fc045e90be88ad3c9544b6836d42756bc43650f67297b565427d9e2915b30f9f

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
13/11/2023, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
Size

255KB
MD5

1ff588278d3f2b8427c5f0b1d49aa0b0
SHA1

0d1b395af89251d4e8f0c93f229b4c271116393f
SHA256

fc045e90be88ad3c9544b6836d42756bc43650f67297b565427d9e2915b30f9f
SHA512

7cd75c97c9a1ae874147f8ce214b14761d829ec96fdc4dfed0028de25a56378b2a60298b81b84f2036499309ed8ccd407a383d6f62299e64168ef8ebe595dd76
SSDEEP

6144:/K/rOK0gvF2xUS6UJjwszeXmDZUH8aiGaEP:C/6K+j6YjzZUH8awEP

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnfdcjkg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe

Malware Backdoor - Berbew 57 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x00090000000222f4-7.dat	family_berbew
behavioral2/files/0x00090000000222f4-9.dat	family_berbew
behavioral2/files/0x0007000000022e07-15.dat	family_berbew
behavioral2/files/0x0007000000022e07-16.dat	family_berbew
behavioral2/files/0x0006000000022e0c-23.dat	family_berbew
behavioral2/files/0x0006000000022e0c-24.dat	family_berbew
behavioral2/files/0x0006000000022e0e-33.dat	family_berbew
behavioral2/files/0x0006000000022e0e-31.dat	family_berbew
behavioral2/files/0x0006000000022e10-39.dat	family_berbew
behavioral2/files/0x0006000000022e10-41.dat	family_berbew
behavioral2/files/0x0006000000022e12-47.dat	family_berbew
behavioral2/files/0x0006000000022e12-48.dat	family_berbew
behavioral2/files/0x0006000000022e14-55.dat	family_berbew
behavioral2/files/0x0006000000022e14-56.dat	family_berbew
behavioral2/files/0x0006000000022e17-63.dat	family_berbew
behavioral2/files/0x0006000000022e17-64.dat	family_berbew
behavioral2/files/0x0006000000022e19-71.dat	family_berbew
behavioral2/files/0x0006000000022e19-72.dat	family_berbew
behavioral2/files/0x0006000000022e1b-79.dat	family_berbew
behavioral2/files/0x0006000000022e1b-80.dat	family_berbew
behavioral2/files/0x0007000000022e08-87.dat	family_berbew
behavioral2/files/0x0007000000022e08-88.dat	family_berbew
behavioral2/files/0x0006000000022e1e-96.dat	family_berbew
behavioral2/files/0x0006000000022e21-103.dat	family_berbew
behavioral2/files/0x0006000000022e21-104.dat	family_berbew
behavioral2/files/0x0006000000022e1e-95.dat	family_berbew
behavioral2/files/0x0006000000022e23-111.dat	family_berbew
behavioral2/files/0x0006000000022e23-113.dat	family_berbew
behavioral2/files/0x0006000000022e25-119.dat	family_berbew
behavioral2/files/0x0006000000022e25-120.dat	family_berbew
behavioral2/files/0x0006000000022e28-127.dat	family_berbew
behavioral2/files/0x0006000000022e28-128.dat	family_berbew
behavioral2/files/0x0006000000022e2a-135.dat	family_berbew
behavioral2/files/0x0006000000022e2a-136.dat	family_berbew
behavioral2/files/0x0006000000022e2c-143.dat	family_berbew
behavioral2/files/0x0006000000022e2c-145.dat	family_berbew
behavioral2/files/0x0006000000022e2e-151.dat	family_berbew
behavioral2/files/0x0006000000022e2e-152.dat	family_berbew
behavioral2/files/0x0006000000022e30-159.dat	family_berbew
behavioral2/files/0x0006000000022e30-161.dat	family_berbew
behavioral2/files/0x0006000000022e32-167.dat	family_berbew
behavioral2/files/0x0006000000022e32-169.dat	family_berbew
behavioral2/files/0x0006000000022e34-176.dat	family_berbew
behavioral2/files/0x0006000000022e36-183.dat	family_berbew
behavioral2/files/0x0006000000022e36-184.dat	family_berbew
behavioral2/files/0x0006000000022e34-175.dat	family_berbew
behavioral2/files/0x0006000000022e38-191.dat	family_berbew
behavioral2/files/0x0006000000022e3a-200.dat	family_berbew
behavioral2/files/0x0006000000022e3a-199.dat	family_berbew
behavioral2/files/0x0006000000022e3c-207.dat	family_berbew
behavioral2/files/0x0006000000022e3c-208.dat	family_berbew
behavioral2/files/0x0006000000022e38-192.dat	family_berbew
behavioral2/files/0x0006000000022e3e-215.dat	family_berbew
behavioral2/files/0x0006000000022e42-223.dat	family_berbew
behavioral2/files/0x0006000000022e42-224.dat	family_berbew
behavioral2/files/0x0006000000022e44-231.dat	family_berbew
behavioral2/files/0x0006000000022e44-232.dat	family_berbew

Executes dropped EXE 29 IoCs

pid	Process
1040	Pqknig32.exe
888	Pmannhhj.exe
2924	Pggbkagp.exe
4924	Pjeoglgc.exe
1512	Pcncpbmd.exe
3516	Pqbdjfln.exe
1180	Pnfdcjkg.exe
4172	Pfaigm32.exe
2684	Qnhahj32.exe
2300	Qceiaa32.exe
3356	Qgcbgo32.exe
2340	Aqkgpedc.exe
4040	Beihma32.exe
1796	Bmemac32.exe
1360	Cfmajipb.exe
1900	Cabfga32.exe
3224	Cjkjpgfi.exe
4680	Chokikeb.exe
3352	Ceckcp32.exe
1712	Cnkplejl.exe
472	Cjbpaf32.exe
2540	Ddjejl32.exe
544	Dopigd32.exe
4888	Ddmaok32.exe
2784	Daqbip32.exe
1632	Dhkjej32.exe
4632	Dmgbnq32.exe
2260	Dhocqigp.exe
4900	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Lnlden32.dll	Pqbdjfln.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File opened for modification	C:\Windows\SysWOW64\Pnfdcjkg.exe	Pqbdjfln.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Pfaigm32.exe	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Pqbdjfln.exe	Pcncpbmd.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Pcncpbmd.exe	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Pjeoglgc.exe	Pggbkagp.exe
File created	C:\Windows\SysWOW64\Dbnamnpl.dll	Pggbkagp.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Hdoemjgn.dll	Pqknig32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Pqknig32.exe	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
File created	C:\Windows\SysWOW64\Pggbkagp.exe	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Popodg32.dll	Pmannhhj.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pnfdcjkg.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pfaigm32.exe
File created	C:\Windows\SysWOW64\Qceiaa32.exe	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Djnkap32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Pqknig32.exe	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
File created	C:\Windows\SysWOW64\Elocna32.dll	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
File opened for modification	C:\Windows\SysWOW64\Pmannhhj.exe	Pqknig32.exe
File created	C:\Windows\SysWOW64\Oomibind.dll	Pjeoglgc.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pcncpbmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4028	4900	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqknig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popodg32.dll"	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbagnedl.dll"	Pcncpbmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmphmhjc.dll"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbdjfln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmannhhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjeoglgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlden32.dll"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnfdcjkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnamnpl.dll"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjeoglgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1040	2568	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe	88
PID 2568 wrote to memory of 1040	2568	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe	88
PID 2568 wrote to memory of 1040	2568	NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe	88
PID 1040 wrote to memory of 888	1040	Pqknig32.exe	89
PID 1040 wrote to memory of 888	1040	Pqknig32.exe	89
PID 1040 wrote to memory of 888	1040	Pqknig32.exe	89
PID 888 wrote to memory of 2924	888	Pmannhhj.exe	90
PID 888 wrote to memory of 2924	888	Pmannhhj.exe	90
PID 888 wrote to memory of 2924	888	Pmannhhj.exe	90
PID 2924 wrote to memory of 4924	2924	Pggbkagp.exe	91
PID 2924 wrote to memory of 4924	2924	Pggbkagp.exe	91
PID 2924 wrote to memory of 4924	2924	Pggbkagp.exe	91
PID 4924 wrote to memory of 1512	4924	Pjeoglgc.exe	92
PID 4924 wrote to memory of 1512	4924	Pjeoglgc.exe	92
PID 4924 wrote to memory of 1512	4924	Pjeoglgc.exe	92
PID 1512 wrote to memory of 3516	1512	Pcncpbmd.exe	93
PID 1512 wrote to memory of 3516	1512	Pcncpbmd.exe	93
PID 1512 wrote to memory of 3516	1512	Pcncpbmd.exe	93
PID 3516 wrote to memory of 1180	3516	Pqbdjfln.exe	94
PID 3516 wrote to memory of 1180	3516	Pqbdjfln.exe	94
PID 3516 wrote to memory of 1180	3516	Pqbdjfln.exe	94
PID 1180 wrote to memory of 4172	1180	Pnfdcjkg.exe	95
PID 1180 wrote to memory of 4172	1180	Pnfdcjkg.exe	95
PID 1180 wrote to memory of 4172	1180	Pnfdcjkg.exe	95
PID 4172 wrote to memory of 2684	4172	Pfaigm32.exe	96
PID 4172 wrote to memory of 2684	4172	Pfaigm32.exe	96
PID 4172 wrote to memory of 2684	4172	Pfaigm32.exe	96
PID 2684 wrote to memory of 2300	2684	Qnhahj32.exe	97
PID 2684 wrote to memory of 2300	2684	Qnhahj32.exe	97
PID 2684 wrote to memory of 2300	2684	Qnhahj32.exe	97
PID 2300 wrote to memory of 3356	2300	Qceiaa32.exe	98
PID 2300 wrote to memory of 3356	2300	Qceiaa32.exe	98
PID 2300 wrote to memory of 3356	2300	Qceiaa32.exe	98
PID 3356 wrote to memory of 2340	3356	Qgcbgo32.exe	99
PID 3356 wrote to memory of 2340	3356	Qgcbgo32.exe	99
PID 3356 wrote to memory of 2340	3356	Qgcbgo32.exe	99
PID 2340 wrote to memory of 4040	2340	Aqkgpedc.exe	100
PID 2340 wrote to memory of 4040	2340	Aqkgpedc.exe	100
PID 2340 wrote to memory of 4040	2340	Aqkgpedc.exe	100
PID 4040 wrote to memory of 1796	4040	Beihma32.exe	101
PID 4040 wrote to memory of 1796	4040	Beihma32.exe	101
PID 4040 wrote to memory of 1796	4040	Beihma32.exe	101
PID 1796 wrote to memory of 1360	1796	Bmemac32.exe	102
PID 1796 wrote to memory of 1360	1796	Bmemac32.exe	102
PID 1796 wrote to memory of 1360	1796	Bmemac32.exe	102
PID 1360 wrote to memory of 1900	1360	Cfmajipb.exe	104
PID 1360 wrote to memory of 1900	1360	Cfmajipb.exe	104
PID 1360 wrote to memory of 1900	1360	Cfmajipb.exe	104
PID 1900 wrote to memory of 3224	1900	Cabfga32.exe	105
PID 1900 wrote to memory of 3224	1900	Cabfga32.exe	105
PID 1900 wrote to memory of 3224	1900	Cabfga32.exe	105
PID 3224 wrote to memory of 4680	3224	Cjkjpgfi.exe	106
PID 3224 wrote to memory of 4680	3224	Cjkjpgfi.exe	106
PID 3224 wrote to memory of 4680	3224	Cjkjpgfi.exe	106
PID 4680 wrote to memory of 3352	4680	Chokikeb.exe	107
PID 4680 wrote to memory of 3352	4680	Chokikeb.exe	107
PID 4680 wrote to memory of 3352	4680	Chokikeb.exe	107
PID 3352 wrote to memory of 1712	3352	Ceckcp32.exe	108
PID 3352 wrote to memory of 1712	3352	Ceckcp32.exe	108
PID 3352 wrote to memory of 1712	3352	Ceckcp32.exe	108
PID 1712 wrote to memory of 472	1712	Cnkplejl.exe	109
PID 1712 wrote to memory of 472	1712	Cnkplejl.exe	109
PID 1712 wrote to memory of 472	1712	Cnkplejl.exe	109
PID 472 wrote to memory of 2540	472	Cjbpaf32.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.1ff588278d3f2b8427c5f0b1d49aa0b0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\Pqknig32.exe
  C:\Windows\system32\Pqknig32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Windows\SysWOW64\Pmannhhj.exe
    C:\Windows\system32\Pmannhhj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\SysWOW64\Pggbkagp.exe
      C:\Windows\system32\Pggbkagp.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2924
    - - C:\Windows\SysWOW64\Pjeoglgc.exe
        
        C:\Windows\system32\Pjeoglgc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Pnfdcjkg.exe
        
        C:\Windows\system32\Pnfdcjkg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Pfaigm32.exe
        
        C:\Windows\system32\Pfaigm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4040
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784

C:\Windows\SysWOW64\Dmgbnq32.exe
C:\Windows\system32\Dmgbnq32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4632
- C:\Windows\SysWOW64\Daekdooc.exe
  C:\Windows\system32\Daekdooc.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  - Modifies registry class
  PID:4012
- - C:\Windows\SysWOW64\Dhocqigp.exe
    C:\Windows\system32\Dhocqigp.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:2260
  - - C:\Windows\SysWOW64\Dmllipeg.exe
      C:\Windows\system32\Dmllipeg.exe
      4⤵
      Executes dropped EXE
      PID:4900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 396
        5⤵
        Program crash
        
        PID:4028

C:\Windows\SysWOW64\Dhkjej32.exe
C:\Windows\system32\Dhkjej32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4900 -ip 4900
1⤵
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
255KB

MD5
398dd0a7bf1d37f86d32f31fe10d1137

SHA1
b8b404117bd7f98a146070543170b8e630739af2

SHA256
265b37a00b4d2a812ae0c4dc8a5d6ae3a8427d1a1040334b243961bcd105763b

SHA512
ad2254e96d9576021bcd42d015ce468b1d4c01f7d1c4c2c9a5dc935fe5fd3566bb87105fe4c12112dee165b26ef8de3ec3598ee5691ceaa3f965f53ec78e7ece

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
255KB

MD5
398dd0a7bf1d37f86d32f31fe10d1137

SHA1
b8b404117bd7f98a146070543170b8e630739af2

SHA256
265b37a00b4d2a812ae0c4dc8a5d6ae3a8427d1a1040334b243961bcd105763b

SHA512
ad2254e96d9576021bcd42d015ce468b1d4c01f7d1c4c2c9a5dc935fe5fd3566bb87105fe4c12112dee165b26ef8de3ec3598ee5691ceaa3f965f53ec78e7ece

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
255KB

MD5
0c731111441b1adc4f37943467791699

SHA1
7452de9d4924828385abd25803c0642e16a22433

SHA256
c59448f686dc47c93184aeaff01010abc48814de6d7880fac34588f64cb4f95e

SHA512
a3745e3dfa63d19f72ed4758fe7926fd259e344ad1a10cf0ccac75c2198d392b346560d9640f6c107d494e0471dde001e34b1d406dfd0b425952dfd9990579a6

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
255KB

MD5
0c731111441b1adc4f37943467791699

SHA1
7452de9d4924828385abd25803c0642e16a22433

SHA256
c59448f686dc47c93184aeaff01010abc48814de6d7880fac34588f64cb4f95e

SHA512
a3745e3dfa63d19f72ed4758fe7926fd259e344ad1a10cf0ccac75c2198d392b346560d9640f6c107d494e0471dde001e34b1d406dfd0b425952dfd9990579a6

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
255KB

MD5
5af4356f866f3c030bc2516ba0461494

SHA1
7a43ff77dbf1a1a8c8567b9c91592c37cef00c14

SHA256
e6a0b2a1d99f0bb5c7d6f796ff437656cf1a6623c3a76dc281989b185b621925

SHA512
0e384a6d52e7cadec70a4feec42e530ee8f9d47ba4951c93e3b4165d56604bcb3c8065cde507c46998156d104567746cac8cc2365982677ebe5881de395eee85

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
255KB

MD5
5af4356f866f3c030bc2516ba0461494

SHA1
7a43ff77dbf1a1a8c8567b9c91592c37cef00c14

SHA256
e6a0b2a1d99f0bb5c7d6f796ff437656cf1a6623c3a76dc281989b185b621925

SHA512
0e384a6d52e7cadec70a4feec42e530ee8f9d47ba4951c93e3b4165d56604bcb3c8065cde507c46998156d104567746cac8cc2365982677ebe5881de395eee85

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
255KB

MD5
92fad7f7a6fb3cdd2e7f653269b14281

SHA1
b8ec8678750d29e94bf5d304a1a528a747a79420

SHA256
432a0fcf55fcfdbed5d9f09fad2516ceaaa44064538a616dc37d49e607739500

SHA512
c9f093696e6a384e245bbd1e39dd48f90c2ee373eaf4c368246ce82b76f8f78294557da0ef6d1d8076b260d9394648952c417207c04016c5c0e47d41ef989e56

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
255KB

MD5
92fad7f7a6fb3cdd2e7f653269b14281

SHA1
b8ec8678750d29e94bf5d304a1a528a747a79420

SHA256
432a0fcf55fcfdbed5d9f09fad2516ceaaa44064538a616dc37d49e607739500

SHA512
c9f093696e6a384e245bbd1e39dd48f90c2ee373eaf4c368246ce82b76f8f78294557da0ef6d1d8076b260d9394648952c417207c04016c5c0e47d41ef989e56

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
255KB

MD5
fafc640aaef36aec53906961131f27d3

SHA1
40ba4096e2cabe3c9418465da5784b2aed6c6638

SHA256
a8eda7e5c6b8500ebd53ab9851631dc0808b61b4cc086aa502aff846fa344aca

SHA512
fc586b64781cf08f3712a27db1cae314def6bd3babaa733fbd8c4e4545e176484efb2897c7c0730dbf51d66d8d389930ba2311dbd70cd100ed5323915759ff2c

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
255KB

MD5
fafc640aaef36aec53906961131f27d3

SHA1
40ba4096e2cabe3c9418465da5784b2aed6c6638

SHA256
a8eda7e5c6b8500ebd53ab9851631dc0808b61b4cc086aa502aff846fa344aca

SHA512
fc586b64781cf08f3712a27db1cae314def6bd3babaa733fbd8c4e4545e176484efb2897c7c0730dbf51d66d8d389930ba2311dbd70cd100ed5323915759ff2c

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
255KB

MD5
3142423a4ecbb60f0add5d1e3bf788f7

SHA1
2d974be7b10f4a0d5b7d85e5a9b3aae8f4bdc8d8

SHA256
da7a8695efac3d7d0f6df651fb0877053d5f9951b8e5505a078d0e1b2a9e1a9a

SHA512
297594c9f0679140d59eee5ca968eb69f7955265f48c19753ae00a25bc8109fd09e35ed00efd321c56230f79dce133119664e31108c48990b4418f47e62d7da6

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
255KB

MD5
3142423a4ecbb60f0add5d1e3bf788f7

SHA1
2d974be7b10f4a0d5b7d85e5a9b3aae8f4bdc8d8

SHA256
da7a8695efac3d7d0f6df651fb0877053d5f9951b8e5505a078d0e1b2a9e1a9a

SHA512
297594c9f0679140d59eee5ca968eb69f7955265f48c19753ae00a25bc8109fd09e35ed00efd321c56230f79dce133119664e31108c48990b4418f47e62d7da6

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
255KB

MD5
810a1d31728c890365dabff3eea1e501

SHA1
e550d93f980be4fa95ea9501a2dde2f901121393

SHA256
e51ec9f39a7ba8abc9158e85b8a7af3a10d11a9fdcf86003474c9adbf90b7cd2

SHA512
4ae0e8e7bbf11a8d245e10d4688143a082981f52a8614e38994cbf14185c4d09afa8101c1d203d9ac5a107757cff62bc42594694ad6d81d67a70a915f679675f

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
255KB

MD5
810a1d31728c890365dabff3eea1e501

SHA1
e550d93f980be4fa95ea9501a2dde2f901121393

SHA256
e51ec9f39a7ba8abc9158e85b8a7af3a10d11a9fdcf86003474c9adbf90b7cd2

SHA512
4ae0e8e7bbf11a8d245e10d4688143a082981f52a8614e38994cbf14185c4d09afa8101c1d203d9ac5a107757cff62bc42594694ad6d81d67a70a915f679675f

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
255KB

MD5
39aa347b8579889de2db3146be904c55

SHA1
627d1656c408b550108163c44606040c7609095c

SHA256
5daf40d5d8be1a1913074483402b7ea0f1a1d85fb7d1fe68831f47d29b490605

SHA512
5344875690006937e6898f9af91831ccd78bc1bc69d7def1c88b0f9f8a7ec80afdbe8dd0656671c561ec2de9ba405276b98f9801f3af8c828ab6096616bab0bf

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
255KB

MD5
39aa347b8579889de2db3146be904c55

SHA1
627d1656c408b550108163c44606040c7609095c

SHA256
5daf40d5d8be1a1913074483402b7ea0f1a1d85fb7d1fe68831f47d29b490605

SHA512
5344875690006937e6898f9af91831ccd78bc1bc69d7def1c88b0f9f8a7ec80afdbe8dd0656671c561ec2de9ba405276b98f9801f3af8c828ab6096616bab0bf

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
255KB

MD5
c8c78682dca4abed79846c8d5adc3a22

SHA1
cb69e87fdd576d6f59656d43ada7a0c848335e41

SHA256
cbce33c32a0afa8e34943783374862d2d5d79a6cf11e0e4672a6797bfc328e37

SHA512
a79694264a93e618d747fbe2fd095000f1d6e96f2341bc3c50d31f4dfc8b22132d878fa2037e2def7d98c6e1e20b1a04b99ff4d1aa7fa9235f70eed2ed56cb9b

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
255KB

MD5
c8c78682dca4abed79846c8d5adc3a22

SHA1
cb69e87fdd576d6f59656d43ada7a0c848335e41

SHA256
cbce33c32a0afa8e34943783374862d2d5d79a6cf11e0e4672a6797bfc328e37

SHA512
a79694264a93e618d747fbe2fd095000f1d6e96f2341bc3c50d31f4dfc8b22132d878fa2037e2def7d98c6e1e20b1a04b99ff4d1aa7fa9235f70eed2ed56cb9b

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
255KB

MD5
da73faf3c5bed4ab1f679f1cb8bc8c68

SHA1
ff733e6da4002dfc69d8a5c7f1b0bea0e2c21e61

SHA256
5947358689a00327c6ce82501b63c024aacdb239260ee62f9db119f8599f774e

SHA512
616172a755fb9b6e8192c1c1d0b68b3b819dc1710844cceca8557c311235eeb2d1d6bcb96912bd0c3f5f250fde65a2fe6f0a5bb420eaba2b0b9c6c6835d688e1

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
255KB

MD5
da73faf3c5bed4ab1f679f1cb8bc8c68

SHA1
ff733e6da4002dfc69d8a5c7f1b0bea0e2c21e61

SHA256
5947358689a00327c6ce82501b63c024aacdb239260ee62f9db119f8599f774e

SHA512
616172a755fb9b6e8192c1c1d0b68b3b819dc1710844cceca8557c311235eeb2d1d6bcb96912bd0c3f5f250fde65a2fe6f0a5bb420eaba2b0b9c6c6835d688e1

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
255KB

MD5
1916fa12cb794685b0187d155fca627e

SHA1
1bf024cc20a66fde5807a01006e7acafb12a9aa0

SHA256
9c4b744dc6495c48724e67a1add15e13d58ed8f9561b6ec3f1f9f1f9ec508e3a

SHA512
d1a5e4898ad73dace0ccb87c8bf05211c81daa6937eecd20bd35b3a5eca094b668fc582db2542266e6fa2da98333eff780ce9c976caf497932388124e1cffb23

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
255KB

MD5
1916fa12cb794685b0187d155fca627e

SHA1
1bf024cc20a66fde5807a01006e7acafb12a9aa0

SHA256
9c4b744dc6495c48724e67a1add15e13d58ed8f9561b6ec3f1f9f1f9ec508e3a

SHA512
d1a5e4898ad73dace0ccb87c8bf05211c81daa6937eecd20bd35b3a5eca094b668fc582db2542266e6fa2da98333eff780ce9c976caf497932388124e1cffb23

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
255KB

MD5
c716eb95ee7e3101a48ac91b377cedae

SHA1
1d3ba14633437aff98524da6c60ab70b48314f28

SHA256
8b44944fefe74f410bcc0941f0aa1dc8017ded0081e52c38753226b2006f1e15

SHA512
b741772206c47a0daa5948494584532019245811fca8e1c463578502cc08daaa67c9466d05f06fe3723909dc5c62d7d193d94666572d6ae882f3d9fd222cd6dd

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
255KB

MD5
c716eb95ee7e3101a48ac91b377cedae

SHA1
1d3ba14633437aff98524da6c60ab70b48314f28

SHA256
8b44944fefe74f410bcc0941f0aa1dc8017ded0081e52c38753226b2006f1e15

SHA512
b741772206c47a0daa5948494584532019245811fca8e1c463578502cc08daaa67c9466d05f06fe3723909dc5c62d7d193d94666572d6ae882f3d9fd222cd6dd

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
255KB

MD5
0d5855b36b2660ca0679c49ec373a0df

SHA1
8bcd97143360497434b0bb6ccab05f4ac5ef7dbf

SHA256
01c5f08de1e7c19f83bfa2fc9dcb84aceb6e569a985a948c1b44588837779b48

SHA512
37d8b4ad484b16a5908bf6d49bce282beec8858b756e6c6d56b043771bdc6f75d9371cfc7336320ee2037da08c4eefe928b96fbb6525e6346779d1efb8946f0e

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
255KB

MD5
0d5855b36b2660ca0679c49ec373a0df

SHA1
8bcd97143360497434b0bb6ccab05f4ac5ef7dbf

SHA256
01c5f08de1e7c19f83bfa2fc9dcb84aceb6e569a985a948c1b44588837779b48

SHA512
37d8b4ad484b16a5908bf6d49bce282beec8858b756e6c6d56b043771bdc6f75d9371cfc7336320ee2037da08c4eefe928b96fbb6525e6346779d1efb8946f0e

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
255KB

MD5
53ee8d04dd175c13b0c04b49f6ec1798

SHA1
ecd68da33646c00121fb8eb9c3fa7234362a2ee4

SHA256
5713a672ebc7ba69d62feed7e27b63bbc40d080d9552dd33c0e322fcbbbd3055

SHA512
7260e31f2d5dee95904a0a5537601d92b7f5e95c585fbdefe5d448333457f5b08294e5c2e55c03f668c4552fd92d9318a93925822d408163cab17e4c7acf4d16

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
255KB

MD5
53ee8d04dd175c13b0c04b49f6ec1798

SHA1
ecd68da33646c00121fb8eb9c3fa7234362a2ee4

SHA256
5713a672ebc7ba69d62feed7e27b63bbc40d080d9552dd33c0e322fcbbbd3055

SHA512
7260e31f2d5dee95904a0a5537601d92b7f5e95c585fbdefe5d448333457f5b08294e5c2e55c03f668c4552fd92d9318a93925822d408163cab17e4c7acf4d16

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
255KB

MD5
4aa9096e90f43fd493579a039f808ab2

SHA1
647faf6a546ec44911b64792309d279a90ab43c3

SHA256
ba98ab9439c98c994f822012024df71a795869c5588ce5f43c159b8f363e458b

SHA512
b4a9c6aecbdebf2714e484ae6cbac58d97862acedae26282aa8f561ff5e9316ff9ab901b698f9007218dce6ce06782a9f008911710639cbca2b50cd6a203f8c8

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
255KB

MD5
4aa9096e90f43fd493579a039f808ab2

SHA1
647faf6a546ec44911b64792309d279a90ab43c3

SHA256
ba98ab9439c98c994f822012024df71a795869c5588ce5f43c159b8f363e458b

SHA512
b4a9c6aecbdebf2714e484ae6cbac58d97862acedae26282aa8f561ff5e9316ff9ab901b698f9007218dce6ce06782a9f008911710639cbca2b50cd6a203f8c8

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
255KB

MD5
c80c9747072d1e1ff7f29c978612bb88

SHA1
dc21bd0f14c08a3d4f29aac36d7d53e8d832d878

SHA256
6ec4ad06ccfe30496179cea78f61090bbad4603ed03c4789d8e0ff43a5c064be

SHA512
f5b8de4900ae7648aa33537b1925965fc8f002ca07db6d468dbf18aa413e058bdf81017c9d319fb6bf8dc22c1582a1744836577d4acf8625ef1a74ae591ba251

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
255KB

MD5
488416a57cba983282b6a161e6632a03

SHA1
be37ce424e1f1d4a9ea3ef62261f504c23068294

SHA256
b7cc171eed36b2b0f23ecf2462b546e65fdd9ce543bfa07872171adb9af9272b

SHA512
b51e3e18f44f527be44e9822c4085d21046ddf9670a6f74bb6dd2fec37952d245a5f71873b069425062e691d656d962bb3c1ed72c1334d50c73fa78a0b8fef39

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
255KB

MD5
488416a57cba983282b6a161e6632a03

SHA1
be37ce424e1f1d4a9ea3ef62261f504c23068294

SHA256
b7cc171eed36b2b0f23ecf2462b546e65fdd9ce543bfa07872171adb9af9272b

SHA512
b51e3e18f44f527be44e9822c4085d21046ddf9670a6f74bb6dd2fec37952d245a5f71873b069425062e691d656d962bb3c1ed72c1334d50c73fa78a0b8fef39

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
255KB

MD5
06b62c7f119aa792419ade29ab3c22e4

SHA1
05ec34637fad48d63742cea3362a3763cdad8762

SHA256
1e602e04a4e7191cced1dda7d06905fce5154aa470f760f889755f4de2ac21e8

SHA512
b4b2bac9d1168520547289a34054f58572801e84e226c3d92dcaaf2571de210676bc2c316d3e0d5a238fc82d5a4b2f7603cb41aa5ec7892b78498426be72b286

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
255KB

MD5
06b62c7f119aa792419ade29ab3c22e4

SHA1
05ec34637fad48d63742cea3362a3763cdad8762

SHA256
1e602e04a4e7191cced1dda7d06905fce5154aa470f760f889755f4de2ac21e8

SHA512
b4b2bac9d1168520547289a34054f58572801e84e226c3d92dcaaf2571de210676bc2c316d3e0d5a238fc82d5a4b2f7603cb41aa5ec7892b78498426be72b286

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
255KB

MD5
4586d5331be785ea67ffd8674d3bbce8

SHA1
94dc0044d749db2ce2c0129ed9e7f830e177c21f

SHA256
90a43a0541e1fb53ad75420fd315b83789a0b2c363218be371beee805f1276e6

SHA512
573eb7ee6d96dbaeb4878b1c3596a29542d6b342173f7ed012f478660e5ca7eeadd98d321f9cedd197b0f3d716817b5a5965aeae016a6bce6eeaadf9562121cf

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
255KB

MD5
4586d5331be785ea67ffd8674d3bbce8

SHA1
94dc0044d749db2ce2c0129ed9e7f830e177c21f

SHA256
90a43a0541e1fb53ad75420fd315b83789a0b2c363218be371beee805f1276e6

SHA512
573eb7ee6d96dbaeb4878b1c3596a29542d6b342173f7ed012f478660e5ca7eeadd98d321f9cedd197b0f3d716817b5a5965aeae016a6bce6eeaadf9562121cf

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
255KB

MD5
d0e80b8b61b45a9b8ab90972c49f433c

SHA1
005397dbca85ba5f7e01db3dbdd2383c9cf28374

SHA256
3e5ac6f5124ab049ca95e2bf191a9031625bb1bd1b38680ca5b1c3240568c3a4

SHA512
507e0945830f73f6c949c7c1ee026c184b23f11997de6e9bb297dc8423832bd8eee974bca9e0638a49c8ca69dc65fde517b1f56893822c59022d54d17ed8e375

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
255KB

MD5
d0e80b8b61b45a9b8ab90972c49f433c

SHA1
005397dbca85ba5f7e01db3dbdd2383c9cf28374

SHA256
3e5ac6f5124ab049ca95e2bf191a9031625bb1bd1b38680ca5b1c3240568c3a4

SHA512
507e0945830f73f6c949c7c1ee026c184b23f11997de6e9bb297dc8423832bd8eee974bca9e0638a49c8ca69dc65fde517b1f56893822c59022d54d17ed8e375

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
255KB

MD5
4fa6b46244f224683b6ff067044a508c

SHA1
1d34d9486f3d2d7fe608c4e71d7dfb02a2c65105

SHA256
81d196422323a48cf17073572919302380699d45a46cfb22ec2057959b0a6811

SHA512
43d54e3017676cfe7e0dd50d0f591041487ef9fb670ca9271340ccfba2646aff483938792b0d8a5e75fe5414447334b6b8580e43df3446fdd95580ea7e4a0f3e

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
255KB

MD5
4fa6b46244f224683b6ff067044a508c

SHA1
1d34d9486f3d2d7fe608c4e71d7dfb02a2c65105

SHA256
81d196422323a48cf17073572919302380699d45a46cfb22ec2057959b0a6811

SHA512
43d54e3017676cfe7e0dd50d0f591041487ef9fb670ca9271340ccfba2646aff483938792b0d8a5e75fe5414447334b6b8580e43df3446fdd95580ea7e4a0f3e

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
255KB

MD5
9009fa8be9ac3730de001e0dbac0713e

SHA1
a4236757b22576169bee5db780317e08c7d6867c

SHA256
e91ed843cc1a8a5da11ada69e948b0c3c3e1ae7470bc4d2140bd865a6539b17f

SHA512
1d9b35f7826dddfb7a58cbade7467ca07fd1a1b1d0836fdc08d0b9d944881a030f17f140c49c5584a1ca0083e417eba1a5b73a4cd70107ca21af03118333da37

Download Submit
C:\Windows\SysWOW64\Pjeoglgc.exe

Filesize
255KB

MD5
9009fa8be9ac3730de001e0dbac0713e

SHA1
a4236757b22576169bee5db780317e08c7d6867c

SHA256
e91ed843cc1a8a5da11ada69e948b0c3c3e1ae7470bc4d2140bd865a6539b17f

SHA512
1d9b35f7826dddfb7a58cbade7467ca07fd1a1b1d0836fdc08d0b9d944881a030f17f140c49c5584a1ca0083e417eba1a5b73a4cd70107ca21af03118333da37

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
255KB

MD5
6a586a31e9a938ba710a793b87041d85

SHA1
556ce235487a106bc26fbc165ac82264195071ad

SHA256
d742c8f683e23914851b46583b4f299ac0b67654274af76db7da137d880ac06e

SHA512
834ac1d79302f395c479f4cbd598f5bcc9b625eeb9ab29dccd0e1f88153807d8728a253ff1d73899b2c77f383400fb075699ca090de505107fe729dca4492220

Download Submit
C:\Windows\SysWOW64\Pmannhhj.exe

Filesize
255KB

MD5
6a586a31e9a938ba710a793b87041d85

SHA1
556ce235487a106bc26fbc165ac82264195071ad

SHA256
d742c8f683e23914851b46583b4f299ac0b67654274af76db7da137d880ac06e

SHA512
834ac1d79302f395c479f4cbd598f5bcc9b625eeb9ab29dccd0e1f88153807d8728a253ff1d73899b2c77f383400fb075699ca090de505107fe729dca4492220

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
255KB

MD5
e690d0b25158c376117a9e6dfac22385

SHA1
d624e19b1bf4d10d073448140a5d50a7ddf2b163

SHA256
f1eaf12beb9edf3923f54aa7711f2d208cb4a2cf75d912eed7e0cd9728fb4dfb

SHA512
2e6725d38a714d807f67127138ff42a3eba62bdb2f104725885f2c12cd904e2c3f0a6194ede4b39cbed0b73919207e9cd3b3c7b87194b3cee4a0e8fc5585f64f

Download Submit
C:\Windows\SysWOW64\Pnfdcjkg.exe

Filesize
255KB

MD5
e690d0b25158c376117a9e6dfac22385

SHA1
d624e19b1bf4d10d073448140a5d50a7ddf2b163

SHA256
f1eaf12beb9edf3923f54aa7711f2d208cb4a2cf75d912eed7e0cd9728fb4dfb

SHA512
2e6725d38a714d807f67127138ff42a3eba62bdb2f104725885f2c12cd904e2c3f0a6194ede4b39cbed0b73919207e9cd3b3c7b87194b3cee4a0e8fc5585f64f

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
255KB

MD5
c2b5829ab2093bab5bd1950a0104f1e0

SHA1
d94ccf688c01932288b566909b8b1bc5a5b13ea5

SHA256
4022f1c43f5d98e14c77d89c5b3c6b50588ab15d2f6473a4a3393ebb75d51d2c

SHA512
4696b9024d5c778c70c9ccaf6be96d9d59b6d4f79a5717371001d45a7079126f8f5524d8a566abb357e0b76bee6dff87b05cca99cabd615f1209eeeb450f1298

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
255KB

MD5
c2b5829ab2093bab5bd1950a0104f1e0

SHA1
d94ccf688c01932288b566909b8b1bc5a5b13ea5

SHA256
4022f1c43f5d98e14c77d89c5b3c6b50588ab15d2f6473a4a3393ebb75d51d2c

SHA512
4696b9024d5c778c70c9ccaf6be96d9d59b6d4f79a5717371001d45a7079126f8f5524d8a566abb357e0b76bee6dff87b05cca99cabd615f1209eeeb450f1298

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
255KB

MD5
e67df5d4dda12f5b46467cc8f1d1aa68

SHA1
bdc57c87f81a0cbc37cf4dd8f7bc8d7bbf3ded07

SHA256
0c548fd19b60e1f6cda97d2c22332828d0867ea6289dd0f142835aa6543a2050

SHA512
a72b7086811511b0e9518b141318573128f4b2bad70488938750655ede0d9679dcaf8c7d93d9574f1b325f1be9b605f60864f39d9cdb3c4f9284e8b7dee2350a

Download Submit
C:\Windows\SysWOW64\Pqknig32.exe

Filesize
255KB

MD5
e67df5d4dda12f5b46467cc8f1d1aa68

SHA1
bdc57c87f81a0cbc37cf4dd8f7bc8d7bbf3ded07

SHA256
0c548fd19b60e1f6cda97d2c22332828d0867ea6289dd0f142835aa6543a2050

SHA512
a72b7086811511b0e9518b141318573128f4b2bad70488938750655ede0d9679dcaf8c7d93d9574f1b325f1be9b605f60864f39d9cdb3c4f9284e8b7dee2350a

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
255KB

MD5
36643ec7d9209812060d4fed2c441ddf

SHA1
2214ae27283218526ef2a1c87a05dd53389bc6f7

SHA256
0e13641bfd341efd2542d13a85948978d81bed651c729223f20b71bc4aa06a3f

SHA512
ec748c34e680c4c6212a6b0957330265a32bdb1d09bb32e958386770b024a0d4005ea347a87252de5c3c3bd1d176bf9e3f2ff4719e7d702b039b789c25db138b

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
255KB

MD5
36643ec7d9209812060d4fed2c441ddf

SHA1
2214ae27283218526ef2a1c87a05dd53389bc6f7

SHA256
0e13641bfd341efd2542d13a85948978d81bed651c729223f20b71bc4aa06a3f

SHA512
ec748c34e680c4c6212a6b0957330265a32bdb1d09bb32e958386770b024a0d4005ea347a87252de5c3c3bd1d176bf9e3f2ff4719e7d702b039b789c25db138b

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
255KB

MD5
d7a9c235aadeff009c3ce69a52a7f052

SHA1
d0bf49e6fe0bf2f0d633252b230283892707a4a0

SHA256
169661ef5f668259d896ec0426b34d393dd3bf896750b5457f821e6efde87af5

SHA512
8bdc8574b95ea7e4c42eb753f3286ad6a785c12a1ca0bb11edecd12755cf0acdc459dd7410190866e7ec160841072f183f83b60cf03118c4f170dcfe9c3dce5c

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
255KB

MD5
d7a9c235aadeff009c3ce69a52a7f052

SHA1
d0bf49e6fe0bf2f0d633252b230283892707a4a0

SHA256
169661ef5f668259d896ec0426b34d393dd3bf896750b5457f821e6efde87af5

SHA512
8bdc8574b95ea7e4c42eb753f3286ad6a785c12a1ca0bb11edecd12755cf0acdc459dd7410190866e7ec160841072f183f83b60cf03118c4f170dcfe9c3dce5c

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
255KB

MD5
d2968bcd8137c71281567632253d205d

SHA1
c3ccbd13075ef7432b1acad36591a4b79a4d34ed

SHA256
c3029b983cf21a606cd083a6747da3563ac53be50121d852baafe65cd3df46b6

SHA512
d167d9bd8253352c58f57301432412fbbeefa43ad7135d57ff525fde3cb8be2bb67ccaa2b90ab9f5620c4bc0bad9a5363f5ef088b26c4e1c2c31f4d86b2a8ef6

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
255KB

MD5
d2968bcd8137c71281567632253d205d

SHA1
c3ccbd13075ef7432b1acad36591a4b79a4d34ed

SHA256
c3029b983cf21a606cd083a6747da3563ac53be50121d852baafe65cd3df46b6

SHA512
d167d9bd8253352c58f57301432412fbbeefa43ad7135d57ff525fde3cb8be2bb67ccaa2b90ab9f5620c4bc0bad9a5363f5ef088b26c4e1c2c31f4d86b2a8ef6

Download Submit
memory/472-240-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/472-168-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/544-239-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/544-185-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/888-21-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-258-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1040-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1180-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1180-253-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-121-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1360-246-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-255-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1632-213-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-242-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1712-160-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1796-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1796-247-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1900-245-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1900-129-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2260-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-251-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2300-81-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2340-249-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2340-97-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2540-181-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2568-5-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2684-252-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2684-73-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2784-205-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-257-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2924-28-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3224-137-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3224-244-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3352-153-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3352-241-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-250-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3356-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3516-254-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3516-49-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4012-217-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4012-236-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-105-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4040-248-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4172-69-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4632-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4632-237-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-243-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4680-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-193-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4888-238-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4900-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4924-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4924-256-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads