8a61477eab570826827b1ed4a330c3fb8e7f90387c6f50c851ee86db67da5b22

Analysis

max time kernel
144s
max time network
129s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
01/11/2023, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Size

6.4MB
MD5

0d17c198119958eaf7b4654b7cf34590
SHA1

9ec08782fd5f160c8e65ed72f3cabadb8c7eaaa0
SHA256

8a61477eab570826827b1ed4a330c3fb8e7f90387c6f50c851ee86db67da5b22
SHA512

abf557ff75985ec18a19673b0e47501414fa19d1a334fb4465b507c57239a7b20dc79c82928c6a61d0f1965e5b8831f4dccae4dc2b593e1f9e86067ddb72f5b5
SSDEEP

98304:k6Gn9646r6VatuKLXZnatuKLXZqatuKLXZ:ualLXValLXsalLX

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqacic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkfceo32.exe

Executes dropped EXE 6 IoCs

pid	Process
1232	Oqacic32.exe
1332	Pfgngh32.exe
2820	Pkfceo32.exe
2748	Aaloddnn.exe
2580	Bdmddc32.exe
1168	Ceegmj32.exe

Loads dropped DLL 16 IoCs

pid	Process
1816	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
1816	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
1232	Oqacic32.exe
1232	Oqacic32.exe
1332	Pfgngh32.exe
1332	Pfgngh32.exe
2820	Pkfceo32.exe
2820	Pkfceo32.exe
2748	Aaloddnn.exe
2748	Aaloddnn.exe
2580	Bdmddc32.exe
2580	Bdmddc32.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Oqacic32.exe
File created	C:\Windows\SysWOW64\Aipheffp.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Mhpeoj32.dll	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Oqacic32.exe	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Oqacic32.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Pkfceo32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Ceegmj32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Ghkekdhl.dll	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
File created	C:\Windows\SysWOW64\Hnablp32.dll	Oqacic32.exe
File created	C:\Windows\SysWOW64\Pkfceo32.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Pkfceo32.exe	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Oqacic32.exe	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
File opened for modification	C:\Windows\SysWOW64\Aaloddnn.exe	Pkfceo32.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Aaloddnn.exe
File created	C:\Windows\SysWOW64\Ceegmj32.exe	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Aoogfhfp.dll	Bdmddc32.exe

Program crash 1 IoCs

pid	pid_target	Process
2560	1168	WerFault.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoogfhfp.dll"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqacic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Pkfceo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkekdhl.dll"	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.0d17c198119958eaf7b4654b7cf34590.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipheffp.dll"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkfceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqacic32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1232	1816	NEAS.0d17c198119958eaf7b4654b7cf34590.exe	7
PID 1816 wrote to memory of 1232	1816	NEAS.0d17c198119958eaf7b4654b7cf34590.exe	7
PID 1816 wrote to memory of 1232	1816	NEAS.0d17c198119958eaf7b4654b7cf34590.exe	7
PID 1816 wrote to memory of 1232	1816	NEAS.0d17c198119958eaf7b4654b7cf34590.exe	7
PID 1232 wrote to memory of 1332	1232	Oqacic32.exe	6
PID 1232 wrote to memory of 1332	1232	Oqacic32.exe	6
PID 1232 wrote to memory of 1332	1232	Oqacic32.exe	6
PID 1232 wrote to memory of 1332	1232	Oqacic32.exe	6
PID 1332 wrote to memory of 2820	1332	Pfgngh32.exe	5
PID 1332 wrote to memory of 2820	1332	Pfgngh32.exe	5
PID 1332 wrote to memory of 2820	1332	Pfgngh32.exe	5
PID 1332 wrote to memory of 2820	1332	Pfgngh32.exe	5
PID 2820 wrote to memory of 2748	2820	Pkfceo32.exe	4
PID 2820 wrote to memory of 2748	2820	Pkfceo32.exe	4
PID 2820 wrote to memory of 2748	2820	Pkfceo32.exe	4
PID 2820 wrote to memory of 2748	2820	Pkfceo32.exe	4
PID 2748 wrote to memory of 2580	2748	Aaloddnn.exe	3
PID 2748 wrote to memory of 2580	2748	Aaloddnn.exe	3
PID 2748 wrote to memory of 2580	2748	Aaloddnn.exe	3
PID 2748 wrote to memory of 2580	2748	Aaloddnn.exe	3
PID 2580 wrote to memory of 1168	2580	Bdmddc32.exe	2
PID 2580 wrote to memory of 1168	2580	Bdmddc32.exe	2
PID 2580 wrote to memory of 1168	2580	Bdmddc32.exe	2
PID 2580 wrote to memory of 1168	2580	Bdmddc32.exe	2
PID 1168 wrote to memory of 2560	1168	Ceegmj32.exe	1
PID 1168 wrote to memory of 2560	1168	Ceegmj32.exe	1
PID 1168 wrote to memory of 2560	1168	Ceegmj32.exe	1
PID 1168 wrote to memory of 2560	1168	Ceegmj32.exe	1

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 140
1⤵
- Loads dropped DLL
- Program crash
PID:2560

C:\Windows\SysWOW64\Ceegmj32.exe
C:\Windows\system32\Ceegmj32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168

C:\Windows\SysWOW64\Bdmddc32.exe
C:\Windows\system32\Bdmddc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\SysWOW64\Aaloddnn.exe
C:\Windows\system32\Aaloddnn.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\SysWOW64\Pkfceo32.exe
C:\Windows\system32\Pkfceo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\Pfgngh32.exe
C:\Windows\system32\Pfgngh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\SysWOW64\Oqacic32.exe
C:\Windows\system32\Oqacic32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\NEAS.0d17c198119958eaf7b4654b7cf34590.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.0d17c198119958eaf7b4654b7cf34590.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
6.4MB

MD5
8213711724faea2fc6df049fb77e00a9

SHA1
0781d9c2cdba7430bd373566f6b97e1dd567ca9a

SHA256
a8f16dc328a6310564ff8623529cadf6acf818dafaaa27256cfcb07b838f7038

SHA512
168801c2c5ce70f832dfd6d4d2fbf325ef85e0fc3c009b21c994e2751433f673a3ec4b22f96c42db8a6cff65adb92e00582faadac50f17b5fc5ac5ee884f0c9d

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
6.4MB

MD5
8213711724faea2fc6df049fb77e00a9

SHA1
0781d9c2cdba7430bd373566f6b97e1dd567ca9a

SHA256
a8f16dc328a6310564ff8623529cadf6acf818dafaaa27256cfcb07b838f7038

SHA512
168801c2c5ce70f832dfd6d4d2fbf325ef85e0fc3c009b21c994e2751433f673a3ec4b22f96c42db8a6cff65adb92e00582faadac50f17b5fc5ac5ee884f0c9d

Download Submit
C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
6.4MB

MD5
8213711724faea2fc6df049fb77e00a9

SHA1
0781d9c2cdba7430bd373566f6b97e1dd567ca9a

SHA256
a8f16dc328a6310564ff8623529cadf6acf818dafaaa27256cfcb07b838f7038

SHA512
168801c2c5ce70f832dfd6d4d2fbf325ef85e0fc3c009b21c994e2751433f673a3ec4b22f96c42db8a6cff65adb92e00582faadac50f17b5fc5ac5ee884f0c9d

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
6.4MB

MD5
f633740efac95974e90ae6ab75952404

SHA1
4b9c69868be94ab3fad2a2ea91f7f0191c68de73

SHA256
52d66c4e78c7532fe664438e30ea2caa9b5703b8a04f0162bfe0e44a0ff25ae9

SHA512
965d83a90e264678a59bb3aaebe1658ffd838dff46c82f95306d70317e0c8abf75032b46ba8e3207fff605e45f6005d8f70a2559e17af2c5a5d21abfb4db1e38

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
6.4MB

MD5
f633740efac95974e90ae6ab75952404

SHA1
4b9c69868be94ab3fad2a2ea91f7f0191c68de73

SHA256
52d66c4e78c7532fe664438e30ea2caa9b5703b8a04f0162bfe0e44a0ff25ae9

SHA512
965d83a90e264678a59bb3aaebe1658ffd838dff46c82f95306d70317e0c8abf75032b46ba8e3207fff605e45f6005d8f70a2559e17af2c5a5d21abfb4db1e38

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
6.4MB

MD5
f633740efac95974e90ae6ab75952404

SHA1
4b9c69868be94ab3fad2a2ea91f7f0191c68de73

SHA256
52d66c4e78c7532fe664438e30ea2caa9b5703b8a04f0162bfe0e44a0ff25ae9

SHA512
965d83a90e264678a59bb3aaebe1658ffd838dff46c82f95306d70317e0c8abf75032b46ba8e3207fff605e45f6005d8f70a2559e17af2c5a5d21abfb4db1e38

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
6.4MB

MD5
1f783cccea89c64dd271316a97242648

SHA1
3b0387150145a041badfd7b80069233842ffa54f

SHA256
a9186a64cf9ee107c3ebba8c82c281456ad5cdf649108ed97eddad5b8526e10e

SHA512
18d3908d9539669cefdc9f5483dad6c1c9a5df2d9d2368a23b4b21a15c5c8b6e1ab2254aa159f9f037328beb9ec3c6f3f0d878375e063041d6167e0a2ec27323

Download Submit
C:\Windows\SysWOW64\Ceegmj32.exe

Filesize
6.4MB

MD5
1f783cccea89c64dd271316a97242648

SHA1
3b0387150145a041badfd7b80069233842ffa54f

SHA256
a9186a64cf9ee107c3ebba8c82c281456ad5cdf649108ed97eddad5b8526e10e

SHA512
18d3908d9539669cefdc9f5483dad6c1c9a5df2d9d2368a23b4b21a15c5c8b6e1ab2254aa159f9f037328beb9ec3c6f3f0d878375e063041d6167e0a2ec27323

Download Submit
C:\Windows\SysWOW64\Oqacic32.exe

Filesize
6.4MB

MD5
ba7fd67f42fd27b2589e635a519c84c6

SHA1
84be46d0ed756db2a78109c6736883c210442709

SHA256
4d14410461cad6a2c2f10d9cc40147ff1b9996f15af6611e30ddb8ec20a26571

SHA512
307d8f320b88d3f1fc216310bd56c915babb185e7d3ad31ae130ddd6c1f2cf049e70899383f390074f66cae5fa2e8ef16ee472cfdf2d74a00eea29ef29db2393

Download Submit
C:\Windows\SysWOW64\Oqacic32.exe

Filesize
6.4MB

MD5
ba7fd67f42fd27b2589e635a519c84c6

SHA1
84be46d0ed756db2a78109c6736883c210442709

SHA256
4d14410461cad6a2c2f10d9cc40147ff1b9996f15af6611e30ddb8ec20a26571

SHA512
307d8f320b88d3f1fc216310bd56c915babb185e7d3ad31ae130ddd6c1f2cf049e70899383f390074f66cae5fa2e8ef16ee472cfdf2d74a00eea29ef29db2393

Download Submit
C:\Windows\SysWOW64\Oqacic32.exe

Filesize
6.4MB

MD5
ba7fd67f42fd27b2589e635a519c84c6

SHA1
84be46d0ed756db2a78109c6736883c210442709

SHA256
4d14410461cad6a2c2f10d9cc40147ff1b9996f15af6611e30ddb8ec20a26571

SHA512
307d8f320b88d3f1fc216310bd56c915babb185e7d3ad31ae130ddd6c1f2cf049e70899383f390074f66cae5fa2e8ef16ee472cfdf2d74a00eea29ef29db2393

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
6.4MB

MD5
5d9afea317701dc2040401b6f4d93aef

SHA1
745c157d4d3464dd60d700cb89441859a852f4e8

SHA256
ba7eb811a62063a6b4697396c17adb99c66dda5bb940c0224f3195a9c8f86472

SHA512
0666a8737815c938ffb78411d45da92c6a83ca06e3444a93bf2619a7ec7f3aa867d2aab26a39f523bca7635c784a9e2d2774b178523f9fe4a59a5ae03b5ad8d8

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
6.4MB

MD5
5d9afea317701dc2040401b6f4d93aef

SHA1
745c157d4d3464dd60d700cb89441859a852f4e8

SHA256
ba7eb811a62063a6b4697396c17adb99c66dda5bb940c0224f3195a9c8f86472

SHA512
0666a8737815c938ffb78411d45da92c6a83ca06e3444a93bf2619a7ec7f3aa867d2aab26a39f523bca7635c784a9e2d2774b178523f9fe4a59a5ae03b5ad8d8

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
6.4MB

MD5
5d9afea317701dc2040401b6f4d93aef

SHA1
745c157d4d3464dd60d700cb89441859a852f4e8

SHA256
ba7eb811a62063a6b4697396c17adb99c66dda5bb940c0224f3195a9c8f86472

SHA512
0666a8737815c938ffb78411d45da92c6a83ca06e3444a93bf2619a7ec7f3aa867d2aab26a39f523bca7635c784a9e2d2774b178523f9fe4a59a5ae03b5ad8d8

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
6.4MB

MD5
e8a2668657581423cf1b2e6eaa8015a1

SHA1
bae21e039dc2b9818c7f7069243e8300ffd02666

SHA256
6ab9620b405a71ee58a75b01b8148325c7c072596c1586b8b4874f0cc8920ca4

SHA512
2f1c515a311689a38cdff2cc06997390b3728b199bc548e388783eecf3085680ce5cbf7ee561da38ad98a898d3ceeaf038c5412b7fce5921635198d9fcca3bc0

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
6.4MB

MD5
e8a2668657581423cf1b2e6eaa8015a1

SHA1
bae21e039dc2b9818c7f7069243e8300ffd02666

SHA256
6ab9620b405a71ee58a75b01b8148325c7c072596c1586b8b4874f0cc8920ca4

SHA512
2f1c515a311689a38cdff2cc06997390b3728b199bc548e388783eecf3085680ce5cbf7ee561da38ad98a898d3ceeaf038c5412b7fce5921635198d9fcca3bc0

Download Submit
C:\Windows\SysWOW64\Pkfceo32.exe

Filesize
6.4MB

MD5
e8a2668657581423cf1b2e6eaa8015a1

SHA1
bae21e039dc2b9818c7f7069243e8300ffd02666

SHA256
6ab9620b405a71ee58a75b01b8148325c7c072596c1586b8b4874f0cc8920ca4

SHA512
2f1c515a311689a38cdff2cc06997390b3728b199bc548e388783eecf3085680ce5cbf7ee561da38ad98a898d3ceeaf038c5412b7fce5921635198d9fcca3bc0

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
6.4MB

MD5
8213711724faea2fc6df049fb77e00a9

SHA1
0781d9c2cdba7430bd373566f6b97e1dd567ca9a

SHA256
a8f16dc328a6310564ff8623529cadf6acf818dafaaa27256cfcb07b838f7038

SHA512
168801c2c5ce70f832dfd6d4d2fbf325ef85e0fc3c009b21c994e2751433f673a3ec4b22f96c42db8a6cff65adb92e00582faadac50f17b5fc5ac5ee884f0c9d

Download Submit
\Windows\SysWOW64\Aaloddnn.exe

Filesize
6.4MB

MD5
8213711724faea2fc6df049fb77e00a9

SHA1
0781d9c2cdba7430bd373566f6b97e1dd567ca9a

SHA256
a8f16dc328a6310564ff8623529cadf6acf818dafaaa27256cfcb07b838f7038

SHA512
168801c2c5ce70f832dfd6d4d2fbf325ef85e0fc3c009b21c994e2751433f673a3ec4b22f96c42db8a6cff65adb92e00582faadac50f17b5fc5ac5ee884f0c9d

Download Submit
\Windows\SysWOW64\Bdmddc32.exe

Filesize
6.4MB

MD5
f633740efac95974e90ae6ab75952404

SHA1
4b9c69868be94ab3fad2a2ea91f7f0191c68de73

SHA256
52d66c4e78c7532fe664438e30ea2caa9b5703b8a04f0162bfe0e44a0ff25ae9

SHA512
965d83a90e264678a59bb3aaebe1658ffd838dff46c82f95306d70317e0c8abf75032b46ba8e3207fff605e45f6005d8f70a2559e17af2c5a5d21abfb4db1e38

Download Submit
\Windows\SysWOW64\Bdmddc32.exe

Filesize
6.4MB

MD5
f633740efac95974e90ae6ab75952404

SHA1
4b9c69868be94ab3fad2a2ea91f7f0191c68de73

SHA256
52d66c4e78c7532fe664438e30ea2caa9b5703b8a04f0162bfe0e44a0ff25ae9

SHA512
965d83a90e264678a59bb3aaebe1658ffd838dff46c82f95306d70317e0c8abf75032b46ba8e3207fff605e45f6005d8f70a2559e17af2c5a5d21abfb4db1e38

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
6.4MB

MD5
1f783cccea89c64dd271316a97242648

SHA1
3b0387150145a041badfd7b80069233842ffa54f

SHA256
a9186a64cf9ee107c3ebba8c82c281456ad5cdf649108ed97eddad5b8526e10e

SHA512
18d3908d9539669cefdc9f5483dad6c1c9a5df2d9d2368a23b4b21a15c5c8b6e1ab2254aa159f9f037328beb9ec3c6f3f0d878375e063041d6167e0a2ec27323

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
6.4MB

MD5
1f783cccea89c64dd271316a97242648

SHA1
3b0387150145a041badfd7b80069233842ffa54f

SHA256
a9186a64cf9ee107c3ebba8c82c281456ad5cdf649108ed97eddad5b8526e10e

SHA512
18d3908d9539669cefdc9f5483dad6c1c9a5df2d9d2368a23b4b21a15c5c8b6e1ab2254aa159f9f037328beb9ec3c6f3f0d878375e063041d6167e0a2ec27323

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
6.4MB

MD5
1f783cccea89c64dd271316a97242648

SHA1
3b0387150145a041badfd7b80069233842ffa54f

SHA256
a9186a64cf9ee107c3ebba8c82c281456ad5cdf649108ed97eddad5b8526e10e

SHA512
18d3908d9539669cefdc9f5483dad6c1c9a5df2d9d2368a23b4b21a15c5c8b6e1ab2254aa159f9f037328beb9ec3c6f3f0d878375e063041d6167e0a2ec27323

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
6.4MB

MD5
1f783cccea89c64dd271316a97242648

SHA1
3b0387150145a041badfd7b80069233842ffa54f

SHA256
a9186a64cf9ee107c3ebba8c82c281456ad5cdf649108ed97eddad5b8526e10e

SHA512
18d3908d9539669cefdc9f5483dad6c1c9a5df2d9d2368a23b4b21a15c5c8b6e1ab2254aa159f9f037328beb9ec3c6f3f0d878375e063041d6167e0a2ec27323

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
6.4MB

MD5
1f783cccea89c64dd271316a97242648

SHA1
3b0387150145a041badfd7b80069233842ffa54f

SHA256
a9186a64cf9ee107c3ebba8c82c281456ad5cdf649108ed97eddad5b8526e10e

SHA512
18d3908d9539669cefdc9f5483dad6c1c9a5df2d9d2368a23b4b21a15c5c8b6e1ab2254aa159f9f037328beb9ec3c6f3f0d878375e063041d6167e0a2ec27323

Download Submit
\Windows\SysWOW64\Ceegmj32.exe

Filesize
6.4MB

MD5
1f783cccea89c64dd271316a97242648

SHA1
3b0387150145a041badfd7b80069233842ffa54f

SHA256
a9186a64cf9ee107c3ebba8c82c281456ad5cdf649108ed97eddad5b8526e10e

SHA512
18d3908d9539669cefdc9f5483dad6c1c9a5df2d9d2368a23b4b21a15c5c8b6e1ab2254aa159f9f037328beb9ec3c6f3f0d878375e063041d6167e0a2ec27323

Download Submit
\Windows\SysWOW64\Oqacic32.exe

Filesize
6.4MB

MD5
ba7fd67f42fd27b2589e635a519c84c6

SHA1
84be46d0ed756db2a78109c6736883c210442709

SHA256
4d14410461cad6a2c2f10d9cc40147ff1b9996f15af6611e30ddb8ec20a26571

SHA512
307d8f320b88d3f1fc216310bd56c915babb185e7d3ad31ae130ddd6c1f2cf049e70899383f390074f66cae5fa2e8ef16ee472cfdf2d74a00eea29ef29db2393

Download Submit
\Windows\SysWOW64\Oqacic32.exe

Filesize
6.4MB

MD5
ba7fd67f42fd27b2589e635a519c84c6

SHA1
84be46d0ed756db2a78109c6736883c210442709

SHA256
4d14410461cad6a2c2f10d9cc40147ff1b9996f15af6611e30ddb8ec20a26571

SHA512
307d8f320b88d3f1fc216310bd56c915babb185e7d3ad31ae130ddd6c1f2cf049e70899383f390074f66cae5fa2e8ef16ee472cfdf2d74a00eea29ef29db2393

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
6.4MB

MD5
5d9afea317701dc2040401b6f4d93aef

SHA1
745c157d4d3464dd60d700cb89441859a852f4e8

SHA256
ba7eb811a62063a6b4697396c17adb99c66dda5bb940c0224f3195a9c8f86472

SHA512
0666a8737815c938ffb78411d45da92c6a83ca06e3444a93bf2619a7ec7f3aa867d2aab26a39f523bca7635c784a9e2d2774b178523f9fe4a59a5ae03b5ad8d8

Download Submit
\Windows\SysWOW64\Pfgngh32.exe

Filesize
6.4MB

MD5
5d9afea317701dc2040401b6f4d93aef

SHA1
745c157d4d3464dd60d700cb89441859a852f4e8

SHA256
ba7eb811a62063a6b4697396c17adb99c66dda5bb940c0224f3195a9c8f86472

SHA512
0666a8737815c938ffb78411d45da92c6a83ca06e3444a93bf2619a7ec7f3aa867d2aab26a39f523bca7635c784a9e2d2774b178523f9fe4a59a5ae03b5ad8d8

Download Submit
\Windows\SysWOW64\Pkfceo32.exe

Filesize
6.4MB

MD5
e8a2668657581423cf1b2e6eaa8015a1

SHA1
bae21e039dc2b9818c7f7069243e8300ffd02666

SHA256
6ab9620b405a71ee58a75b01b8148325c7c072596c1586b8b4874f0cc8920ca4

SHA512
2f1c515a311689a38cdff2cc06997390b3728b199bc548e388783eecf3085680ce5cbf7ee561da38ad98a898d3ceeaf038c5412b7fce5921635198d9fcca3bc0

Download Submit
\Windows\SysWOW64\Pkfceo32.exe

Filesize
6.4MB

MD5
e8a2668657581423cf1b2e6eaa8015a1

SHA1
bae21e039dc2b9818c7f7069243e8300ffd02666

SHA256
6ab9620b405a71ee58a75b01b8148325c7c072596c1586b8b4874f0cc8920ca4

SHA512
2f1c515a311689a38cdff2cc06997390b3728b199bc548e388783eecf3085680ce5cbf7ee561da38ad98a898d3ceeaf038c5412b7fce5921635198d9fcca3bc0

Download Submit
memory/1168-91-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-20-0x0000000001B90000-0x0000000001BC3000-memory.dmp

Filesize
204KB

Download
memory/1232-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-25-0x0000000001B90000-0x0000000001BC3000-memory.dmp

Filesize
204KB

Download
memory/1332-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-6-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2580-67-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-59-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-48-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2820-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads