af1ff0ebb0f38761937a8dd4c15726f08d9710734edcc13278995e3c0f8c015b

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
03/01/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Size

304KB
MD5

f22ed8abc1496dc0ec0ea4aa76dab29c
SHA1

90160eb2b35299b9d3c9402718c457c108a44320
SHA256

af1ff0ebb0f38761937a8dd4c15726f08d9710734edcc13278995e3c0f8c015b
SHA512

a72a7954215c88815d6c64dc0320bd947b6c46c0fba1d902df5af5a8cad816210183ecadbdb5630efc14239fdbe704d6f7a4ebf9a15f8a9f98ba6ed6298f73d5
SSDEEP

3072:5LC4v3LcWMZeDe5wkpHxGkIs6COoU60EaBNNVBZr6y2WU+XfiR:55bcZsVCAkOCOu0EajNVBZr6y2WXQ

Score

10^/10

backdoor dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmojocel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfpnmj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmojocel.exe

Malware Dropper & Backdoor - Berbew 39 IoCs

Berbew is a backdoor Trojan malware with capabilities to download and install a range of additional malicious software, such as other Trojans, ransomware, and cryptominers.

backdoor trojan dropper

resource	yara_rule
behavioral1/memory/2208-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/files/0x0008000000012248-5.dat	family_berbew
behavioral1/files/0x002c00000001529f-21.dat	family_berbew
behavioral1/memory/2260-18-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/2812-37-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/2764-56-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/files/0x0008000000015c1b-40.dat	family_berbew
behavioral1/files/0x0007000000015be4-39.dat	family_berbew
behavioral1/memory/2784-57-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d27-61.dat	family_berbew
behavioral1/memory/2624-74-0x0000000000290000-0x00000000002D1000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d48-72.dat	family_berbew
behavioral1/memory/2624-71-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/files/0x0006000000016d56-86.dat	family_berbew
behavioral1/files/0x002a00000001552e-99.dat	family_berbew
behavioral1/memory/2500-88-0x0000000000330000-0x0000000000371000-memory.dmp	family_berbew
behavioral1/memory/2500-84-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/1636-107-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/336-101-0x0000000000220000-0x0000000000261000-memory.dmp	family_berbew
behavioral1/files/0x00060000000170b7-113.dat	family_berbew
behavioral1/memory/2848-120-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/files/0x0006000000017539-126.dat	family_berbew
behavioral1/files/0x0005000000018671-139.dat	family_berbew
behavioral1/memory/1632-152-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/1568-153-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/files/0x0005000000018714-154.dat	family_berbew
behavioral1/memory/1684-161-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/files/0x0006000000018aed-167.dat	family_berbew
behavioral1/files/0x0006000000018b20-176.dat	family_berbew
behavioral1/memory/1668-180-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/1548-193-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/files/0x0006000000018b4d-200.dat	family_berbew
behavioral1/memory/2016-201-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/2208-206-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/2500-207-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/336-208-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/1636-209-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/2848-210-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral1/memory/1684-211-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew

Executes dropped EXE 15 IoCs

pid	Process
2260	Ogmhkmki.exe
2812	Pnimnfpc.exe
2784	Pqhijbog.exe
2764	Pmojocel.exe
2624	Pcibkm32.exe
2500	Qkhpkoen.exe
336	Anlfbi32.exe
1636	Achojp32.exe
2848	Aaolidlk.exe
1568	Abbeflpf.exe
1632	Bfpnmj32.exe
1684	Bonoflae.exe
1668	Bmclhi32.exe
1548	Cfnmfn32.exe
2016	Cacacg32.exe

Loads dropped DLL 34 IoCs

pid	Process
2208	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
2208	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
2260	Ogmhkmki.exe
2260	Ogmhkmki.exe
2812	Pnimnfpc.exe
2812	Pnimnfpc.exe
2784	Pqhijbog.exe
2784	Pqhijbog.exe
2764	Pmojocel.exe
2764	Pmojocel.exe
2624	Pcibkm32.exe
2624	Pcibkm32.exe
2500	Qkhpkoen.exe
2500	Qkhpkoen.exe
336	Anlfbi32.exe
336	Anlfbi32.exe
1636	Achojp32.exe
1636	Achojp32.exe
2848	Aaolidlk.exe
2848	Aaolidlk.exe
1568	Abbeflpf.exe
1568	Abbeflpf.exe
1632	Bfpnmj32.exe
1632	Bfpnmj32.exe
1684	Bonoflae.exe
1684	Bonoflae.exe
1668	Bmclhi32.exe
1668	Bmclhi32.exe
1548	Cfnmfn32.exe
1548	Cfnmfn32.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe
3000	WerFault.exe

Drops file in System32 directory 45 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pqhijbog.exe	Pnimnfpc.exe
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Pmojocel.exe
File created	C:\Windows\SysWOW64\Anlfbi32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Bonoflae.exe
File created	C:\Windows\SysWOW64\Cfnmfn32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Qkhpkoen.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Anlfbi32.exe	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Odmoin32.dll	Qkhpkoen.exe
File created	C:\Windows\SysWOW64\Okbekdoi.dll	Anlfbi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfpnmj32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Mabanhgg.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Ihlfga32.dll	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
File created	C:\Windows\SysWOW64\Pmojocel.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Qkhpkoen.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Abbeflpf.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Aaolidlk.exe	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Bonoflae.exe	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Anlfbi32.exe
File created	C:\Windows\SysWOW64\Bfpnmj32.exe	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Jhgkeald.dll	Abbeflpf.exe
File created	C:\Windows\SysWOW64\Nmqalo32.dll	Ogmhkmki.exe
File opened for modification	C:\Windows\SysWOW64\Pqhijbog.exe	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Pmojocel.exe	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Adagkoae.dll	Pqhijbog.exe
File created	C:\Windows\SysWOW64\Qhiphb32.dll	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Bonoflae.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Ogmhkmki.exe	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pmojocel.exe
File opened for modification	C:\Windows\SysWOW64\Cfnmfn32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bonoflae.exe	Bfpnmj32.exe
File created	C:\Windows\SysWOW64\Eignpade.dll	Bfpnmj32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Ogmhkmki.exe	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
File created	C:\Windows\SysWOW64\Pnimnfpc.exe	Ogmhkmki.exe
File opened for modification	C:\Windows\SysWOW64\Pnimnfpc.exe	Ogmhkmki.exe
File created	C:\Windows\SysWOW64\Bfqgjgep.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Gmfkdm32.dll	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Bpodeegi.dll	Pnimnfpc.exe
File opened for modification	C:\Windows\SysWOW64\Aaolidlk.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Abbeflpf.exe	Aaolidlk.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Bonoflae.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	2016	WerFault.exe	42

Modifies registry class 48 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll"	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmqalo32.dll"	Ogmhkmki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqhijbog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqgjgep.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfkdm32.dll"	Aaolidlk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgkeald.dll"	Abbeflpf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adagkoae.dll"	Pqhijbog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogmhkmki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pnimnfpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmoin32.dll"	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aaolidlk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f22ed8abc1496dc0ec0ea4aa76dab29c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll"	Pmojocel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qkhpkoen.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Bonoflae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmojocel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qkhpkoen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anlfbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Abbeflpf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpodeegi.dll"	Pnimnfpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhiphb32.dll"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okbekdoi.dll"	Anlfbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eignpade.dll"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfpnmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bonoflae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2260	2208	f22ed8abc1496dc0ec0ea4aa76dab29c.exe	28
PID 2208 wrote to memory of 2260	2208	f22ed8abc1496dc0ec0ea4aa76dab29c.exe	28
PID 2208 wrote to memory of 2260	2208	f22ed8abc1496dc0ec0ea4aa76dab29c.exe	28
PID 2208 wrote to memory of 2260	2208	f22ed8abc1496dc0ec0ea4aa76dab29c.exe	28
PID 2260 wrote to memory of 2812	2260	Ogmhkmki.exe	29
PID 2260 wrote to memory of 2812	2260	Ogmhkmki.exe	29
PID 2260 wrote to memory of 2812	2260	Ogmhkmki.exe	29
PID 2260 wrote to memory of 2812	2260	Ogmhkmki.exe	29
PID 2812 wrote to memory of 2784	2812	Pnimnfpc.exe	30
PID 2812 wrote to memory of 2784	2812	Pnimnfpc.exe	30
PID 2812 wrote to memory of 2784	2812	Pnimnfpc.exe	30
PID 2812 wrote to memory of 2784	2812	Pnimnfpc.exe	30
PID 2784 wrote to memory of 2764	2784	Pqhijbog.exe	31
PID 2784 wrote to memory of 2764	2784	Pqhijbog.exe	31
PID 2784 wrote to memory of 2764	2784	Pqhijbog.exe	31
PID 2784 wrote to memory of 2764	2784	Pqhijbog.exe	31
PID 2764 wrote to memory of 2624	2764	Pmojocel.exe	32
PID 2764 wrote to memory of 2624	2764	Pmojocel.exe	32
PID 2764 wrote to memory of 2624	2764	Pmojocel.exe	32
PID 2764 wrote to memory of 2624	2764	Pmojocel.exe	32
PID 2624 wrote to memory of 2500	2624	Pcibkm32.exe	33
PID 2624 wrote to memory of 2500	2624	Pcibkm32.exe	33
PID 2624 wrote to memory of 2500	2624	Pcibkm32.exe	33
PID 2624 wrote to memory of 2500	2624	Pcibkm32.exe	33
PID 2500 wrote to memory of 336	2500	Qkhpkoen.exe	34
PID 2500 wrote to memory of 336	2500	Qkhpkoen.exe	34
PID 2500 wrote to memory of 336	2500	Qkhpkoen.exe	34
PID 2500 wrote to memory of 336	2500	Qkhpkoen.exe	34
PID 336 wrote to memory of 1636	336	Anlfbi32.exe	35
PID 336 wrote to memory of 1636	336	Anlfbi32.exe	35
PID 336 wrote to memory of 1636	336	Anlfbi32.exe	35
PID 336 wrote to memory of 1636	336	Anlfbi32.exe	35
PID 1636 wrote to memory of 2848	1636	Achojp32.exe	36
PID 1636 wrote to memory of 2848	1636	Achojp32.exe	36
PID 1636 wrote to memory of 2848	1636	Achojp32.exe	36
PID 1636 wrote to memory of 2848	1636	Achojp32.exe	36
PID 2848 wrote to memory of 1568	2848	Aaolidlk.exe	37
PID 2848 wrote to memory of 1568	2848	Aaolidlk.exe	37
PID 2848 wrote to memory of 1568	2848	Aaolidlk.exe	37
PID 2848 wrote to memory of 1568	2848	Aaolidlk.exe	37
PID 1568 wrote to memory of 1632	1568	Abbeflpf.exe	38
PID 1568 wrote to memory of 1632	1568	Abbeflpf.exe	38
PID 1568 wrote to memory of 1632	1568	Abbeflpf.exe	38
PID 1568 wrote to memory of 1632	1568	Abbeflpf.exe	38
PID 1632 wrote to memory of 1684	1632	Bfpnmj32.exe	39
PID 1632 wrote to memory of 1684	1632	Bfpnmj32.exe	39
PID 1632 wrote to memory of 1684	1632	Bfpnmj32.exe	39
PID 1632 wrote to memory of 1684	1632	Bfpnmj32.exe	39
PID 1684 wrote to memory of 1668	1684	Bonoflae.exe	40
PID 1684 wrote to memory of 1668	1684	Bonoflae.exe	40
PID 1684 wrote to memory of 1668	1684	Bonoflae.exe	40
PID 1684 wrote to memory of 1668	1684	Bonoflae.exe	40
PID 1668 wrote to memory of 1548	1668	Bmclhi32.exe	41
PID 1668 wrote to memory of 1548	1668	Bmclhi32.exe	41
PID 1668 wrote to memory of 1548	1668	Bmclhi32.exe	41
PID 1668 wrote to memory of 1548	1668	Bmclhi32.exe	41
PID 1548 wrote to memory of 2016	1548	Cfnmfn32.exe	42
PID 1548 wrote to memory of 2016	1548	Cfnmfn32.exe	42
PID 1548 wrote to memory of 2016	1548	Cfnmfn32.exe	42
PID 1548 wrote to memory of 2016	1548	Cfnmfn32.exe	42
PID 2016 wrote to memory of 3000	2016	Cacacg32.exe	43
PID 2016 wrote to memory of 3000	2016	Cacacg32.exe	43
PID 2016 wrote to memory of 3000	2016	Cacacg32.exe	43
PID 2016 wrote to memory of 3000	2016	Cacacg32.exe	43

C:\Users\Admin\AppData\Local\Temp\f22ed8abc1496dc0ec0ea4aa76dab29c.exe
"C:\Users\Admin\AppData\Local\Temp\f22ed8abc1496dc0ec0ea4aa76dab29c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\SysWOW64\Ogmhkmki.exe
  C:\Windows\system32\Ogmhkmki.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\Pnimnfpc.exe
    C:\Windows\system32\Pnimnfpc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Pqhijbog.exe
      C:\Windows\system32\Pqhijbog.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\Pmojocel.exe
        
        C:\Windows\system32\Pmojocel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Qkhpkoen.exe
        
        C:\Windows\system32\Qkhpkoen.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Anlfbi32.exe
        
        C:\Windows\system32\Anlfbi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:336
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Aaolidlk.exe
        
        C:\Windows\system32\Aaolidlk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Abbeflpf.exe
        
        C:\Windows\system32\Abbeflpf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Bfpnmj32.exe
        
        C:\Windows\system32\Bfpnmj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Bonoflae.exe
        
        C:\Windows\system32\Bonoflae.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 140
        17⤵
        Loads dropped DLL
        Program crash
        
        PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adagkoae.dll

Filesize
7KB

MD5
db7b7e9b91c6ec8c9b8dfd3250e80233

SHA1
a0ce2bf5fd248e9447d9424b83db58b3eed251f7

SHA256
ac9afed7e6498cf4d268f8184f729a5830ffb2be629ebf6a4543685ccf377b16

SHA512
7651e6d56f35bd48cf983a21acad3ea2ae05573ae6a6dd10aeb2b8d9d31d12a6e41e9cecbaa2266d2181bfaa8c7f1303393e6f2dc973cea230b62aba6ab65da5

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
304KB

MD5
e305994fc593c5d910a54ffa818d7d7b

SHA1
e640593f2d17e46acec88e54074c761b38ab85d9

SHA256
33c49854617fcbf77640f252e285185429eb5a654d3842fd39fde31fb0dedd72

SHA512
b131dd4a830d337ccc287a02ec65373fa421a2455063bf801f331b70d366ea9edee30eec8bc9913846350081fce01ac5179e7484ecfca3e06d4217213cb055a5

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
304KB

MD5
5a3f0afab70a0a1e8e1a254dc86fd918

SHA1
24f18e1881ca3f9e64ae2d45de1782e9b018dc26

SHA256
cd7d37a516489c2d7f49de0ab76dde6ab11fcada99bc0afa7c6f670a51655b95

SHA512
a7d46ef0199cd73445a6e9fb57d05978d4763089ecc6a4938751b63e292fcf40c32c58a0ea81876ed14a686018324163bdc6c8ae2d1d3b5f6bce34d1dd6aeb2d

Download Submit
C:\Windows\SysWOW64\Pcibkm32.exe

Filesize
304KB

MD5
0d63157c92dcdf6b7435d996cefa6770

SHA1
49e4622463800e23d50ee0fe51458bfafa6b13b8

SHA256
f33c36c818e0d993fd44ed902c218148fc94792ca54640312b54cb0e5c272979

SHA512
a9d60ae68082d7b98ae439de7068b5a1d3e68405e8d98963e3c52f32e87bf6d0e72d56478cd200f2f7dcf60eaf5051ecdfa85b237281e1163b2ec6aea60a86fd

Download Submit
C:\Windows\SysWOW64\Pmojocel.exe

Filesize
304KB

MD5
192d36c454f997a5da1843ec141cc501

SHA1
17fc44609d50c0600422fe5a2501ac2e690c73ea

SHA256
e0363fec736cd258fa964464617c189a88bbf1ed65c737d97becaba1f01fd1f2

SHA512
4741cd67a29e2c3fec023a3be4606aa83901d57a9699860f6b1236fbd6459695b956ffc0783ad936f5328f46a1c91e57db1c5cfe14a23d45b3af5b31376298de

Download Submit
C:\Windows\SysWOW64\Pqhijbog.exe

Filesize
304KB

MD5
7ad7b68df2bc8bb5b60239372c808f45

SHA1
93792ee6e4905945adada4c00428359dfd0d06fe

SHA256
af66acf6a075a41fa48474d887b098b36469683c7b853229a47b53aa9329c37b

SHA512
2a4c101d09e6915c19dc9ff57445d0d525b409af5c2a2fac9792cdad47c7d68cceb92596b6fb9cb71e0e2f9e07c16db410719c14e02e6c90f39e707d0b29b4ad

Download Submit
\Windows\SysWOW64\Aaolidlk.exe

Filesize
304KB

MD5
4a436220d85426bf36f87ed85688ec63

SHA1
2e8c9989508bfd52958be7bc7092610f9e025267

SHA256
73a3d2a256e28b56daff8dfe7e2b5ccad9a8192e7fda382691184a899a315816

SHA512
120fc36353541f764fc02a54bb9fba9299f991aebed5cb48c32887386f8eab8263bdc3da299738af1901a45055a3e8146fb0f992265aec9ca4bd69264fb97714

Download Submit
\Windows\SysWOW64\Abbeflpf.exe

Filesize
304KB

MD5
1a9001788e99e796145151e967236695

SHA1
658b9949a913a7eb7c660ef89cd7fc92f2ba312d

SHA256
8939e3ee5333f1a4f637a683b8f425c47447ff0860493964cf617d3fed90764e

SHA512
feb801bf00b340c26026131c11714f0c274d503ee248f35517b81cb51292848528503db36610b04e64f4ff5b99c9ba661fa9a40c0e0ad3530ed026de332deb80

Download Submit
\Windows\SysWOW64\Achojp32.exe

Filesize
304KB

MD5
4a9c845fb592c68adfeed4eb41933cfc

SHA1
31b729c75a4437ff98b920a0ea7d3674d118421a

SHA256
c357c49aaddd4a1f669f192ae3d5d97345c963bd880a0b9537125f1749998b6e

SHA512
6fe12c3b952046f3fc86438cf747b15a8ff022e0f642e264f5b39b2666e13545eedffe04959f71250c16751a18c2a573b434bd4d7e1f548905ef6cca38955950

Download Submit
\Windows\SysWOW64\Anlfbi32.exe

Filesize
304KB

MD5
31bdce1e299467002d65032a3802ddf5

SHA1
a4bbc32c615be7291b33d3374720b9773a10ef5c

SHA256
8a8dda6e4107a11bd7bd45842d067c1d34bb69c851161fe53a32e5d24fece754

SHA512
bf4d9cd1f50533c0f2a469533f3b00148176c8ad49cccedd79d96f053cd387e9875f6ae36ac86606f10d9da067eaa0386f4a85deac2a110d9661efe1bb2869d7

Download Submit
\Windows\SysWOW64\Bfpnmj32.exe

Filesize
304KB

MD5
cf6da1b82d0681028b23db6a78293243

SHA1
865ada82b50d2659651083b86f884c3112d90f1d

SHA256
27f40653015daa496311e9e3fef0f23010652fff779c2ae0fdc1789efd88c4ff

SHA512
534d6c82672a24c956c3a6b17faf2851f636d03ee9d23325e7ab1af5b78c0829de14a431dac2dabbddde46dcd341d7d61a6346c39c5d207100917dd233569c6f

Download Submit
\Windows\SysWOW64\Bmclhi32.exe

Filesize
304KB

MD5
d80e8537a4e86f526be4f9bd60ad5ef8

SHA1
d2b8f0739a279f15b0ae6c3bfb464a32220d4216

SHA256
89afb575e093f2a3f324d56442faf65c15f06a22f3518e4522f3457ab2ad4824

SHA512
3d8554998cba401d4df2fa2436070116fe0fb3063edb4718d5c566e7e9608974c95e7b7975f4ff7858abcd7dc37f7ed059827eed35a1a70ce9fd0e04980912ee

Download Submit
\Windows\SysWOW64\Bonoflae.exe

Filesize
304KB

MD5
fc81006ea1bebb1534258f9e2c3e37e7

SHA1
8a2d2d6fd4a55c2b55d37e2e1a851ecb0c07aff7

SHA256
241d4699e54f4663df71a7354d91bd8a0e62385755a66661ddda13ce17bae733

SHA512
6127c5a2454cf07168b03567952e7ef4b9ecfa6e9575a0855443c206895192844dd2d6299808066dc4f355beea2c7de5150f2b79ae8ae90d187d67f448b99f58

Download Submit
\Windows\SysWOW64\Ogmhkmki.exe

Filesize
304KB

MD5
7584c287f28d3481b0d7569242dc58e4

SHA1
9989cb77c79cb500dfb48e28861962c6b9c5b4b7

SHA256
29e86a973d6c589e6da6e060929055f48d908ce5a4c50eb5b82bc9f18c8cc13f

SHA512
b221ced9e74c1148a3eb964d06451c7ad9e29bc3fa65e2ffc7f3a092de88a337913705da0c0ca5d30b2db5d521ef9b4e6ee1e5918f8ae1568cc678463764c5f5

Download Submit
\Windows\SysWOW64\Pnimnfpc.exe

Filesize
304KB

MD5
d96b2eae55f9fe0c228b976fd7ee8959

SHA1
5d06b0e911f7aa2c5abf68308fc96000be99cc02

SHA256
841dce214364da8db158736b2f96a067d3c9d9fc4deb83d8bd101f92c634185b

SHA512
11ebefa03f800f9186874bebe9a8f4564587a4f72618e2ac2bd235310823faca862c8bd2b2b4e3fb9dbf9ed4200b8e27f0045ea836d9e8c6d0e7f9cc4fa07ada

Download Submit
\Windows\SysWOW64\Qkhpkoen.exe

Filesize
304KB

MD5
5154410ab0edb15c9836636c677f1342

SHA1
a3522cc2fd6ebe85e3fd8992f04f7f6d32c42681

SHA256
0110d098bd057424ed889e1cd739a3a4a05120fe41553fe8e9413bd011e91617

SHA512
65c3e4fa315b1c2576903129430e2cb4aa7555d83019dfd9821017b5f0d1c33250d0de35477bff4877af0dd8ddf75bd15a17cea63bbea3ffe54ef92abf37eab4

Download Submit
memory/336-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/336-101-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1548-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1568-146-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/1632-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-209-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1636-107-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1668-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1684-173-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/1684-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1684-211-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2016-201-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-11-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2260-18-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-88-0x0000000000330000-0x0000000000371000-memory.dmp

Filesize
260KB

Download
memory/2500-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-84-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2624-74-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2624-71-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2764-66-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2784-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2812-37-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2848-133-0x0000000000220000-0x0000000000261000-memory.dmp

Filesize
260KB

Download
memory/2848-210-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2848-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads