc9741d3bf866229d23eb6730e51298e100cb74935f2f5bc710815d112eea00e85c3db5c404ff164ddccbaaba7d4523d24ff0dcfa8f77f59e3f52d8d5e54175

Download Submit
C:\Windows\SysWOW64\Mcnhmm32.exe

Filesize
64KB

MD5
7df64f37c6415c50ba55214b500a3936

SHA1
118c48ae9896c6e53e369981c7f621278e1ab31b

SHA256
4e46eae0bb48d73ff0dde7eebeb0d95ad95ef1882a8ab26b903dad4631071019

SHA512
c24b4f79bf94ae808ac5a40b4eea78bb74524cb11f9241669d4cac9b5253f4702fa7cdef8b47e34bbcf43a5f8e5ea58eec7111e916d7ed02fbd277985c0bdc68

Download Submit
C:\Windows\SysWOW64\Mcpebmkb.exe

Filesize
64KB

MD5
33368f64daed4bac939560c5051ebca3

SHA1
3770530708c8e7aa23598ad5d5d15e3c90f4c59b

SHA256
0877d1a9c5a43f987d5b9cb6009b44af034e485193894686b20c7d5e3668ef70

SHA512
1382435dfaec5c10c036adc64d95557b3c1b87f06440322d00ead174347aabb7966ce21e9c216106589dad1213de940ed22ed2e1724af8401ce621b562be45a9

Download Submit
C:\Windows\SysWOW64\Mdiklqhm.exe

Filesize
64KB

MD5
dfa2ed06095e14c5e80ce54c32663460

SHA1
59de06b167c481f64c0d947c84df574c50692cca

SHA256
b01b69cdc95d98ec344fd755d67b5df45adca2d56faeef7408fd26212e156ac3

SHA512
95417ec32fb369f390b6085e2b7a4de50b581ae3cd8a85b6bebb8799952874386160aeb29f311f8cee45a16ef07516cc3ee1e02b6fc66fdcf76f16921fec466c

Download Submit
C:\Windows\SysWOW64\Mgekbljc.exe

Filesize
64KB

MD5
0d33afdb31dfd54f98a742f828c41b65

SHA1
04cf29463301974b5e51f97026cb747f9a1bafd5

SHA256
bc5151f7e549061e296eabeae38d6ddd9ed3a0629223d7c189951e0d78d21d71

SHA512
0ac9fd9782ff50cd6729b57e288346b9db048eedfc9d00cc27b86b61f4386915b9e5ff90e91204b0e858af349af085c54f22cb1f949876288e79cf1247ee70ee

Download Submit
C:\Windows\SysWOW64\Mgghhlhq.exe

Filesize
64KB

MD5
2c3afac20e5b610381a6ed552f7bad9e

SHA1
064ea0d68551adfe7baf2a80280c1daf1ceeca7b

SHA256
e450e3f98bf53052ae4a05e614e5fbb33420d75a2b37bcfaefebb495e7ea691b

SHA512
a24791560116b42f8a3dc75a962589041dcaa4a4e2ee13e2b22cff9b6e05c3525d9a1c63ac468f5c0a590a40674758d5a6d6034943867aed82e5718d8842c81d

Download Submit
C:\Windows\SysWOW64\Mgnnhk32.exe

Filesize
64KB

MD5
3dfaa9ce412b3ea92c0f70026eda9856

SHA1
f98841acac7e2b3fa3dec9d7490653c65918882a

SHA256
34b92bb9861e0918fd5771e4e168f8162dc18043237770490a7b3c04a917cf5c

SHA512
36695562fbd99e535535263e2342a6d22790a89929a33643b1c778d2f70d9bd5294511aa46f2ff11920a4f7669cb421d6fa35615c183aff4278a0b233b629ca3

Download Submit
C:\Windows\SysWOW64\Mjcgohig.exe

Filesize
64KB

MD5
c9891291dec6e997c92b71aaa26a2bd2

SHA1
bbaa4c88f67191b79b341eaa4c5c071570fa62dc

SHA256
93905bc8ec26dacd016b5af46d69a3caeb421c763e263184ff09c16939e360e0

SHA512
ad120265b068356e094bb24d27296e4474efa3b9a0f28052fb24e87a25324ebf15227f7969636bf84a4d34ea43ed6ee98ebc505c14af0b400e0634227bef2f42

Download Submit
C:\Windows\SysWOW64\Mjjmog32.exe

Filesize
64KB

MD5
bdeab19ffe7b46ec358b6efaea77741c

SHA1
1d675795bccf51ec7a3ad9a164671c813d8befc8

SHA256
0b500d970cfca94eeea0fabe5a75719cc62483a43670ec319d2a774dade277be

SHA512
5e51e136cc9c1cdc613c401dd1fa1dc3391f31722c225a6773b33dd5180f8529eabe4310928d379d24962032af1f2fbd03f5e9cfc71e24f1dae1237f9b3239b3

Download Submit
C:\Windows\SysWOW64\Mkepnjng.exe

Filesize
64KB

MD5
64587789874b69b72b96fe9257a1ad82

SHA1
be57b090afc754697661167565789d50ba45fa6b

SHA256
e1a77ccbf697c60598085cbe18f2e770b7712811843decc702cd7648a57a697b

SHA512
7828cf569398b1fc3009d1786c59f3106da095c1a202ed41384c7ba5477855bda2d157c44b9b4b5cff5fdd611b2bf9e471990270ea85ec054af0dd048543ef78

Download Submit
C:\Windows\SysWOW64\Mnapdf32.exe

Filesize
64KB

MD5
59c1e03b9e3523dde4fa8498920635ef

SHA1
da11dcb2faa5cc20b1f94b350c9f0a09958dd975

SHA256
0ed9456cc94da0db45518b2b9c3560b86dd9f6604e2c77765072cf3c8e5022e1

SHA512
b935867d6983f3a0761f887eccfa08fe459ccd73f2ed9cbb53d8a3f4ab6cbd0d21de66be6fec8397ef8ba5e1fb8622aa747f9ac349c82efcd555552efb4ab58b

Download Submit
C:\Windows\SysWOW64\Mnfipekh.exe

Filesize
64KB

MD5
c7adbaef38cc724f12ec6c7f7ed59dc9

SHA1
4804e7614d227f1022631529f979e2e8cbeefa59

SHA256
398f86c9012a59bfe2ceb051f19a955b8207ff7808d4b36e7863cdb6b1043595

SHA512
4459ec5ceeb7df462b6895b612b74a0383cf2f1f7a53ee5dc53ec758694420a11575a39e13097a34c734b9bb49742767ae8226394a89c7986267131be7b877b3

Download Submit
C:\Windows\SysWOW64\Mpaifalo.exe

Filesize
64KB

MD5
0e1ad61af8a0f14977cfd2ce0e19aed3

SHA1
a732921743d79e7fe3b17292f08ac17041a31793

SHA256
814df686a9193a9a510e15fe9ca225825a4556abdf292a593f6632abb863c964

SHA512
22f02821d48250f1ce731faddc747c43ab0c1801008e7ca68400c07b8d4e035c0ebbfab378e07c4066149f3bb145271e35401878c5b03e5c9a7f9f31a8af34c9

Download Submit
C:\Windows\SysWOW64\Mpdelajl.exe

Filesize
64KB

MD5
e6ca0de27131a696c85a586a510e39db

SHA1
991c2cc77e46828bee99d428ca7ea618ab7ad6a8

SHA256
8c133799983cfdf1ab57cd067efb8a0bb86c923e27d5ebf0081cd1986ef9173b

SHA512
416696a289bcd05d8184cb055e0b53ad8ee8b240b2d00c86ffab24cd957b549005582bb397172c29c788f7d5c91ed3e147e20c6c0897033638ac425b680c8486

Download Submit
C:\Windows\SysWOW64\Mpmokb32.exe

Filesize
64KB

MD5
4831b119b42ccbac81c5527c3b7ad686

SHA1
7a19f49a2f540a8fffa8dcae438f00471f22b3df

SHA256
b816a43329f87c34229f030d67e6fb09ebaf6bdf2f883bec88bdfc42fae628dd

SHA512
54062505720ac074aa364bd468cec9f24de3a91d302dee40ecc5cc624c6ff8571f4187009d9dcd8d6d50b1ec6dd81821aef5568ae96b6cea2b56168048b91c8a

Download Submit
C:\Windows\SysWOW64\Mpolqa32.exe

Filesize
64KB

MD5
3b6414a9c28fe76579cd7df9320a414f

SHA1
49ebc2dfbfe5f47a9deedfa45aa274b1b3a39f6e

SHA256
7c635162d0874fa016b6814ae5dc082e1e08f1f831f40fa586e74f4b2ec6995d

SHA512
3d3cb6fc41515b539335c639301cc14f0a27530e9c1296964a844f0660650a2fbb193b7a93381a4f990df412805fa6ea411c29ec8ed68714d65af9f62386cc7f

Download Submit
C:\Windows\SysWOW64\Nacbfdao.exe

Filesize
64KB

MD5
e4bcae8bbbcef008d18e140c597e8399

SHA1
8547f4c68eab4c1ae3744e145c6223fcf4498916

SHA256
a29e419a29b29a95300ecc6a12e95b1c90b5c90cd7c9e46e254799681a6ca149

SHA512
b42abc5328b7f9e3f840d370dffc2d0f60463cc0f3cf5f80915ee399174934e26876b870faa21a2b4d153f0b1c415c0ed4bf2b003f53930f3e923100aea1f813

Download Submit
C:\Windows\SysWOW64\Nbhkac32.exe

Filesize
64KB

MD5
e6ad308569dc711fec37ab2ddf06bb00

SHA1
69b418758982330cf0fb46aa1b8a331eeb8d9f85

SHA256
9d916cdf1543b7337b33b0747e0be567732f2ac8649ad88aac71725553003729

SHA512
b93ad5d4aee67d51a3580597c621f72d3de45d564a6fcb24897fc248d21cb5571323cf7ada62dfb56e70c58b833041eab6ae4a6d8a06a036450f0e37ecb30cd2

Download Submit
C:\Windows\SysWOW64\Nbkhfc32.exe

Filesize
64KB

MD5
27b62e7e8dd9e97285da38e88933e980

SHA1
2f3e0141df8543637416a1e5f974cc442d0cbb4d

SHA256
f0580e11709826a14d879dd4547e92f6cddfc13b6b0a8216eb5b74ad58f6d5ef

SHA512
42dd1aaa016e864e8d4a7f2ab51fa8f09d6edcf0c3665823fea46b268441b5e46fe9dbd62bb875ae5ba1e33b97a4f1fc3a326055129b47c6d2809cb04d83abc2

Download Submit
C:\Windows\SysWOW64\Nceonl32.exe

Filesize
64KB

MD5
b36e2a9fcf78f833c57153fe7e606112

SHA1
e36e1be11a27804ccc309a6b2ac22d9db14b799b

SHA256
cac8a8f25ee7333b319a049c216c822fa066e9437120b3e07e4000b085357df3

SHA512
5cb42db021ae23f73af7f0abf54a994ecd0ff210faefa4814210521921809dab8e5394ce798244d94bfc41069f48d9c576539f288c24b5d3c87d6142b0c25a19

Download Submit
C:\Windows\SysWOW64\Ncgkcl32.exe

Filesize
64KB

MD5
3721748064e38b0b88bc64916884ae44

SHA1
cae82ee03691663d2ae0237f018db3d48241888c

SHA256
4b401da370816cead1557081e3b7b4fad3599460dbe8f84ae900e3bb2a3e4d21

SHA512
249ff0064259d2e94029a23296f46f0d52909c12fe7c925068df9c796ecc96b16eb38b391076db4ae5e7c1f0d51bf8f4d770cc94e8b2fca5c07d57e45d249425

Download Submit
C:\Windows\SysWOW64\Ndghmo32.exe

Filesize
64KB

MD5
02df55f2795330e1c77ddd5a431534d0

SHA1
85db592a1e22be9bbb0e9e9a5475e06d6afca1dd

SHA256
a30c0c09e4cafb53c856dc7432a74a308bab2e4e37ebb0dd42b48b13b46c9f8d

SHA512
64ca72b2cf88ec3d9dee5e344700f29ee782587eafb00e7086db64f013b6127546ced2266b2c2b382931a7b97644603977f7d91d0948e5d4da4b0045424d448e

Download Submit
C:\Windows\SysWOW64\Njacpf32.exe

Filesize
64KB

MD5
dbc0b5512c452e3e1aa9458b1bc96c07

SHA1
400a66d617bf13aac4daddb0cdb2e38460d50b00

SHA256
1ace73ced069c593c9df094c1891111e8da86bb7959d83cb3b97a4dcd188c574

SHA512
3161833e54ff5f0fd8bb05114748e8ef52e0e5f009fd9791870b9f5c7c7f886bd7e9829aef3c4d1221350216c756fd0a881e725d20e25984e15047ab42000d1d

Download Submit
C:\Windows\SysWOW64\Njcpee32.exe

Filesize
64KB

MD5
198ac55db33d17364a65bcacbcc09a3a

SHA1
2545987863737d89c4a8e8d0aa7649ac8c7098b4

SHA256
1ad7459568066a2a00a3ec5abcc3c533d793ddd8c977a135a8ecca2bfac9f489

SHA512
9311676f691544a5b067f86367fb0f9cbc7ecd8bab2e510294e626f544b0e27c68316671ed4c4ce5ca9c38e73ed898b5c5f709273c0a65deeb8d3a012ed5a3be

Download Submit
C:\Windows\SysWOW64\Nklfoi32.exe

Filesize
64KB

MD5
a5bd5a3ca4441966ac0cc46008be6e99

SHA1
38203243a4c051b885c4ad8d1d5906a4f0d0c931

SHA256
677ac171c7ce10fea7093384a86608a2f58a623e0f14b626e5c357a20140b4c7

SHA512
7de389b5bd2415e079f25183ac63ffa01fce9053c7396715776a36bf4c4b256114dc7d53b29e431ac27540cf622f6b0a9f8858e7addf2d720a38fab284c23a80

Download Submit
C:\Windows\SysWOW64\Nkqpjidj.exe

Filesize
64KB

MD5
6e54866fbc34f63416a2b2b4e3bdb1aa

SHA1
d34f540aed0e4195cd5e2d32431596cac43fd720

SHA256
d97e69c40e072bedc078d2f77a87ecc859c4159fa95a1269951bd3c71c96b8af

SHA512
18456172c2c36196d5788bd35c1b34227068702b34606f1ffd72a8477506b5567159cab9210c012b69db0bc66f6511cc5734ed08cb92139d4f86f7dddc24a109

Download Submit
C:\Windows\SysWOW64\Nnjbke32.exe

Filesize
64KB

MD5
f3d02516dc19bfcf6895876d12350fa2

SHA1
cd20a438b0433f1393802b0655840f66872b0e31

SHA256
6ba223e006ec9fdf87c791951e239057f16dc22655862ee47e9ac95afaf8f393

SHA512
739bc11da1a1de4f74d082534d64e8f0fbc275d361c2f2f56f18ec11340cc78ee0aacbca445d52bf3d77aa2497c5f89e7f1de1b311b0e8b1f98e8d681db4e52d

Download Submit
C:\Windows\SysWOW64\Nqfbaq32.exe

Filesize
64KB

MD5
4a9a7e65e69b8d17513322989f12f820

SHA1
a8b79385a9bfcc38ab9ea83cb3073214f68ce794

SHA256
66af4b16a4b343d947d353a2a67c841da630041872576bdf861c4bfda6945168

SHA512
834a376b7275e50aeb62a7b07db0e2d756f6c84cb15d11d1951fd4bc6684f0e906914dfec14482c56f8b51c4662929b6a3fe75cd4e0e3a6b21600388aa05742f

Download Submit
memory/1004-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-149-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1372-280-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-65-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1532-289-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1544-290-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1756-294-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-292-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1948-277-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1980-284-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-3-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2064-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2064-283-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-49-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2116-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2176-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2340-274-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2420-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2924-77-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3012-291-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3164-285-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3248-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3248-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3536-230-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-270-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3576-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3588-217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3604-161-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3932-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-288-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4100-57-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4172-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4172-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4220-279-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4220-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4260-276-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4416-158-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-271-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4504-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4636-45-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-112-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4648-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4740-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4796-272-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4856-29-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-282-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5040-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads