8c4188f7f452a3e67a349bae44a94b1c996ca33dacee3a541f46496baa6d2375

Analysis

max time kernel
65s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Size

269KB
MD5

c73418ffbe860d05103170e9193ca2b0
SHA1

648b49c462c9e452a55654f8a2b115ed320e0dad
SHA256

8c4188f7f452a3e67a349bae44a94b1c996ca33dacee3a541f46496baa6d2375
SHA512

22897e0124adb8e04dbccd86539cf63e074efa3e9b758ee9c76ae973882e0706cf0be0f6a3098882017388dce1ad2d8d0b2210f95be5389b56de17b91b3cee82
SSDEEP

6144:qfdXXSuj2EKyNDu22HDX4EYtCwGtMtkiXOoloMr1JeSldqP7+x55Kmj50GXoCcmP:2dSw8yNy2DChtMtkM71r1MSXqPix55KO

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amfobp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calfpk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aalmimfd.exe

Malware Backdoor - Berbew 29 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x000800000002304d-6.dat	family_berbew
behavioral2/files/0x000800000002304d-8.dat	family_berbew
behavioral2/files/0x0007000000023051-14.dat	family_berbew
behavioral2/files/0x0007000000023051-16.dat	family_berbew
behavioral2/files/0x0007000000023053-22.dat	family_berbew
behavioral2/files/0x0007000000023053-24.dat	family_berbew
behavioral2/files/0x0007000000023057-30.dat	family_berbew
behavioral2/files/0x0007000000023057-32.dat	family_berbew
behavioral2/files/0x0007000000023064-38.dat	family_berbew
behavioral2/files/0x0007000000023064-40.dat	family_berbew
behavioral2/files/0x000600000002308f-46.dat	family_berbew
behavioral2/files/0x000600000002308f-48.dat	family_berbew
behavioral2/files/0x0006000000023091-54.dat	family_berbew
behavioral2/files/0x0006000000023091-56.dat	family_berbew
behavioral2/files/0x0006000000023093-62.dat	family_berbew
behavioral2/files/0x0006000000023093-64.dat	family_berbew
behavioral2/files/0x0006000000023095-70.dat	family_berbew
behavioral2/files/0x0006000000023095-72.dat	family_berbew
behavioral2/files/0x0006000000023097-74.dat	family_berbew
behavioral2/files/0x0006000000023097-78.dat	family_berbew
behavioral2/files/0x0006000000023097-80.dat	family_berbew
behavioral2/files/0x0006000000023099-86.dat	family_berbew
behavioral2/files/0x0006000000023099-88.dat	family_berbew
behavioral2/files/0x000600000002309b-94.dat	family_berbew
behavioral2/files/0x000600000002309b-96.dat	family_berbew
behavioral2/files/0x000600000002309d-102.dat	family_berbew
behavioral2/files/0x000600000002309d-104.dat	family_berbew
behavioral2/files/0x000600000002309f-110.dat	family_berbew
behavioral2/files/0x000600000002309f-112.dat	family_berbew

Executes dropped EXE 14 IoCs

pid	Process
3868	Kbhmbdle.exe
1248	Mfenglqf.exe
964	Nmfmde32.exe
4160	Pcpnhl32.exe
4276	Pfhmjf32.exe
3588	Amfobp32.exe
3900	Ajohfcpj.exe
2460	Aalmimfd.exe
3532	Bpcgpihi.exe
1996	Cmnnimak.exe
792	Calfpk32.exe
2700	Ccppmc32.exe
2040	Cpcpfg32.exe
2436	Diqnjl32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mfenglqf.exe	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Nmfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bpcgpihi.exe
File opened for modification	C:\Windows\SysWOW64\Aalmimfd.exe	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Dccfkp32.dll	Ajohfcpj.exe
File opened for modification	C:\Windows\SysWOW64\Bpcgpihi.exe	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Kbhmbdle.exe	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
File created	C:\Windows\SysWOW64\Inpoggcb.dll	Pfhmjf32.exe
File created	C:\Windows\SysWOW64\Gpeipb32.dll	Amfobp32.exe
File created	C:\Windows\SysWOW64\Aalmimfd.exe	Ajohfcpj.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Eafbac32.dll	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Ccppmc32.exe	Calfpk32.exe
File opened for modification	C:\Windows\SysWOW64\Mfenglqf.exe	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Ajohfcpj.exe	Amfobp32.exe
File created	C:\Windows\SysWOW64\Adppeapp.dll	Bpcgpihi.exe
File opened for modification	C:\Windows\SysWOW64\Calfpk32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bpcgpihi.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Nmfmde32.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pcpnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Amfobp32.exe	Pfhmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajohfcpj.exe	Amfobp32.exe
File opened for modification	C:\Windows\SysWOW64\Nmfmde32.exe	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Elekoe32.dll	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Calfpk32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Ccppmc32.exe	Calfpk32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Cpcpfg32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Kbhmbdle.exe	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
File created	C:\Windows\SysWOW64\Nmfmde32.exe	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Qidpon32.dll	Mfenglqf.exe
File created	C:\Windows\SysWOW64\Lfgnho32.dll	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Dndhqgbm.dll	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Aalmimfd.exe
File created	C:\Windows\SysWOW64\Jnblgj32.dll	Calfpk32.exe
File created	C:\Windows\SysWOW64\Cpcpfg32.exe	Ccppmc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpcpfg32.exe	Ccppmc32.exe
File created	C:\Windows\SysWOW64\Mdcajc32.dll	Kbhmbdle.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Nmfmde32.exe
File opened for modification	C:\Windows\SysWOW64\Pfhmjf32.exe	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Amfobp32.exe	Pfhmjf32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3060	2436	WerFault.exe	96
3300	2436	WerFault.exe	96

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dndhqgbm.dll"	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpeipb32.dll"	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amfobp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbhmbdle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccppmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajohfcpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elekoe32.dll"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qidpon32.dll"	Mfenglqf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mfenglqf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Calfpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcajc32.dll"	Kbhmbdle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inpoggcb.dll"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfkp32.dll"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafbac32.dll"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnblgj32.dll"	Calfpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpcpfg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	NEAS.c73418ffbe860d05103170e9193ca2b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nmfmde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcpnhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll"	Nmfmde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajohfcpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbpjm32.dll"	Ccppmc32.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 3868	3748	NEAS.c73418ffbe860d05103170e9193ca2b0.exe	83
PID 3748 wrote to memory of 3868	3748	NEAS.c73418ffbe860d05103170e9193ca2b0.exe	83
PID 3748 wrote to memory of 3868	3748	NEAS.c73418ffbe860d05103170e9193ca2b0.exe	83
PID 3868 wrote to memory of 1248	3868	Kbhmbdle.exe	84
PID 3868 wrote to memory of 1248	3868	Kbhmbdle.exe	84
PID 3868 wrote to memory of 1248	3868	Kbhmbdle.exe	84
PID 1248 wrote to memory of 964	1248	Mfenglqf.exe	85
PID 1248 wrote to memory of 964	1248	Mfenglqf.exe	85
PID 1248 wrote to memory of 964	1248	Mfenglqf.exe	85
PID 964 wrote to memory of 4160	964	Nmfmde32.exe	86
PID 964 wrote to memory of 4160	964	Nmfmde32.exe	86
PID 964 wrote to memory of 4160	964	Nmfmde32.exe	86
PID 4160 wrote to memory of 4276	4160	Pcpnhl32.exe	87
PID 4160 wrote to memory of 4276	4160	Pcpnhl32.exe	87
PID 4160 wrote to memory of 4276	4160	Pcpnhl32.exe	87
PID 4276 wrote to memory of 3588	4276	Pfhmjf32.exe	88
PID 4276 wrote to memory of 3588	4276	Pfhmjf32.exe	88
PID 4276 wrote to memory of 3588	4276	Pfhmjf32.exe	88
PID 3588 wrote to memory of 3900	3588	Amfobp32.exe	89
PID 3588 wrote to memory of 3900	3588	Amfobp32.exe	89
PID 3588 wrote to memory of 3900	3588	Amfobp32.exe	89
PID 3900 wrote to memory of 2460	3900	Ajohfcpj.exe	90
PID 3900 wrote to memory of 2460	3900	Ajohfcpj.exe	90
PID 3900 wrote to memory of 2460	3900	Ajohfcpj.exe	90
PID 2460 wrote to memory of 3532	2460	Aalmimfd.exe	91
PID 2460 wrote to memory of 3532	2460	Aalmimfd.exe	91
PID 2460 wrote to memory of 3532	2460	Aalmimfd.exe	91
PID 3532 wrote to memory of 1996	3532	Bpcgpihi.exe	92
PID 3532 wrote to memory of 1996	3532	Bpcgpihi.exe	92
PID 3532 wrote to memory of 1996	3532	Bpcgpihi.exe	92
PID 1996 wrote to memory of 792	1996	Cmnnimak.exe	93
PID 1996 wrote to memory of 792	1996	Cmnnimak.exe	93
PID 1996 wrote to memory of 792	1996	Cmnnimak.exe	93
PID 792 wrote to memory of 2700	792	Calfpk32.exe	94
PID 792 wrote to memory of 2700	792	Calfpk32.exe	94
PID 792 wrote to memory of 2700	792	Calfpk32.exe	94
PID 2700 wrote to memory of 2040	2700	Ccppmc32.exe	95
PID 2700 wrote to memory of 2040	2700	Ccppmc32.exe	95
PID 2700 wrote to memory of 2040	2700	Ccppmc32.exe	95
PID 2040 wrote to memory of 2436	2040	Cpcpfg32.exe	96
PID 2040 wrote to memory of 2436	2040	Cpcpfg32.exe	96
PID 2040 wrote to memory of 2436	2040	Cpcpfg32.exe	96
PID 2436 wrote to memory of 3060	2436	Diqnjl32.exe	101
PID 2436 wrote to memory of 3060	2436	Diqnjl32.exe	101
PID 2436 wrote to memory of 3060	2436	Diqnjl32.exe	101

C:\Users\Admin\AppData\Local\Temp\NEAS.c73418ffbe860d05103170e9193ca2b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.c73418ffbe860d05103170e9193ca2b0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Windows\SysWOW64\Kbhmbdle.exe
  C:\Windows\system32\Kbhmbdle.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3868
- - C:\Windows\SysWOW64\Mfenglqf.exe
    C:\Windows\system32\Mfenglqf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1248
  - - C:\Windows\SysWOW64\Nmfmde32.exe
      C:\Windows\system32\Nmfmde32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:964
    - - C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4160
      - C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Amfobp32.exe
        
        C:\Windows\system32\Amfobp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Ajohfcpj.exe
        
        C:\Windows\system32\Ajohfcpj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3532
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Calfpk32.exe
        
        C:\Windows\system32\Calfpk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\SysWOW64\Ccppmc32.exe
        
        C:\Windows\system32\Ccppmc32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Cpcpfg32.exe
        
        C:\Windows\system32\Cpcpfg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 420
        16⤵
        Program crash
        
        PID:3060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 420
        16⤵
        Program crash
        
        PID:3300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2436 -ip 2436
1⤵
PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
269KB

MD5
58382496edc049b07a8d5995b3dd6165

SHA1
14a64cb55ddb79653155978e71c98a94d7e4b45a

SHA256
4d3f140d80bff8b06484a8741fd341329af9396115889807e221136d619fb6fc

SHA512
ff8c50aaa188af1d0eeab82d031c8a3af326bcb69fe35f6797be4b1fde554facbd1442ab3f94f03194eb806d1a9f315e79a1d01633e09c3899984bb362d97c80

Download Submit
C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
269KB

MD5
58382496edc049b07a8d5995b3dd6165

SHA1
14a64cb55ddb79653155978e71c98a94d7e4b45a

SHA256
4d3f140d80bff8b06484a8741fd341329af9396115889807e221136d619fb6fc

SHA512
ff8c50aaa188af1d0eeab82d031c8a3af326bcb69fe35f6797be4b1fde554facbd1442ab3f94f03194eb806d1a9f315e79a1d01633e09c3899984bb362d97c80

Download Submit
C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
269KB

MD5
3fe8fe7fa3cf7d2ef5436f9653b6b207

SHA1
38183b9496beeda8f1e9fa5a372811151aa690f7

SHA256
9126aad9a6827dec2d8ec8d3a7416536313f79a7a4c292cc222bfdee4e88fae0

SHA512
fc820ace9b086df3317d36cf72c77055aad26dac004e032e36c6b27b377b54ee6daeb58cb67a4a8330d0b24be7cb385f0f8a2479aee52f7f91a1b9abc7269346

Download Submit
C:\Windows\SysWOW64\Ajohfcpj.exe

Filesize
269KB

MD5
3fe8fe7fa3cf7d2ef5436f9653b6b207

SHA1
38183b9496beeda8f1e9fa5a372811151aa690f7

SHA256
9126aad9a6827dec2d8ec8d3a7416536313f79a7a4c292cc222bfdee4e88fae0

SHA512
fc820ace9b086df3317d36cf72c77055aad26dac004e032e36c6b27b377b54ee6daeb58cb67a4a8330d0b24be7cb385f0f8a2479aee52f7f91a1b9abc7269346

Download Submit
C:\Windows\SysWOW64\Amfobp32.exe

Filesize
269KB

MD5
c383fed7f1770c83fd9bb5f6c82ad44d

SHA1
abfe6cd57864ebfa316e583cfbd0b35477e5643e

SHA256
248fc47d60af475750f46cfc448fd4ed40b11a96a62a526141febee2fd445695

SHA512
3096b29ff5afc17998d573d87b8391be64c11498bef4ca6f46e6e04b8f641d4d93a258816563ddf4590b339928f65addbf5ab9ffb91086333e074785e609b23c

Download Submit
C:\Windows\SysWOW64\Amfobp32.exe

Filesize
269KB

MD5
c383fed7f1770c83fd9bb5f6c82ad44d

SHA1
abfe6cd57864ebfa316e583cfbd0b35477e5643e

SHA256
248fc47d60af475750f46cfc448fd4ed40b11a96a62a526141febee2fd445695

SHA512
3096b29ff5afc17998d573d87b8391be64c11498bef4ca6f46e6e04b8f641d4d93a258816563ddf4590b339928f65addbf5ab9ffb91086333e074785e609b23c

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
269KB

MD5
7911f84b888ad3607bef68864bc01936

SHA1
b30bbbd1622eca3c7a19833db30afd9df30e8fa1

SHA256
f569b4fae7bf639b95c6cc5b2ce4773c24ab1938704fdc1f9b40e197bca96424

SHA512
7cec8e0de60a234ed9db1b0aac397836792f9c3751bfb2577da0d15b284289a07ca49dda9b36d8d037605d2364ed8d7c4c6c86040b458e746a61f634bc4161fe

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
269KB

MD5
7911f84b888ad3607bef68864bc01936

SHA1
b30bbbd1622eca3c7a19833db30afd9df30e8fa1

SHA256
f569b4fae7bf639b95c6cc5b2ce4773c24ab1938704fdc1f9b40e197bca96424

SHA512
7cec8e0de60a234ed9db1b0aac397836792f9c3751bfb2577da0d15b284289a07ca49dda9b36d8d037605d2364ed8d7c4c6c86040b458e746a61f634bc4161fe

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
269KB

MD5
8ec56466361f38a4c1c25a4fa843cebc

SHA1
4cbb8752089ad5e1cc6495835953e040adc2baf5

SHA256
d75a4766f369616682d254ec97f4bb7cc923d48ae6ed9c1234e3afcd595acd9d

SHA512
2f44c90bc1fb4aaf19f2a3b9a25d7b0a91d2768351441c6394b19a348ce51d2ed6ba25733f0b0bcbbfff7532d5dcd1ec05068729a5863e72e542f00243258b50

Download Submit
C:\Windows\SysWOW64\Calfpk32.exe

Filesize
269KB

MD5
8ec56466361f38a4c1c25a4fa843cebc

SHA1
4cbb8752089ad5e1cc6495835953e040adc2baf5

SHA256
d75a4766f369616682d254ec97f4bb7cc923d48ae6ed9c1234e3afcd595acd9d

SHA512
2f44c90bc1fb4aaf19f2a3b9a25d7b0a91d2768351441c6394b19a348ce51d2ed6ba25733f0b0bcbbfff7532d5dcd1ec05068729a5863e72e542f00243258b50

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
269KB

MD5
42ee031c091f8033caac38c5a5ec810d

SHA1
6db2e698814c5bc424ce6a0447d9fec52ca40d3c

SHA256
92d364da7869cf8c9698da3445dae52730716399e9b4346314f83bdc3539fd0d

SHA512
c0a350dab854947563507b412e8a338fd50a7c6ff8fcd510252b311a593a15e8f198d80e14f1cfe9caec253ed0da421602f180c5324445ded753c0e5add6125b

Download Submit
C:\Windows\SysWOW64\Ccppmc32.exe

Filesize
269KB

MD5
42ee031c091f8033caac38c5a5ec810d

SHA1
6db2e698814c5bc424ce6a0447d9fec52ca40d3c

SHA256
92d364da7869cf8c9698da3445dae52730716399e9b4346314f83bdc3539fd0d

SHA512
c0a350dab854947563507b412e8a338fd50a7c6ff8fcd510252b311a593a15e8f198d80e14f1cfe9caec253ed0da421602f180c5324445ded753c0e5add6125b

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
128KB

MD5
8f1705c703ee06f153bf132868ccfbaf

SHA1
a497cfe6653db9824c15c5f6f2dcd65076ba8228

SHA256
5ea8610659f56a3a892dcdf52049670d5e528fa51fceb3a9fed5f72a9f518b87

SHA512
bd1c0068a5dc8585c9e482265c23a4bddd9be5e2d0f1b447a786faa36b94f8fcb0736fa830b11337a25df70326cec62a9a0a86fc9b2d69803b8e8fdf9cb85dd6

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
269KB

MD5
c1a646096520603c761de02db4eba74a

SHA1
54649e31e147832197a5e8ee842b98b0b3ca0690

SHA256
cee2d61fe76c67ba80cb1e6e97dd9517688f3a9f07b28d722c44afbf6e6860ef

SHA512
0e89ace8c71ca2ca1aa7c813bd2e29c8e2e0684cf8f2cfaff08da7265aaa736f68b3ebbbca0161a422c7c3dfa4ea85a6049d4f5f83a055b2d35bec05efe6bf7f

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
269KB

MD5
c1a646096520603c761de02db4eba74a

SHA1
54649e31e147832197a5e8ee842b98b0b3ca0690

SHA256
cee2d61fe76c67ba80cb1e6e97dd9517688f3a9f07b28d722c44afbf6e6860ef

SHA512
0e89ace8c71ca2ca1aa7c813bd2e29c8e2e0684cf8f2cfaff08da7265aaa736f68b3ebbbca0161a422c7c3dfa4ea85a6049d4f5f83a055b2d35bec05efe6bf7f

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
269KB

MD5
032c111d2f9c50d7dcd13b25340e82a0

SHA1
ae14a5a1e921e4b854318f19a8b4226c00ab081f

SHA256
a3cb25a690f44b221d47ed282f3a438bb2e733c039eda7d2177372316ea9c706

SHA512
56257f58546338ad04ded10508cfb9a83b99223c452d64ca3d75122e34c73d69c8d197d04a9c468dea47bd0402156ec222963723c5c757256a792ea55c886a01

Download Submit
C:\Windows\SysWOW64\Cpcpfg32.exe

Filesize
269KB

MD5
032c111d2f9c50d7dcd13b25340e82a0

SHA1
ae14a5a1e921e4b854318f19a8b4226c00ab081f

SHA256
a3cb25a690f44b221d47ed282f3a438bb2e733c039eda7d2177372316ea9c706

SHA512
56257f58546338ad04ded10508cfb9a83b99223c452d64ca3d75122e34c73d69c8d197d04a9c468dea47bd0402156ec222963723c5c757256a792ea55c886a01

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
269KB

MD5
af8e07c8c5c519aaaa525c146468e953

SHA1
d9517193714da0d717c1a00ac0e2e5bb69492be9

SHA256
d1d4e2dfd1ff8f532d39aacf96ab4d08294731a81297d058a964cfe2563ef582

SHA512
38d1bc173590c34576035846049766e27156fd99b6760bf2b02912d3aeb4cfbee09ff008e56a6ab426080b41e2ee887db2bd2b2e9c45e6a5af13d57b7f655cbd

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
269KB

MD5
af8e07c8c5c519aaaa525c146468e953

SHA1
d9517193714da0d717c1a00ac0e2e5bb69492be9

SHA256
d1d4e2dfd1ff8f532d39aacf96ab4d08294731a81297d058a964cfe2563ef582

SHA512
38d1bc173590c34576035846049766e27156fd99b6760bf2b02912d3aeb4cfbee09ff008e56a6ab426080b41e2ee887db2bd2b2e9c45e6a5af13d57b7f655cbd

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
269KB

MD5
56a1c0b3c5a949354d0f08672521535e

SHA1
d8a46b632df614921c4ee527b26ec2105756ed36

SHA256
c712be52bd932221b504f944fb77d3e2dcdc1b14fbfb37357eb37d9e3e0af999

SHA512
fa8c5101eeafd79c5ab2b856d9d15c0a4fb4f746e83f39b0e90b152ba9d99eced4f22bdf0d6a2b0e522da7c8472859d0015def4607a3702f21718828b9ca9179

Download Submit
C:\Windows\SysWOW64\Kbhmbdle.exe

Filesize
269KB

MD5
56a1c0b3c5a949354d0f08672521535e

SHA1
d8a46b632df614921c4ee527b26ec2105756ed36

SHA256
c712be52bd932221b504f944fb77d3e2dcdc1b14fbfb37357eb37d9e3e0af999

SHA512
fa8c5101eeafd79c5ab2b856d9d15c0a4fb4f746e83f39b0e90b152ba9d99eced4f22bdf0d6a2b0e522da7c8472859d0015def4607a3702f21718828b9ca9179

Download Submit
C:\Windows\SysWOW64\Lfgnho32.dll

Filesize
7KB

MD5
943472f4912df8882812a28483e93b23

SHA1
b0755e0db3f9a52b0817a0beee9e22adf35c7285

SHA256
25c472055a4f3a1e2fd10a5cbd60ce8e5d5134ff86989ee75875af135e096b86

SHA512
16bf9c53c53ccaecb455a3e3141d43e819ab425c9158b3e37db435fafb9d83f9fa605f5a3338d37965c46ad492886d37b9bdf1be006ef3400973a13fb7b0426a

Download Submit
C:\Windows\SysWOW64\Mfenglqf.exe

Filesize
269KB

MD5
85e9d20391746dff1f30a926d491fea3

SHA1
b5b955f10de9c3a6949891a51e762dd6fdd3c289

SHA256
6ead33c7d1175cdf2c6525b1d1c664f260f70c5f001f2829907db5d84c720bec

SHA512
822db17d53c0eaf047bcfd81f7f4768bcdcc4e502bd1b6d42a13970ce5de05672abc913af244929feed9689bb65782c53a822416b072297f18b4c6bee19fa162

Download Submit
C:\Windows\SysWOW64\Mfenglqf.exe

Filesize
269KB

MD5
85e9d20391746dff1f30a926d491fea3

SHA1
b5b955f10de9c3a6949891a51e762dd6fdd3c289

SHA256
6ead33c7d1175cdf2c6525b1d1c664f260f70c5f001f2829907db5d84c720bec

SHA512
822db17d53c0eaf047bcfd81f7f4768bcdcc4e502bd1b6d42a13970ce5de05672abc913af244929feed9689bb65782c53a822416b072297f18b4c6bee19fa162

Download Submit
C:\Windows\SysWOW64\Nmfmde32.exe

Filesize
269KB

MD5
3b00584de617a5bebbc6f423f51188d0

SHA1
ce4ee8a1b6e553ab86007062a9b5acd8d1579a8d

SHA256
752c111da0610707aa948336657c2d47ce09ea6688bf386435dbcf06f8b070a0

SHA512
a7eb01399f2fa6817ca481ecad6498db57f51a1c5aceb13fd9f8df8ee4f012fada820a11dd51c83aa8d7081259420d53bd7bef86a41a28b03a0848b98a619be0

Download Submit
C:\Windows\SysWOW64\Nmfmde32.exe

Filesize
269KB

MD5
3b00584de617a5bebbc6f423f51188d0

SHA1
ce4ee8a1b6e553ab86007062a9b5acd8d1579a8d

SHA256
752c111da0610707aa948336657c2d47ce09ea6688bf386435dbcf06f8b070a0

SHA512
a7eb01399f2fa6817ca481ecad6498db57f51a1c5aceb13fd9f8df8ee4f012fada820a11dd51c83aa8d7081259420d53bd7bef86a41a28b03a0848b98a619be0

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
269KB

MD5
22016195665374ad6451288734ec7a43

SHA1
6e668b0fba91fd548e0f87f7d7665c45536399e8

SHA256
1de6b0dcf0c347eddef1eaf6fb3ad0b59ec69d998879b16146c45ee4c593b491

SHA512
fb9c68a34dad19fde702b8ff424280fbc3a3b15ea7afb5c9a4cde4a38a18bf1c08c435fce90faa703f4a5acef4e7468d3b758cafcbe26dd5eb1852c482cbf0cd

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
269KB

MD5
22016195665374ad6451288734ec7a43

SHA1
6e668b0fba91fd548e0f87f7d7665c45536399e8

SHA256
1de6b0dcf0c347eddef1eaf6fb3ad0b59ec69d998879b16146c45ee4c593b491

SHA512
fb9c68a34dad19fde702b8ff424280fbc3a3b15ea7afb5c9a4cde4a38a18bf1c08c435fce90faa703f4a5acef4e7468d3b758cafcbe26dd5eb1852c482cbf0cd

Download Submit
C:\Windows\SysWOW64\Pfhmjf32.exe

Filesize
269KB

MD5
4897991ec90a10e4906e61aac2597e37

SHA1
7799d6e1829bdd416d6575f2b4b79ec2ea1016af

SHA256
5d2074a80d19862d7351665fae17b0be8b62af5985f61035d62eafedb53d54c6

SHA512
3105efcf0189ae62ef2ecef999a5a20f0a56ad8594bb1e0dd3f2902b01a9d7cf1ba588a46510bb89f4e91b0c66301f41f8119101c6e832e13eddc8ae59fd99f3

Download Submit
C:\Windows\SysWOW64\Pfhmjf32.exe

Filesize
269KB

MD5
4897991ec90a10e4906e61aac2597e37

SHA1
7799d6e1829bdd416d6575f2b4b79ec2ea1016af

SHA256
5d2074a80d19862d7351665fae17b0be8b62af5985f61035d62eafedb53d54c6

SHA512
3105efcf0189ae62ef2ecef999a5a20f0a56ad8594bb1e0dd3f2902b01a9d7cf1ba588a46510bb89f4e91b0c66301f41f8119101c6e832e13eddc8ae59fd99f3

Download Submit
memory/792-87-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1996-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2040-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2460-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2700-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3532-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3588-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3588-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3748-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3868-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3868-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3900-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4276-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4276-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads