bd61cc960e2ccbaf3e7b814bcb4d492b23459931df20fd90a93ef6296ae6445a

Analysis

max time kernel
138s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2023, 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.03c9baf8c968d7f40eec298c11104550.exe
Size

3.2MB
MD5

03c9baf8c968d7f40eec298c11104550
SHA1

7a8b0f54d74ac753f5eb9f35efe6be979ce06463
SHA256

bd61cc960e2ccbaf3e7b814bcb4d492b23459931df20fd90a93ef6296ae6445a
SHA512

1b3344265bb965effa7445f940aecfc55307ad7561e154a7dd4d42ff35db446a655b794b97d0caa796a5e051ef8d0c39e7afdc30e59b575d227fe3f4d08faf2e
SSDEEP

98304:xjalBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NT/YUugy:YlBFLPj3JStuv40ar7zrbDlsa2VIlPWH

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.03c9baf8c968d7f40eec298c11104550.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.03c9baf8c968d7f40eec298c11104550.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbonoghb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmladm32.exe

Malware Backdoor - Berbew 32 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x0008000000022d73-7.dat	family_berbew
behavioral2/files/0x0006000000022d7e-15.dat	family_berbew
behavioral2/files/0x0006000000022d80-17.dat	family_berbew
behavioral2/files/0x0006000000022d80-22.dat	family_berbew
behavioral2/files/0x0006000000022d80-23.dat	family_berbew
behavioral2/files/0x0006000000022d84-30.dat	family_berbew
behavioral2/files/0x0006000000022d86-38.dat	family_berbew
behavioral2/files/0x0006000000022d86-40.dat	family_berbew
behavioral2/files/0x0007000000022d77-47.dat	family_berbew
behavioral2/files/0x0006000000022d89-54.dat	family_berbew
behavioral2/files/0x0006000000022d8b-63.dat	family_berbew
behavioral2/files/0x0006000000022d8d-65.dat	family_berbew
behavioral2/files/0x0006000000022d8b-62.dat	family_berbew
behavioral2/files/0x0006000000022d89-55.dat	family_berbew
behavioral2/files/0x0007000000022d77-46.dat	family_berbew
behavioral2/files/0x0006000000022d84-31.dat	family_berbew
behavioral2/files/0x0006000000022d7e-14.dat	family_berbew
behavioral2/files/0x0008000000022d73-6.dat	family_berbew
behavioral2/files/0x0006000000022d8d-71.dat	family_berbew
behavioral2/files/0x0006000000022d8d-70.dat	family_berbew
behavioral2/files/0x0006000000022d8f-78.dat	family_berbew
behavioral2/files/0x0006000000022d8f-80.dat	family_berbew
behavioral2/files/0x0006000000022d91-86.dat	family_berbew
behavioral2/files/0x0006000000022d91-87.dat	family_berbew
behavioral2/files/0x0006000000022d91-81.dat	family_berbew
behavioral2/files/0x0006000000022d93-95.dat	family_berbew
behavioral2/files/0x0006000000022d95-97.dat	family_berbew
behavioral2/files/0x0006000000022d93-94.dat	family_berbew
behavioral2/files/0x0006000000022d95-102.dat	family_berbew
behavioral2/files/0x0006000000022d97-110.dat	family_berbew
behavioral2/files/0x0006000000022d97-111.dat	family_berbew
behavioral2/files/0x0006000000022d95-103.dat	family_berbew

Executes dropped EXE 14 IoCs

pid	Process
2632	Oqhoeb32.exe
1804	Ocihgnam.exe
5096	Ockdmmoj.exe
4700	Ocnabm32.exe
4988	Pjjfdfbb.exe
2100	BackgroundTransferHost.exe
2008	Pplhhm32.exe
640	Pciqnk32.exe
4860	Qbonoghb.exe
3560	Bpedeiff.exe
3984	Bmladm32.exe
2308	Cmnnimak.exe
2472	Ckggnp32.exe
1188	Diqnjl32.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Qahlom32.dll	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Oqhoeb32.exe	NEAS.03c9baf8c968d7f40eec298c11104550.exe
File created	C:\Windows\SysWOW64\Mckmcadl.dll	NEAS.03c9baf8c968d7f40eec298c11104550.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Oqhoeb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocnabm32.exe	Process not Found
File created	C:\Windows\SysWOW64\Pciqnk32.exe	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Pciqnk32.exe	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmladm32.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Ocnabm32.exe
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmmoj.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	BackgroundTransferHost.exe
File created	C:\Windows\SysWOW64\Cmnnimak.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Ockdmmoj.exe	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Kpikki32.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\Pjjfdfbb.exe	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Ocnabm32.exe
File created	C:\Windows\SysWOW64\Fknofqcc.dll	Pjjfdfbb.exe
File opened for modification	C:\Windows\SysWOW64\Pplhhm32.exe	BackgroundTransferHost.exe
File opened for modification	C:\Windows\SysWOW64\Bpedeiff.exe	Qbonoghb.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bmladm32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhoeb32.exe	NEAS.03c9baf8c968d7f40eec298c11104550.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Bihice32.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Ocnabm32.exe	Process not Found
File created	C:\Windows\SysWOW64\Pplhhm32.exe	BackgroundTransferHost.exe
File opened for modification	C:\Windows\SysWOW64\Qbonoghb.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Epgldbkn.dll	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Oqhoeb32.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Pjjfdfbb.exe
File created	C:\Windows\SysWOW64\Adppeapp.dll	Bmladm32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Gcilohid.dll	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Qbonoghb.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Bpedeiff.exe	Qbonoghb.exe
File created	C:\Windows\SysWOW64\Leldmdbk.dll	Qbonoghb.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Bpedeiff.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Amoppdld.dll	Bpedeiff.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4528	1188	WerFault.exe	81

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.03c9baf8c968d7f40eec298c11104550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.03c9baf8c968d7f40eec298c11104550.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll"	NEAS.03c9baf8c968d7f40eec298c11104550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balgcpkn.dll"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihice32.dll"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbonoghb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll"	Ocnabm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cmnnimak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpikki32.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocnabm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll"	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.03c9baf8c968d7f40eec298c11104550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leldmdbk.dll"	Qbonoghb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.03c9baf8c968d7f40eec298c11104550.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.03c9baf8c968d7f40eec298c11104550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcnqjjo.dll"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgldbkn.dll"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bpedeiff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Bmladm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcilohid.dll"	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bpedeiff.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 2632	4064	NEAS.03c9baf8c968d7f40eec298c11104550.exe	56
PID 4064 wrote to memory of 2632	4064	NEAS.03c9baf8c968d7f40eec298c11104550.exe	56
PID 4064 wrote to memory of 2632	4064	NEAS.03c9baf8c968d7f40eec298c11104550.exe	56
PID 2632 wrote to memory of 1804	2632	Oqhoeb32.exe	57
PID 2632 wrote to memory of 1804	2632	Oqhoeb32.exe	57
PID 2632 wrote to memory of 1804	2632	Oqhoeb32.exe	57
PID 1804 wrote to memory of 5096	1804	Ocihgnam.exe	58
PID 1804 wrote to memory of 5096	1804	Ocihgnam.exe	58
PID 1804 wrote to memory of 5096	1804	Ocihgnam.exe	58
PID 5096 wrote to memory of 4700	5096	Process not Found	59
PID 5096 wrote to memory of 4700	5096	Process not Found	59
PID 5096 wrote to memory of 4700	5096	Process not Found	59
PID 4700 wrote to memory of 4988	4700	Ocnabm32.exe	60
PID 4700 wrote to memory of 4988	4700	Ocnabm32.exe	60
PID 4700 wrote to memory of 4988	4700	Ocnabm32.exe	60
PID 4988 wrote to memory of 2100	4988	Pjjfdfbb.exe	117
PID 4988 wrote to memory of 2100	4988	Pjjfdfbb.exe	117
PID 4988 wrote to memory of 2100	4988	Pjjfdfbb.exe	117
PID 2100 wrote to memory of 2008	2100	BackgroundTransferHost.exe	62
PID 2100 wrote to memory of 2008	2100	BackgroundTransferHost.exe	62
PID 2100 wrote to memory of 2008	2100	BackgroundTransferHost.exe	62
PID 2008 wrote to memory of 640	2008	Pplhhm32.exe	63
PID 2008 wrote to memory of 640	2008	Pplhhm32.exe	63
PID 2008 wrote to memory of 640	2008	Pplhhm32.exe	63
PID 640 wrote to memory of 4860	640	Pciqnk32.exe	72
PID 640 wrote to memory of 4860	640	Pciqnk32.exe	72
PID 640 wrote to memory of 4860	640	Pciqnk32.exe	72
PID 4860 wrote to memory of 3560	4860	Qbonoghb.exe	74
PID 4860 wrote to memory of 3560	4860	Qbonoghb.exe	74
PID 4860 wrote to memory of 3560	4860	Qbonoghb.exe	74
PID 3560 wrote to memory of 3984	3560	Bpedeiff.exe	75
PID 3560 wrote to memory of 3984	3560	Bpedeiff.exe	75
PID 3560 wrote to memory of 3984	3560	Bpedeiff.exe	75
PID 3984 wrote to memory of 2308	3984	Bmladm32.exe	76
PID 3984 wrote to memory of 2308	3984	Bmladm32.exe	76
PID 3984 wrote to memory of 2308	3984	Bmladm32.exe	76
PID 2308 wrote to memory of 2472	2308	Cmnnimak.exe	80
PID 2308 wrote to memory of 2472	2308	Cmnnimak.exe	80
PID 2308 wrote to memory of 2472	2308	Cmnnimak.exe	80
PID 2472 wrote to memory of 1188	2472	Ckggnp32.exe	81
PID 2472 wrote to memory of 1188	2472	Ckggnp32.exe	81
PID 2472 wrote to memory of 1188	2472	Ckggnp32.exe	81

C:\Users\Admin\AppData\Local\Temp\NEAS.03c9baf8c968d7f40eec298c11104550.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.03c9baf8c968d7f40eec298c11104550.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Windows\SysWOW64\Oqhoeb32.exe
  C:\Windows\system32\Oqhoeb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Ocihgnam.exe
    C:\Windows\system32\Ocihgnam.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\SysWOW64\Ockdmmoj.exe
      C:\Windows\system32\Ockdmmoj.exe
      4⤵
      Executes dropped EXE
      PID:5096
    - - C:\Windows\SysWOW64\Ocnabm32.exe
        
        C:\Windows\system32\Ocnabm32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4700
      - C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        7⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Qbonoghb.exe
        
        C:\Windows\system32\Qbonoghb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Bpedeiff.exe
        
        C:\Windows\system32\Bpedeiff.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3560
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        15⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 420
        16⤵
        Program crash
        
        PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1188 -ip 1188
1⤵
PID:3796

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bmladm32.exe

Filesize
3.2MB

MD5
ab1599457231a68b9623ab31c3433218

SHA1
cb94a3ec181009d127860943fd793f974d93989b

SHA256
c0821e555a341b42634593279b00723c44821b243dd32802026ee7749795df1b

SHA512
770fe003680269c63f66c072db1d3a2e0082d96bbb4660bdaea390229fb1403956866f264ba678fc40e691128307a4276fc1d9129ae1029804899f60e6389dfd

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
3.2MB

MD5
bea940a240f6b28aa8870090d1d77ef8

SHA1
7f701ac79f3da66360063415471cb920b3f82a52

SHA256
68a1b7faed640334cbb5ec8cad6410ad34e4147117bcc3d1039fd668b12a4d6f

SHA512
4e75b0dc089243262aade13c14922effafa926b0df7589b77e08dcd2ccbd58783c33791c1c7cb4b384dcc7330e9f6bf0253ee89630309f684fde03162595acb4

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
3.2MB

MD5
bea940a240f6b28aa8870090d1d77ef8

SHA1
7f701ac79f3da66360063415471cb920b3f82a52

SHA256
68a1b7faed640334cbb5ec8cad6410ad34e4147117bcc3d1039fd668b12a4d6f

SHA512
4e75b0dc089243262aade13c14922effafa926b0df7589b77e08dcd2ccbd58783c33791c1c7cb4b384dcc7330e9f6bf0253ee89630309f684fde03162595acb4

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
3.2MB

MD5
bf65e5ff264ba61c758e5c6940c035f2

SHA1
5fb32e0fd6e600d4118aec60b8e5b890ade9ddb9

SHA256
8b509fba36b680f5d230411a123b1bc05a7d1ee9daaf51c431a91d4544326f42

SHA512
a7a1ee9e2422e3872a5ffbcb52c9979d16d41bb760723e1ccb95c600d7ddef7ac03c6ba8647aa66362ee0a3fa06e132c69e0755970f6bdc7aa1dac68d94400d4

Download Submit
C:\Windows\SysWOW64\Bpedeiff.exe

Filesize
3.2MB

MD5
bf65e5ff264ba61c758e5c6940c035f2

SHA1
5fb32e0fd6e600d4118aec60b8e5b890ade9ddb9

SHA256
8b509fba36b680f5d230411a123b1bc05a7d1ee9daaf51c431a91d4544326f42

SHA512
a7a1ee9e2422e3872a5ffbcb52c9979d16d41bb760723e1ccb95c600d7ddef7ac03c6ba8647aa66362ee0a3fa06e132c69e0755970f6bdc7aa1dac68d94400d4

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
3.2MB

MD5
3a4d5b001cdfbf68988b6d826efbc287

SHA1
dec3c20bdc988fa3cff46b915654199e5b287602

SHA256
36ce3a42ec0c5a73a506325750956c73bf510c6df40da8a83eabb4a68280af2f

SHA512
f7dbda62da1aa1aa7945a42193583947566513f5ca445adeee350bc20ac23c714a8125f7c0e4f3b900af73719eaa89f5e14a34eb5027250bab5b32a2c2b63686

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
3.2MB

MD5
3a4d5b001cdfbf68988b6d826efbc287

SHA1
dec3c20bdc988fa3cff46b915654199e5b287602

SHA256
36ce3a42ec0c5a73a506325750956c73bf510c6df40da8a83eabb4a68280af2f

SHA512
f7dbda62da1aa1aa7945a42193583947566513f5ca445adeee350bc20ac23c714a8125f7c0e4f3b900af73719eaa89f5e14a34eb5027250bab5b32a2c2b63686

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
3.2MB

MD5
ecd6941e4a305c91bea538828fa145a2

SHA1
66532a5deed841d4d847c33cf8257405f29e9a07

SHA256
f36654a5278bac946abf8dc25542113e723558684280fd3afcc8827d640ef00b

SHA512
bec1f392d6a3c35ed96b1f5c02e62c138396110367abb6265c8ec98e068ad8ba914f87791884c5858bbcd2aa2c4fcf55317b37a9e27a3b53722d749ab7c48474

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
3.2MB

MD5
ecd6941e4a305c91bea538828fa145a2

SHA1
66532a5deed841d4d847c33cf8257405f29e9a07

SHA256
f36654a5278bac946abf8dc25542113e723558684280fd3afcc8827d640ef00b

SHA512
bec1f392d6a3c35ed96b1f5c02e62c138396110367abb6265c8ec98e068ad8ba914f87791884c5858bbcd2aa2c4fcf55317b37a9e27a3b53722d749ab7c48474

Download Submit
C:\Windows\SysWOW64\Cmnnimak.exe

Filesize
3.2MB

MD5
ecd6941e4a305c91bea538828fa145a2

SHA1
66532a5deed841d4d847c33cf8257405f29e9a07

SHA256
f36654a5278bac946abf8dc25542113e723558684280fd3afcc8827d640ef00b

SHA512
bec1f392d6a3c35ed96b1f5c02e62c138396110367abb6265c8ec98e068ad8ba914f87791884c5858bbcd2aa2c4fcf55317b37a9e27a3b53722d749ab7c48474

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
3.2MB

MD5
5a3fb341ef6092fcadcad5c81d00fd6d

SHA1
5c3e939bc68c829fe91e5f39ebe644f777d33a15

SHA256
faf37a33e9151189d1080f8de610235c1b8759ddfefd62e6c9f1f75c1aa76a51

SHA512
92f68ec6889f3298f691baf9f7b7627088edf41b54cb547ce0aec33924c46e0f5e1694c50a606593775813d78c04269bbb53708877840a3ccdfccb194908d4a6

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
3.2MB

MD5
5a3fb341ef6092fcadcad5c81d00fd6d

SHA1
5c3e939bc68c829fe91e5f39ebe644f777d33a15

SHA256
faf37a33e9151189d1080f8de610235c1b8759ddfefd62e6c9f1f75c1aa76a51

SHA512
92f68ec6889f3298f691baf9f7b7627088edf41b54cb547ce0aec33924c46e0f5e1694c50a606593775813d78c04269bbb53708877840a3ccdfccb194908d4a6

Download Submit
C:\Windows\SysWOW64\Kqkplq32.dll

Filesize
7KB

MD5
0dfc5d31a29ac3b9dc3b0ea44d92401e

SHA1
3c38d8ca62e02df3515a6ab55bfa55102f81d8ad

SHA256
4c0a84c1a46bf35a14ba236c03c8883b9859179e446f594ca01925f19d84a535

SHA512
2047497619758b3107111c60a7a10fa215574820165427d39e9dde1974665d2b045cb77904c040caeacb1e23af5606fb3a71d45db563f7904b0dde109fdd81c6

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
3.2MB

MD5
8edc85e6a2b24dea934bd06a598da625

SHA1
d8d861fa4becc0fcd2964baf96f6b0c050acdebe

SHA256
915c65471d08ac83d3b4835555d63bddb1ecc9856f53f643e7a2769faaad4504

SHA512
150af50b27dd465d4d6c3e53dd2fb2c2adaa97a787ed2c195a421dbf38888bf9e169f177010bfde19b6a29dbac47e392f080526e9ec1498aab8588e0b20b73bb

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
3.2MB

MD5
8edc85e6a2b24dea934bd06a598da625

SHA1
d8d861fa4becc0fcd2964baf96f6b0c050acdebe

SHA256
915c65471d08ac83d3b4835555d63bddb1ecc9856f53f643e7a2769faaad4504

SHA512
150af50b27dd465d4d6c3e53dd2fb2c2adaa97a787ed2c195a421dbf38888bf9e169f177010bfde19b6a29dbac47e392f080526e9ec1498aab8588e0b20b73bb

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
3.2MB

MD5
44d33041e2d1af61d40bbff8d456f109

SHA1
a7db3e9c983e76aa8c657f9a6e1296822084813e

SHA256
321266d76cac64c0de4d00bd9d102d7e713ea12e5efe014cda7259b4a40b9fce

SHA512
ded4dbcae268992a0e84160d4c6c8ab688df8dd73d31f10953a4878fcfdbf7d979775519d5cbeed5cd20a74822faef0682bf7c4676352405a7e3adcddd4ee567

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
3.2MB

MD5
44d33041e2d1af61d40bbff8d456f109

SHA1
a7db3e9c983e76aa8c657f9a6e1296822084813e

SHA256
321266d76cac64c0de4d00bd9d102d7e713ea12e5efe014cda7259b4a40b9fce

SHA512
ded4dbcae268992a0e84160d4c6c8ab688df8dd73d31f10953a4878fcfdbf7d979775519d5cbeed5cd20a74822faef0682bf7c4676352405a7e3adcddd4ee567

Download Submit
C:\Windows\SysWOW64\Ockdmmoj.exe

Filesize
3.2MB

MD5
44d33041e2d1af61d40bbff8d456f109

SHA1
a7db3e9c983e76aa8c657f9a6e1296822084813e

SHA256
321266d76cac64c0de4d00bd9d102d7e713ea12e5efe014cda7259b4a40b9fce

SHA512
ded4dbcae268992a0e84160d4c6c8ab688df8dd73d31f10953a4878fcfdbf7d979775519d5cbeed5cd20a74822faef0682bf7c4676352405a7e3adcddd4ee567

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
3.2MB

MD5
ee6a6562e98f53cf5929afb3a86deb75

SHA1
5f0781eb2049fcd63c0db6d88fffb59bdc5cd7ab

SHA256
34d16ce2041f082e21e972e89946132f868c842159090113b8a75143fc897c80

SHA512
3881b6711c8c4bd666841a246a1a63af812daecbcbf19da91f77a2b8455994fe3b7fbb77c0f93e29d22cc3f6f749d4ce7ce8ff29984897876f72069ac18c90ad

Download Submit
C:\Windows\SysWOW64\Ocnabm32.exe

Filesize
3.2MB

MD5
ee6a6562e98f53cf5929afb3a86deb75

SHA1
5f0781eb2049fcd63c0db6d88fffb59bdc5cd7ab

SHA256
34d16ce2041f082e21e972e89946132f868c842159090113b8a75143fc897c80

SHA512
3881b6711c8c4bd666841a246a1a63af812daecbcbf19da91f77a2b8455994fe3b7fbb77c0f93e29d22cc3f6f749d4ce7ce8ff29984897876f72069ac18c90ad

Download Submit
C:\Windows\SysWOW64\Oqhoeb32.exe

Filesize
3.2MB

MD5
479b50bfe3908134f7bfa6d19c0105ef

SHA1
1d37e2bba293f9e353f667e70634763c678cbc38

SHA256
0eb65e87bf4e44a9531d90d21838bc5b31a906544e08cfcf3ef9bd4b9134170e

SHA512
55acd21dd0e0dde6cb0b20fe9688782c88062b16875ccfe475f6be4be7ed2f87b44b62ce8679dfda98c65c4b748488e5d3951f9ee8f8d9ee78da42f5a6872cb2

Download Submit
C:\Windows\SysWOW64\Oqhoeb32.exe

Filesize
3.2MB

MD5
479b50bfe3908134f7bfa6d19c0105ef

SHA1
1d37e2bba293f9e353f667e70634763c678cbc38

SHA256
0eb65e87bf4e44a9531d90d21838bc5b31a906544e08cfcf3ef9bd4b9134170e

SHA512
55acd21dd0e0dde6cb0b20fe9688782c88062b16875ccfe475f6be4be7ed2f87b44b62ce8679dfda98c65c4b748488e5d3951f9ee8f8d9ee78da42f5a6872cb2

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
3.2MB

MD5
7bdac340d3e50b87becb5a85ab6dd510

SHA1
493eb623d23f08952a89255d540fb532e2b90b53

SHA256
95d749fc73672085c5fbb6d863d7bdb8ad4348afef721dc5780e091097a77ada

SHA512
b17423415518e3dd3341ed3d1be5c609695e99f5cb4f7b514cfacbd0771c348bb230321f77aab7c2f873524176f1014e1e8ddef2b101ba6b6bd017fdd8dcba3c

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
3.2MB

MD5
7bdac340d3e50b87becb5a85ab6dd510

SHA1
493eb623d23f08952a89255d540fb532e2b90b53

SHA256
95d749fc73672085c5fbb6d863d7bdb8ad4348afef721dc5780e091097a77ada

SHA512
b17423415518e3dd3341ed3d1be5c609695e99f5cb4f7b514cfacbd0771c348bb230321f77aab7c2f873524176f1014e1e8ddef2b101ba6b6bd017fdd8dcba3c

Download Submit
C:\Windows\SysWOW64\Pciqnk32.exe

Filesize
3.2MB

MD5
00788b1b772f825bd5afac8e9c890afe

SHA1
1fdf14fb4eff587044f82345dc627e9d0c282ecb

SHA256
437d05d4d6d28cff7e8d78d9ed4bf4786b97fea21caac00102ba9ebe84e8921d

SHA512
4baa10377ad5e06751f12ab8bd3dbc334ad99bc5cc9f07bc43d991916d12c40d9143b6cda178b6d9a7dc9cc40ff80ed465b672a1e24bc8d2bba77e8e36265fe4

Download Submit
C:\Windows\SysWOW64\Pciqnk32.exe

Filesize
3.2MB

MD5
00788b1b772f825bd5afac8e9c890afe

SHA1
1fdf14fb4eff587044f82345dc627e9d0c282ecb

SHA256
437d05d4d6d28cff7e8d78d9ed4bf4786b97fea21caac00102ba9ebe84e8921d

SHA512
4baa10377ad5e06751f12ab8bd3dbc334ad99bc5cc9f07bc43d991916d12c40d9143b6cda178b6d9a7dc9cc40ff80ed465b672a1e24bc8d2bba77e8e36265fe4

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
3.2MB

MD5
aee81c7407998448b288f1a59d4bc966

SHA1
d4877c607937b47ffd0b06f11072465351e7c4d6

SHA256
130e21ed2a8a603ee0c626f7112178fbfdaaf32b2ce3ec006e776956ed7bea80

SHA512
c3ba47e95c5d9df6706134dff6f4cbd3a5db19bbfe333d84a4d6dfee77415e90ba8eb76b7d08b88a7b3bb2d2e7cccd5c10fb084bfa9b875fc0841f19f4542d63

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
3.2MB

MD5
aee81c7407998448b288f1a59d4bc966

SHA1
d4877c607937b47ffd0b06f11072465351e7c4d6

SHA256
130e21ed2a8a603ee0c626f7112178fbfdaaf32b2ce3ec006e776956ed7bea80

SHA512
c3ba47e95c5d9df6706134dff6f4cbd3a5db19bbfe333d84a4d6dfee77415e90ba8eb76b7d08b88a7b3bb2d2e7cccd5c10fb084bfa9b875fc0841f19f4542d63

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
3.2MB

MD5
fe89a5c7c722c9713a3323a1e78821bf

SHA1
c38e0751a8914fbe6c8b343a9ca1b6a92a589066

SHA256
8345e5d327dbc0cf85e89ce9550f7def494e5fe3276768cecc40917c03136c38

SHA512
61526490af3be76e964988276c7a398a7e1ab4b480c0d3276993de6fd1e98e9f1d5804dfe80b5d25b33ae48916c4e33c98653ab8d790a2bc30d3172c9386609b

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
3.2MB

MD5
fe89a5c7c722c9713a3323a1e78821bf

SHA1
c38e0751a8914fbe6c8b343a9ca1b6a92a589066

SHA256
8345e5d327dbc0cf85e89ce9550f7def494e5fe3276768cecc40917c03136c38

SHA512
61526490af3be76e964988276c7a398a7e1ab4b480c0d3276993de6fd1e98e9f1d5804dfe80b5d25b33ae48916c4e33c98653ab8d790a2bc30d3172c9386609b

Download Submit
C:\Windows\SysWOW64\Qbonoghb.exe

Filesize
3.2MB

MD5
23e8fe015c22dcffc4bc99c8d6829eff

SHA1
0028e385a195af844c4c5f061b16be4ed32c7491

SHA256
9893d869a36f5af158ebade973b240ef30fa469307a461e024fc948731c80e3a

SHA512
99b1e43365aec45e2127fc8ec995a4d693ff9d6680c799422b55750b2a40a43f43e338a079d4a6721659ba8e48a14e9055574a3a137ca25b4bc2541873186bca

Download Submit
C:\Windows\SysWOW64\Qbonoghb.exe

Filesize
3.2MB

MD5
23e8fe015c22dcffc4bc99c8d6829eff

SHA1
0028e385a195af844c4c5f061b16be4ed32c7491

SHA256
9893d869a36f5af158ebade973b240ef30fa469307a461e024fc948731c80e3a

SHA512
99b1e43365aec45e2127fc8ec995a4d693ff9d6680c799422b55750b2a40a43f43e338a079d4a6721659ba8e48a14e9055574a3a137ca25b4bc2541873186bca

Download Submit
C:\Windows\SysWOW64\Qbonoghb.exe

Filesize
3.2MB

MD5
23e8fe015c22dcffc4bc99c8d6829eff

SHA1
0028e385a195af844c4c5f061b16be4ed32c7491

SHA256
9893d869a36f5af158ebade973b240ef30fa469307a461e024fc948731c80e3a

SHA512
99b1e43365aec45e2127fc8ec995a4d693ff9d6680c799422b55750b2a40a43f43e338a079d4a6721659ba8e48a14e9055574a3a137ca25b4bc2541873186bca

Download Submit
memory/640-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/640-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1188-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1188-112-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1804-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1804-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-52-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-96-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2308-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2472-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2632-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3560-79-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3984-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3984-88-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4064-126-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4064-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4700-122-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4700-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4860-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4860-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-121-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4988-39-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5096-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5096-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads