0bd0c78b38b2f6517e9cfd7bc6370028f7af4239359cf21b3823a35a92eff50f

Analysis

max time kernel
133s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
02/11/2023, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
Size

237KB
MD5

e185a49817e49603770c8b5b6c961280
SHA1

817e1089cc24524bd2399b7bd087e30914c6d634
SHA256

0bd0c78b38b2f6517e9cfd7bc6370028f7af4239359cf21b3823a35a92eff50f
SHA512

1c7934cf0ddfaf547d675d1efff13cafe275eb8bdbfe6c61ed72359ec6fd78ecae8b782b0a38d45e7185274bb709b3d39e3db08816ae659718d1222b36011c7a
SSDEEP

6144:Hx13h0yJjxobikQ76QwlkwsDkOlti7wnN:bk46QwqDtlr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Famhmfkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cancekeo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edoencdm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cibain32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe

Executes dropped EXE 17 IoCs

pid	Process
756	Cibain32.exe
2964	Cancekeo.exe
4252	Cpcpfg32.exe
4328	Dmjmekgn.exe
1140	Dnljkk32.exe
3080	Dpmcmf32.exe
4736	Dcnlnaom.exe
2756	Dpalgenf.exe
4560	Edoencdm.exe
4936	Egpnooan.exe
1264	Egbken32.exe
4412	Ejccgi32.exe
2540	Famhmfkl.exe
4468	Fgiaemic.exe
2896	Fncibg32.exe
4848	Fjmfmh32.exe
936	Gddgpqbe.exe

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Cancekeo.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Cancekeo.exe
File created	C:\Windows\SysWOW64\Glkkmjeh.dll	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjmfmh32.exe
File opened for modification	C:\Windows\SysWOW64\Famhmfkl.exe	Ejccgi32.exe
File opened for modification	C:\Windows\SysWOW64\Cancekeo.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Dnljkk32.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Ndmojj32.dll	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Egpnooan.exe	Edoencdm.exe
File created	C:\Windows\SysWOW64\Cancekeo.exe	Cibain32.exe
File created	C:\Windows\SysWOW64\Egbken32.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Famhmfkl.exe
File created	C:\Windows\SysWOW64\Cibain32.exe	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
File created	C:\Windows\SysWOW64\Anbgamkp.dll	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
File opened for modification	C:\Windows\SysWOW64\Edoencdm.exe	Dpalgenf.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Cancekeo.exe
File created	C:\Windows\SysWOW64\Dmjmekgn.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Dpalgenf.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Ejccgi32.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Kplqhmfl.dll	Egbken32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Aldjigql.dll	Cibain32.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Egpnooan.exe	Edoencdm.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Kcpcgc32.dll	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Famhmfkl.exe	Ejccgi32.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Famhmfkl.exe
File opened for modification	C:\Windows\SysWOW64\Dpalgenf.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Edoencdm.exe	Dpalgenf.exe
File opened for modification	C:\Windows\SysWOW64\Cibain32.exe	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
File created	C:\Windows\SysWOW64\Mgqaip32.dll	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Dpmcmf32.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dpmcmf32.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Fjmfmh32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Nhbjnc32.dll	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Famhmfkl.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Cpcpfg32.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Ejccgi32.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Gdmkfp32.dll	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Bailkjga.dll	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Dpmcmf32.exe
File created	C:\Windows\SysWOW64\Lnedgk32.dll	Edoencdm.exe
File created	C:\Windows\SysWOW64\Klfhhpnk.dll	Fncibg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4280	936	WerFault.exe	109

Modifies registry class 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anbgamkp.dll"	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glkkmjeh.dll"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldjigql.dll"	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begndj32.dll"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpalgenf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfhhpnk.dll"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmkfp32.dll"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll"	Dpalgenf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejccgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dpmcmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cibain32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kplqhmfl.dll"	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Famhmfkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cibain32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cancekeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnedgk32.dll"	Edoencdm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bailkjga.dll"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edoencdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejccgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcggmk32.dll"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpmcmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edoencdm.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 756	2752	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe	92
PID 2752 wrote to memory of 756	2752	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe	92
PID 2752 wrote to memory of 756	2752	NEAS.e185a49817e49603770c8b5b6c961280_JC.exe	92
PID 756 wrote to memory of 2964	756	Cibain32.exe	93
PID 756 wrote to memory of 2964	756	Cibain32.exe	93
PID 756 wrote to memory of 2964	756	Cibain32.exe	93
PID 2964 wrote to memory of 4252	2964	Cancekeo.exe	94
PID 2964 wrote to memory of 4252	2964	Cancekeo.exe	94
PID 2964 wrote to memory of 4252	2964	Cancekeo.exe	94
PID 4252 wrote to memory of 4328	4252	Cpcpfg32.exe	95
PID 4252 wrote to memory of 4328	4252	Cpcpfg32.exe	95
PID 4252 wrote to memory of 4328	4252	Cpcpfg32.exe	95
PID 4328 wrote to memory of 1140	4328	Dmjmekgn.exe	96
PID 4328 wrote to memory of 1140	4328	Dmjmekgn.exe	96
PID 4328 wrote to memory of 1140	4328	Dmjmekgn.exe	96
PID 1140 wrote to memory of 3080	1140	Dnljkk32.exe	98
PID 1140 wrote to memory of 3080	1140	Dnljkk32.exe	98
PID 1140 wrote to memory of 3080	1140	Dnljkk32.exe	98
PID 3080 wrote to memory of 4736	3080	Dpmcmf32.exe	99
PID 3080 wrote to memory of 4736	3080	Dpmcmf32.exe	99
PID 3080 wrote to memory of 4736	3080	Dpmcmf32.exe	99
PID 4736 wrote to memory of 2756	4736	Dcnlnaom.exe	100
PID 4736 wrote to memory of 2756	4736	Dcnlnaom.exe	100
PID 4736 wrote to memory of 2756	4736	Dcnlnaom.exe	100
PID 2756 wrote to memory of 4560	2756	Dpalgenf.exe	101
PID 2756 wrote to memory of 4560	2756	Dpalgenf.exe	101
PID 2756 wrote to memory of 4560	2756	Dpalgenf.exe	101
PID 4560 wrote to memory of 4936	4560	Edoencdm.exe	102
PID 4560 wrote to memory of 4936	4560	Edoencdm.exe	102
PID 4560 wrote to memory of 4936	4560	Edoencdm.exe	102
PID 4936 wrote to memory of 1264	4936	Egpnooan.exe	103
PID 4936 wrote to memory of 1264	4936	Egpnooan.exe	103
PID 4936 wrote to memory of 1264	4936	Egpnooan.exe	103
PID 1264 wrote to memory of 4412	1264	Egbken32.exe	104
PID 1264 wrote to memory of 4412	1264	Egbken32.exe	104
PID 1264 wrote to memory of 4412	1264	Egbken32.exe	104
PID 4412 wrote to memory of 2540	4412	Ejccgi32.exe	105
PID 4412 wrote to memory of 2540	4412	Ejccgi32.exe	105
PID 4412 wrote to memory of 2540	4412	Ejccgi32.exe	105
PID 2540 wrote to memory of 4468	2540	Famhmfkl.exe	106
PID 2540 wrote to memory of 4468	2540	Famhmfkl.exe	106
PID 2540 wrote to memory of 4468	2540	Famhmfkl.exe	106
PID 4468 wrote to memory of 2896	4468	Fgiaemic.exe	107
PID 4468 wrote to memory of 2896	4468	Fgiaemic.exe	107
PID 4468 wrote to memory of 2896	4468	Fgiaemic.exe	107
PID 2896 wrote to memory of 4848	2896	Fncibg32.exe	108
PID 2896 wrote to memory of 4848	2896	Fncibg32.exe	108
PID 2896 wrote to memory of 4848	2896	Fncibg32.exe	108
PID 4848 wrote to memory of 936	4848	Fjmfmh32.exe	109
PID 4848 wrote to memory of 936	4848	Fjmfmh32.exe	109
PID 4848 wrote to memory of 936	4848	Fjmfmh32.exe	109

C:\Users\Admin\AppData\Local\Temp\NEAS.e185a49817e49603770c8b5b6c961280_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e185a49817e49603770c8b5b6c961280_JC.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\Cibain32.exe
  C:\Windows\system32\Cibain32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\Cancekeo.exe
    C:\Windows\system32\Cancekeo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\SysWOW64\Cpcpfg32.exe
      C:\Windows\system32\Cpcpfg32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4252
    - - C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\SysWOW64\Dpmcmf32.exe
        
        C:\Windows\system32\Dpmcmf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Dpalgenf.exe
        
        C:\Windows\system32\Dpalgenf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Edoencdm.exe
        
        C:\Windows\system32\Edoencdm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4936
        
        C:\Windows\SysWOW64\Egbken32.exe
        
        C:\Windows\system32\Egbken32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\SysWOW64\Ejccgi32.exe
        
        C:\Windows\system32\Ejccgi32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Famhmfkl.exe
        
        C:\Windows\system32\Famhmfkl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4848
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        18⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 400
        19⤵
        Program crash
        
        PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 936 -ip 936
1⤵
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cancekeo.exe

Filesize
237KB

MD5
babfc508b6735d51766f22af5745c754

SHA1
d584779b5b1523e9645c7f7eebeaade42f9f5837

SHA256
79d66da1a354b520927c465204f1b3ebd56e27a385a54f0799f5db2579854af2

SHA512
7b30eb19f5c94c2d61bdb9280a5036da3774cd1bec7141ce686920ae2489b769b546dfc4668cc655feabbd7c94ef2355fd0ff3bb2df3c68f5ce815ede09c0e47

Download Submit
C:\Windows\SysWOW64\Cancekeo.exe

Filesize
237KB

MD5
babfc508b6735d51766f22af5745c754

SHA1
d584779b5b1523e9645c7f7eebeaade42f9f5837

SHA256
79d66da1a354b520927c465204f1b3ebd56e27a385a54f0799f5db2579854af2

SHA512
7b30eb19f5c94c2d61bdb9280a5036da3774cd1bec7141ce686920ae2489b769b546dfc4668cc655feabbd7c94ef2355fd0ff3bb2df3c68f5ce815ede09c0e47

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
237KB

MD5
75fafafd8268a7c0089f93d6fc3cef0f

SHA1
2db4141a08472926e5646ca84c933064fcf96351

SHA256
f1802093e31fcdb2c72aa7fd257afd221a4f3a083dae5e22ba1ea1d0a8188fba

SHA512
4bb1b1bf5ec905050cec5644f164bae333f5a58023d503c846338f6ae6fb7403889055072e8fd7e605706192d1426014354eeeca338f9b9841005b98eb5e3936

Download Submit
C:\Windows\SysWOW64\Cibain32.exe

Filesize
237KB

MD5
75fafafd8268a7c0089f93d6fc3cef0f

SHA1
2db4141a08472926e5646ca84c933064fcf96351

SHA256
f1802093e31fcdb2c72aa7fd257afd221a4f3a083dae5e22ba1ea1d0a8188fba

SHA512
4bb1b1bf5ec905050cec5644f164bae333f5a58023d503c846338f6ae6fb7403889055072e8fd7e605706192d1426014354eeeca338f9b9841005b98eb5e3936

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
237KB

MD5
4ab0aac5a537299e02a17332aaeb0345

SHA1
00922ebcb14f524d5628c2971a1b97f2720492a5

SHA256
b7f982d3d3e54c07d5a645040c2e9d60c09a8ab356b4c0ad653fb353b13994c2

SHA512
6486402a8f98e57dd3e60fa09afd9d4c2d530e435b6ba42123b54d37615519b5d8b590d640b4a2ad267c408010f7f95df59f806b0f95b3eb73359778a7d46bb2

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
237KB

MD5
4ab0aac5a537299e02a17332aaeb0345

SHA1
00922ebcb14f524d5628c2971a1b97f2720492a5

SHA256
b7f982d3d3e54c07d5a645040c2e9d60c09a8ab356b4c0ad653fb353b13994c2

SHA512
6486402a8f98e57dd3e60fa09afd9d4c2d530e435b6ba42123b54d37615519b5d8b590d640b4a2ad267c408010f7f95df59f806b0f95b3eb73359778a7d46bb2

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
237KB

MD5
decfbb4b652577ebd730e0b4e779874f

SHA1
73aacb38d9af295d093637ef5227cb64c5944c5e

SHA256
5f1dfab59e80f96c22b5fbdc6597509a734ba400f95cfafe444ba824626818ef

SHA512
771624a0344dac4a8fdcccc54da1ea3954c813b4625378008defe548bd9b40df03f145a6473811b98085d479134bd4b625ba550d8f7f0c83c2a6d84d2393a442

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
237KB

MD5
decfbb4b652577ebd730e0b4e779874f

SHA1
73aacb38d9af295d093637ef5227cb64c5944c5e

SHA256
5f1dfab59e80f96c22b5fbdc6597509a734ba400f95cfafe444ba824626818ef

SHA512
771624a0344dac4a8fdcccc54da1ea3954c813b4625378008defe548bd9b40df03f145a6473811b98085d479134bd4b625ba550d8f7f0c83c2a6d84d2393a442

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
237KB

MD5
7b1a814195ef77e6b066a89d8bebc5be

SHA1
5812c377babac17d05404b86a9a2cae7306d531f

SHA256
1005e35526f49c7a8fea208ada67d7f4f4228e936d6a9860353a21e785619b4f

SHA512
6e31826bb302cabdd7d346ab66424271fb1738354b69ca1074ae6f454f91ffe5d0b1a4f08bd940d2445676efde7ac5af48b9def7069e899fc1096e4745dea2bd

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
237KB

MD5
7b1a814195ef77e6b066a89d8bebc5be

SHA1
5812c377babac17d05404b86a9a2cae7306d531f

SHA256
1005e35526f49c7a8fea208ada67d7f4f4228e936d6a9860353a21e785619b4f

SHA512
6e31826bb302cabdd7d346ab66424271fb1738354b69ca1074ae6f454f91ffe5d0b1a4f08bd940d2445676efde7ac5af48b9def7069e899fc1096e4745dea2bd

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
237KB

MD5
0ae2f6a70e498b3b9d0ea4069655afb0

SHA1
ed021cc9f958bc38ae389d1d8980a4577c400419

SHA256
703bbd87bb2b36843878f0715bc3d4422e6eabff56df4f8cb2969a4bf2ea5e88

SHA512
13beb81e8eb043b72329d5fd8213288ce4ecf06b7063fa7ed1d2cc66e1af49b74a27a3a33888ec02a66ecbba31c31e03db39fcfb88ee5ff171abeaa928b07cfd

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
237KB

MD5
0ae2f6a70e498b3b9d0ea4069655afb0

SHA1
ed021cc9f958bc38ae389d1d8980a4577c400419

SHA256
703bbd87bb2b36843878f0715bc3d4422e6eabff56df4f8cb2969a4bf2ea5e88

SHA512
13beb81e8eb043b72329d5fd8213288ce4ecf06b7063fa7ed1d2cc66e1af49b74a27a3a33888ec02a66ecbba31c31e03db39fcfb88ee5ff171abeaa928b07cfd

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
237KB

MD5
b55c7e6b2124b5a6b1a55afd59d9cb84

SHA1
2e79becec08436e630fc93ca4c1f17ff11bc2829

SHA256
64d5939cdc14ed4094f4f64428ba0c4257d61411b3ddbd00a20f712702068925

SHA512
8619e9c73d9193f7f0adfcb8b6b6dad3a45e5438c6000a8a0792aeef127f18b53ee49202d7258dc07462b1873973dbd490a672025b3a1aff2d9a15262d753aac

Download Submit
C:\Windows\SysWOW64\Dpalgenf.exe

Filesize
237KB

MD5
b55c7e6b2124b5a6b1a55afd59d9cb84

SHA1
2e79becec08436e630fc93ca4c1f17ff11bc2829

SHA256
64d5939cdc14ed4094f4f64428ba0c4257d61411b3ddbd00a20f712702068925

SHA512
8619e9c73d9193f7f0adfcb8b6b6dad3a45e5438c6000a8a0792aeef127f18b53ee49202d7258dc07462b1873973dbd490a672025b3a1aff2d9a15262d753aac

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
237KB

MD5
062a822b8957220fdec79f292084603f

SHA1
cb34c3bfbfcf4267bebe9b7d32f9a5e38e4ff3d1

SHA256
acb00fedaf15bc4707c588d7726978d718fcf2aa532cff24ff26e96fbd25ea25

SHA512
d20dcafc32e3dd04f4cf08beea8c0c76b632d15f8590bbafca8ce51d38d07ee320321e820729e42d6098ac92b473787aca90815230def6a946c9ba4d1c5843be

Download Submit
C:\Windows\SysWOW64\Dpmcmf32.exe

Filesize
237KB

MD5
062a822b8957220fdec79f292084603f

SHA1
cb34c3bfbfcf4267bebe9b7d32f9a5e38e4ff3d1

SHA256
acb00fedaf15bc4707c588d7726978d718fcf2aa532cff24ff26e96fbd25ea25

SHA512
d20dcafc32e3dd04f4cf08beea8c0c76b632d15f8590bbafca8ce51d38d07ee320321e820729e42d6098ac92b473787aca90815230def6a946c9ba4d1c5843be

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
237KB

MD5
2f791ef1c5f64c5f1e8929d48e710295

SHA1
946bb629a2379aaa2ee4759d643bed3d2f030c19

SHA256
b6071923198288503f57cd2dbaeb79dcdb83939741b5a2b872e91fb23f2eec8d

SHA512
00ed5cdff7e24eaafacb229eb705faf8d9cd112573d462f52037545a2245bce1a8c75d41739cbfd9e6d994722e6851e18032ec0596fa8062881f3c0aecdea284

Download Submit
C:\Windows\SysWOW64\Edoencdm.exe

Filesize
237KB

MD5
2f791ef1c5f64c5f1e8929d48e710295

SHA1
946bb629a2379aaa2ee4759d643bed3d2f030c19

SHA256
b6071923198288503f57cd2dbaeb79dcdb83939741b5a2b872e91fb23f2eec8d

SHA512
00ed5cdff7e24eaafacb229eb705faf8d9cd112573d462f52037545a2245bce1a8c75d41739cbfd9e6d994722e6851e18032ec0596fa8062881f3c0aecdea284

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
237KB

MD5
c790f7ec370d7ec781ff42bff4e8e8fc

SHA1
27bc57caa11a82ea1cce17d465f55526316486b3

SHA256
974ac70bd64ad1460a9b33e493fa289da58cc6162db49e7b8bf0674295b84499

SHA512
44fe6884e090de414132ce09de2566ac39a7dda75e67d3ef426d14dd88fc63a2d611b19425f5228a86bb4bc81aa7ecc3c22d00e14b7fbb57ddda07c896ccffdf

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
237KB

MD5
c790f7ec370d7ec781ff42bff4e8e8fc

SHA1
27bc57caa11a82ea1cce17d465f55526316486b3

SHA256
974ac70bd64ad1460a9b33e493fa289da58cc6162db49e7b8bf0674295b84499

SHA512
44fe6884e090de414132ce09de2566ac39a7dda75e67d3ef426d14dd88fc63a2d611b19425f5228a86bb4bc81aa7ecc3c22d00e14b7fbb57ddda07c896ccffdf

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
237KB

MD5
5e864ed77312a7a00859dbd72db8b061

SHA1
a47e47b64207ad56333af08c3e97018ac594e59a

SHA256
12ea6b618824a336bdfa2e7ad5f7f2b3e1433f7002a24ef065619a2e89e6dfa5

SHA512
43e7011859bcfdd3416274eef718942df346e2f79d4062174511bb411f9136bacd5bc4af8ca19f24eab7829c76196962d80f00c4d1625302415c8b994a038252

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
237KB

MD5
5e864ed77312a7a00859dbd72db8b061

SHA1
a47e47b64207ad56333af08c3e97018ac594e59a

SHA256
12ea6b618824a336bdfa2e7ad5f7f2b3e1433f7002a24ef065619a2e89e6dfa5

SHA512
43e7011859bcfdd3416274eef718942df346e2f79d4062174511bb411f9136bacd5bc4af8ca19f24eab7829c76196962d80f00c4d1625302415c8b994a038252

Download Submit
C:\Windows\SysWOW64\Ejccgi32.exe

Filesize
237KB

MD5
6953483852dba3085f5884e77ae25c9b

SHA1
524b33b229a601e6335989d70037f843f066ae8b

SHA256
37a37c00d0208cb0d66f94d54ad492bdab17e744e8de0db68134f3122aa34e21

SHA512
0063b48bb9acb842e15b7ae7ce60d1d37cf95013c1eca8e8998613b14b4e636aa4bfd880c51082b624e8c40899372b8acd3f53a375f87ac6c113dfeb9f0446a3

Download Submit
C:\Windows\SysWOW64\Ejccgi32.exe

Filesize
237KB

MD5
6953483852dba3085f5884e77ae25c9b

SHA1
524b33b229a601e6335989d70037f843f066ae8b

SHA256
37a37c00d0208cb0d66f94d54ad492bdab17e744e8de0db68134f3122aa34e21

SHA512
0063b48bb9acb842e15b7ae7ce60d1d37cf95013c1eca8e8998613b14b4e636aa4bfd880c51082b624e8c40899372b8acd3f53a375f87ac6c113dfeb9f0446a3

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
237KB

MD5
1f12d5dba8f83a34a33a5700dd696e17

SHA1
1b0407b19a9d1baaad3b72a6e9d9be1416cb5d38

SHA256
2d3963f70e96cf79823ecba17211b0afe8d7c3b4955bde86b72c70c313b90cce

SHA512
27e53fa96012db3f01cd1c6016eb7de40fad76f285335c43607f8dfa15f5ae52e130d19871d550915f34bf1b2b54c002ec09ea377ec441a82c39a5bd81f19ecb

Download Submit
C:\Windows\SysWOW64\Famhmfkl.exe

Filesize
237KB

MD5
1f12d5dba8f83a34a33a5700dd696e17

SHA1
1b0407b19a9d1baaad3b72a6e9d9be1416cb5d38

SHA256
2d3963f70e96cf79823ecba17211b0afe8d7c3b4955bde86b72c70c313b90cce

SHA512
27e53fa96012db3f01cd1c6016eb7de40fad76f285335c43607f8dfa15f5ae52e130d19871d550915f34bf1b2b54c002ec09ea377ec441a82c39a5bd81f19ecb

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
237KB

MD5
c3e0d01fc0cd0bbb826d8f06a0b0c28b

SHA1
20892b6ffd3922497ee6cc75aa5399c160d4a286

SHA256
2e1a2e62aefb2db4755816af6fbea26004b3b024fa3d96f8dc477ae294efe923

SHA512
c6c9fc1fc931ba8a9d91c10bb2a9d1b592cbd7561b85aa40abd8fa4563574eb2d7aaf6614a37e808e5b07ddb58eb3dec60c26652a1dba0ae2e401f6c8dea1bac

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
237KB

MD5
c3e0d01fc0cd0bbb826d8f06a0b0c28b

SHA1
20892b6ffd3922497ee6cc75aa5399c160d4a286

SHA256
2e1a2e62aefb2db4755816af6fbea26004b3b024fa3d96f8dc477ae294efe923

SHA512
c6c9fc1fc931ba8a9d91c10bb2a9d1b592cbd7561b85aa40abd8fa4563574eb2d7aaf6614a37e808e5b07ddb58eb3dec60c26652a1dba0ae2e401f6c8dea1bac

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
237KB

MD5
805b4a654934bb0a2ae2107edbd84bb2

SHA1
bc099499043fbbe87c77503f2bf2b0855be090be

SHA256
ce0c1b3cff00c137527fa15e139f10ed5dd5f2a07aea15f58b0a4772736401c3

SHA512
09f662cca8197204f25bc94fbe633a78d0d0d4d9e98802aaf8a2435e6bd01739aff0907d0e2002382f218e15b568a170da964f06c597b9065660a80b975f1be5

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
237KB

MD5
805b4a654934bb0a2ae2107edbd84bb2

SHA1
bc099499043fbbe87c77503f2bf2b0855be090be

SHA256
ce0c1b3cff00c137527fa15e139f10ed5dd5f2a07aea15f58b0a4772736401c3

SHA512
09f662cca8197204f25bc94fbe633a78d0d0d4d9e98802aaf8a2435e6bd01739aff0907d0e2002382f218e15b568a170da964f06c597b9065660a80b975f1be5

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
237KB

MD5
6ef65ddb19b861cedfc79c999cfd076e

SHA1
4a6b14122b0ff0a7d97f9bd5069768ca7f835b0a

SHA256
147a4f8255f5069af8c2d66885b15aad3e6e5cd68b33c940eeef10e472c4b21c

SHA512
649a63dbb994b219fe3698ef6958250c86261018e59b8599e7ec9b812d325e955ae60ffe9eb2b530f522a9ea3811e242ce5422247f1b02379e35bd95790829e1

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
237KB

MD5
6ef65ddb19b861cedfc79c999cfd076e

SHA1
4a6b14122b0ff0a7d97f9bd5069768ca7f835b0a

SHA256
147a4f8255f5069af8c2d66885b15aad3e6e5cd68b33c940eeef10e472c4b21c

SHA512
649a63dbb994b219fe3698ef6958250c86261018e59b8599e7ec9b812d325e955ae60ffe9eb2b530f522a9ea3811e242ce5422247f1b02379e35bd95790829e1

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
237KB

MD5
3a6e3139951ee1a8cd9ce75e83d6d8d7

SHA1
ae30d87213cfa97e98747f57dc53395ec8f9dbfe

SHA256
6cd7c57310c43598e368a3d42f10fbec279047ad09a4090bd30bbf70ccbaa01b

SHA512
4bef7c2bb771a3d4d7d104e0f3972b0b8433dc842822cb232c334e2e56696919fbc95ff11ecba2e74b278ebde2454f81ef70799cd8712418bfac14f81720f9cf

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
237KB

MD5
3a6e3139951ee1a8cd9ce75e83d6d8d7

SHA1
ae30d87213cfa97e98747f57dc53395ec8f9dbfe

SHA256
6cd7c57310c43598e368a3d42f10fbec279047ad09a4090bd30bbf70ccbaa01b

SHA512
4bef7c2bb771a3d4d7d104e0f3972b0b8433dc842822cb232c334e2e56696919fbc95ff11ecba2e74b278ebde2454f81ef70799cd8712418bfac14f81720f9cf

Download Submit
memory/756-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1264-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-106-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2752-1-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2896-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3080-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4252-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4328-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-82-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads