223a387651addc0fa7cf5144d178614be438177495fcc0df793eee8fb924b5da

Analysis

max time kernel
205s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2023, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Size

4.5MB
MD5

0f4131d0d2d431fdbc26778e16238df0
SHA1

7ea70cbc4524a96f2ad781d74ad46904a43fb2b4
SHA256

223a387651addc0fa7cf5144d178614be438177495fcc0df793eee8fb924b5da
SHA512

6694f11614effa45a6dcb62fdd5c30415e7a8a8412f5bdf49956d32dc50a45a5933986f646bbfb5bc24de095835a38b5c587e4534513132f50b56d4fc3637b2e
SSDEEP

49152:l0kB9f0VwEIV0MVp5fbVvOB9f0eB9f0S/B9f0HdVAVkB9f0VZHJVkB9f0TTVfdg:WVG0uptJvlyVVHTBlg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cecbgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmfldkei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hknkiokp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Keboni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hikkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ionbcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Okhmnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dalhgfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Faakickc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknkiokp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ionbcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgjkag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnahmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpadd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Neadfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mgjkag32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okhmnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnibhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcpadd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neadfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Capikhgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalhgfmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olfgcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ongpeejj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cecbgl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faakickc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Keboni32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hikkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmfldkei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnahmo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnibhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ieojqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Olfgcj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ongpeejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Capikhgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieojqi32.exe

Executes dropped EXE 19 IoCs

pid	Process
2260	Hikkdc32.exe
3976	Ionbcb32.exe
2072	Olfgcj32.exe
4620	Ongpeejj.exe
1052	Pmfldkei.exe
4980	Mgjkag32.exe
2468	Okhmnc32.exe
4604	Cecbgl32.exe
2924	Capikhgh.exe
3348	Dalhgfmk.exe
4940	Faakickc.exe
3888	Hknkiokp.exe
4628	Cnahmo32.exe
5100	Hnibhp32.exe
4592	Ieojqi32.exe
864	Fcpadd32.exe
1632	Keboni32.exe
4548	Neadfe32.exe
2388	Mclplffj.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ionbcb32.exe	Hikkdc32.exe
File created	C:\Windows\SysWOW64\Pfjnnpmb.dll	Fcpadd32.exe
File created	C:\Windows\SysWOW64\Olfgcj32.exe	Ionbcb32.exe
File created	C:\Windows\SysWOW64\Dgkqpd32.dll	Cecbgl32.exe
File opened for modification	C:\Windows\SysWOW64\Cnahmo32.exe	Hknkiokp.exe
File created	C:\Windows\SysWOW64\Objelghl.dll	Hnibhp32.exe
File created	C:\Windows\SysWOW64\Fcpadd32.exe	Ieojqi32.exe
File created	C:\Windows\SysWOW64\Ongpeejj.exe	Olfgcj32.exe
File created	C:\Windows\SysWOW64\Famqbcdp.dll	Pmfldkei.exe
File opened for modification	C:\Windows\SysWOW64\Cecbgl32.exe	Okhmnc32.exe
File created	C:\Windows\SysWOW64\Mggpeh32.dll	Keboni32.exe
File created	C:\Windows\SysWOW64\Mclplffj.exe	Neadfe32.exe
File created	C:\Windows\SysWOW64\Faakickc.exe	Dalhgfmk.exe
File created	C:\Windows\SysWOW64\Bhbiql32.dll	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
File created	C:\Windows\SysWOW64\Pmfldkei.exe	Ongpeejj.exe
File created	C:\Windows\SysWOW64\Neadfe32.exe	Keboni32.exe
File created	C:\Windows\SysWOW64\Okhmnc32.exe	Mgjkag32.exe
File created	C:\Windows\SysWOW64\Hnibhp32.exe	Cnahmo32.exe
File opened for modification	C:\Windows\SysWOW64\Fcpadd32.exe	Ieojqi32.exe
File created	C:\Windows\SysWOW64\Ionbcb32.exe	Hikkdc32.exe
File opened for modification	C:\Windows\SysWOW64\Ongpeejj.exe	Olfgcj32.exe
File created	C:\Windows\SysWOW64\Hmalih32.dll	Okhmnc32.exe
File opened for modification	C:\Windows\SysWOW64\Hnibhp32.exe	Cnahmo32.exe
File created	C:\Windows\SysWOW64\Ihfmlpka.dll	Neadfe32.exe
File created	C:\Windows\SysWOW64\Hikkdc32.exe	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
File opened for modification	C:\Windows\SysWOW64\Faakickc.exe	Dalhgfmk.exe
File created	C:\Windows\SysWOW64\Qjglkmmh.dll	Hknkiokp.exe
File opened for modification	C:\Windows\SysWOW64\Keboni32.exe	Fcpadd32.exe
File opened for modification	C:\Windows\SysWOW64\Ieojqi32.exe	Hnibhp32.exe
File opened for modification	C:\Windows\SysWOW64\Olfgcj32.exe	Ionbcb32.exe
File created	C:\Windows\SysWOW64\Cecbgl32.exe	Okhmnc32.exe
File created	C:\Windows\SysWOW64\Hknkiokp.exe	Faakickc.exe
File created	C:\Windows\SysWOW64\Kcmflj32.dll	Faakickc.exe
File created	C:\Windows\SysWOW64\Dkphjn32.dll	Cnahmo32.exe
File created	C:\Windows\SysWOW64\Dalhgfmk.exe	Capikhgh.exe
File created	C:\Windows\SysWOW64\Jimedokp.dll	Capikhgh.exe
File opened for modification	C:\Windows\SysWOW64\Hikkdc32.exe	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
File created	C:\Windows\SysWOW64\Hjnbag32.dll	Ionbcb32.exe
File created	C:\Windows\SysWOW64\Jphnld32.dll	Mgjkag32.exe
File opened for modification	C:\Windows\SysWOW64\Dalhgfmk.exe	Capikhgh.exe
File created	C:\Windows\SysWOW64\Cnahmo32.exe	Hknkiokp.exe
File created	C:\Windows\SysWOW64\Capikhgh.exe	Cecbgl32.exe
File opened for modification	C:\Windows\SysWOW64\Hknkiokp.exe	Faakickc.exe
File created	C:\Windows\SysWOW64\Mgjkag32.exe	Pmfldkei.exe
File created	C:\Windows\SysWOW64\Ieojqi32.exe	Hnibhp32.exe
File created	C:\Windows\SysWOW64\Keboni32.exe	Fcpadd32.exe
File created	C:\Windows\SysWOW64\Qkjbfi32.dll	Hikkdc32.exe
File created	C:\Windows\SysWOW64\Fopielld.dll	Ongpeejj.exe
File opened for modification	C:\Windows\SysWOW64\Mgjkag32.exe	Pmfldkei.exe
File opened for modification	C:\Windows\SysWOW64\Okhmnc32.exe	Mgjkag32.exe
File opened for modification	C:\Windows\SysWOW64\Capikhgh.exe	Cecbgl32.exe
File created	C:\Windows\SysWOW64\Ibblioai.dll	Dalhgfmk.exe
File opened for modification	C:\Windows\SysWOW64\Mclplffj.exe	Neadfe32.exe
File created	C:\Windows\SysWOW64\Kllpihkg.dll	Olfgcj32.exe
File opened for modification	C:\Windows\SysWOW64\Pmfldkei.exe	Ongpeejj.exe
File created	C:\Windows\SysWOW64\Ndjleb32.dll	Ieojqi32.exe
File opened for modification	C:\Windows\SysWOW64\Neadfe32.exe	Keboni32.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Famqbcdp.dll"	Pmfldkei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkjbfi32.dll"	Hikkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cecbgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hikkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Okhmnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hknkiokp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfjnnpmb.dll"	Fcpadd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mgjkag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkphjn32.dll"	Cnahmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnbag32.dll"	Ionbcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Faakickc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olfgcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Okhmnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cecbgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcmflj32.dll"	Faakickc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Neadfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mgjkag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olfgcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dalhgfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnahmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Keboni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllpihkg.dll"	Olfgcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibblioai.dll"	Dalhgfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dalhgfmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ieojqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihfmlpka.dll"	Neadfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhbiql32.dll"	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jimedokp.dll"	Capikhgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnibhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Objelghl.dll"	Hnibhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mggpeh32.dll"	Keboni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcpadd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hikkdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ongpeejj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmfldkei.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnahmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjglkmmh.dll"	Hknkiokp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmalih32.dll"	Okhmnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkqpd32.dll"	Cecbgl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnibhp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ieojqi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcpadd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ionbcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fopielld.dll"	Ongpeejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jphnld32.dll"	Mgjkag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Capikhgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hknkiokp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Faakickc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjleb32.dll"	Ieojqi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Keboni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ionbcb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ongpeejj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Capikhgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmfldkei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Neadfe32.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 2260	396	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe	88
PID 396 wrote to memory of 2260	396	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe	88
PID 396 wrote to memory of 2260	396	NEAS.0f4131d0d2d431fdbc26778e16238df0.exe	88
PID 2260 wrote to memory of 3976	2260	Hikkdc32.exe	90
PID 2260 wrote to memory of 3976	2260	Hikkdc32.exe	90
PID 2260 wrote to memory of 3976	2260	Hikkdc32.exe	90
PID 3976 wrote to memory of 2072	3976	Ionbcb32.exe	91
PID 3976 wrote to memory of 2072	3976	Ionbcb32.exe	91
PID 3976 wrote to memory of 2072	3976	Ionbcb32.exe	91
PID 2072 wrote to memory of 4620	2072	Olfgcj32.exe	92
PID 2072 wrote to memory of 4620	2072	Olfgcj32.exe	92
PID 2072 wrote to memory of 4620	2072	Olfgcj32.exe	92
PID 4620 wrote to memory of 1052	4620	Ongpeejj.exe	93
PID 4620 wrote to memory of 1052	4620	Ongpeejj.exe	93
PID 4620 wrote to memory of 1052	4620	Ongpeejj.exe	93
PID 1052 wrote to memory of 4980	1052	Pmfldkei.exe	94
PID 1052 wrote to memory of 4980	1052	Pmfldkei.exe	94
PID 1052 wrote to memory of 4980	1052	Pmfldkei.exe	94
PID 4980 wrote to memory of 2468	4980	Mgjkag32.exe	95
PID 4980 wrote to memory of 2468	4980	Mgjkag32.exe	95
PID 4980 wrote to memory of 2468	4980	Mgjkag32.exe	95
PID 2468 wrote to memory of 4604	2468	Okhmnc32.exe	97
PID 2468 wrote to memory of 4604	2468	Okhmnc32.exe	97
PID 2468 wrote to memory of 4604	2468	Okhmnc32.exe	97
PID 4604 wrote to memory of 2924	4604	Cecbgl32.exe	98
PID 4604 wrote to memory of 2924	4604	Cecbgl32.exe	98
PID 4604 wrote to memory of 2924	4604	Cecbgl32.exe	98
PID 2924 wrote to memory of 3348	2924	Capikhgh.exe	99
PID 2924 wrote to memory of 3348	2924	Capikhgh.exe	99
PID 2924 wrote to memory of 3348	2924	Capikhgh.exe	99
PID 3348 wrote to memory of 4940	3348	Dalhgfmk.exe	101
PID 3348 wrote to memory of 4940	3348	Dalhgfmk.exe	101
PID 3348 wrote to memory of 4940	3348	Dalhgfmk.exe	101
PID 4940 wrote to memory of 3888	4940	Faakickc.exe	104
PID 4940 wrote to memory of 3888	4940	Faakickc.exe	104
PID 4940 wrote to memory of 3888	4940	Faakickc.exe	104
PID 3888 wrote to memory of 4628	3888	Hknkiokp.exe	106
PID 3888 wrote to memory of 4628	3888	Hknkiokp.exe	106
PID 3888 wrote to memory of 4628	3888	Hknkiokp.exe	106
PID 4628 wrote to memory of 5100	4628	Cnahmo32.exe	107
PID 4628 wrote to memory of 5100	4628	Cnahmo32.exe	107
PID 4628 wrote to memory of 5100	4628	Cnahmo32.exe	107
PID 5100 wrote to memory of 4592	5100	Hnibhp32.exe	108
PID 5100 wrote to memory of 4592	5100	Hnibhp32.exe	108
PID 5100 wrote to memory of 4592	5100	Hnibhp32.exe	108
PID 4592 wrote to memory of 864	4592	Ieojqi32.exe	109
PID 4592 wrote to memory of 864	4592	Ieojqi32.exe	109
PID 4592 wrote to memory of 864	4592	Ieojqi32.exe	109
PID 864 wrote to memory of 1632	864	Fcpadd32.exe	110
PID 864 wrote to memory of 1632	864	Fcpadd32.exe	110
PID 864 wrote to memory of 1632	864	Fcpadd32.exe	110
PID 1632 wrote to memory of 4548	1632	Keboni32.exe	111
PID 1632 wrote to memory of 4548	1632	Keboni32.exe	111
PID 1632 wrote to memory of 4548	1632	Keboni32.exe	111
PID 4548 wrote to memory of 2388	4548	Neadfe32.exe	112
PID 4548 wrote to memory of 2388	4548	Neadfe32.exe	112
PID 4548 wrote to memory of 2388	4548	Neadfe32.exe	112

C:\Users\Admin\AppData\Local\Temp\NEAS.0f4131d0d2d431fdbc26778e16238df0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0f4131d0d2d431fdbc26778e16238df0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:396
- C:\Windows\SysWOW64\Hikkdc32.exe
  C:\Windows\system32\Hikkdc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\Ionbcb32.exe
    C:\Windows\system32\Ionbcb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\Olfgcj32.exe
      C:\Windows\system32\Olfgcj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Windows\SysWOW64\Ongpeejj.exe
        
        C:\Windows\system32\Ongpeejj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
      - C:\Windows\SysWOW64\Pmfldkei.exe
        
        C:\Windows\system32\Pmfldkei.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Mgjkag32.exe
        
        C:\Windows\system32\Mgjkag32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\Okhmnc32.exe
        
        C:\Windows\system32\Okhmnc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Cecbgl32.exe
        
        C:\Windows\system32\Cecbgl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Capikhgh.exe
        
        C:\Windows\system32\Capikhgh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Dalhgfmk.exe
        
        C:\Windows\system32\Dalhgfmk.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Faakickc.exe
        
        C:\Windows\system32\Faakickc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Hknkiokp.exe
        
        C:\Windows\system32\Hknkiokp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Cnahmo32.exe
        
        C:\Windows\system32\Cnahmo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\Hnibhp32.exe
        
        C:\Windows\system32\Hnibhp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\SysWOW64\Ieojqi32.exe
        
        C:\Windows\system32\Ieojqi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\SysWOW64\Fcpadd32.exe
        
        C:\Windows\system32\Fcpadd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Keboni32.exe
        
        C:\Windows\system32\Keboni32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Neadfe32.exe
        
        C:\Windows\system32\Neadfe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\Mclplffj.exe
        
        C:\Windows\system32\Mclplffj.exe
        20⤵
        Executes dropped EXE
        
        PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Capikhgh.exe

Filesize
4.5MB

MD5
8bae5655a3c9e3e23c3edbe3ee6169c0

SHA1
d12e0be9d5a07a5dd4dd198ab2112242f5c96372

SHA256
f817da80a447b7f0f00774ac3e59ce2334d33418d7472a92970178b747d25746

SHA512
ae111c2bd4061d032107929107d5b5dd9b1a7c0736eee6ac5d3ae2f3441c1fb2a546345a5a262d33966e002ddeab002a754ee8df2858e5dcef213eb05a09fe96

Download Submit
C:\Windows\SysWOW64\Capikhgh.exe

Filesize
4.5MB

MD5
8bae5655a3c9e3e23c3edbe3ee6169c0

SHA1
d12e0be9d5a07a5dd4dd198ab2112242f5c96372

SHA256
f817da80a447b7f0f00774ac3e59ce2334d33418d7472a92970178b747d25746

SHA512
ae111c2bd4061d032107929107d5b5dd9b1a7c0736eee6ac5d3ae2f3441c1fb2a546345a5a262d33966e002ddeab002a754ee8df2858e5dcef213eb05a09fe96

Download Submit
C:\Windows\SysWOW64\Cecbgl32.exe

Filesize
4.5MB

MD5
ba5560a6989be95695b667cb16ed4a62

SHA1
8361badcfd2d734a41a9b9d03497174d0d06bcec

SHA256
6194a29b19500c9394b6a3b1bc12cee95fc3cb4a33b361fcff2d03a6bd1862b1

SHA512
ad59b596e47dd702466afcfba7a4b9b1c10e80f9958e042d9b40cddbdf34f0feb6dd7f7bd32fbd8d4aea937143d92c3a705aa6ec0df6b983c1b57ddf295d5f85

Download Submit
C:\Windows\SysWOW64\Cecbgl32.exe

Filesize
4.5MB

MD5
ba5560a6989be95695b667cb16ed4a62

SHA1
8361badcfd2d734a41a9b9d03497174d0d06bcec

SHA256
6194a29b19500c9394b6a3b1bc12cee95fc3cb4a33b361fcff2d03a6bd1862b1

SHA512
ad59b596e47dd702466afcfba7a4b9b1c10e80f9958e042d9b40cddbdf34f0feb6dd7f7bd32fbd8d4aea937143d92c3a705aa6ec0df6b983c1b57ddf295d5f85

Download Submit
C:\Windows\SysWOW64\Cnahmo32.exe

Filesize
4.5MB

MD5
a70dcdcd65e005622c49e04f97e22b41

SHA1
999a7b99c8cd818a476065445acafdb8bbbe0c99

SHA256
bd2f8a1cc40813322ecc2641b7de5cb8f7ea122e3be5d52637f6897105b084b2

SHA512
9a09d19c91be0127f4984e455887a1b486dc1dcc978eee312cdf5895a8b7db24d766669948bacf1ffa3411d8d7027e1b05eba0e2247d9fa2a4004b67de8d86bb

Download Submit
C:\Windows\SysWOW64\Cnahmo32.exe

Filesize
4.5MB

MD5
a70dcdcd65e005622c49e04f97e22b41

SHA1
999a7b99c8cd818a476065445acafdb8bbbe0c99

SHA256
bd2f8a1cc40813322ecc2641b7de5cb8f7ea122e3be5d52637f6897105b084b2

SHA512
9a09d19c91be0127f4984e455887a1b486dc1dcc978eee312cdf5895a8b7db24d766669948bacf1ffa3411d8d7027e1b05eba0e2247d9fa2a4004b67de8d86bb

Download Submit
C:\Windows\SysWOW64\Dalhgfmk.exe

Filesize
4.5MB

MD5
dd98137a1fd7bba8365f70fc4399bc6d

SHA1
ea2f59e1b955a7ad3bb5dd46bb54259742548bd1

SHA256
9b4a6cda2a5bf9e1a01c24466edcf98a94eb836b52776116fe33a7dabff99bea

SHA512
18d4ce0d108cc88516d812c7b3fdd66282f207cfddc7742d4d123558edb7838a0288e305f0d9035bcd38005ac7ac2eba1808640ca695719788667c477ffd27d4

Download Submit
C:\Windows\SysWOW64\Dalhgfmk.exe

Filesize
4.5MB

MD5
dd98137a1fd7bba8365f70fc4399bc6d

SHA1
ea2f59e1b955a7ad3bb5dd46bb54259742548bd1

SHA256
9b4a6cda2a5bf9e1a01c24466edcf98a94eb836b52776116fe33a7dabff99bea

SHA512
18d4ce0d108cc88516d812c7b3fdd66282f207cfddc7742d4d123558edb7838a0288e305f0d9035bcd38005ac7ac2eba1808640ca695719788667c477ffd27d4

Download Submit
C:\Windows\SysWOW64\Faakickc.exe

Filesize
4.5MB

MD5
8b0f71b4a1e626a16bb9252b3e9b688c

SHA1
e003a4472ec68cc7b3bba83678c6997c3da17923

SHA256
b4023c55bc5cb9d44d7b3207bb6cde60978f917e2851edbef64e8285614242a8

SHA512
fbd8f5f06c25cfa5a2f31f39487664d7be61e9d74e43516612e890c66118ae0136a2a012a3fd67a2e4e8a6603ab2961fe8a772bc6ba8b4d1c79789c1ca4da29e

Download Submit
C:\Windows\SysWOW64\Faakickc.exe

Filesize
4.5MB

MD5
8b0f71b4a1e626a16bb9252b3e9b688c

SHA1
e003a4472ec68cc7b3bba83678c6997c3da17923

SHA256
b4023c55bc5cb9d44d7b3207bb6cde60978f917e2851edbef64e8285614242a8

SHA512
fbd8f5f06c25cfa5a2f31f39487664d7be61e9d74e43516612e890c66118ae0136a2a012a3fd67a2e4e8a6603ab2961fe8a772bc6ba8b4d1c79789c1ca4da29e

Download Submit
C:\Windows\SysWOW64\Fcpadd32.exe

Filesize
4.5MB

MD5
9474e0543b09b6a9011ca23410129e64

SHA1
d401713e40dcd9c55f9f252b6350f7179fff06f5

SHA256
244b6ec9a512a62f6bd08065e448529841f698611fdd7293c0d648055f9a8dc5

SHA512
c9fd05f9fb0fad05ec70cf75d88632df47e46573d67c9c10a7765c21b696d49278055f2e79d583ff9693c324895cabae9e7931a6283f51cb6955f850cd323734

Download Submit
C:\Windows\SysWOW64\Fcpadd32.exe

Filesize
4.5MB

MD5
0894fed4fa7c683b34e1dbee4887a53c

SHA1
4fcac53aa422da38eabb7af6e628bf1a886346bb

SHA256
460eb8c8e376b90395b7e698b7e14f18e66496af001ee0db7464c9dc7c216d80

SHA512
c6937a34c29d8cc9642acc3eb68d16a2b96a02a2a8767a2088ad2baffaaa0848db70b1d14e7d2527ec6944d48b8506ea52de750a2a047ae31cc1098d6b224fba

Download Submit
C:\Windows\SysWOW64\Fcpadd32.exe

Filesize
4.5MB

MD5
0894fed4fa7c683b34e1dbee4887a53c

SHA1
4fcac53aa422da38eabb7af6e628bf1a886346bb

SHA256
460eb8c8e376b90395b7e698b7e14f18e66496af001ee0db7464c9dc7c216d80

SHA512
c6937a34c29d8cc9642acc3eb68d16a2b96a02a2a8767a2088ad2baffaaa0848db70b1d14e7d2527ec6944d48b8506ea52de750a2a047ae31cc1098d6b224fba

Download Submit
C:\Windows\SysWOW64\Fopielld.dll

Filesize
7KB

MD5
5652731f8ecacfbaafa74dc0e1a04861

SHA1
49c57732fc36b2186c03d71d1a0e346c9e9bd36d

SHA256
1fe5376cb908d4f826e11afecbb40c66261e9f6c68239027fc83063727f33797

SHA512
7c1e8881bd0c5ba987501a59c97a9a71a88125e2a87952ec87dbdf8e82c1b5d823e4610a2266fa039c392207ae5f23ca426bd2c9116557411ecede811103e838

Download Submit
C:\Windows\SysWOW64\Hikkdc32.exe

Filesize
4.5MB

MD5
16b10fb97ce2ac8ec325e8b8dfa9e4e0

SHA1
7953a6a9d9868b5abfd53aec33f54492c864dba6

SHA256
c64fb4134baed04a160bff8059e5ec0b30a96031bfda11380b65734e77db0895

SHA512
186654b29b73161f1c28a5f86dd09902c1314d49a733c8ed0a9d20394d25e34b9e770d5ccc654061e638a8b2163c8757ff4828663f67e8a550727fbf8065d08d

Download Submit
C:\Windows\SysWOW64\Hikkdc32.exe

Filesize
4.5MB

MD5
16b10fb97ce2ac8ec325e8b8dfa9e4e0

SHA1
7953a6a9d9868b5abfd53aec33f54492c864dba6

SHA256
c64fb4134baed04a160bff8059e5ec0b30a96031bfda11380b65734e77db0895

SHA512
186654b29b73161f1c28a5f86dd09902c1314d49a733c8ed0a9d20394d25e34b9e770d5ccc654061e638a8b2163c8757ff4828663f67e8a550727fbf8065d08d

Download Submit
C:\Windows\SysWOW64\Hknkiokp.exe

Filesize
4.5MB

MD5
8b0f71b4a1e626a16bb9252b3e9b688c

SHA1
e003a4472ec68cc7b3bba83678c6997c3da17923

SHA256
b4023c55bc5cb9d44d7b3207bb6cde60978f917e2851edbef64e8285614242a8

SHA512
fbd8f5f06c25cfa5a2f31f39487664d7be61e9d74e43516612e890c66118ae0136a2a012a3fd67a2e4e8a6603ab2961fe8a772bc6ba8b4d1c79789c1ca4da29e

Download Submit
C:\Windows\SysWOW64\Hknkiokp.exe

Filesize
4.5MB

MD5
797ceff72cec96b3feb5083e8a4e8c8d

SHA1
6b41e57ffe3e6162d1214c9c8629c1a989b2202b

SHA256
20ae94db984780ecde861bd2c334959eb1b45704e5770f894d2eea58a4068031

SHA512
cab106f43b37c140692bfb2bf3c769e6c2af06df291f252a3c2c14a07e4e3d8ab19837e40f40004efc1f28a901e085105c7c65bdbb813a505c1512ccab944e9e

Download Submit
C:\Windows\SysWOW64\Hknkiokp.exe

Filesize
4.5MB

MD5
797ceff72cec96b3feb5083e8a4e8c8d

SHA1
6b41e57ffe3e6162d1214c9c8629c1a989b2202b

SHA256
20ae94db984780ecde861bd2c334959eb1b45704e5770f894d2eea58a4068031

SHA512
cab106f43b37c140692bfb2bf3c769e6c2af06df291f252a3c2c14a07e4e3d8ab19837e40f40004efc1f28a901e085105c7c65bdbb813a505c1512ccab944e9e

Download Submit
C:\Windows\SysWOW64\Hnibhp32.exe

Filesize
4.5MB

MD5
c7a8926e02016a5c9d6e7c1085c272c6

SHA1
ee1b0e956743569f93d5a5faaaaa61f75d6f2b0e

SHA256
76e4372ce304b0bcf91b470af7b19e36014297a0aa2aea6bf991afa05bcba9c2

SHA512
bfbfff0c9fd652a88e6bdb5e0a6f1ce9ef7d8e47f32b4745f267f9e771e13b34d9ef8febe92c5b80fcb40375d217e5a3f5b5cc0c6fd3e98df9c27f4027949897

Download Submit
C:\Windows\SysWOW64\Hnibhp32.exe

Filesize
4.5MB

MD5
c7a8926e02016a5c9d6e7c1085c272c6

SHA1
ee1b0e956743569f93d5a5faaaaa61f75d6f2b0e

SHA256
76e4372ce304b0bcf91b470af7b19e36014297a0aa2aea6bf991afa05bcba9c2

SHA512
bfbfff0c9fd652a88e6bdb5e0a6f1ce9ef7d8e47f32b4745f267f9e771e13b34d9ef8febe92c5b80fcb40375d217e5a3f5b5cc0c6fd3e98df9c27f4027949897

Download Submit
C:\Windows\SysWOW64\Ieojqi32.exe

Filesize
4.5MB

MD5
9474e0543b09b6a9011ca23410129e64

SHA1
d401713e40dcd9c55f9f252b6350f7179fff06f5

SHA256
244b6ec9a512a62f6bd08065e448529841f698611fdd7293c0d648055f9a8dc5

SHA512
c9fd05f9fb0fad05ec70cf75d88632df47e46573d67c9c10a7765c21b696d49278055f2e79d583ff9693c324895cabae9e7931a6283f51cb6955f850cd323734

Download Submit
C:\Windows\SysWOW64\Ieojqi32.exe

Filesize
4.5MB

MD5
9474e0543b09b6a9011ca23410129e64

SHA1
d401713e40dcd9c55f9f252b6350f7179fff06f5

SHA256
244b6ec9a512a62f6bd08065e448529841f698611fdd7293c0d648055f9a8dc5

SHA512
c9fd05f9fb0fad05ec70cf75d88632df47e46573d67c9c10a7765c21b696d49278055f2e79d583ff9693c324895cabae9e7931a6283f51cb6955f850cd323734

Download Submit
C:\Windows\SysWOW64\Ionbcb32.exe

Filesize
4.5MB

MD5
0b5f4692b7329ca2bd50d8f3c2bbe9ad

SHA1
ec7ee9e23942ee434aa3e56a5a4e9d8b9bdfa008

SHA256
7532b48168ab178fdb5639db9265c67843468aaec7c36d37064d657eac8aa530

SHA512
72eb28bd65100753e7a2c1573bca559adb9ee1e2f25d75129d54e671be72554eba99b6f18bd39ef829b8351121dea41fdbac0115a971761586a108b5fa7f929e

Download Submit
C:\Windows\SysWOW64\Ionbcb32.exe

Filesize
4.5MB

MD5
0b5f4692b7329ca2bd50d8f3c2bbe9ad

SHA1
ec7ee9e23942ee434aa3e56a5a4e9d8b9bdfa008

SHA256
7532b48168ab178fdb5639db9265c67843468aaec7c36d37064d657eac8aa530

SHA512
72eb28bd65100753e7a2c1573bca559adb9ee1e2f25d75129d54e671be72554eba99b6f18bd39ef829b8351121dea41fdbac0115a971761586a108b5fa7f929e

Download Submit
C:\Windows\SysWOW64\Keboni32.exe

Filesize
4.5MB

MD5
2f9753629cbe83946f636872da95b4d9

SHA1
a69367ba79d1ac6846326b84e7343be5b65ff00b

SHA256
4f7e238ed46de554e3a65e8cf60e1b30056edd88396cfd5e76c029fe6fdcd69f

SHA512
3a3dec8a3560013c63ab683ed38cdc76d26c0f47b3ec83d9342f90c3f25f93988087af5ecebdba20c793d0293e72b17ad15a9926b40f9f5f1459b1fadf728bda

Download Submit
C:\Windows\SysWOW64\Keboni32.exe

Filesize
4.5MB

MD5
2f9753629cbe83946f636872da95b4d9

SHA1
a69367ba79d1ac6846326b84e7343be5b65ff00b

SHA256
4f7e238ed46de554e3a65e8cf60e1b30056edd88396cfd5e76c029fe6fdcd69f

SHA512
3a3dec8a3560013c63ab683ed38cdc76d26c0f47b3ec83d9342f90c3f25f93988087af5ecebdba20c793d0293e72b17ad15a9926b40f9f5f1459b1fadf728bda

Download Submit
C:\Windows\SysWOW64\Mclplffj.exe

Filesize
4.5MB

MD5
c39491b61bf4a6af3444969eff649e1f

SHA1
82bba92d231c4fa336ea0410e45af33a053ea9a1

SHA256
dcde9d3f7132dcf2a6b5249477dbc99905ae7add6d4cb59aa9ba59657b9cfd54

SHA512
127c56c7e650269b561d2c34a3c172290c375f3e0ddda51153bdf0fcb8ddf89006d45a4596f336f2232cd2cba325cb4a182b8eaccccf33250ffbb96a6fdea353

Download Submit
C:\Windows\SysWOW64\Mclplffj.exe

Filesize
4.5MB

MD5
c39491b61bf4a6af3444969eff649e1f

SHA1
82bba92d231c4fa336ea0410e45af33a053ea9a1

SHA256
dcde9d3f7132dcf2a6b5249477dbc99905ae7add6d4cb59aa9ba59657b9cfd54

SHA512
127c56c7e650269b561d2c34a3c172290c375f3e0ddda51153bdf0fcb8ddf89006d45a4596f336f2232cd2cba325cb4a182b8eaccccf33250ffbb96a6fdea353

Download Submit
C:\Windows\SysWOW64\Mgjkag32.exe

Filesize
4.5MB

MD5
b169b50366fa561f7ab136636f7d9d48

SHA1
cf1cdfa8b0bf19a076b01a653479882827c64311

SHA256
83f2a5c4628e924942b2765b52fbce1c43a398f7e52320971d8c3fa94a8beac7

SHA512
e970e16d97fd98c1683f6b097a5a6d2326c63ed5ef58075c4f0c629ed3ef52067f4c4df1bedf00892685dd43143a447708ef540c48774064937fcf978c009c4c

Download Submit
C:\Windows\SysWOW64\Mgjkag32.exe

Filesize
4.5MB

MD5
b169b50366fa561f7ab136636f7d9d48

SHA1
cf1cdfa8b0bf19a076b01a653479882827c64311

SHA256
83f2a5c4628e924942b2765b52fbce1c43a398f7e52320971d8c3fa94a8beac7

SHA512
e970e16d97fd98c1683f6b097a5a6d2326c63ed5ef58075c4f0c629ed3ef52067f4c4df1bedf00892685dd43143a447708ef540c48774064937fcf978c009c4c

Download Submit
C:\Windows\SysWOW64\Neadfe32.exe

Filesize
4.5MB

MD5
d0c2e9237603fad4a7b80eb3aee76e4c

SHA1
be61e5decfae5d6c60d3a376fddc97472a2b149f

SHA256
1b487d1db0795d34bcbe87854476f26af16f7f6841fbae8f1d8dbe80c387b348

SHA512
8037e8943b9e7db5da9afbbf6e23cb188bbb45d7a6b7ac76337e3e9339747ebd7acfc6f714b5507483a27fef183bd08d5e0f37b0775de088cc5e7a66cb29e426

Download Submit
C:\Windows\SysWOW64\Neadfe32.exe

Filesize
4.5MB

MD5
d0c2e9237603fad4a7b80eb3aee76e4c

SHA1
be61e5decfae5d6c60d3a376fddc97472a2b149f

SHA256
1b487d1db0795d34bcbe87854476f26af16f7f6841fbae8f1d8dbe80c387b348

SHA512
8037e8943b9e7db5da9afbbf6e23cb188bbb45d7a6b7ac76337e3e9339747ebd7acfc6f714b5507483a27fef183bd08d5e0f37b0775de088cc5e7a66cb29e426

Download Submit
C:\Windows\SysWOW64\Neadfe32.exe

Filesize
4.5MB

MD5
d0c2e9237603fad4a7b80eb3aee76e4c

SHA1
be61e5decfae5d6c60d3a376fddc97472a2b149f

SHA256
1b487d1db0795d34bcbe87854476f26af16f7f6841fbae8f1d8dbe80c387b348

SHA512
8037e8943b9e7db5da9afbbf6e23cb188bbb45d7a6b7ac76337e3e9339747ebd7acfc6f714b5507483a27fef183bd08d5e0f37b0775de088cc5e7a66cb29e426

Download Submit
C:\Windows\SysWOW64\Okhmnc32.exe

Filesize
4.5MB

MD5
2b33de561ff63d0c7cbb34f1eba962fb

SHA1
3880c053385aaf48fb9c2f0591bb9f8aca21aeb8

SHA256
81fc1ef34cd65784250e8ee6bc7d4b11d95f6e372d77b31f42af8a74407ca5b3

SHA512
28764e57975cd8f97cdca45416910117c6987f91e8dd1c6a3936c6fe1f5d07baf69ce12cdab6330beb8d4c92804755d1161d06ca73485b0f1cd68f316587ca8d

Download Submit
C:\Windows\SysWOW64\Okhmnc32.exe

Filesize
4.5MB

MD5
2b33de561ff63d0c7cbb34f1eba962fb

SHA1
3880c053385aaf48fb9c2f0591bb9f8aca21aeb8

SHA256
81fc1ef34cd65784250e8ee6bc7d4b11d95f6e372d77b31f42af8a74407ca5b3

SHA512
28764e57975cd8f97cdca45416910117c6987f91e8dd1c6a3936c6fe1f5d07baf69ce12cdab6330beb8d4c92804755d1161d06ca73485b0f1cd68f316587ca8d

Download Submit
C:\Windows\SysWOW64\Olfgcj32.exe

Filesize
4.5MB

MD5
611c4ce37e973ec401a2c073d19714ac

SHA1
12d282457a1fe21fa8cf00a7510fb3faffb9aeef

SHA256
5379bf245797e04f80d5654fcd66fc732aad1808793f61c9ba7d1203b9f43940

SHA512
3bf7fbb4187cb0184bb9273f2ac0f9c65da04edb3b77a7d4ed9e5cd2ad3f2bc6cd0b609e723bb033e2577dca8f848a36975484c7d42fb9227b579f76e1b6463a

Download Submit
C:\Windows\SysWOW64\Olfgcj32.exe

Filesize
4.5MB

MD5
611c4ce37e973ec401a2c073d19714ac

SHA1
12d282457a1fe21fa8cf00a7510fb3faffb9aeef

SHA256
5379bf245797e04f80d5654fcd66fc732aad1808793f61c9ba7d1203b9f43940

SHA512
3bf7fbb4187cb0184bb9273f2ac0f9c65da04edb3b77a7d4ed9e5cd2ad3f2bc6cd0b609e723bb033e2577dca8f848a36975484c7d42fb9227b579f76e1b6463a

Download Submit
C:\Windows\SysWOW64\Ongpeejj.exe

Filesize
4.5MB

MD5
69de5255e495f517db87263880318b8c

SHA1
825b8bbcdbfbc03f394cbf7b727c796101eb570b

SHA256
65730469adbb593ea47679a7dff287b6cf43e857d7f3f4299937b89204f61afd

SHA512
c2f870cc40253d34676ad1a886f4bc509425e47db8f1f98cbc4e435655a52d9e45c7c64b75e3ddc6a671044b8b5c0698da408e0eefeaee9cdc52375022ad432d

Download Submit
C:\Windows\SysWOW64\Ongpeejj.exe

Filesize
4.5MB

MD5
69de5255e495f517db87263880318b8c

SHA1
825b8bbcdbfbc03f394cbf7b727c796101eb570b

SHA256
65730469adbb593ea47679a7dff287b6cf43e857d7f3f4299937b89204f61afd

SHA512
c2f870cc40253d34676ad1a886f4bc509425e47db8f1f98cbc4e435655a52d9e45c7c64b75e3ddc6a671044b8b5c0698da408e0eefeaee9cdc52375022ad432d

Download Submit
C:\Windows\SysWOW64\Pmfldkei.exe

Filesize
4.5MB

MD5
bac10bc123b67f9cb2ed7f27ba810e72

SHA1
8bf51e4994d6f3b401d1b71862bb09a4bdeae523

SHA256
26bf13d956fdf17532b341e3224e3888e7b87f0d79681d72707a76d0707d438f

SHA512
60cb40fc06958e43add371525739173ff82fe9cc0c7fca6c16e7acf4931ed402169db99b78aa5d8937996598786a7e2a96bd43726005e1cae4c7a6af506a4cac

Download Submit
C:\Windows\SysWOW64\Pmfldkei.exe

Filesize
4.5MB

MD5
bac10bc123b67f9cb2ed7f27ba810e72

SHA1
8bf51e4994d6f3b401d1b71862bb09a4bdeae523

SHA256
26bf13d956fdf17532b341e3224e3888e7b87f0d79681d72707a76d0707d438f

SHA512
60cb40fc06958e43add371525739173ff82fe9cc0c7fca6c16e7acf4931ed402169db99b78aa5d8937996598786a7e2a96bd43726005e1cae4c7a6af506a4cac

Download Submit
memory/396-5-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/396-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/864-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2072-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-35-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2260-10-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3348-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3888-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-52-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4628-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-132-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-50-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-62-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads