0aded87b3151fbda2fd00f6cb9e363c4071255fdbfccb6dd458c2ea0965f4290

Analysis

max time kernel
137s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
12/11/2023, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Size

400KB
MD5

c6a6f4cb908622c0df33430ac5764990
SHA1

ece948d1677a8c919ef32bf65d2742ab0bd801d7
SHA256

0aded87b3151fbda2fd00f6cb9e363c4071255fdbfccb6dd458c2ea0965f4290
SHA512

eab928872680119f75d143bae55d7936327740e6a289bdfa0d93112d5ce319a3bffa455197e2bb669df6ad55ecf588b51973dc659b238947e60e41c478f8e21e
SSDEEP

6144:T5w6mBatDyB8LoedCFJ369BJ369vpui6yYPaIGckvNP9T9pui6yYPaIGckv:FwUtyWUedCv2EpV6yYPaNFZpV6yYPo

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncaklhdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iencmm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apkjddke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkgmoncl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmaai32.exe

Executes dropped EXE 19 IoCs

pid	Process
1744	Fqdbdbna.exe
1776	Iencmm32.exe
1240	Jbijgp32.exe
1956	Jjihfbno.exe
1736	Koimbpbc.exe
4896	Kefbdjgm.exe
4036	Kbnlim32.exe
724	Mkgmoncl.exe
4280	Mohbjkgp.exe
2488	Ncmaai32.exe
2208	Ncaklhdi.exe
2904	Oomelheh.exe
2268	Pomncfge.exe
3076	Qmckbjdl.exe
4344	Apkjddke.exe
860	Aidomjaf.exe
1152	Cpifeb32.exe
1292	Cmdmpe32.exe
4596	Dbkhnk32.exe

Drops file in System32 directory 57 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pomncfge.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Pomncfge.exe
File created	C:\Windows\SysWOW64\Plmiie32.dll	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Aidomjaf.exe	Apkjddke.exe
File created	C:\Windows\SysWOW64\Mondkfmh.dll	Cpifeb32.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Ifkqol32.dll	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Nbdenofm.dll	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Eoggpbpn.dll	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Mohbjkgp.exe	Mkgmoncl.exe
File created	C:\Windows\SysWOW64\Kkacdofa.dll	Ncaklhdi.exe
File opened for modification	C:\Windows\SysWOW64\Cmdmpe32.exe	Cpifeb32.exe
File created	C:\Windows\SysWOW64\Aaqcco32.dll	Jbijgp32.exe
File opened for modification	C:\Windows\SysWOW64\Kbnlim32.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Dbkhnk32.exe	Cmdmpe32.exe
File opened for modification	C:\Windows\SysWOW64\Mkgmoncl.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Ncaklhdi.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Kefbdjgm.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Oomelheh.exe
File created	C:\Windows\SysWOW64\Jjihfbno.exe	Jbijgp32.exe
File created	C:\Windows\SysWOW64\Ncmaai32.exe	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Iencmm32.exe	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Jbijgp32.exe	Iencmm32.exe
File opened for modification	C:\Windows\SysWOW64\Fqdbdbna.exe	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
File created	C:\Windows\SysWOW64\Kfhfap32.dll	Apkjddke.exe
File opened for modification	C:\Windows\SysWOW64\Kefbdjgm.exe	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Oomelheh.exe	Ncaklhdi.exe
File created	C:\Windows\SysWOW64\Cpifeb32.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Fmbcdide.dll	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Koimbpbc.exe	Jjihfbno.exe
File opened for modification	C:\Windows\SysWOW64\Koimbpbc.exe	Jjihfbno.exe
File created	C:\Windows\SysWOW64\Dbmoak32.dll	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Jbijgp32.exe	Iencmm32.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
File created	C:\Windows\SysWOW64\Cmdmpe32.exe	Cpifeb32.exe
File created	C:\Windows\SysWOW64\Hgnfpc32.dll	Koimbpbc.exe
File created	C:\Windows\SysWOW64\Fkekkccb.dll	Mkgmoncl.exe
File created	C:\Windows\SysWOW64\Odehaccj.dll	Kefbdjgm.exe
File opened for modification	C:\Windows\SysWOW64\Pomncfge.exe	Oomelheh.exe
File created	C:\Windows\SysWOW64\Aidomjaf.exe	Apkjddke.exe
File opened for modification	C:\Windows\SysWOW64\Iencmm32.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Jdiphhpk.dll	Iencmm32.exe
File opened for modification	C:\Windows\SysWOW64\Cpifeb32.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Kbnlim32.exe	Kefbdjgm.exe
File created	C:\Windows\SysWOW64\Daphho32.dll	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Ncaklhdi.exe	Ncmaai32.exe
File created	C:\Windows\SysWOW64\Mkgmoncl.exe	Kbnlim32.exe
File created	C:\Windows\SysWOW64\Qmckbjdl.exe	Pomncfge.exe
File opened for modification	C:\Windows\SysWOW64\Mohbjkgp.exe	Mkgmoncl.exe
File opened for modification	C:\Windows\SysWOW64\Ncmaai32.exe	Mohbjkgp.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Apkjddke.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Apkjddke.exe	Qmckbjdl.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
File opened for modification	C:\Windows\SysWOW64\Jjihfbno.exe	Jbijgp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
552	4596	WerFault.exe	109

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbcdide.dll"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naefjl32.dll"	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mohbjkgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmiie32.dll"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmoak32.dll"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncmaai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdenofm.dll"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncmaai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Apkjddke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjihfbno.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pomncfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdiphhpk.dll"	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifkqol32.dll"	Jjihfbno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkekkccb.dll"	Mkgmoncl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jbijgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll"	Koimbpbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Oomelheh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daphho32.dll"	Mohbjkgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkacdofa.dll"	Ncaklhdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mondkfmh.dll"	Cpifeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkgmoncl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoggpbpn.dll"	Kbnlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kefbdjgm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Apkjddke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iencmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Koimbpbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbnlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odehaccj.dll"	Kefbdjgm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhfap32.dll"	Apkjddke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.c6a6f4cb908622c0df33430ac5764990.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iencmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqcco32.dll"	Jbijgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oomelheh.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 1744	5116	NEAS.c6a6f4cb908622c0df33430ac5764990.exe	91
PID 5116 wrote to memory of 1744	5116	NEAS.c6a6f4cb908622c0df33430ac5764990.exe	91
PID 5116 wrote to memory of 1744	5116	NEAS.c6a6f4cb908622c0df33430ac5764990.exe	91
PID 1744 wrote to memory of 1776	1744	Fqdbdbna.exe	92
PID 1744 wrote to memory of 1776	1744	Fqdbdbna.exe	92
PID 1744 wrote to memory of 1776	1744	Fqdbdbna.exe	92
PID 1776 wrote to memory of 1240	1776	Iencmm32.exe	93
PID 1776 wrote to memory of 1240	1776	Iencmm32.exe	93
PID 1776 wrote to memory of 1240	1776	Iencmm32.exe	93
PID 1240 wrote to memory of 1956	1240	Jbijgp32.exe	94
PID 1240 wrote to memory of 1956	1240	Jbijgp32.exe	94
PID 1240 wrote to memory of 1956	1240	Jbijgp32.exe	94
PID 1956 wrote to memory of 1736	1956	Jjihfbno.exe	95
PID 1956 wrote to memory of 1736	1956	Jjihfbno.exe	95
PID 1956 wrote to memory of 1736	1956	Jjihfbno.exe	95
PID 1736 wrote to memory of 4896	1736	Koimbpbc.exe	96
PID 1736 wrote to memory of 4896	1736	Koimbpbc.exe	96
PID 1736 wrote to memory of 4896	1736	Koimbpbc.exe	96
PID 4896 wrote to memory of 4036	4896	Kefbdjgm.exe	97
PID 4896 wrote to memory of 4036	4896	Kefbdjgm.exe	97
PID 4896 wrote to memory of 4036	4896	Kefbdjgm.exe	97
PID 4036 wrote to memory of 724	4036	Kbnlim32.exe	98
PID 4036 wrote to memory of 724	4036	Kbnlim32.exe	98
PID 4036 wrote to memory of 724	4036	Kbnlim32.exe	98
PID 724 wrote to memory of 4280	724	Mkgmoncl.exe	99
PID 724 wrote to memory of 4280	724	Mkgmoncl.exe	99
PID 724 wrote to memory of 4280	724	Mkgmoncl.exe	99
PID 4280 wrote to memory of 2488	4280	Mohbjkgp.exe	100
PID 4280 wrote to memory of 2488	4280	Mohbjkgp.exe	100
PID 4280 wrote to memory of 2488	4280	Mohbjkgp.exe	100
PID 2488 wrote to memory of 2208	2488	Ncmaai32.exe	101
PID 2488 wrote to memory of 2208	2488	Ncmaai32.exe	101
PID 2488 wrote to memory of 2208	2488	Ncmaai32.exe	101
PID 2208 wrote to memory of 2904	2208	Ncaklhdi.exe	102
PID 2208 wrote to memory of 2904	2208	Ncaklhdi.exe	102
PID 2208 wrote to memory of 2904	2208	Ncaklhdi.exe	102
PID 2904 wrote to memory of 2268	2904	Oomelheh.exe	103
PID 2904 wrote to memory of 2268	2904	Oomelheh.exe	103
PID 2904 wrote to memory of 2268	2904	Oomelheh.exe	103
PID 2268 wrote to memory of 3076	2268	Pomncfge.exe	104
PID 2268 wrote to memory of 3076	2268	Pomncfge.exe	104
PID 2268 wrote to memory of 3076	2268	Pomncfge.exe	104
PID 3076 wrote to memory of 4344	3076	Qmckbjdl.exe	105
PID 3076 wrote to memory of 4344	3076	Qmckbjdl.exe	105
PID 3076 wrote to memory of 4344	3076	Qmckbjdl.exe	105
PID 4344 wrote to memory of 860	4344	Apkjddke.exe	106
PID 4344 wrote to memory of 860	4344	Apkjddke.exe	106
PID 4344 wrote to memory of 860	4344	Apkjddke.exe	106
PID 860 wrote to memory of 1152	860	Aidomjaf.exe	107
PID 860 wrote to memory of 1152	860	Aidomjaf.exe	107
PID 860 wrote to memory of 1152	860	Aidomjaf.exe	107
PID 1152 wrote to memory of 1292	1152	Cpifeb32.exe	108
PID 1152 wrote to memory of 1292	1152	Cpifeb32.exe	108
PID 1152 wrote to memory of 1292	1152	Cpifeb32.exe	108
PID 1292 wrote to memory of 4596	1292	Cmdmpe32.exe	109
PID 1292 wrote to memory of 4596	1292	Cmdmpe32.exe	109
PID 1292 wrote to memory of 4596	1292	Cmdmpe32.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.c6a6f4cb908622c0df33430ac5764990.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c6a6f4cb908622c0df33430ac5764990.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\SysWOW64\Fqdbdbna.exe
  C:\Windows\system32\Fqdbdbna.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\Iencmm32.exe
    C:\Windows\system32\Iencmm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Windows\SysWOW64\Jbijgp32.exe
      C:\Windows\system32\Jbijgp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\SysWOW64\Jjihfbno.exe
        
        C:\Windows\system32\Jjihfbno.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
      - C:\Windows\SysWOW64\Koimbpbc.exe
        
        C:\Windows\system32\Koimbpbc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\Kefbdjgm.exe
        
        C:\Windows\system32\Kefbdjgm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\SysWOW64\Kbnlim32.exe
        
        C:\Windows\system32\Kbnlim32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\SysWOW64\Mkgmoncl.exe
        
        C:\Windows\system32\Mkgmoncl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Windows\SysWOW64\Mohbjkgp.exe
        
        C:\Windows\system32\Mohbjkgp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Ncmaai32.exe
        
        C:\Windows\system32\Ncmaai32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Ncaklhdi.exe
        
        C:\Windows\system32\Ncaklhdi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\SysWOW64\Apkjddke.exe
        
        C:\Windows\system32\Apkjddke.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        20⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 412
        21⤵
        Program crash
        
        PID:552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4596 -ip 4596
1⤵
PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aidomjaf.exe

Filesize
400KB

MD5
ce71a733c09ffbcc043e00715a67cc16

SHA1
5abb71348042aeb16d931587fbdc1f19d7fa3817

SHA256
efaae02ee17356564eb95a1529033730be89f61c51d27c65fad63e5788b0a385

SHA512
6b87cb7ca19d1ef48c7bf2879d95a717865386acd99912d2bcc462ad92380088ace243bf04b149d39105ebd152cc966f6ea8aeacadc1fbbfd49d4c74784ff369

Download Submit
C:\Windows\SysWOW64\Aidomjaf.exe

Filesize
400KB

MD5
ce71a733c09ffbcc043e00715a67cc16

SHA1
5abb71348042aeb16d931587fbdc1f19d7fa3817

SHA256
efaae02ee17356564eb95a1529033730be89f61c51d27c65fad63e5788b0a385

SHA512
6b87cb7ca19d1ef48c7bf2879d95a717865386acd99912d2bcc462ad92380088ace243bf04b149d39105ebd152cc966f6ea8aeacadc1fbbfd49d4c74784ff369

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
400KB

MD5
c7821608ee4c8304c93e90ab6fc3f6c7

SHA1
fd3a953cb5c241d3defd9431f1184dd647d1c64e

SHA256
3421da0f8f485a9c1a27d9cb09e7b6dd92fa9884687577c3b310e071eb8c227a

SHA512
03100eb89dad347150d8c7ce02d87005f6c79f5ea0b704fb8ed18e5cea00a54321ce8199577e898e6ed74dfc17f4bb86739ab3b50b5396a14908e899162dc460

Download Submit
C:\Windows\SysWOW64\Apkjddke.exe

Filesize
400KB

MD5
c7821608ee4c8304c93e90ab6fc3f6c7

SHA1
fd3a953cb5c241d3defd9431f1184dd647d1c64e

SHA256
3421da0f8f485a9c1a27d9cb09e7b6dd92fa9884687577c3b310e071eb8c227a

SHA512
03100eb89dad347150d8c7ce02d87005f6c79f5ea0b704fb8ed18e5cea00a54321ce8199577e898e6ed74dfc17f4bb86739ab3b50b5396a14908e899162dc460

Download Submit
C:\Windows\SysWOW64\Cmdmpe32.exe

Filesize
400KB

MD5
d99b2c2c5bebd0c034fd713de21695f6

SHA1
d798a3c89c827511a16126becca81a43ba1aa308

SHA256
aa3c42b7109445964d78d9fdcd199d43e819c04b0abc76169060ae7acdf84b63

SHA512
3e2e6ee6280e04c425a1317492f23dd25f2818e471e9933388573d1b10a3760cb33b954172c5ee5a1e5b78d686ed2415a542b3be1bdbaf70d1b6f2c73d713ab4

Download Submit
C:\Windows\SysWOW64\Cmdmpe32.exe

Filesize
400KB

MD5
d99b2c2c5bebd0c034fd713de21695f6

SHA1
d798a3c89c827511a16126becca81a43ba1aa308

SHA256
aa3c42b7109445964d78d9fdcd199d43e819c04b0abc76169060ae7acdf84b63

SHA512
3e2e6ee6280e04c425a1317492f23dd25f2818e471e9933388573d1b10a3760cb33b954172c5ee5a1e5b78d686ed2415a542b3be1bdbaf70d1b6f2c73d713ab4

Download Submit
C:\Windows\SysWOW64\Cpifeb32.exe

Filesize
400KB

MD5
9ecafdc8b135c4eaf8f4c9198e2ccc3d

SHA1
2ac0dd4ec42789a3ccd9c3f49702a71aa40c1afe

SHA256
55f1fb47062f22e9319e8de2c15ea48a85c4a4923d2b5573071451ee8fcc62bc

SHA512
de035eeb085a4f70e79e7ee755908cfe6b31603ba77a6167863667f0b8efa1426467001316e109e3b4c373e634094624194f7970c95b9073e1abf0910df07c73

Download Submit
C:\Windows\SysWOW64\Cpifeb32.exe

Filesize
400KB

MD5
9ecafdc8b135c4eaf8f4c9198e2ccc3d

SHA1
2ac0dd4ec42789a3ccd9c3f49702a71aa40c1afe

SHA256
55f1fb47062f22e9319e8de2c15ea48a85c4a4923d2b5573071451ee8fcc62bc

SHA512
de035eeb085a4f70e79e7ee755908cfe6b31603ba77a6167863667f0b8efa1426467001316e109e3b4c373e634094624194f7970c95b9073e1abf0910df07c73

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
400KB

MD5
65321291ff2f7c0d8e8545b20b67630d

SHA1
e385f1dfc5b9f32a3a2527f46c145bb5a2e7e9e0

SHA256
160e9416107cb1f28f232fe91c4f3f8eae6719bcf1aedfa8f1214f5985125078

SHA512
b575901f38c281ca2bab357d77aff7cbcfdae89b11b2ce579698f5b77e329a4d7abf77c3c000f2cf250ad1034803caa07263408d4503ecb88d9a301cfdf3d3b6

Download Submit
C:\Windows\SysWOW64\Dbkhnk32.exe

Filesize
400KB

MD5
65321291ff2f7c0d8e8545b20b67630d

SHA1
e385f1dfc5b9f32a3a2527f46c145bb5a2e7e9e0

SHA256
160e9416107cb1f28f232fe91c4f3f8eae6719bcf1aedfa8f1214f5985125078

SHA512
b575901f38c281ca2bab357d77aff7cbcfdae89b11b2ce579698f5b77e329a4d7abf77c3c000f2cf250ad1034803caa07263408d4503ecb88d9a301cfdf3d3b6

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
400KB

MD5
83e8c4ab4465ab1539bacdc16c61d546

SHA1
3ac37f3d501cc26f6d072cb1f7f98a9bc3c5dddc

SHA256
097c462e63e68bfc49392a9e3c50d65f6599c0677d630370f95a1b8bdf88158e

SHA512
c972d7df8e5451e7e5171cd642f3cec4ef304a5458829bec00f7588793195e17665ed51ec8f669a0b41e96e4f5b408b42680fa0f09c1fd205245e9182461b24b

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
400KB

MD5
83e8c4ab4465ab1539bacdc16c61d546

SHA1
3ac37f3d501cc26f6d072cb1f7f98a9bc3c5dddc

SHA256
097c462e63e68bfc49392a9e3c50d65f6599c0677d630370f95a1b8bdf88158e

SHA512
c972d7df8e5451e7e5171cd642f3cec4ef304a5458829bec00f7588793195e17665ed51ec8f669a0b41e96e4f5b408b42680fa0f09c1fd205245e9182461b24b

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
400KB

MD5
c018b8a988f6164d31273fca7917acf4

SHA1
7fc78c5e9ee7447a1bcee8ea7a14809b9e417c79

SHA256
800167e91d740eaf090e73d196b5400201ef13616f9365f604a9a56398e2190f

SHA512
ea32cfcd46b935bca4f4b9c450c2c36412bf9809d739540f4d5ad436ed90aae7d7839cb982fc504bebde925bd876ee13d6d6f81ede81243f4ba5468858f8801b

Download Submit
C:\Windows\SysWOW64\Iencmm32.exe

Filesize
400KB

MD5
c018b8a988f6164d31273fca7917acf4

SHA1
7fc78c5e9ee7447a1bcee8ea7a14809b9e417c79

SHA256
800167e91d740eaf090e73d196b5400201ef13616f9365f604a9a56398e2190f

SHA512
ea32cfcd46b935bca4f4b9c450c2c36412bf9809d739540f4d5ad436ed90aae7d7839cb982fc504bebde925bd876ee13d6d6f81ede81243f4ba5468858f8801b

Download Submit
C:\Windows\SysWOW64\Ifkqol32.dll

Filesize
7KB

MD5
41a13a4231af3c0dd6b0bb4f2cf571d4

SHA1
7e40fb824d03906c5fa6275dda06503cc7ff3f0f

SHA256
8cb3a36f7a1675222f0b0d8cfb65e74c54386a9542c27fa8bcf7b05eacb17ec4

SHA512
a6c783e21add7c557ed596652090ee5a3a73543c3e4d98ee8df6e06eec23934612c4b93f349402374753c2984050a4ea3654d9c6e10dedc99f69d94b7a75e6c8

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
400KB

MD5
c5c53a708dd71a664c88b8b7dffcb409

SHA1
dff300493dcbb8181302ed1ebc697de31435437b

SHA256
073c6fd0b66443e7a991507360ffb1ff364d3ea4bc20ea28d6dd81b64f4213a4

SHA512
9c580f0cbd1d3b59ae5df194821eefa0a2f32a5abbfb5b40195a76fd1f838ab8dac323044b6c8712a159f0d7a4310368f246007364e34818daddb410d33dd903

Download Submit
C:\Windows\SysWOW64\Jbijgp32.exe

Filesize
400KB

MD5
c5c53a708dd71a664c88b8b7dffcb409

SHA1
dff300493dcbb8181302ed1ebc697de31435437b

SHA256
073c6fd0b66443e7a991507360ffb1ff364d3ea4bc20ea28d6dd81b64f4213a4

SHA512
9c580f0cbd1d3b59ae5df194821eefa0a2f32a5abbfb5b40195a76fd1f838ab8dac323044b6c8712a159f0d7a4310368f246007364e34818daddb410d33dd903

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
400KB

MD5
c7900ef36dd3be1e5d1f24be7d62740c

SHA1
2559dc4fc38c773e7dfc568f3db00a0c7898bb9f

SHA256
b923846a24025ee284ce7add894f744bbb8e5ed7debd8a453e4156cce3e5ad88

SHA512
1be33e1f948f31ffba620d9f4789a76d96aa5bb14eaf1888c90be1f4de28265e0a0bbb110668784f5737ec390941f8471847f51d37f0aa8b2a66605b27317bc4

Download Submit
C:\Windows\SysWOW64\Jjihfbno.exe

Filesize
400KB

MD5
c7900ef36dd3be1e5d1f24be7d62740c

SHA1
2559dc4fc38c773e7dfc568f3db00a0c7898bb9f

SHA256
b923846a24025ee284ce7add894f744bbb8e5ed7debd8a453e4156cce3e5ad88

SHA512
1be33e1f948f31ffba620d9f4789a76d96aa5bb14eaf1888c90be1f4de28265e0a0bbb110668784f5737ec390941f8471847f51d37f0aa8b2a66605b27317bc4

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
400KB

MD5
da44070cf90230303a513a4062b56528

SHA1
04c637dc8b1bb6ace0c3cbfd499fd9c1587f21ee

SHA256
80b56e9add3ae6196dcef913b764decf2d2577d5b2683faa12a7dfb9fbcaa2d7

SHA512
53e064fc129877918a0ddcb1ff82b20c5b8a377c92a99b9bb8b221991511d8873e2a4de0a0c4459c6d07b9aa0ca8042c0d84031b458c8d413bcd2231bfd0a403

Download Submit
C:\Windows\SysWOW64\Kbnlim32.exe

Filesize
400KB

MD5
da44070cf90230303a513a4062b56528

SHA1
04c637dc8b1bb6ace0c3cbfd499fd9c1587f21ee

SHA256
80b56e9add3ae6196dcef913b764decf2d2577d5b2683faa12a7dfb9fbcaa2d7

SHA512
53e064fc129877918a0ddcb1ff82b20c5b8a377c92a99b9bb8b221991511d8873e2a4de0a0c4459c6d07b9aa0ca8042c0d84031b458c8d413bcd2231bfd0a403

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
400KB

MD5
0f8283e177810494f7e34162a1c1c5c2

SHA1
2be36ffc2d040fcaee97aaa78e27fa7b05504c15

SHA256
c4ae749d4fbbbd80bdfd0b4417bfd3306b0bab789aeffb4e8075a9a639c8115e

SHA512
5788f9720c368d89d299910e22cda330a5134a4cbadb2464d19121bebdde9ae7b68515dc1d5869d35457ea51ac9c906c2be7a3390fee2001107e9c1c68ee1bda

Download Submit
C:\Windows\SysWOW64\Kefbdjgm.exe

Filesize
400KB

MD5
0f8283e177810494f7e34162a1c1c5c2

SHA1
2be36ffc2d040fcaee97aaa78e27fa7b05504c15

SHA256
c4ae749d4fbbbd80bdfd0b4417bfd3306b0bab789aeffb4e8075a9a639c8115e

SHA512
5788f9720c368d89d299910e22cda330a5134a4cbadb2464d19121bebdde9ae7b68515dc1d5869d35457ea51ac9c906c2be7a3390fee2001107e9c1c68ee1bda

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
400KB

MD5
130e04f7283cb605a565d33d23185c77

SHA1
d8468a51793b78e7d86f4ff64dbb4e7454bb3eaa

SHA256
3798dd1abf46b7f2ceda5612d799417d5c63b57b8fabe34a554ab28fd439b7c7

SHA512
330da606527da6114e0f77dc2d5d152cf0325cd0d4c2e73908eda995f5dd2df14a9cc0926f1c67d0c2506f69be9f9a6f80ddc85a6c23516b6fd61d1e350b6372

Download Submit
C:\Windows\SysWOW64\Koimbpbc.exe

Filesize
400KB

MD5
130e04f7283cb605a565d33d23185c77

SHA1
d8468a51793b78e7d86f4ff64dbb4e7454bb3eaa

SHA256
3798dd1abf46b7f2ceda5612d799417d5c63b57b8fabe34a554ab28fd439b7c7

SHA512
330da606527da6114e0f77dc2d5d152cf0325cd0d4c2e73908eda995f5dd2df14a9cc0926f1c67d0c2506f69be9f9a6f80ddc85a6c23516b6fd61d1e350b6372

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
400KB

MD5
c00ea3577f3fc0ebf523d2724e7b77de

SHA1
49b325118d9b5b5a7c97a75221bacaf76eeddf40

SHA256
8ffcbcc57632d7137f566f3f9fbcd1ece898c7a345ec9d5b0fe95cc273584bb7

SHA512
c576210d103d0b0de284f0fd02fe41953df6b9dba97a0db7408b5523932ee4ea2e643a4b16630dfe704552655b92ab12309f35ed523586a1008e7cb665c96727

Download Submit
C:\Windows\SysWOW64\Mkgmoncl.exe

Filesize
400KB

MD5
c00ea3577f3fc0ebf523d2724e7b77de

SHA1
49b325118d9b5b5a7c97a75221bacaf76eeddf40

SHA256
8ffcbcc57632d7137f566f3f9fbcd1ece898c7a345ec9d5b0fe95cc273584bb7

SHA512
c576210d103d0b0de284f0fd02fe41953df6b9dba97a0db7408b5523932ee4ea2e643a4b16630dfe704552655b92ab12309f35ed523586a1008e7cb665c96727

Download Submit
C:\Windows\SysWOW64\Mohbjkgp.exe

Filesize
400KB

MD5
33b874ffca1ca534f9a105f975c773db

SHA1
b0536462d2497aa255349b65867636560508d70a

SHA256
74c0dfe447f6ac2acb331687b181019afde54c3231b2ea9289793b67de1eb6df

SHA512
472b3d5b187f8adcf5dd38bc04f62af983cebf7f456d1a2f0f232403105efdf27d09da054ba264a459d382caa6ff7ec8043bce76458937d5bbe87f488bbde572

Download Submit
C:\Windows\SysWOW64\Mohbjkgp.exe

Filesize
400KB

MD5
33b874ffca1ca534f9a105f975c773db

SHA1
b0536462d2497aa255349b65867636560508d70a

SHA256
74c0dfe447f6ac2acb331687b181019afde54c3231b2ea9289793b67de1eb6df

SHA512
472b3d5b187f8adcf5dd38bc04f62af983cebf7f456d1a2f0f232403105efdf27d09da054ba264a459d382caa6ff7ec8043bce76458937d5bbe87f488bbde572

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
400KB

MD5
cff82a94249901b3992af4205655f4e8

SHA1
8c5b96e44845dff01c7f0f2c0f925dcc0c44fcd2

SHA256
288fa8d20dc7e153ecaff10df563062d787cd29e2d1cd380ba6adb90fef4b714

SHA512
23b8c67115d936c61c95e144eb2432b3a0f483a3415846da8b9f02251503ed0a58f75116e9edf84daa0fe36b26c07914798aa1771d50e7ad617ff79e2be77b36

Download Submit
C:\Windows\SysWOW64\Ncaklhdi.exe

Filesize
400KB

MD5
cff82a94249901b3992af4205655f4e8

SHA1
8c5b96e44845dff01c7f0f2c0f925dcc0c44fcd2

SHA256
288fa8d20dc7e153ecaff10df563062d787cd29e2d1cd380ba6adb90fef4b714

SHA512
23b8c67115d936c61c95e144eb2432b3a0f483a3415846da8b9f02251503ed0a58f75116e9edf84daa0fe36b26c07914798aa1771d50e7ad617ff79e2be77b36

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
400KB

MD5
4d03a48df5c0c7862b72be20e06e8b8d

SHA1
cbcce17502bd37c346df9a38486322fc697fec3b

SHA256
853e3e631951218c892e6ef4a20e98ce4b653fedd2c5602b7bb4ee6ea1e5d591

SHA512
c6646c8ac134db139ec8feaa3ef9a5bdf7c6d134270298bce56c73064c69533925110d172cf12eaa0f1d767487e3c5d9e17f4e4fb43b79afdf9a8ff4fa62feb6

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
400KB

MD5
4d03a48df5c0c7862b72be20e06e8b8d

SHA1
cbcce17502bd37c346df9a38486322fc697fec3b

SHA256
853e3e631951218c892e6ef4a20e98ce4b653fedd2c5602b7bb4ee6ea1e5d591

SHA512
c6646c8ac134db139ec8feaa3ef9a5bdf7c6d134270298bce56c73064c69533925110d172cf12eaa0f1d767487e3c5d9e17f4e4fb43b79afdf9a8ff4fa62feb6

Download Submit
C:\Windows\SysWOW64\Ncmaai32.exe

Filesize
400KB

MD5
4d03a48df5c0c7862b72be20e06e8b8d

SHA1
cbcce17502bd37c346df9a38486322fc697fec3b

SHA256
853e3e631951218c892e6ef4a20e98ce4b653fedd2c5602b7bb4ee6ea1e5d591

SHA512
c6646c8ac134db139ec8feaa3ef9a5bdf7c6d134270298bce56c73064c69533925110d172cf12eaa0f1d767487e3c5d9e17f4e4fb43b79afdf9a8ff4fa62feb6

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
400KB

MD5
a20e5a66634361202dda4edcaf0cbc9c

SHA1
eda1ed46d4239386f053927606fa8efad1e857cf

SHA256
12e22af805a4b28a481f228028202f63190373e19bfad25738621754614e8c18

SHA512
8a204d2b50a4e9712b776e5df0a95fc7c22e9edd9da95cac006b7a786ab7c338910bd2339836a4b989f19fccafd1ea92c837cedba787640d958664120a5ae1f5

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
400KB

MD5
51961da71e11196f802b34d58411d3f4

SHA1
1a68648e0fd4af82c1526009e6de398597c1406b

SHA256
3c1d855f5787fb785d01c47aa9cc0da36c2c730c4713f86fa17d394041bafb06

SHA512
4c3dbacbda1b255aa1557ee8f4f1221a7c9835b3d3327001ffa3f4a9553e2b1fff07f8fbd8693f0e576d3795ae636d52ce3fd7bf9e5749e246d241e2ea6d555c

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
400KB

MD5
51961da71e11196f802b34d58411d3f4

SHA1
1a68648e0fd4af82c1526009e6de398597c1406b

SHA256
3c1d855f5787fb785d01c47aa9cc0da36c2c730c4713f86fa17d394041bafb06

SHA512
4c3dbacbda1b255aa1557ee8f4f1221a7c9835b3d3327001ffa3f4a9553e2b1fff07f8fbd8693f0e576d3795ae636d52ce3fd7bf9e5749e246d241e2ea6d555c

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
400KB

MD5
10c106fda01ee8d6a6a9473e48590a4f

SHA1
618bb627d6e136e6b0165593928ba6bd0e25f53e

SHA256
9c6ed8227f474dc621fa3526f028c7adb9ac333388412adb6fc9b5836b87321c

SHA512
6f6a37fae00f2a260c2273a6bdb771b44cbed33ea1cded2bd0e624c337324d9796ef197c93d34d12c28cff8c5beff1634902feaa835fdcbb7f4cafbb0fcba829

Download Submit
C:\Windows\SysWOW64\Pomncfge.exe

Filesize
400KB

MD5
10c106fda01ee8d6a6a9473e48590a4f

SHA1
618bb627d6e136e6b0165593928ba6bd0e25f53e

SHA256
9c6ed8227f474dc621fa3526f028c7adb9ac333388412adb6fc9b5836b87321c

SHA512
6f6a37fae00f2a260c2273a6bdb771b44cbed33ea1cded2bd0e624c337324d9796ef197c93d34d12c28cff8c5beff1634902feaa835fdcbb7f4cafbb0fcba829

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
400KB

MD5
8fda0a1d3e3e0c73dbeaf43c752b2830

SHA1
b82629c6b8c1c6dc0646fd5aad2731e2896b2cb8

SHA256
e35eb8882b99a3fdf8e1bf85aad24a7555cf3fa2ed5780e47b32d78b475ce92a

SHA512
440d2f919f2a3981430251093a5d7f4e12772d423caa2e3a8fdd535a1e948d0eeaae475a667f3e3e1b36ed27d71f9788ec6805cb01ddd526a78ccbeceb0c4c22

Download Submit
C:\Windows\SysWOW64\Qmckbjdl.exe

Filesize
400KB

MD5
8fda0a1d3e3e0c73dbeaf43c752b2830

SHA1
b82629c6b8c1c6dc0646fd5aad2731e2896b2cb8

SHA256
e35eb8882b99a3fdf8e1bf85aad24a7555cf3fa2ed5780e47b32d78b475ce92a

SHA512
440d2f919f2a3981430251093a5d7f4e12772d423caa2e3a8fdd535a1e948d0eeaae475a667f3e3e1b36ed27d71f9788ec6805cb01ddd526a78ccbeceb0c4c22

Download Submit
memory/724-64-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/724-218-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/860-226-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/860-129-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1152-224-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1152-138-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1240-25-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1240-207-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1292-145-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1292-222-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1736-40-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1736-211-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1744-200-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1744-8-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1776-203-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1776-17-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1956-32-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1956-209-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2208-89-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2208-238-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2268-105-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2268-232-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2488-81-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2488-239-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2904-236-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2904-97-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3076-231-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3076-113-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4036-56-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4036-215-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4280-234-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4280-74-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4344-228-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4344-122-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4596-219-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4596-153-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4896-49-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4896-213-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5116-201-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5116-0-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads