8685d355c56c8e3c9f3c5d6345355774c72a11e81e7d74429ea272ad03481819

Analysis

max time kernel
207s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22/10/2023, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Size

74KB
MD5

d01d0fe67352ecbb2dec6c9e754d0420
SHA1

cfd8e7192b6508c6426cdde64a757c4f9f022de1
SHA256

8685d355c56c8e3c9f3c5d6345355774c72a11e81e7d74429ea272ad03481819
SHA512

2ce7d391f510ad2faf5e4c60c473b61180c45e8f7977ab99c20cab1845dc10b3cc3f33b1bc0feef7554af0a6aa15a3ac3474172055f97c1e87e6cbc5115ab106
SSDEEP

1536:AuShgIpYgWlNYjlOGkuz2JWv2MbBeFypMmUoE:ZIagR8NC0WxR+o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djeegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejhkdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fceihh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfmhjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffjkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gfmhjb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cokgonmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgbppknb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgbppknb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpllgme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejjgic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffahnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgpcklpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpllgme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efjbne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epgpajdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Epgpajdp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpmqoqbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ejjgic32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgpcklpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cokgonmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejhkdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfglahbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfglahbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpmqoqbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efjbne32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffjkdc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djeegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ffahnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fceihh32.exe

Executes dropped EXE 16 IoCs

pid	Process
4136	Cgpcklpd.exe
1372	Cokgonmp.exe
1836	Cgbppknb.exe
2348	Cjpllgme.exe
1476	Cfglahbj.exe
640	Cpmqoqbp.exe
3860	Djeegf32.exe
2280	Efjbne32.exe
4976	Ejhkdc32.exe
2204	Ejjgic32.exe
3024	Epgpajdp.exe
1840	Ffahnd32.exe
808	Fceihh32.exe
2744	Ffjkdc32.exe
1600	Gfmhjb32.exe
4448	Pqkdmc32.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqkdmc32.exe	Gfmhjb32.exe
File created	C:\Windows\SysWOW64\Cfglahbj.exe	Cjpllgme.exe
File opened for modification	C:\Windows\SysWOW64\Cfglahbj.exe	Cjpllgme.exe
File created	C:\Windows\SysWOW64\Ejhkdc32.exe	Efjbne32.exe
File opened for modification	C:\Windows\SysWOW64\Ejhkdc32.exe	Efjbne32.exe
File created	C:\Windows\SysWOW64\Ejjgic32.exe	Ejhkdc32.exe
File created	C:\Windows\SysWOW64\Ffjkdc32.exe	Fceihh32.exe
File created	C:\Windows\SysWOW64\Gfmhjb32.exe	Ffjkdc32.exe
File opened for modification	C:\Windows\SysWOW64\Pqkdmc32.exe	Gfmhjb32.exe
File created	C:\Windows\SysWOW64\Hiimpa32.dll	Cgbppknb.exe
File created	C:\Windows\SysWOW64\Cpmqoqbp.exe	Cfglahbj.exe
File created	C:\Windows\SysWOW64\Lbpecm32.dll	Cfglahbj.exe
File created	C:\Windows\SysWOW64\Epgpajdp.exe	Ejjgic32.exe
File created	C:\Windows\SysWOW64\Ffahnd32.exe	Epgpajdp.exe
File created	C:\Windows\SysWOW64\Akljinhl.dll	Gfmhjb32.exe
File created	C:\Windows\SysWOW64\Ecgidn32.dll	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
File created	C:\Windows\SysWOW64\Dekkgkig.dll	Cokgonmp.exe
File opened for modification	C:\Windows\SysWOW64\Ffahnd32.exe	Epgpajdp.exe
File opened for modification	C:\Windows\SysWOW64\Ffjkdc32.exe	Fceihh32.exe
File created	C:\Windows\SysWOW64\Kbbalgak.dll	Fceihh32.exe
File created	C:\Windows\SysWOW64\Fceihh32.exe	Ffahnd32.exe
File opened for modification	C:\Windows\SysWOW64\Fceihh32.exe	Ffahnd32.exe
File created	C:\Windows\SysWOW64\Qaiaojhj.dll	Cgpcklpd.exe
File created	C:\Windows\SysWOW64\Cgbppknb.exe	Cokgonmp.exe
File opened for modification	C:\Windows\SysWOW64\Cjpllgme.exe	Cgbppknb.exe
File created	C:\Windows\SysWOW64\Glgediop.dll	Cjpllgme.exe
File created	C:\Windows\SysWOW64\Djeegf32.exe	Cpmqoqbp.exe
File created	C:\Windows\SysWOW64\Fboioldm.dll	Ffjkdc32.exe
File created	C:\Windows\SysWOW64\Cgpcklpd.exe	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
File opened for modification	C:\Windows\SysWOW64\Cokgonmp.exe	Cgpcklpd.exe
File created	C:\Windows\SysWOW64\Cjpllgme.exe	Cgbppknb.exe
File created	C:\Windows\SysWOW64\Cnmkea32.dll	Ejhkdc32.exe
File created	C:\Windows\SysWOW64\Bjqafj32.dll	Ffahnd32.exe
File opened for modification	C:\Windows\SysWOW64\Gfmhjb32.exe	Ffjkdc32.exe
File created	C:\Windows\SysWOW64\Cokgonmp.exe	Cgpcklpd.exe
File opened for modification	C:\Windows\SysWOW64\Cpmqoqbp.exe	Cfglahbj.exe
File opened for modification	C:\Windows\SysWOW64\Efjbne32.exe	Djeegf32.exe
File created	C:\Windows\SysWOW64\Lnqdkljp.dll	Efjbne32.exe
File created	C:\Windows\SysWOW64\Dbkpkdlk.dll	Ejjgic32.exe
File created	C:\Windows\SysWOW64\Qgfahk32.dll	Cpmqoqbp.exe
File opened for modification	C:\Windows\SysWOW64\Ejjgic32.exe	Ejhkdc32.exe
File opened for modification	C:\Windows\SysWOW64\Epgpajdp.exe	Ejjgic32.exe
File created	C:\Windows\SysWOW64\Coogie32.dll	Epgpajdp.exe
File opened for modification	C:\Windows\SysWOW64\Cgpcklpd.exe	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
File opened for modification	C:\Windows\SysWOW64\Cgbppknb.exe	Cokgonmp.exe
File opened for modification	C:\Windows\SysWOW64\Djeegf32.exe	Cpmqoqbp.exe
File created	C:\Windows\SysWOW64\Efjbne32.exe	Djeegf32.exe
File created	C:\Windows\SysWOW64\Faempoce.dll	Djeegf32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3760	4448	WerFault.exe	101
1632	4448	WerFault.exe	101

Modifies registry class 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgbppknb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efjbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coogie32.dll"	Epgpajdp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gfmhjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akljinhl.dll"	Gfmhjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgpcklpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekkgkig.dll"	Cokgonmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cokgonmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faempoce.dll"	Djeegf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffahnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpllgme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbbalgak.dll"	Fceihh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgediop.dll"	Cjpllgme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejhkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmkea32.dll"	Ejhkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqafj32.dll"	Ffahnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cokgonmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiimpa32.dll"	Cgbppknb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ejjgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfglahbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnqdkljp.dll"	Efjbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgidn32.dll"	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkpkdlk.dll"	Ejjgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gfmhjb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ffjkdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efjbne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpllgme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbpecm32.dll"	Cfglahbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djeegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejhkdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fceihh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboioldm.dll"	Ffjkdc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffjkdc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgpcklpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ejjgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Epgpajdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Epgpajdp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ffahnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfglahbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfahk32.dll"	Cpmqoqbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpmqoqbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djeegf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaiaojhj.dll"	Cgpcklpd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpmqoqbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgbppknb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fceihh32.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4136	3992	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe	86
PID 3992 wrote to memory of 4136	3992	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe	86
PID 3992 wrote to memory of 4136	3992	NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe	86
PID 4136 wrote to memory of 1372	4136	Cgpcklpd.exe	87
PID 4136 wrote to memory of 1372	4136	Cgpcklpd.exe	87
PID 4136 wrote to memory of 1372	4136	Cgpcklpd.exe	87
PID 1372 wrote to memory of 1836	1372	Cokgonmp.exe	88
PID 1372 wrote to memory of 1836	1372	Cokgonmp.exe	88
PID 1372 wrote to memory of 1836	1372	Cokgonmp.exe	88
PID 1836 wrote to memory of 2348	1836	Cgbppknb.exe	90
PID 1836 wrote to memory of 2348	1836	Cgbppknb.exe	90
PID 1836 wrote to memory of 2348	1836	Cgbppknb.exe	90
PID 2348 wrote to memory of 1476	2348	Cjpllgme.exe	89
PID 2348 wrote to memory of 1476	2348	Cjpllgme.exe	89
PID 2348 wrote to memory of 1476	2348	Cjpllgme.exe	89
PID 1476 wrote to memory of 640	1476	Cfglahbj.exe	91
PID 1476 wrote to memory of 640	1476	Cfglahbj.exe	91
PID 1476 wrote to memory of 640	1476	Cfglahbj.exe	91
PID 640 wrote to memory of 3860	640	Cpmqoqbp.exe	92
PID 640 wrote to memory of 3860	640	Cpmqoqbp.exe	92
PID 640 wrote to memory of 3860	640	Cpmqoqbp.exe	92
PID 3860 wrote to memory of 2280	3860	Djeegf32.exe	93
PID 3860 wrote to memory of 2280	3860	Djeegf32.exe	93
PID 3860 wrote to memory of 2280	3860	Djeegf32.exe	93
PID 2280 wrote to memory of 4976	2280	Efjbne32.exe	94
PID 2280 wrote to memory of 4976	2280	Efjbne32.exe	94
PID 2280 wrote to memory of 4976	2280	Efjbne32.exe	94
PID 4976 wrote to memory of 2204	4976	Ejhkdc32.exe	95
PID 4976 wrote to memory of 2204	4976	Ejhkdc32.exe	95
PID 4976 wrote to memory of 2204	4976	Ejhkdc32.exe	95
PID 2204 wrote to memory of 3024	2204	Ejjgic32.exe	96
PID 2204 wrote to memory of 3024	2204	Ejjgic32.exe	96
PID 2204 wrote to memory of 3024	2204	Ejjgic32.exe	96
PID 3024 wrote to memory of 1840	3024	Epgpajdp.exe	97
PID 3024 wrote to memory of 1840	3024	Epgpajdp.exe	97
PID 3024 wrote to memory of 1840	3024	Epgpajdp.exe	97
PID 1840 wrote to memory of 808	1840	Ffahnd32.exe	98
PID 1840 wrote to memory of 808	1840	Ffahnd32.exe	98
PID 1840 wrote to memory of 808	1840	Ffahnd32.exe	98
PID 808 wrote to memory of 2744	808	Fceihh32.exe	99
PID 808 wrote to memory of 2744	808	Fceihh32.exe	99
PID 808 wrote to memory of 2744	808	Fceihh32.exe	99
PID 2744 wrote to memory of 1600	2744	Ffjkdc32.exe	100
PID 2744 wrote to memory of 1600	2744	Ffjkdc32.exe	100
PID 2744 wrote to memory of 1600	2744	Ffjkdc32.exe	100
PID 1600 wrote to memory of 4448	1600	Gfmhjb32.exe	101
PID 1600 wrote to memory of 4448	1600	Gfmhjb32.exe	101
PID 1600 wrote to memory of 4448	1600	Gfmhjb32.exe	101
PID 4448 wrote to memory of 3760	4448	Pqkdmc32.exe	104
PID 4448 wrote to memory of 3760	4448	Pqkdmc32.exe	104
PID 4448 wrote to memory of 3760	4448	Pqkdmc32.exe	104

C:\Users\Admin\AppData\Local\Temp\NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d01d0fe67352ecbb2dec6c9e754d0420.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Windows\SysWOW64\Cgpcklpd.exe
  C:\Windows\system32\Cgpcklpd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\Cokgonmp.exe
    C:\Windows\system32\Cokgonmp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\SysWOW64\Cgbppknb.exe
      C:\Windows\system32\Cgbppknb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\SysWOW64\Cjpllgme.exe
        
        C:\Windows\system32\Cjpllgme.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2348

C:\Windows\SysWOW64\Cfglahbj.exe
C:\Windows\system32\Cfglahbj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\SysWOW64\Cpmqoqbp.exe
  C:\Windows\system32\Cpmqoqbp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\Djeegf32.exe
    C:\Windows\system32\Djeegf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Windows\SysWOW64\Efjbne32.exe
      C:\Windows\system32\Efjbne32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\SysWOW64\Ejhkdc32.exe
        
        C:\Windows\system32\Ejhkdc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Windows\SysWOW64\Ejjgic32.exe
        
        C:\Windows\system32\Ejjgic32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Epgpajdp.exe
        
        C:\Windows\system32\Epgpajdp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\Ffahnd32.exe
        
        C:\Windows\system32\Ffahnd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Fceihh32.exe
        
        C:\Windows\system32\Fceihh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Ffjkdc32.exe
        
        C:\Windows\system32\Ffjkdc32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Gfmhjb32.exe
        
        C:\Windows\system32\Gfmhjb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Pqkdmc32.exe
        
        C:\Windows\system32\Pqkdmc32.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 412
        13⤵
        Program crash
        
        PID:3760
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 412
        13⤵
        Program crash
        
        PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4448 -ip 4448
1⤵
PID:3900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cfglahbj.exe

Filesize
74KB

MD5
4dcf4772a930a2e31921860662543f93

SHA1
5f3d210f0c89efda4a40785747c72c464e5c3470

SHA256
ed271ded5d575e2049d163071719441b71569b919922e2b5575955e993b7f6d9

SHA512
7134fc82106675cf3596276afe98395e740cb4d755dab052e3c818a914a695b8b3e3f304cf7adea0dad071948b58ca2125381bf2ba38a7b406f6ae1dd8afc6fb

Download Submit
C:\Windows\SysWOW64\Cfglahbj.exe

Filesize
74KB

MD5
4dcf4772a930a2e31921860662543f93

SHA1
5f3d210f0c89efda4a40785747c72c464e5c3470

SHA256
ed271ded5d575e2049d163071719441b71569b919922e2b5575955e993b7f6d9

SHA512
7134fc82106675cf3596276afe98395e740cb4d755dab052e3c818a914a695b8b3e3f304cf7adea0dad071948b58ca2125381bf2ba38a7b406f6ae1dd8afc6fb

Download Submit
C:\Windows\SysWOW64\Cgbppknb.exe

Filesize
74KB

MD5
6b52c132e5c13dabdcb27007de54efa4

SHA1
1d03240d89db52960c9bfc6bd9c1a2a6f3514872

SHA256
2a0b8010cfffa868397856d6a56723242f20bce9f1372b6b4bba6d18c2db51be

SHA512
7bc28307b762b8d366a9da283dd27774901c7042f169ddd061d0219877f36f3ad61f909361509a048609d009e19f6b12f4a81836bc818d94820730ce5966a719

Download Submit
C:\Windows\SysWOW64\Cgbppknb.exe

Filesize
74KB

MD5
6b52c132e5c13dabdcb27007de54efa4

SHA1
1d03240d89db52960c9bfc6bd9c1a2a6f3514872

SHA256
2a0b8010cfffa868397856d6a56723242f20bce9f1372b6b4bba6d18c2db51be

SHA512
7bc28307b762b8d366a9da283dd27774901c7042f169ddd061d0219877f36f3ad61f909361509a048609d009e19f6b12f4a81836bc818d94820730ce5966a719

Download Submit
C:\Windows\SysWOW64\Cgpcklpd.exe

Filesize
74KB

MD5
a923f9f1e46112224d598ae2009318f7

SHA1
e9288907048457b8982e2492ba166b3c54b875e5

SHA256
37011a7fa3b51cd1f41e859ea716757e83ff1894d4690b28e8a8a88cfd0fb29b

SHA512
0914d0684333668928d48104cbb0468392f2690dedd3d27b43ca97f570cf01bc157b18a6b5b0d2aa31d7c94fd2c7cdb1e399e415dd6f8a38c99d8f9115d4669f

Download Submit
C:\Windows\SysWOW64\Cgpcklpd.exe

Filesize
74KB

MD5
a923f9f1e46112224d598ae2009318f7

SHA1
e9288907048457b8982e2492ba166b3c54b875e5

SHA256
37011a7fa3b51cd1f41e859ea716757e83ff1894d4690b28e8a8a88cfd0fb29b

SHA512
0914d0684333668928d48104cbb0468392f2690dedd3d27b43ca97f570cf01bc157b18a6b5b0d2aa31d7c94fd2c7cdb1e399e415dd6f8a38c99d8f9115d4669f

Download Submit
C:\Windows\SysWOW64\Cjpllgme.exe

Filesize
74KB

MD5
3e644449c1473b54e8339695f5786dd1

SHA1
0cbf94b5256290684a6abfbea3f9429d47a65668

SHA256
66367bdce311f431fe2d8d32d3befe4205f806ee75c59588a5e4294696f311bd

SHA512
a3af631838e55dccc392d62f5ea6941ef305fc1c94dbe7ad0479f7b112269ba1c37f049a5f7fe415fd85fb396f9982299db88096a13486005eb4bd68b83c4f7f

Download Submit
C:\Windows\SysWOW64\Cjpllgme.exe

Filesize
74KB

MD5
3e644449c1473b54e8339695f5786dd1

SHA1
0cbf94b5256290684a6abfbea3f9429d47a65668

SHA256
66367bdce311f431fe2d8d32d3befe4205f806ee75c59588a5e4294696f311bd

SHA512
a3af631838e55dccc392d62f5ea6941ef305fc1c94dbe7ad0479f7b112269ba1c37f049a5f7fe415fd85fb396f9982299db88096a13486005eb4bd68b83c4f7f

Download Submit
C:\Windows\SysWOW64\Cokgonmp.exe

Filesize
74KB

MD5
5043306eb9b745b2f1c5061d867a98ec

SHA1
3ceae7e2e7c6158f7da3ac9f8766a7fd361bc354

SHA256
9e6af11ef783ec5d3aea41e221f6d1249891aeb0ee9daaaa300a8343b290c924

SHA512
0889911113008788fa734ba6c40588ab32741d9692ebd24288929c3a13b7f8f567722d09e0ce984bcd3ae9eaf02ae2248d5ed933940d4f4a72334eca7bf04319

Download Submit
C:\Windows\SysWOW64\Cokgonmp.exe

Filesize
74KB

MD5
5043306eb9b745b2f1c5061d867a98ec

SHA1
3ceae7e2e7c6158f7da3ac9f8766a7fd361bc354

SHA256
9e6af11ef783ec5d3aea41e221f6d1249891aeb0ee9daaaa300a8343b290c924

SHA512
0889911113008788fa734ba6c40588ab32741d9692ebd24288929c3a13b7f8f567722d09e0ce984bcd3ae9eaf02ae2248d5ed933940d4f4a72334eca7bf04319

Download Submit
C:\Windows\SysWOW64\Cpmqoqbp.exe

Filesize
74KB

MD5
ff248b9147a0058e2da97654bebae37a

SHA1
7d5170bfbe7fc2ff15f23847128e100cfa95da1e

SHA256
66eeab466a09dc8875b30b2477bf027edc9c340c64b570d99dbb46f0edb98879

SHA512
a97c09008773674e5328fed0efa528cddfee0d1d642717f0e3718b807dfd648ec17dd7985d81985d358af7cf3b0c832a64e3996f4c3d09c23e34c80a28924e0d

Download Submit
C:\Windows\SysWOW64\Cpmqoqbp.exe

Filesize
74KB

MD5
ff248b9147a0058e2da97654bebae37a

SHA1
7d5170bfbe7fc2ff15f23847128e100cfa95da1e

SHA256
66eeab466a09dc8875b30b2477bf027edc9c340c64b570d99dbb46f0edb98879

SHA512
a97c09008773674e5328fed0efa528cddfee0d1d642717f0e3718b807dfd648ec17dd7985d81985d358af7cf3b0c832a64e3996f4c3d09c23e34c80a28924e0d

Download Submit
C:\Windows\SysWOW64\Djeegf32.exe

Filesize
74KB

MD5
f6bb5c0c325188e5ddd65a44da65b210

SHA1
ace58f472445104b0f7ffd82d1ed754272d1b1bd

SHA256
36a526933d3bd4299251f54e940773aeb8c524bede3a97b210566ab500d690aa

SHA512
06fe694643fff3ad69b5ab817cfc0bd7e8cbeac41f0c27a1942a931ff10d96bae2e73dcd2fe4e61451ad59c36f834f5b0ce88996de79b8a1e03303d5e70a8f98

Download Submit
C:\Windows\SysWOW64\Djeegf32.exe

Filesize
74KB

MD5
f6bb5c0c325188e5ddd65a44da65b210

SHA1
ace58f472445104b0f7ffd82d1ed754272d1b1bd

SHA256
36a526933d3bd4299251f54e940773aeb8c524bede3a97b210566ab500d690aa

SHA512
06fe694643fff3ad69b5ab817cfc0bd7e8cbeac41f0c27a1942a931ff10d96bae2e73dcd2fe4e61451ad59c36f834f5b0ce88996de79b8a1e03303d5e70a8f98

Download Submit
C:\Windows\SysWOW64\Efjbne32.exe

Filesize
74KB

MD5
563fd85e3eb2ddc20ef7ca2908068914

SHA1
76b8517a7a84b455e848039372f786446fe32f6a

SHA256
8a3ece10c1a2954a326b4dbaff90cde7ff96e8a040d7279b44ba62369f3f9573

SHA512
56a3f73f704d26f6455c30837a31f7b78ba6b030d690df91a0c47e03332f5bb71a59dad9b458ec3581d10dc3d5d8314f5ced02f445cdaff91ac27c1a133713fd

Download Submit
C:\Windows\SysWOW64\Efjbne32.exe

Filesize
74KB

MD5
563fd85e3eb2ddc20ef7ca2908068914

SHA1
76b8517a7a84b455e848039372f786446fe32f6a

SHA256
8a3ece10c1a2954a326b4dbaff90cde7ff96e8a040d7279b44ba62369f3f9573

SHA512
56a3f73f704d26f6455c30837a31f7b78ba6b030d690df91a0c47e03332f5bb71a59dad9b458ec3581d10dc3d5d8314f5ced02f445cdaff91ac27c1a133713fd

Download Submit
C:\Windows\SysWOW64\Ejhkdc32.exe

Filesize
74KB

MD5
1ca3e3bed753b9a8c0924ec3320a728c

SHA1
ee0aded88e220ff25ed27409a16fddf6f4a0b5ac

SHA256
174699c129c3f214a79be121078dcc941cb033f0ed573a7dcfd050a58ec3387f

SHA512
5a4100d7f31971c935aa87359d5b3c10ed51ca3ae33ec718f793e4cc1b61255494804123b75643a84a6e37450056ee39bf2a3875459a849a49ec5f05ce9f802c

Download Submit
C:\Windows\SysWOW64\Ejhkdc32.exe

Filesize
74KB

MD5
1ca3e3bed753b9a8c0924ec3320a728c

SHA1
ee0aded88e220ff25ed27409a16fddf6f4a0b5ac

SHA256
174699c129c3f214a79be121078dcc941cb033f0ed573a7dcfd050a58ec3387f

SHA512
5a4100d7f31971c935aa87359d5b3c10ed51ca3ae33ec718f793e4cc1b61255494804123b75643a84a6e37450056ee39bf2a3875459a849a49ec5f05ce9f802c

Download Submit
C:\Windows\SysWOW64\Ejjgic32.exe

Filesize
74KB

MD5
1ca3e3bed753b9a8c0924ec3320a728c

SHA1
ee0aded88e220ff25ed27409a16fddf6f4a0b5ac

SHA256
174699c129c3f214a79be121078dcc941cb033f0ed573a7dcfd050a58ec3387f

SHA512
5a4100d7f31971c935aa87359d5b3c10ed51ca3ae33ec718f793e4cc1b61255494804123b75643a84a6e37450056ee39bf2a3875459a849a49ec5f05ce9f802c

Download Submit
C:\Windows\SysWOW64\Ejjgic32.exe

Filesize
74KB

MD5
27823d43a5a3b47e9622fd5aeb999eb4

SHA1
ff4bdb1506b75581d2571d35c8905af50de72784

SHA256
38b772dc26e1a34d9d9b506f8b0e58f3dfa84b69aad02ff0adad5d24cfaca7aa

SHA512
f214c4bc2a851bed92ad82adb51da42d7bc47d6a5d9e93901b9bb75dc9b1d132cf0423ec0133b289c9dcb265eea28f7dbff4421e014bb78629af100087cf255f

Download Submit
C:\Windows\SysWOW64\Ejjgic32.exe

Filesize
74KB

MD5
27823d43a5a3b47e9622fd5aeb999eb4

SHA1
ff4bdb1506b75581d2571d35c8905af50de72784

SHA256
38b772dc26e1a34d9d9b506f8b0e58f3dfa84b69aad02ff0adad5d24cfaca7aa

SHA512
f214c4bc2a851bed92ad82adb51da42d7bc47d6a5d9e93901b9bb75dc9b1d132cf0423ec0133b289c9dcb265eea28f7dbff4421e014bb78629af100087cf255f

Download Submit
C:\Windows\SysWOW64\Epgpajdp.exe

Filesize
74KB

MD5
1c00c5c036d336288bb11bbf571f12f4

SHA1
f6c8e980416326f07986c814c6244392dcca691d

SHA256
0e973d1d86c566beb2b0dd122cfb70ff2c78376188ec543c998555b1a7773920

SHA512
1d03c86bc6a14b2cee7c6b56e36874b033893c23fb6df4973945255ffc7756ebc05172fd376913eab2eef36b5c23032fe7caaaae10b5728eddb86c44be3f36fd

Download Submit
C:\Windows\SysWOW64\Epgpajdp.exe

Filesize
74KB

MD5
1c00c5c036d336288bb11bbf571f12f4

SHA1
f6c8e980416326f07986c814c6244392dcca691d

SHA256
0e973d1d86c566beb2b0dd122cfb70ff2c78376188ec543c998555b1a7773920

SHA512
1d03c86bc6a14b2cee7c6b56e36874b033893c23fb6df4973945255ffc7756ebc05172fd376913eab2eef36b5c23032fe7caaaae10b5728eddb86c44be3f36fd

Download Submit
C:\Windows\SysWOW64\Fceihh32.exe

Filesize
74KB

MD5
8bf4ac7124d9ecc8ab573373ec3f088b

SHA1
1781608cb4bc3fa733cf03b3687c3ae2cc27db02

SHA256
a3e3925c35b2c1fa97f74a4676744bd13fe3a05b172bf91ca327cd759236da60

SHA512
1781303b7508e0c1cf5c91f63d8f4be303a57c91f0763136d96faba3414ac2dfe4eee231622f7cf0cdf491a543cb8c02c85060526afc8f4c7f8e783770aad2eb

Download Submit
C:\Windows\SysWOW64\Fceihh32.exe

Filesize
74KB

MD5
8bf4ac7124d9ecc8ab573373ec3f088b

SHA1
1781608cb4bc3fa733cf03b3687c3ae2cc27db02

SHA256
a3e3925c35b2c1fa97f74a4676744bd13fe3a05b172bf91ca327cd759236da60

SHA512
1781303b7508e0c1cf5c91f63d8f4be303a57c91f0763136d96faba3414ac2dfe4eee231622f7cf0cdf491a543cb8c02c85060526afc8f4c7f8e783770aad2eb

Download Submit
C:\Windows\SysWOW64\Ffahnd32.exe

Filesize
74KB

MD5
b6a49052cdec35613ee47a4cc4b3768d

SHA1
c48c37b3af0dd26a830f76de1ea91965b17cd786

SHA256
10f09cba06ad0562cb9ecab97c5db95ce812223c717a45e45a46c99b09ba69ba

SHA512
5a2bf39b2d77703c407da07447e2e656f64e5a8031c6b4614ad7fa32f1b5410ed0eedb8bae72e9e28890b3ebefe29165d8a76e151b69df892aff8a60e4ba8ed7

Download Submit
C:\Windows\SysWOW64\Ffahnd32.exe

Filesize
74KB

MD5
b6a49052cdec35613ee47a4cc4b3768d

SHA1
c48c37b3af0dd26a830f76de1ea91965b17cd786

SHA256
10f09cba06ad0562cb9ecab97c5db95ce812223c717a45e45a46c99b09ba69ba

SHA512
5a2bf39b2d77703c407da07447e2e656f64e5a8031c6b4614ad7fa32f1b5410ed0eedb8bae72e9e28890b3ebefe29165d8a76e151b69df892aff8a60e4ba8ed7

Download Submit
C:\Windows\SysWOW64\Ffjkdc32.exe

Filesize
74KB

MD5
5c4843ef15e5557a1207f68e39960eca

SHA1
be14ad3d24c8b2b4d6eec2d4801954b47b940195

SHA256
15d2726e124d05d12731aec9a61164b342e67e764bdab9f5a9c4dbaa6372849c

SHA512
871a68270ce74d9193500d5516ca727e1a99c1466872d0b07204adb90573ae56aa7786aab83b309935b42eebc4ad13bfce11f5243b53113c0e6189b02dbae6a8

Download Submit
C:\Windows\SysWOW64\Ffjkdc32.exe

Filesize
74KB

MD5
5c4843ef15e5557a1207f68e39960eca

SHA1
be14ad3d24c8b2b4d6eec2d4801954b47b940195

SHA256
15d2726e124d05d12731aec9a61164b342e67e764bdab9f5a9c4dbaa6372849c

SHA512
871a68270ce74d9193500d5516ca727e1a99c1466872d0b07204adb90573ae56aa7786aab83b309935b42eebc4ad13bfce11f5243b53113c0e6189b02dbae6a8

Download Submit
C:\Windows\SysWOW64\Gfmhjb32.exe

Filesize
74KB

MD5
5c4843ef15e5557a1207f68e39960eca

SHA1
be14ad3d24c8b2b4d6eec2d4801954b47b940195

SHA256
15d2726e124d05d12731aec9a61164b342e67e764bdab9f5a9c4dbaa6372849c

SHA512
871a68270ce74d9193500d5516ca727e1a99c1466872d0b07204adb90573ae56aa7786aab83b309935b42eebc4ad13bfce11f5243b53113c0e6189b02dbae6a8

Download Submit
C:\Windows\SysWOW64\Gfmhjb32.exe

Filesize
74KB

MD5
5a196786185e4e48dae4ed5803571529

SHA1
3cc91d16adca176c561b411dbcf4498ee164d04c

SHA256
ef0415fc1863e48dbe3d85acae283871d0a078d68b6554d3212384ceea2ebe6f

SHA512
af1116d708aa6033ed270fa9ecbb7e4995f3c0f9afc6e58d3898715b5e987ca325e2d57c81b4e5b9be46859bea1dcf25d835d0d8f246a4f98c59797156dd59ba

Download Submit
C:\Windows\SysWOW64\Gfmhjb32.exe

Filesize
74KB

MD5
5a196786185e4e48dae4ed5803571529

SHA1
3cc91d16adca176c561b411dbcf4498ee164d04c

SHA256
ef0415fc1863e48dbe3d85acae283871d0a078d68b6554d3212384ceea2ebe6f

SHA512
af1116d708aa6033ed270fa9ecbb7e4995f3c0f9afc6e58d3898715b5e987ca325e2d57c81b4e5b9be46859bea1dcf25d835d0d8f246a4f98c59797156dd59ba

Download Submit
C:\Windows\SysWOW64\Glgediop.dll

Filesize
7KB

MD5
9ce81613117ee0e6e300fa614cfd02f4

SHA1
76d1a9c05edc58178ac0c74c92405206e9cc6f47

SHA256
e7b8f12b19d5e79edccfdfb1812ebea426fc9333c168321089572699f7b665ef

SHA512
4a25993dd596caf7eff315180c4ca9e589d49ced3f94b577c07ad1bd313247092ea87b47ad0fd75981b3e9d536d9eaa9f8f6f7f96814b3dbf4cec9a6e8935529

Download Submit
C:\Windows\SysWOW64\Pqkdmc32.exe

Filesize
74KB

MD5
fc54b0801401fdb0342ef9b37e9e29c1

SHA1
fa9dc511ef432a6e97e667b71715e50e91bf1b9a

SHA256
4b43c8360d958b2bfec85723bc1509664e556199ab019019796f6a08c70aaa82

SHA512
55570009f7437a247d3fdd527acd4683f3576130321b5da8f626fa7b741b768d3f05e1ca88e4a30eaae72551a04d6c97e576ede382d1669a3a00b2b7a201c75b

Download Submit
C:\Windows\SysWOW64\Pqkdmc32.exe

Filesize
74KB

MD5
fc54b0801401fdb0342ef9b37e9e29c1

SHA1
fa9dc511ef432a6e97e667b71715e50e91bf1b9a

SHA256
4b43c8360d958b2bfec85723bc1509664e556199ab019019796f6a08c70aaa82

SHA512
55570009f7437a247d3fdd527acd4683f3576130321b5da8f626fa7b741b768d3f05e1ca88e4a30eaae72551a04d6c97e576ede382d1669a3a00b2b7a201c75b

Download Submit
memory/640-134-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/640-48-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/808-103-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/808-129-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1372-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1476-39-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1476-136-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1600-119-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1600-142-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1836-28-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1840-96-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1840-140-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2204-131-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2204-80-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2280-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2280-133-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2348-31-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2348-135-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2744-141-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2744-111-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3024-139-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3024-88-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3860-132-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3860-56-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3992-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3992-138-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4136-137-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4136-8-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4448-127-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4448-143-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4976-130-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4976-71-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads