da912cfc47387f749d19aab00fc9d2111b41a346a9285269aa5998ec0a4947b4

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
18/11/2023, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Size

219KB
MD5

d6e52b14cef7e5d13eca42e8fbeb1d00
SHA1

fe7e6a4f051494cc6e5da239be036624bf96645c
SHA256

da912cfc47387f749d19aab00fc9d2111b41a346a9285269aa5998ec0a4947b4
SHA512

43690f04b99f05055c06ebb190513cf3be8f14575326488a4bf82255568ddc474a87b4a2bfc38b0da798f78fe0a012628cf32ec886490d08e78dbd7cc1a10a53
SSDEEP

6144:E62HhRy8SihagzDOO0aDD4PCxdXXwSfYrwB:E62B48dOOdDD4PCxdXXwSfYr

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doehqead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cojema32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cghggc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doehqead.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emnndlod.exe

Executes dropped EXE 12 IoCs

pid	Process
2924	Cojema32.exe
2568	Cghggc32.exe
1708	Cnaocmmi.exe
2756	Doehqead.exe
1252	Djklnnaj.exe
2804	Dfamcogo.exe
2492	Dfffnn32.exe
2532	Egjpkffe.exe
2400	Egllae32.exe
756	Edpmjj32.exe
336	Emnndlod.exe
1912	Fkckeh32.exe

Loads dropped DLL 28 IoCs

pid	Process
2944	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
2944	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
2924	Cojema32.exe
2924	Cojema32.exe
2568	Cghggc32.exe
2568	Cghggc32.exe
1708	Cnaocmmi.exe
1708	Cnaocmmi.exe
2756	Doehqead.exe
2756	Doehqead.exe
1252	Djklnnaj.exe
1252	Djklnnaj.exe
2804	Dfamcogo.exe
2804	Dfamcogo.exe
2492	Dfffnn32.exe
2492	Dfffnn32.exe
2532	Egjpkffe.exe
2532	Egjpkffe.exe
2400	Egllae32.exe
2400	Egllae32.exe
756	Edpmjj32.exe
756	Edpmjj32.exe
336	Emnndlod.exe
336	Emnndlod.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Abkphdmd.dll	Dfffnn32.exe
File opened for modification	C:\Windows\SysWOW64\Egllae32.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Egllae32.exe
File opened for modification	C:\Windows\SysWOW64\Cojema32.exe	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
File opened for modification	C:\Windows\SysWOW64\Cnaocmmi.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Djklnnaj.exe	Doehqead.exe
File created	C:\Windows\SysWOW64\Djklnnaj.exe	Doehqead.exe
File created	C:\Windows\SysWOW64\Dlkaflan.dll	Doehqead.exe
File created	C:\Windows\SysWOW64\Kcbabf32.dll	Egjpkffe.exe
File opened for modification	C:\Windows\SysWOW64\Edpmjj32.exe	Egllae32.exe
File opened for modification	C:\Windows\SysWOW64\Emnndlod.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Lfmnmlid.dll	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
File opened for modification	C:\Windows\SysWOW64\Cghggc32.exe	Cojema32.exe
File created	C:\Windows\SysWOW64\Lklohbmo.dll	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Mnghjbjl.dll	Cojema32.exe
File created	C:\Windows\SysWOW64\Doehqead.exe	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Egjpkffe.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Focnmm32.dll	Dfamcogo.exe
File opened for modification	C:\Windows\SysWOW64\Egjpkffe.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Egllae32.exe
File created	C:\Windows\SysWOW64\Egllae32.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Emnndlod.exe
File created	C:\Windows\SysWOW64\Dfamcogo.exe	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Blopagpd.dll	Djklnnaj.exe
File opened for modification	C:\Windows\SysWOW64\Dfffnn32.exe	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Emnndlod.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Emnndlod.exe
File created	C:\Windows\SysWOW64\Cojema32.exe	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
File created	C:\Windows\SysWOW64\Cghggc32.exe	Cojema32.exe
File created	C:\Windows\SysWOW64\Plnoej32.dll	Cnaocmmi.exe
File created	C:\Windows\SysWOW64\Dfffnn32.exe	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Inegme32.dll	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Cnaocmmi.exe	Cghggc32.exe
File opened for modification	C:\Windows\SysWOW64\Doehqead.exe	Cnaocmmi.exe
File opened for modification	C:\Windows\SysWOW64\Dfamcogo.exe	Djklnnaj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2464	1912	WerFault.exe	39

Modifies registry class 39 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emnndlod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmnmlid.dll"	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnghjbjl.dll"	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll"	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cojema32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Doehqead.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnaocmmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll"	Doehqead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbabf32.dll"	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lklohbmo.dll"	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnoej32.dll"	Cnaocmmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doehqead.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Emnndlod.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cojema32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djklnnaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edpmjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inegme32.dll"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfamcogo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egllae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Egllae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cghggc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll"	Dfamcogo.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2924	2944	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe	28
PID 2944 wrote to memory of 2924	2944	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe	28
PID 2944 wrote to memory of 2924	2944	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe	28
PID 2944 wrote to memory of 2924	2944	NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe	28
PID 2924 wrote to memory of 2568	2924	Cojema32.exe	29
PID 2924 wrote to memory of 2568	2924	Cojema32.exe	29
PID 2924 wrote to memory of 2568	2924	Cojema32.exe	29
PID 2924 wrote to memory of 2568	2924	Cojema32.exe	29
PID 2568 wrote to memory of 1708	2568	Cghggc32.exe	32
PID 2568 wrote to memory of 1708	2568	Cghggc32.exe	32
PID 2568 wrote to memory of 1708	2568	Cghggc32.exe	32
PID 2568 wrote to memory of 1708	2568	Cghggc32.exe	32
PID 1708 wrote to memory of 2756	1708	Cnaocmmi.exe	31
PID 1708 wrote to memory of 2756	1708	Cnaocmmi.exe	31
PID 1708 wrote to memory of 2756	1708	Cnaocmmi.exe	31
PID 1708 wrote to memory of 2756	1708	Cnaocmmi.exe	31
PID 2756 wrote to memory of 1252	2756	Doehqead.exe	30
PID 2756 wrote to memory of 1252	2756	Doehqead.exe	30
PID 2756 wrote to memory of 1252	2756	Doehqead.exe	30
PID 2756 wrote to memory of 1252	2756	Doehqead.exe	30
PID 1252 wrote to memory of 2804	1252	Djklnnaj.exe	33
PID 1252 wrote to memory of 2804	1252	Djklnnaj.exe	33
PID 1252 wrote to memory of 2804	1252	Djklnnaj.exe	33
PID 1252 wrote to memory of 2804	1252	Djklnnaj.exe	33
PID 2804 wrote to memory of 2492	2804	Dfamcogo.exe	34
PID 2804 wrote to memory of 2492	2804	Dfamcogo.exe	34
PID 2804 wrote to memory of 2492	2804	Dfamcogo.exe	34
PID 2804 wrote to memory of 2492	2804	Dfamcogo.exe	34
PID 2492 wrote to memory of 2532	2492	Dfffnn32.exe	35
PID 2492 wrote to memory of 2532	2492	Dfffnn32.exe	35
PID 2492 wrote to memory of 2532	2492	Dfffnn32.exe	35
PID 2492 wrote to memory of 2532	2492	Dfffnn32.exe	35
PID 2532 wrote to memory of 2400	2532	Egjpkffe.exe	36
PID 2532 wrote to memory of 2400	2532	Egjpkffe.exe	36
PID 2532 wrote to memory of 2400	2532	Egjpkffe.exe	36
PID 2532 wrote to memory of 2400	2532	Egjpkffe.exe	36
PID 2400 wrote to memory of 756	2400	Egllae32.exe	37
PID 2400 wrote to memory of 756	2400	Egllae32.exe	37
PID 2400 wrote to memory of 756	2400	Egllae32.exe	37
PID 2400 wrote to memory of 756	2400	Egllae32.exe	37
PID 756 wrote to memory of 336	756	Edpmjj32.exe	38
PID 756 wrote to memory of 336	756	Edpmjj32.exe	38
PID 756 wrote to memory of 336	756	Edpmjj32.exe	38
PID 756 wrote to memory of 336	756	Edpmjj32.exe	38
PID 336 wrote to memory of 1912	336	Emnndlod.exe	39
PID 336 wrote to memory of 1912	336	Emnndlod.exe	39
PID 336 wrote to memory of 1912	336	Emnndlod.exe	39
PID 336 wrote to memory of 1912	336	Emnndlod.exe	39
PID 1912 wrote to memory of 2464	1912	Fkckeh32.exe	40
PID 1912 wrote to memory of 2464	1912	Fkckeh32.exe	40
PID 1912 wrote to memory of 2464	1912	Fkckeh32.exe	40
PID 1912 wrote to memory of 2464	1912	Fkckeh32.exe	40

C:\Users\Admin\AppData\Local\Temp\NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.d6e52b14cef7e5d13eca42e8fbeb1d00.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\Cojema32.exe
  C:\Windows\system32\Cojema32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\Cghggc32.exe
    C:\Windows\system32\Cghggc32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\Cnaocmmi.exe
      C:\Windows\system32\Cnaocmmi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1708

C:\Windows\SysWOW64\Djklnnaj.exe
C:\Windows\system32\Djklnnaj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\Dfamcogo.exe
  C:\Windows\system32\Dfamcogo.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\Dfffnn32.exe
    C:\Windows\system32\Dfffnn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Windows\SysWOW64\Egjpkffe.exe
      C:\Windows\system32\Egjpkffe.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\Egllae32.exe
        
        C:\Windows\system32\Egllae32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
      - C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Emnndlod.exe
        
        C:\Windows\system32\Emnndlod.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 140
        9⤵
        Loads dropped DLL
        Program crash
        
        PID:2464

C:\Windows\SysWOW64\Doehqead.exe
C:\Windows\system32\Doehqead.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cghggc32.exe

Filesize
219KB

MD5
6d76945b808b18aea25b9a071a2cb88a

SHA1
03f5f9a06470e0f40b7b18457f2e2894f9a8bd72

SHA256
89a316b80cb36caf631a5877263ec834fbafc580586ac522045e40bf7078cb98

SHA512
2f68deac454ffca24c4e935d4ad714ebb427a613f8bfd962636c768b2f69a3a0a216656046b2312acd2d3e301edd6e3ddb1891d6d4ae9ad088983db17297f586

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
219KB

MD5
6d76945b808b18aea25b9a071a2cb88a

SHA1
03f5f9a06470e0f40b7b18457f2e2894f9a8bd72

SHA256
89a316b80cb36caf631a5877263ec834fbafc580586ac522045e40bf7078cb98

SHA512
2f68deac454ffca24c4e935d4ad714ebb427a613f8bfd962636c768b2f69a3a0a216656046b2312acd2d3e301edd6e3ddb1891d6d4ae9ad088983db17297f586

Download Submit
C:\Windows\SysWOW64\Cghggc32.exe

Filesize
219KB

MD5
6d76945b808b18aea25b9a071a2cb88a

SHA1
03f5f9a06470e0f40b7b18457f2e2894f9a8bd72

SHA256
89a316b80cb36caf631a5877263ec834fbafc580586ac522045e40bf7078cb98

SHA512
2f68deac454ffca24c4e935d4ad714ebb427a613f8bfd962636c768b2f69a3a0a216656046b2312acd2d3e301edd6e3ddb1891d6d4ae9ad088983db17297f586

Download Submit
C:\Windows\SysWOW64\Cnaocmmi.exe

Filesize
219KB

MD5
8bf5c75db66fec2b86c664761cf928e2

SHA1
c2af366a3fecc61db47dd985216095a77bc548c4

SHA256
c6419fe45c04888af8469cd52fdbe1f665ad6728a31a733161621d26f29aa42f

SHA512
3093cd1251d37f0bdde580f804b32ca2f32f3be8048af18421405d29fd11106381a67ce979736f113eca7934fb66e35e74bf09b37d2905957515d49c9a873c91

Download Submit
C:\Windows\SysWOW64\Cnaocmmi.exe

Filesize
219KB

MD5
8bf5c75db66fec2b86c664761cf928e2

SHA1
c2af366a3fecc61db47dd985216095a77bc548c4

SHA256
c6419fe45c04888af8469cd52fdbe1f665ad6728a31a733161621d26f29aa42f

SHA512
3093cd1251d37f0bdde580f804b32ca2f32f3be8048af18421405d29fd11106381a67ce979736f113eca7934fb66e35e74bf09b37d2905957515d49c9a873c91

Download Submit
C:\Windows\SysWOW64\Cnaocmmi.exe

Filesize
219KB

MD5
8bf5c75db66fec2b86c664761cf928e2

SHA1
c2af366a3fecc61db47dd985216095a77bc548c4

SHA256
c6419fe45c04888af8469cd52fdbe1f665ad6728a31a733161621d26f29aa42f

SHA512
3093cd1251d37f0bdde580f804b32ca2f32f3be8048af18421405d29fd11106381a67ce979736f113eca7934fb66e35e74bf09b37d2905957515d49c9a873c91

Download Submit
C:\Windows\SysWOW64\Cojema32.exe

Filesize
219KB

MD5
a3210699c36d5af4b4f75ccdd84e0187

SHA1
c0730af1a03eb95586e414f8d3e093aa435f41cf

SHA256
e2e0310316a1c6230c756e375eb6b1ee418ca01cfcd9eba5e164230f054a2c31

SHA512
e474442a33bf385451efca3a8a284674132af8e7dc9181e8e40023c365237ca7edd89b5e75ad7b6c252138e1181161fc893a517d0864192e8ba04f0cda577212

Download Submit
C:\Windows\SysWOW64\Cojema32.exe

Filesize
219KB

MD5
a3210699c36d5af4b4f75ccdd84e0187

SHA1
c0730af1a03eb95586e414f8d3e093aa435f41cf

SHA256
e2e0310316a1c6230c756e375eb6b1ee418ca01cfcd9eba5e164230f054a2c31

SHA512
e474442a33bf385451efca3a8a284674132af8e7dc9181e8e40023c365237ca7edd89b5e75ad7b6c252138e1181161fc893a517d0864192e8ba04f0cda577212

Download Submit
C:\Windows\SysWOW64\Cojema32.exe

Filesize
219KB

MD5
a3210699c36d5af4b4f75ccdd84e0187

SHA1
c0730af1a03eb95586e414f8d3e093aa435f41cf

SHA256
e2e0310316a1c6230c756e375eb6b1ee418ca01cfcd9eba5e164230f054a2c31

SHA512
e474442a33bf385451efca3a8a284674132af8e7dc9181e8e40023c365237ca7edd89b5e75ad7b6c252138e1181161fc893a517d0864192e8ba04f0cda577212

Download Submit
C:\Windows\SysWOW64\Dfamcogo.exe

Filesize
219KB

MD5
046a18d15cbe797d9faaaf8a0de4c6c7

SHA1
8a6658913ac9849c505d7f44ee2cb09e53254761

SHA256
a71adf934000fdd9fcbac378862dff27982cb2438fd06e4331fb742392c7ee85

SHA512
a397d8dc989c30d5225ac1bcf85684b9673f39081431015ab15085e2089f3c2249cc7929ebf67bcbf3659e785d3f9cba85494a59f123aba8a43af1826c9741f2

Download Submit
C:\Windows\SysWOW64\Dfamcogo.exe

Filesize
219KB

MD5
046a18d15cbe797d9faaaf8a0de4c6c7

SHA1
8a6658913ac9849c505d7f44ee2cb09e53254761

SHA256
a71adf934000fdd9fcbac378862dff27982cb2438fd06e4331fb742392c7ee85

SHA512
a397d8dc989c30d5225ac1bcf85684b9673f39081431015ab15085e2089f3c2249cc7929ebf67bcbf3659e785d3f9cba85494a59f123aba8a43af1826c9741f2

Download Submit
C:\Windows\SysWOW64\Dfamcogo.exe

Filesize
219KB

MD5
046a18d15cbe797d9faaaf8a0de4c6c7

SHA1
8a6658913ac9849c505d7f44ee2cb09e53254761

SHA256
a71adf934000fdd9fcbac378862dff27982cb2438fd06e4331fb742392c7ee85

SHA512
a397d8dc989c30d5225ac1bcf85684b9673f39081431015ab15085e2089f3c2249cc7929ebf67bcbf3659e785d3f9cba85494a59f123aba8a43af1826c9741f2

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
219KB

MD5
d15d2a9a9812526500df664569df28e5

SHA1
0d8ecb25dfbec9d1b4ef7629c2a57aa0ae39ac2a

SHA256
799886408a47a15ebe0d50fb940e3654731e32b994324398ae24e587f9f02834

SHA512
20472979771c5d83cb4753a4f3b6f084368cd80018288bdd7f887333fce2deeaab5e6571a9df9424bb9409557cacfc3663200cf3383bf22224301ceb0178c53a

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
219KB

MD5
d15d2a9a9812526500df664569df28e5

SHA1
0d8ecb25dfbec9d1b4ef7629c2a57aa0ae39ac2a

SHA256
799886408a47a15ebe0d50fb940e3654731e32b994324398ae24e587f9f02834

SHA512
20472979771c5d83cb4753a4f3b6f084368cd80018288bdd7f887333fce2deeaab5e6571a9df9424bb9409557cacfc3663200cf3383bf22224301ceb0178c53a

Download Submit
C:\Windows\SysWOW64\Dfffnn32.exe

Filesize
219KB

MD5
d15d2a9a9812526500df664569df28e5

SHA1
0d8ecb25dfbec9d1b4ef7629c2a57aa0ae39ac2a

SHA256
799886408a47a15ebe0d50fb940e3654731e32b994324398ae24e587f9f02834

SHA512
20472979771c5d83cb4753a4f3b6f084368cd80018288bdd7f887333fce2deeaab5e6571a9df9424bb9409557cacfc3663200cf3383bf22224301ceb0178c53a

Download Submit
C:\Windows\SysWOW64\Djklnnaj.exe

Filesize
219KB

MD5
352dcc901aadca2b3686db143673f690

SHA1
005a81b157b42db2c5daf014d5ef24e413388de0

SHA256
0c0bada07d70556490b70c7f364000478cddf000ac576bf8f926e54a739e1101

SHA512
718d0ae330663777f35dd973251669d1060da7ffd7383f1bbd8ccc79006833b19cc0d7bcc963463373869dfa57371a92b4a8cc576dfd315a692faef320548e5e

Download Submit
C:\Windows\SysWOW64\Djklnnaj.exe

Filesize
219KB

MD5
352dcc901aadca2b3686db143673f690

SHA1
005a81b157b42db2c5daf014d5ef24e413388de0

SHA256
0c0bada07d70556490b70c7f364000478cddf000ac576bf8f926e54a739e1101

SHA512
718d0ae330663777f35dd973251669d1060da7ffd7383f1bbd8ccc79006833b19cc0d7bcc963463373869dfa57371a92b4a8cc576dfd315a692faef320548e5e

Download Submit
C:\Windows\SysWOW64\Djklnnaj.exe

Filesize
219KB

MD5
352dcc901aadca2b3686db143673f690

SHA1
005a81b157b42db2c5daf014d5ef24e413388de0

SHA256
0c0bada07d70556490b70c7f364000478cddf000ac576bf8f926e54a739e1101

SHA512
718d0ae330663777f35dd973251669d1060da7ffd7383f1bbd8ccc79006833b19cc0d7bcc963463373869dfa57371a92b4a8cc576dfd315a692faef320548e5e

Download Submit
C:\Windows\SysWOW64\Doehqead.exe

Filesize
219KB

MD5
d77569786d5a7e4aeba4cfce178bb43a

SHA1
09274bc298eb8d728840836cd12e47bd33c2d411

SHA256
99c899d426c26b9f2fee5b7ff987e9bf2042e7012f2c08d41c6a2a32ad3b5f41

SHA512
df138d6c8c721a3107a16bf9ec3dd6384f740d6da495a51ed9eddc01e611ee4d49898f43ef89755af861a27c8efb37e0195c15d0442261760d9e1190eba5ef62

Download Submit
C:\Windows\SysWOW64\Doehqead.exe

Filesize
219KB

MD5
d77569786d5a7e4aeba4cfce178bb43a

SHA1
09274bc298eb8d728840836cd12e47bd33c2d411

SHA256
99c899d426c26b9f2fee5b7ff987e9bf2042e7012f2c08d41c6a2a32ad3b5f41

SHA512
df138d6c8c721a3107a16bf9ec3dd6384f740d6da495a51ed9eddc01e611ee4d49898f43ef89755af861a27c8efb37e0195c15d0442261760d9e1190eba5ef62

Download Submit
C:\Windows\SysWOW64\Doehqead.exe

Filesize
219KB

MD5
d77569786d5a7e4aeba4cfce178bb43a

SHA1
09274bc298eb8d728840836cd12e47bd33c2d411

SHA256
99c899d426c26b9f2fee5b7ff987e9bf2042e7012f2c08d41c6a2a32ad3b5f41

SHA512
df138d6c8c721a3107a16bf9ec3dd6384f740d6da495a51ed9eddc01e611ee4d49898f43ef89755af861a27c8efb37e0195c15d0442261760d9e1190eba5ef62

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
219KB

MD5
f9d4ce3df23dc3fe9a2548fa5eda1561

SHA1
8acc67bdaffafe5d11266a7b715769b450ff0174

SHA256
7f036ce475ad9690b15281b274d76cf154b9ddc754a07dfc8e08675c28f98204

SHA512
bc08110b2c7785efb1e8906881c8914f8c80a45ae135838b554de11a944c7f90d8b5b38b59afd5040cb817d3c5b64012cdc120a193428cd5fefeb84a8dbe9202

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
219KB

MD5
f9d4ce3df23dc3fe9a2548fa5eda1561

SHA1
8acc67bdaffafe5d11266a7b715769b450ff0174

SHA256
7f036ce475ad9690b15281b274d76cf154b9ddc754a07dfc8e08675c28f98204

SHA512
bc08110b2c7785efb1e8906881c8914f8c80a45ae135838b554de11a944c7f90d8b5b38b59afd5040cb817d3c5b64012cdc120a193428cd5fefeb84a8dbe9202

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
219KB

MD5
f9d4ce3df23dc3fe9a2548fa5eda1561

SHA1
8acc67bdaffafe5d11266a7b715769b450ff0174

SHA256
7f036ce475ad9690b15281b274d76cf154b9ddc754a07dfc8e08675c28f98204

SHA512
bc08110b2c7785efb1e8906881c8914f8c80a45ae135838b554de11a944c7f90d8b5b38b59afd5040cb817d3c5b64012cdc120a193428cd5fefeb84a8dbe9202

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
219KB

MD5
fe84520f3e3ce9e29fb34599adcf54de

SHA1
217bc767b91485241403eb70ae8f1d5c40fe490a

SHA256
47c96a9de64753d1a820496d7973555d5c7929b0bfbd86792f0c5349e6a73224

SHA512
87a43157862ee6ad490cf359f2795500d97fa5fdaf14e4eb91f34f684b3175a89b70deabdade41acb629c2f6db90b72958c13d55fc5f80b4b035300c56bd6783

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
219KB

MD5
fe84520f3e3ce9e29fb34599adcf54de

SHA1
217bc767b91485241403eb70ae8f1d5c40fe490a

SHA256
47c96a9de64753d1a820496d7973555d5c7929b0bfbd86792f0c5349e6a73224

SHA512
87a43157862ee6ad490cf359f2795500d97fa5fdaf14e4eb91f34f684b3175a89b70deabdade41acb629c2f6db90b72958c13d55fc5f80b4b035300c56bd6783

Download Submit
C:\Windows\SysWOW64\Egjpkffe.exe

Filesize
219KB

MD5
fe84520f3e3ce9e29fb34599adcf54de

SHA1
217bc767b91485241403eb70ae8f1d5c40fe490a

SHA256
47c96a9de64753d1a820496d7973555d5c7929b0bfbd86792f0c5349e6a73224

SHA512
87a43157862ee6ad490cf359f2795500d97fa5fdaf14e4eb91f34f684b3175a89b70deabdade41acb629c2f6db90b72958c13d55fc5f80b4b035300c56bd6783

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
219KB

MD5
3eca22ce63d60c89f4a45195b8eac235

SHA1
16bc5f1f9ea4b98e22dad864745db298f9dfd3dd

SHA256
2ab5d11b995523fe6f9686920cb69c25ae11900840fdebee2b0c8e28df8a0600

SHA512
8ee56c33eccda67c87da94cd78361bea79d8c47f666e59a358278f32eae55c8ef7c6050bf6de394fea0aca4674dd157152a062cda92dec23b61e34be502b9095

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
219KB

MD5
3eca22ce63d60c89f4a45195b8eac235

SHA1
16bc5f1f9ea4b98e22dad864745db298f9dfd3dd

SHA256
2ab5d11b995523fe6f9686920cb69c25ae11900840fdebee2b0c8e28df8a0600

SHA512
8ee56c33eccda67c87da94cd78361bea79d8c47f666e59a358278f32eae55c8ef7c6050bf6de394fea0aca4674dd157152a062cda92dec23b61e34be502b9095

Download Submit
C:\Windows\SysWOW64\Egllae32.exe

Filesize
219KB

MD5
3eca22ce63d60c89f4a45195b8eac235

SHA1
16bc5f1f9ea4b98e22dad864745db298f9dfd3dd

SHA256
2ab5d11b995523fe6f9686920cb69c25ae11900840fdebee2b0c8e28df8a0600

SHA512
8ee56c33eccda67c87da94cd78361bea79d8c47f666e59a358278f32eae55c8ef7c6050bf6de394fea0aca4674dd157152a062cda92dec23b61e34be502b9095

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
219KB

MD5
25311b5d6372db4125856a683f01f2b8

SHA1
c1d255c8e36b2dedb3b185253113b387821290c0

SHA256
960a2776786016c1d21d59d9e33c80f27e46fca0f0da1055d718c3b6a17c082d

SHA512
d6493638edde67a7eeb1cd630ccddfcd4e46c17752a588bd705627341fa04d47487a31d4e5f336ecab207c6128d0ed9658c1152605d970efa1a519be5f58e8a0

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
219KB

MD5
25311b5d6372db4125856a683f01f2b8

SHA1
c1d255c8e36b2dedb3b185253113b387821290c0

SHA256
960a2776786016c1d21d59d9e33c80f27e46fca0f0da1055d718c3b6a17c082d

SHA512
d6493638edde67a7eeb1cd630ccddfcd4e46c17752a588bd705627341fa04d47487a31d4e5f336ecab207c6128d0ed9658c1152605d970efa1a519be5f58e8a0

Download Submit
C:\Windows\SysWOW64\Emnndlod.exe

Filesize
219KB

MD5
25311b5d6372db4125856a683f01f2b8

SHA1
c1d255c8e36b2dedb3b185253113b387821290c0

SHA256
960a2776786016c1d21d59d9e33c80f27e46fca0f0da1055d718c3b6a17c082d

SHA512
d6493638edde67a7eeb1cd630ccddfcd4e46c17752a588bd705627341fa04d47487a31d4e5f336ecab207c6128d0ed9658c1152605d970efa1a519be5f58e8a0

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
219KB

MD5
fba835c28274bc62d9dd16f7c3838957

SHA1
fe74f14c5151ca5f6d6241475d26448c0f56793e

SHA256
86f68f3d9a80ce6c5209615f43df496ab65e94485a62ac25b847865ee86bc4bd

SHA512
be6f817da56ac14c9f292181c235e85f0733140c6e8f1749a60ca84ab7571b89e197665e51ec7d2730f896bfddb2ff8279c2b77a01c73676fc4acb27d3fd6df6

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
219KB

MD5
fba835c28274bc62d9dd16f7c3838957

SHA1
fe74f14c5151ca5f6d6241475d26448c0f56793e

SHA256
86f68f3d9a80ce6c5209615f43df496ab65e94485a62ac25b847865ee86bc4bd

SHA512
be6f817da56ac14c9f292181c235e85f0733140c6e8f1749a60ca84ab7571b89e197665e51ec7d2730f896bfddb2ff8279c2b77a01c73676fc4acb27d3fd6df6

Download Submit
\Windows\SysWOW64\Cghggc32.exe

Filesize
219KB

MD5
6d76945b808b18aea25b9a071a2cb88a

SHA1
03f5f9a06470e0f40b7b18457f2e2894f9a8bd72

SHA256
89a316b80cb36caf631a5877263ec834fbafc580586ac522045e40bf7078cb98

SHA512
2f68deac454ffca24c4e935d4ad714ebb427a613f8bfd962636c768b2f69a3a0a216656046b2312acd2d3e301edd6e3ddb1891d6d4ae9ad088983db17297f586

Download Submit
\Windows\SysWOW64\Cghggc32.exe

Filesize
219KB

MD5
6d76945b808b18aea25b9a071a2cb88a

SHA1
03f5f9a06470e0f40b7b18457f2e2894f9a8bd72

SHA256
89a316b80cb36caf631a5877263ec834fbafc580586ac522045e40bf7078cb98

SHA512
2f68deac454ffca24c4e935d4ad714ebb427a613f8bfd962636c768b2f69a3a0a216656046b2312acd2d3e301edd6e3ddb1891d6d4ae9ad088983db17297f586

Download Submit
\Windows\SysWOW64\Cnaocmmi.exe

Filesize
219KB

MD5
8bf5c75db66fec2b86c664761cf928e2

SHA1
c2af366a3fecc61db47dd985216095a77bc548c4

SHA256
c6419fe45c04888af8469cd52fdbe1f665ad6728a31a733161621d26f29aa42f

SHA512
3093cd1251d37f0bdde580f804b32ca2f32f3be8048af18421405d29fd11106381a67ce979736f113eca7934fb66e35e74bf09b37d2905957515d49c9a873c91

Download Submit
\Windows\SysWOW64\Cnaocmmi.exe

Filesize
219KB

MD5
8bf5c75db66fec2b86c664761cf928e2

SHA1
c2af366a3fecc61db47dd985216095a77bc548c4

SHA256
c6419fe45c04888af8469cd52fdbe1f665ad6728a31a733161621d26f29aa42f

SHA512
3093cd1251d37f0bdde580f804b32ca2f32f3be8048af18421405d29fd11106381a67ce979736f113eca7934fb66e35e74bf09b37d2905957515d49c9a873c91

Download Submit
\Windows\SysWOW64\Cojema32.exe

Filesize
219KB

MD5
a3210699c36d5af4b4f75ccdd84e0187

SHA1
c0730af1a03eb95586e414f8d3e093aa435f41cf

SHA256
e2e0310316a1c6230c756e375eb6b1ee418ca01cfcd9eba5e164230f054a2c31

SHA512
e474442a33bf385451efca3a8a284674132af8e7dc9181e8e40023c365237ca7edd89b5e75ad7b6c252138e1181161fc893a517d0864192e8ba04f0cda577212

Download Submit
\Windows\SysWOW64\Cojema32.exe

Filesize
219KB

MD5
a3210699c36d5af4b4f75ccdd84e0187

SHA1
c0730af1a03eb95586e414f8d3e093aa435f41cf

SHA256
e2e0310316a1c6230c756e375eb6b1ee418ca01cfcd9eba5e164230f054a2c31

SHA512
e474442a33bf385451efca3a8a284674132af8e7dc9181e8e40023c365237ca7edd89b5e75ad7b6c252138e1181161fc893a517d0864192e8ba04f0cda577212

Download Submit
\Windows\SysWOW64\Dfamcogo.exe

Filesize
219KB

MD5
046a18d15cbe797d9faaaf8a0de4c6c7

SHA1
8a6658913ac9849c505d7f44ee2cb09e53254761

SHA256
a71adf934000fdd9fcbac378862dff27982cb2438fd06e4331fb742392c7ee85

SHA512
a397d8dc989c30d5225ac1bcf85684b9673f39081431015ab15085e2089f3c2249cc7929ebf67bcbf3659e785d3f9cba85494a59f123aba8a43af1826c9741f2

Download Submit
\Windows\SysWOW64\Dfamcogo.exe

Filesize
219KB

MD5
046a18d15cbe797d9faaaf8a0de4c6c7

SHA1
8a6658913ac9849c505d7f44ee2cb09e53254761

SHA256
a71adf934000fdd9fcbac378862dff27982cb2438fd06e4331fb742392c7ee85

SHA512
a397d8dc989c30d5225ac1bcf85684b9673f39081431015ab15085e2089f3c2249cc7929ebf67bcbf3659e785d3f9cba85494a59f123aba8a43af1826c9741f2

Download Submit
\Windows\SysWOW64\Dfffnn32.exe

Filesize
219KB

MD5
d15d2a9a9812526500df664569df28e5

SHA1
0d8ecb25dfbec9d1b4ef7629c2a57aa0ae39ac2a

SHA256
799886408a47a15ebe0d50fb940e3654731e32b994324398ae24e587f9f02834

SHA512
20472979771c5d83cb4753a4f3b6f084368cd80018288bdd7f887333fce2deeaab5e6571a9df9424bb9409557cacfc3663200cf3383bf22224301ceb0178c53a

Download Submit
\Windows\SysWOW64\Dfffnn32.exe

Filesize
219KB

MD5
d15d2a9a9812526500df664569df28e5

SHA1
0d8ecb25dfbec9d1b4ef7629c2a57aa0ae39ac2a

SHA256
799886408a47a15ebe0d50fb940e3654731e32b994324398ae24e587f9f02834

SHA512
20472979771c5d83cb4753a4f3b6f084368cd80018288bdd7f887333fce2deeaab5e6571a9df9424bb9409557cacfc3663200cf3383bf22224301ceb0178c53a

Download Submit
\Windows\SysWOW64\Djklnnaj.exe

Filesize
219KB

MD5
352dcc901aadca2b3686db143673f690

SHA1
005a81b157b42db2c5daf014d5ef24e413388de0

SHA256
0c0bada07d70556490b70c7f364000478cddf000ac576bf8f926e54a739e1101

SHA512
718d0ae330663777f35dd973251669d1060da7ffd7383f1bbd8ccc79006833b19cc0d7bcc963463373869dfa57371a92b4a8cc576dfd315a692faef320548e5e

Download Submit
\Windows\SysWOW64\Djklnnaj.exe

Filesize
219KB

MD5
352dcc901aadca2b3686db143673f690

SHA1
005a81b157b42db2c5daf014d5ef24e413388de0

SHA256
0c0bada07d70556490b70c7f364000478cddf000ac576bf8f926e54a739e1101

SHA512
718d0ae330663777f35dd973251669d1060da7ffd7383f1bbd8ccc79006833b19cc0d7bcc963463373869dfa57371a92b4a8cc576dfd315a692faef320548e5e

Download Submit
\Windows\SysWOW64\Doehqead.exe

Filesize
219KB

MD5
d77569786d5a7e4aeba4cfce178bb43a

SHA1
09274bc298eb8d728840836cd12e47bd33c2d411

SHA256
99c899d426c26b9f2fee5b7ff987e9bf2042e7012f2c08d41c6a2a32ad3b5f41

SHA512
df138d6c8c721a3107a16bf9ec3dd6384f740d6da495a51ed9eddc01e611ee4d49898f43ef89755af861a27c8efb37e0195c15d0442261760d9e1190eba5ef62

Download Submit
\Windows\SysWOW64\Doehqead.exe

Filesize
219KB

MD5
d77569786d5a7e4aeba4cfce178bb43a

SHA1
09274bc298eb8d728840836cd12e47bd33c2d411

SHA256
99c899d426c26b9f2fee5b7ff987e9bf2042e7012f2c08d41c6a2a32ad3b5f41

SHA512
df138d6c8c721a3107a16bf9ec3dd6384f740d6da495a51ed9eddc01e611ee4d49898f43ef89755af861a27c8efb37e0195c15d0442261760d9e1190eba5ef62

Download Submit
\Windows\SysWOW64\Edpmjj32.exe

Filesize
219KB

MD5
f9d4ce3df23dc3fe9a2548fa5eda1561

SHA1
8acc67bdaffafe5d11266a7b715769b450ff0174

SHA256
7f036ce475ad9690b15281b274d76cf154b9ddc754a07dfc8e08675c28f98204

SHA512
bc08110b2c7785efb1e8906881c8914f8c80a45ae135838b554de11a944c7f90d8b5b38b59afd5040cb817d3c5b64012cdc120a193428cd5fefeb84a8dbe9202

Download Submit
\Windows\SysWOW64\Edpmjj32.exe

Filesize
219KB

MD5
f9d4ce3df23dc3fe9a2548fa5eda1561

SHA1
8acc67bdaffafe5d11266a7b715769b450ff0174

SHA256
7f036ce475ad9690b15281b274d76cf154b9ddc754a07dfc8e08675c28f98204

SHA512
bc08110b2c7785efb1e8906881c8914f8c80a45ae135838b554de11a944c7f90d8b5b38b59afd5040cb817d3c5b64012cdc120a193428cd5fefeb84a8dbe9202

Download Submit
\Windows\SysWOW64\Egjpkffe.exe

Filesize
219KB

MD5
fe84520f3e3ce9e29fb34599adcf54de

SHA1
217bc767b91485241403eb70ae8f1d5c40fe490a

SHA256
47c96a9de64753d1a820496d7973555d5c7929b0bfbd86792f0c5349e6a73224

SHA512
87a43157862ee6ad490cf359f2795500d97fa5fdaf14e4eb91f34f684b3175a89b70deabdade41acb629c2f6db90b72958c13d55fc5f80b4b035300c56bd6783

Download Submit
\Windows\SysWOW64\Egjpkffe.exe

Filesize
219KB

MD5
fe84520f3e3ce9e29fb34599adcf54de

SHA1
217bc767b91485241403eb70ae8f1d5c40fe490a

SHA256
47c96a9de64753d1a820496d7973555d5c7929b0bfbd86792f0c5349e6a73224

SHA512
87a43157862ee6ad490cf359f2795500d97fa5fdaf14e4eb91f34f684b3175a89b70deabdade41acb629c2f6db90b72958c13d55fc5f80b4b035300c56bd6783

Download Submit
\Windows\SysWOW64\Egllae32.exe

Filesize
219KB

MD5
3eca22ce63d60c89f4a45195b8eac235

SHA1
16bc5f1f9ea4b98e22dad864745db298f9dfd3dd

SHA256
2ab5d11b995523fe6f9686920cb69c25ae11900840fdebee2b0c8e28df8a0600

SHA512
8ee56c33eccda67c87da94cd78361bea79d8c47f666e59a358278f32eae55c8ef7c6050bf6de394fea0aca4674dd157152a062cda92dec23b61e34be502b9095

Download Submit
\Windows\SysWOW64\Egllae32.exe

Filesize
219KB

MD5
3eca22ce63d60c89f4a45195b8eac235

SHA1
16bc5f1f9ea4b98e22dad864745db298f9dfd3dd

SHA256
2ab5d11b995523fe6f9686920cb69c25ae11900840fdebee2b0c8e28df8a0600

SHA512
8ee56c33eccda67c87da94cd78361bea79d8c47f666e59a358278f32eae55c8ef7c6050bf6de394fea0aca4674dd157152a062cda92dec23b61e34be502b9095

Download Submit
\Windows\SysWOW64\Emnndlod.exe

Filesize
219KB

MD5
25311b5d6372db4125856a683f01f2b8

SHA1
c1d255c8e36b2dedb3b185253113b387821290c0

SHA256
960a2776786016c1d21d59d9e33c80f27e46fca0f0da1055d718c3b6a17c082d

SHA512
d6493638edde67a7eeb1cd630ccddfcd4e46c17752a588bd705627341fa04d47487a31d4e5f336ecab207c6128d0ed9658c1152605d970efa1a519be5f58e8a0

Download Submit
\Windows\SysWOW64\Emnndlod.exe

Filesize
219KB

MD5
25311b5d6372db4125856a683f01f2b8

SHA1
c1d255c8e36b2dedb3b185253113b387821290c0

SHA256
960a2776786016c1d21d59d9e33c80f27e46fca0f0da1055d718c3b6a17c082d

SHA512
d6493638edde67a7eeb1cd630ccddfcd4e46c17752a588bd705627341fa04d47487a31d4e5f336ecab207c6128d0ed9658c1152605d970efa1a519be5f58e8a0

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
219KB

MD5
fba835c28274bc62d9dd16f7c3838957

SHA1
fe74f14c5151ca5f6d6241475d26448c0f56793e

SHA256
86f68f3d9a80ce6c5209615f43df496ab65e94485a62ac25b847865ee86bc4bd

SHA512
be6f817da56ac14c9f292181c235e85f0733140c6e8f1749a60ca84ab7571b89e197665e51ec7d2730f896bfddb2ff8279c2b77a01c73676fc4acb27d3fd6df6

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
219KB

MD5
fba835c28274bc62d9dd16f7c3838957

SHA1
fe74f14c5151ca5f6d6241475d26448c0f56793e

SHA256
86f68f3d9a80ce6c5209615f43df496ab65e94485a62ac25b847865ee86bc4bd

SHA512
be6f817da56ac14c9f292181c235e85f0733140c6e8f1749a60ca84ab7571b89e197665e51ec7d2730f896bfddb2ff8279c2b77a01c73676fc4acb27d3fd6df6

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
219KB

MD5
fba835c28274bc62d9dd16f7c3838957

SHA1
fe74f14c5151ca5f6d6241475d26448c0f56793e

SHA256
86f68f3d9a80ce6c5209615f43df496ab65e94485a62ac25b847865ee86bc4bd

SHA512
be6f817da56ac14c9f292181c235e85f0733140c6e8f1749a60ca84ab7571b89e197665e51ec7d2730f896bfddb2ff8279c2b77a01c73676fc4acb27d3fd6df6

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
219KB

MD5
fba835c28274bc62d9dd16f7c3838957

SHA1
fe74f14c5151ca5f6d6241475d26448c0f56793e

SHA256
86f68f3d9a80ce6c5209615f43df496ab65e94485a62ac25b847865ee86bc4bd

SHA512
be6f817da56ac14c9f292181c235e85f0733140c6e8f1749a60ca84ab7571b89e197665e51ec7d2730f896bfddb2ff8279c2b77a01c73676fc4acb27d3fd6df6

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
219KB

MD5
fba835c28274bc62d9dd16f7c3838957

SHA1
fe74f14c5151ca5f6d6241475d26448c0f56793e

SHA256
86f68f3d9a80ce6c5209615f43df496ab65e94485a62ac25b847865ee86bc4bd

SHA512
be6f817da56ac14c9f292181c235e85f0733140c6e8f1749a60ca84ab7571b89e197665e51ec7d2730f896bfddb2ff8279c2b77a01c73676fc4acb27d3fd6df6

Download Submit
\Windows\SysWOW64\Fkckeh32.exe

Filesize
219KB

MD5
fba835c28274bc62d9dd16f7c3838957

SHA1
fe74f14c5151ca5f6d6241475d26448c0f56793e

SHA256
86f68f3d9a80ce6c5209615f43df496ab65e94485a62ac25b847865ee86bc4bd

SHA512
be6f817da56ac14c9f292181c235e85f0733140c6e8f1749a60ca84ab7571b89e197665e51ec7d2730f896bfddb2ff8279c2b77a01c73676fc4acb27d3fd6df6

Download Submit
memory/336-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/756-156-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/756-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1252-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1912-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-178-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-136-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2400-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2492-102-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2492-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-128-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2532-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-177-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2532-116-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2568-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2756-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-98-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2804-92-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2804-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-62-0x00000000002C0000-0x00000000002EF000-memory.dmp

Filesize
188KB

Download
memory/2944-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2944-6-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/2944-13-0x00000000001C0000-0x00000000001EF000-memory.dmp

Filesize
188KB

Download
memory/2944-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads