c8677fbdc9e5e1a1a8b40068c2cbca4f98a00c566a3a946d7ab1df54cecd9147

Analysis

max time kernel
141s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
Size

80KB
MD5

cfcf69947f31d6ee167a2c31ea92dd70
SHA1

ef0429e388439005020bfece9c63c90751a12c4c
SHA256

c8677fbdc9e5e1a1a8b40068c2cbca4f98a00c566a3a946d7ab1df54cecd9147
SHA512

c177a7f3303eac0c999e544fc3a9c38863aeb7f9b724da2851c3d2e736c29aba5d58c2a3214865a6d3d9ae6f44e50f22f62be0a6eccced72b0a4848ff1380407
SSDEEP

1536:/uhpgDr/5oeVUuRauay/1yRby2L9CYrum8SPG2:z8upaekb/9VT8SL

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmjbhh32.exe

Executes dropped EXE 5 IoCs

pid	Process
1524	Bfkpqn32.exe
2604	Cfnmfn32.exe
1632	Cpfaocal.exe
2588	Cmjbhh32.exe
2504	Ceegmj32.exe

Loads dropped DLL 14 IoCs

pid	Process
3040	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
3040	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
1524	Bfkpqn32.exe
1524	Bfkpqn32.exe
2604	Cfnmfn32.exe
2604	Cfnmfn32.exe
1632	Cpfaocal.exe
1632	Cpfaocal.exe
2588	Cmjbhh32.exe
2588	Cmjbhh32.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe
2980	WerFault.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bfkpqn32.exe	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Bfkpqn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Dqcngnae.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Ckpfcfnm.dll	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Cmjbhh32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfaocal.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Cmjbhh32.exe	Cpfaocal.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Cmjbhh32.exe
File created	C:\Windows\SysWOW64\Bfkpqn32.exe	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
File created	C:\Windows\SysWOW64\Pkfaka32.dll	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Bfkpqn32.exe
File created	C:\Windows\SysWOW64\Cpfaocal.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmjbhh32.exe	Cpfaocal.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Cmjbhh32.exe

Program crash 1 IoCs

pid	pid_target	Process
2980	2504	WerFault.exe

Modifies registry class 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfaka32.dll"	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpfcfnm.dll"	Cpfaocal.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfaocal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Cmjbhh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkpqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmjbhh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkpqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 1524	3040	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe	21
PID 3040 wrote to memory of 1524	3040	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe	21
PID 3040 wrote to memory of 1524	3040	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe	21
PID 3040 wrote to memory of 1524	3040	cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe	21
PID 1524 wrote to memory of 2604	1524	Bfkpqn32.exe	20
PID 1524 wrote to memory of 2604	1524	Bfkpqn32.exe	20
PID 1524 wrote to memory of 2604	1524	Bfkpqn32.exe	20
PID 1524 wrote to memory of 2604	1524	Bfkpqn32.exe	20
PID 2604 wrote to memory of 1632	2604	Cfnmfn32.exe	16
PID 2604 wrote to memory of 1632	2604	Cfnmfn32.exe	16
PID 2604 wrote to memory of 1632	2604	Cfnmfn32.exe	16
PID 2604 wrote to memory of 1632	2604	Cfnmfn32.exe	16
PID 1632 wrote to memory of 2588	1632	Cpfaocal.exe	19
PID 1632 wrote to memory of 2588	1632	Cpfaocal.exe	19
PID 1632 wrote to memory of 2588	1632	Cpfaocal.exe	19
PID 1632 wrote to memory of 2588	1632	Cpfaocal.exe	19
PID 2588 wrote to memory of 2504	2588	Cmjbhh32.exe	18
PID 2588 wrote to memory of 2504	2588	Cmjbhh32.exe	18
PID 2588 wrote to memory of 2504	2588	Cmjbhh32.exe	18
PID 2588 wrote to memory of 2504	2588	Cmjbhh32.exe	18
PID 2504 wrote to memory of 2980	2504	Ceegmj32.exe	17
PID 2504 wrote to memory of 2980	2504	Ceegmj32.exe	17
PID 2504 wrote to memory of 2980	2504	Ceegmj32.exe	17
PID 2504 wrote to memory of 2980	2504	Ceegmj32.exe	17

C:\Users\Admin\AppData\Local\Temp\cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\cfcf69947f31d6ee167a2c31ea92dd70_exe32.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\SysWOW64\Bfkpqn32.exe
  C:\Windows\system32\Bfkpqn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1524

C:\Windows\SysWOW64\Cpfaocal.exe
C:\Windows\system32\Cpfaocal.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\Cmjbhh32.exe
  C:\Windows\system32\Cmjbhh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 140
1⤵
- Loads dropped DLL
- Program crash
PID:2980

C:\Windows\SysWOW64\Ceegmj32.exe
C:\Windows\system32\Ceegmj32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\Cfnmfn32.exe
C:\Windows\system32\Cfnmfn32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
80KB

MD5
64b09c19d2355f7f475cbb6e454de162

SHA1
4a96afd065316d3ba3b135f270083e153a6fd97d

SHA256
45411e425dd4070bc5725cf3f3d97343a9c98df8380b9840047912f4ea271baa

SHA512
7efab5e98b3fdfe00ffd04accd57de179caa3f63bf7f4cc3fb75eae54eb02854f4296d4006f314a4ae4d8c4499972f5297efecfb70bf87e6d3e18801861963d6

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
80KB

MD5
64b09c19d2355f7f475cbb6e454de162

SHA1
4a96afd065316d3ba3b135f270083e153a6fd97d

SHA256
45411e425dd4070bc5725cf3f3d97343a9c98df8380b9840047912f4ea271baa

SHA512
7efab5e98b3fdfe00ffd04accd57de179caa3f63bf7f4cc3fb75eae54eb02854f4296d4006f314a4ae4d8c4499972f5297efecfb70bf87e6d3e18801861963d6

Download Submit
C:\Windows\SysWOW64\Bfkpqn32.exe

Filesize
80KB

MD5
64b09c19d2355f7f475cbb6e454de162

SHA1
4a96afd065316d3ba3b135f270083e153a6fd97d

SHA256
45411e425dd4070bc5725cf3f3d97343a9c98df8380b9840047912f4ea271baa

SHA512
7efab5e98b3fdfe00ffd04accd57de179caa3f63bf7f4cc3fb75eae54eb02854f4296d4006f314a4ae4d8c4499972f5297efecfb70bf87e6d3e18801861963d6

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
68d68b361567a0ae9b6f2d351c76e081

SHA1
34f700768d89588a1aa4654531dc03bf41d30453

SHA256
e997e26a27df16cd7e4be34265b855975cba0122362ef6f15efa4bdfd598064f

SHA512
3e6b24ace53ecde5776419dade54df4e037414bb63d6717def7c5c1c72ee97ba5ff809d3be813e1d8a55294e47266de93e852de3d57f7a596dfb262f6903ba66

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
68d68b361567a0ae9b6f2d351c76e081

SHA1
34f700768d89588a1aa4654531dc03bf41d30453

SHA256
e997e26a27df16cd7e4be34265b855975cba0122362ef6f15efa4bdfd598064f

SHA512
3e6b24ace53ecde5776419dade54df4e037414bb63d6717def7c5c1c72ee97ba5ff809d3be813e1d8a55294e47266de93e852de3d57f7a596dfb262f6903ba66

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
b2d2066ab65ed125730b6d25f21e216e

SHA1
cdac7bedff20313384825ea1f75fd1836db27856

SHA256
d8c491372afee3540e3e51318a6549966602bdd722ae931493313222c874434e

SHA512
ef7cfe3364b3af7c2487e668e8e9533338c3ef3fc380a5d2b5dbc6570a38836e3bdec76fd2843e32a8ca51d6f87350608b7abca4a49980afb65969b6faa73e91

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
b2d2066ab65ed125730b6d25f21e216e

SHA1
cdac7bedff20313384825ea1f75fd1836db27856

SHA256
d8c491372afee3540e3e51318a6549966602bdd722ae931493313222c874434e

SHA512
ef7cfe3364b3af7c2487e668e8e9533338c3ef3fc380a5d2b5dbc6570a38836e3bdec76fd2843e32a8ca51d6f87350608b7abca4a49980afb65969b6faa73e91

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
b2d2066ab65ed125730b6d25f21e216e

SHA1
cdac7bedff20313384825ea1f75fd1836db27856

SHA256
d8c491372afee3540e3e51318a6549966602bdd722ae931493313222c874434e

SHA512
ef7cfe3364b3af7c2487e668e8e9533338c3ef3fc380a5d2b5dbc6570a38836e3bdec76fd2843e32a8ca51d6f87350608b7abca4a49980afb65969b6faa73e91

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
80KB

MD5
21511ab2050284bfd61333049c273621

SHA1
c0d5bba45e80889bed250a29b89f29fac0935786

SHA256
1ad279a4da642caa1eda0c98779c4c5d988f0b335284e150cea345e5392d5992

SHA512
41ed9a67fffc8e874b10b3a915ac3fd88879dc68b9ffd2236b5c5e7e9092c764ac7cb0d4de4d6888e96480700d4102f4450278b4da447471bdc2719a6a1ec658

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
80KB

MD5
21511ab2050284bfd61333049c273621

SHA1
c0d5bba45e80889bed250a29b89f29fac0935786

SHA256
1ad279a4da642caa1eda0c98779c4c5d988f0b335284e150cea345e5392d5992

SHA512
41ed9a67fffc8e874b10b3a915ac3fd88879dc68b9ffd2236b5c5e7e9092c764ac7cb0d4de4d6888e96480700d4102f4450278b4da447471bdc2719a6a1ec658

Download Submit
C:\Windows\SysWOW64\Cmjbhh32.exe

Filesize
80KB

MD5
21511ab2050284bfd61333049c273621

SHA1
c0d5bba45e80889bed250a29b89f29fac0935786

SHA256
1ad279a4da642caa1eda0c98779c4c5d988f0b335284e150cea345e5392d5992

SHA512
41ed9a67fffc8e874b10b3a915ac3fd88879dc68b9ffd2236b5c5e7e9092c764ac7cb0d4de4d6888e96480700d4102f4450278b4da447471bdc2719a6a1ec658

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
80KB

MD5
6b2b428102dc722f0215ecfd85b12a2f

SHA1
ec5d2604e4e9b22d83600141fb9d8e89395811db

SHA256
19c603c3555b9f0a6b17c5116cd11332a7ea88286a963af2023a422efa6c31b9

SHA512
ebcb3af8ef9dc28501962a8d9a9c2b1f008af63296ed81036608342e9a732213e18e4c0621eeb24a3b41e0c1e33079b9b4e23df8ed30066e68bacce1921f923d

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
80KB

MD5
6b2b428102dc722f0215ecfd85b12a2f

SHA1
ec5d2604e4e9b22d83600141fb9d8e89395811db

SHA256
19c603c3555b9f0a6b17c5116cd11332a7ea88286a963af2023a422efa6c31b9

SHA512
ebcb3af8ef9dc28501962a8d9a9c2b1f008af63296ed81036608342e9a732213e18e4c0621eeb24a3b41e0c1e33079b9b4e23df8ed30066e68bacce1921f923d

Download Submit
C:\Windows\SysWOW64\Cpfaocal.exe

Filesize
80KB

MD5
6b2b428102dc722f0215ecfd85b12a2f

SHA1
ec5d2604e4e9b22d83600141fb9d8e89395811db

SHA256
19c603c3555b9f0a6b17c5116cd11332a7ea88286a963af2023a422efa6c31b9

SHA512
ebcb3af8ef9dc28501962a8d9a9c2b1f008af63296ed81036608342e9a732213e18e4c0621eeb24a3b41e0c1e33079b9b4e23df8ed30066e68bacce1921f923d

Download Submit
\Windows\SysWOW64\Bfkpqn32.exe

Filesize
80KB

MD5
64b09c19d2355f7f475cbb6e454de162

SHA1
4a96afd065316d3ba3b135f270083e153a6fd97d

SHA256
45411e425dd4070bc5725cf3f3d97343a9c98df8380b9840047912f4ea271baa

SHA512
7efab5e98b3fdfe00ffd04accd57de179caa3f63bf7f4cc3fb75eae54eb02854f4296d4006f314a4ae4d8c4499972f5297efecfb70bf87e6d3e18801861963d6

Download Submit
\Windows\SysWOW64\Bfkpqn32.exe

Filesize
80KB

MD5
64b09c19d2355f7f475cbb6e454de162

SHA1
4a96afd065316d3ba3b135f270083e153a6fd97d

SHA256
45411e425dd4070bc5725cf3f3d97343a9c98df8380b9840047912f4ea271baa

SHA512
7efab5e98b3fdfe00ffd04accd57de179caa3f63bf7f4cc3fb75eae54eb02854f4296d4006f314a4ae4d8c4499972f5297efecfb70bf87e6d3e18801861963d6

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
68d68b361567a0ae9b6f2d351c76e081

SHA1
34f700768d89588a1aa4654531dc03bf41d30453

SHA256
e997e26a27df16cd7e4be34265b855975cba0122362ef6f15efa4bdfd598064f

SHA512
3e6b24ace53ecde5776419dade54df4e037414bb63d6717def7c5c1c72ee97ba5ff809d3be813e1d8a55294e47266de93e852de3d57f7a596dfb262f6903ba66

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
68d68b361567a0ae9b6f2d351c76e081

SHA1
34f700768d89588a1aa4654531dc03bf41d30453

SHA256
e997e26a27df16cd7e4be34265b855975cba0122362ef6f15efa4bdfd598064f

SHA512
3e6b24ace53ecde5776419dade54df4e037414bb63d6717def7c5c1c72ee97ba5ff809d3be813e1d8a55294e47266de93e852de3d57f7a596dfb262f6903ba66

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
68d68b361567a0ae9b6f2d351c76e081

SHA1
34f700768d89588a1aa4654531dc03bf41d30453

SHA256
e997e26a27df16cd7e4be34265b855975cba0122362ef6f15efa4bdfd598064f

SHA512
3e6b24ace53ecde5776419dade54df4e037414bb63d6717def7c5c1c72ee97ba5ff809d3be813e1d8a55294e47266de93e852de3d57f7a596dfb262f6903ba66

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
68d68b361567a0ae9b6f2d351c76e081

SHA1
34f700768d89588a1aa4654531dc03bf41d30453

SHA256
e997e26a27df16cd7e4be34265b855975cba0122362ef6f15efa4bdfd598064f

SHA512
3e6b24ace53ecde5776419dade54df4e037414bb63d6717def7c5c1c72ee97ba5ff809d3be813e1d8a55294e47266de93e852de3d57f7a596dfb262f6903ba66

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
68d68b361567a0ae9b6f2d351c76e081

SHA1
34f700768d89588a1aa4654531dc03bf41d30453

SHA256
e997e26a27df16cd7e4be34265b855975cba0122362ef6f15efa4bdfd598064f

SHA512
3e6b24ace53ecde5776419dade54df4e037414bb63d6717def7c5c1c72ee97ba5ff809d3be813e1d8a55294e47266de93e852de3d57f7a596dfb262f6903ba66

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
80KB

MD5
68d68b361567a0ae9b6f2d351c76e081

SHA1
34f700768d89588a1aa4654531dc03bf41d30453

SHA256
e997e26a27df16cd7e4be34265b855975cba0122362ef6f15efa4bdfd598064f

SHA512
3e6b24ace53ecde5776419dade54df4e037414bb63d6717def7c5c1c72ee97ba5ff809d3be813e1d8a55294e47266de93e852de3d57f7a596dfb262f6903ba66

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
b2d2066ab65ed125730b6d25f21e216e

SHA1
cdac7bedff20313384825ea1f75fd1836db27856

SHA256
d8c491372afee3540e3e51318a6549966602bdd722ae931493313222c874434e

SHA512
ef7cfe3364b3af7c2487e668e8e9533338c3ef3fc380a5d2b5dbc6570a38836e3bdec76fd2843e32a8ca51d6f87350608b7abca4a49980afb65969b6faa73e91

Download Submit
\Windows\SysWOW64\Cfnmfn32.exe

Filesize
80KB

MD5
b2d2066ab65ed125730b6d25f21e216e

SHA1
cdac7bedff20313384825ea1f75fd1836db27856

SHA256
d8c491372afee3540e3e51318a6549966602bdd722ae931493313222c874434e

SHA512
ef7cfe3364b3af7c2487e668e8e9533338c3ef3fc380a5d2b5dbc6570a38836e3bdec76fd2843e32a8ca51d6f87350608b7abca4a49980afb65969b6faa73e91

Download Submit
\Windows\SysWOW64\Cmjbhh32.exe

Filesize
80KB

MD5
21511ab2050284bfd61333049c273621

SHA1
c0d5bba45e80889bed250a29b89f29fac0935786

SHA256
1ad279a4da642caa1eda0c98779c4c5d988f0b335284e150cea345e5392d5992

SHA512
41ed9a67fffc8e874b10b3a915ac3fd88879dc68b9ffd2236b5c5e7e9092c764ac7cb0d4de4d6888e96480700d4102f4450278b4da447471bdc2719a6a1ec658

Download Submit
\Windows\SysWOW64\Cmjbhh32.exe

Filesize
80KB

MD5
21511ab2050284bfd61333049c273621

SHA1
c0d5bba45e80889bed250a29b89f29fac0935786

SHA256
1ad279a4da642caa1eda0c98779c4c5d988f0b335284e150cea345e5392d5992

SHA512
41ed9a67fffc8e874b10b3a915ac3fd88879dc68b9ffd2236b5c5e7e9092c764ac7cb0d4de4d6888e96480700d4102f4450278b4da447471bdc2719a6a1ec658

Download Submit
\Windows\SysWOW64\Cpfaocal.exe

Filesize
80KB

MD5
6b2b428102dc722f0215ecfd85b12a2f

SHA1
ec5d2604e4e9b22d83600141fb9d8e89395811db

SHA256
19c603c3555b9f0a6b17c5116cd11332a7ea88286a963af2023a422efa6c31b9

SHA512
ebcb3af8ef9dc28501962a8d9a9c2b1f008af63296ed81036608342e9a732213e18e4c0621eeb24a3b41e0c1e33079b9b4e23df8ed30066e68bacce1921f923d

Download Submit
\Windows\SysWOW64\Cpfaocal.exe

Filesize
80KB

MD5
6b2b428102dc722f0215ecfd85b12a2f

SHA1
ec5d2604e4e9b22d83600141fb9d8e89395811db

SHA256
19c603c3555b9f0a6b17c5116cd11332a7ea88286a963af2023a422efa6c31b9

SHA512
ebcb3af8ef9dc28501962a8d9a9c2b1f008af63296ed81036608342e9a732213e18e4c0621eeb24a3b41e0c1e33079b9b4e23df8ed30066e68bacce1921f923d

Download Submit
memory/1524-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-27-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1524-22-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1632-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-76-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-49-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2504-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-63-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2588-77-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-12-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3040-6-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/3040-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads