25f92833e21e3c751bb3c087c01835030e6b20edff14e964b93046944cab9a17

Analysis

max time kernel
17s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
21/10/2023, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Size

378KB
MD5

eb086d45f528914ae6c06dc752cc79f0
SHA1

bbab7a08282120e4d6dc779471243a1c97b269fa
SHA256

25f92833e21e3c751bb3c087c01835030e6b20edff14e964b93046944cab9a17
SHA512

a93c2ca1fed7fe690dae8b98fc446dd57b9f8d54facbcdf7a54712d666ca1da98653edf535f20f741b0d19acbab298e7dbac651378f828faf5b14d64c3c537e7
SSDEEP

6144:9q7FQhEgn1EgeYr75lHzpaF2e6UK+42GTQMJSZO5f7M0rx7/hP66qve6UK+42GT9:cBQhEgnGgeYr75lTefkY660fIaDZkY61

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omdieb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adepji32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njedbjej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdeiqgkj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pblajhje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofckhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocgkan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pakdbp32.exe

Malware Backdoor - Berbew 40 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/files/0x00070000000230a9-6.dat	family_berbew
behavioral2/files/0x00070000000230a9-8.dat	family_berbew
behavioral2/files/0x00060000000230ad-14.dat	family_berbew
behavioral2/files/0x00060000000230ad-16.dat	family_berbew
behavioral2/files/0x00060000000230af-17.dat	family_berbew
behavioral2/files/0x00060000000230af-22.dat	family_berbew
behavioral2/files/0x00060000000230af-24.dat	family_berbew
behavioral2/files/0x00060000000230b1-32.dat	family_berbew
behavioral2/files/0x00060000000230b1-30.dat	family_berbew
behavioral2/files/0x00060000000230b3-38.dat	family_berbew
behavioral2/files/0x00060000000230b3-40.dat	family_berbew
behavioral2/files/0x00060000000230b5-41.dat	family_berbew
behavioral2/files/0x00060000000230b5-46.dat	family_berbew
behavioral2/files/0x00060000000230b5-48.dat	family_berbew
behavioral2/files/0x00060000000230b7-54.dat	family_berbew
behavioral2/files/0x00060000000230b7-56.dat	family_berbew
behavioral2/files/0x00060000000230b9-62.dat	family_berbew
behavioral2/files/0x00060000000230b9-64.dat	family_berbew
behavioral2/files/0x00060000000230bb-70.dat	family_berbew
behavioral2/files/0x00060000000230bb-71.dat	family_berbew
behavioral2/files/0x00060000000230bd-78.dat	family_berbew
behavioral2/files/0x00060000000230bd-80.dat	family_berbew
behavioral2/files/0x00060000000230bf-86.dat	family_berbew
behavioral2/files/0x00060000000230bf-88.dat	family_berbew
behavioral2/files/0x00060000000230c1-89.dat	family_berbew
behavioral2/files/0x00060000000230c1-94.dat	family_berbew
behavioral2/files/0x00060000000230c1-96.dat	family_berbew
behavioral2/files/0x00060000000230c3-102.dat	family_berbew
behavioral2/files/0x00060000000230c3-103.dat	family_berbew
behavioral2/files/0x00060000000230c5-105.dat	family_berbew
behavioral2/files/0x00060000000230c5-110.dat	family_berbew
behavioral2/files/0x00060000000230c5-111.dat	family_berbew
behavioral2/files/0x00060000000230c7-118.dat	family_berbew
behavioral2/files/0x00060000000230c7-120.dat	family_berbew
behavioral2/files/0x00060000000230c9-126.dat	family_berbew
behavioral2/files/0x00060000000230c9-127.dat	family_berbew
behavioral2/files/0x00060000000230cb-134.dat	family_berbew
behavioral2/files/0x00060000000230cb-136.dat	family_berbew
behavioral2/files/0x00060000000230cd-142.dat	family_berbew
behavioral2/files/0x00060000000230cd-144.dat	family_berbew

Executes dropped EXE 18 IoCs

pid	Process
4168	Njedbjej.exe
2604	Nimmifgo.exe
4176	Ofckhj32.exe
3944	Ocgkan32.exe
3768	Ofgdcipq.exe
2052	Omdieb32.exe
3872	Pbekii32.exe
4684	Pakdbp32.exe
3744	Pblajhje.exe
212	Abcgjg32.exe
1556	Adepji32.exe
568	Ajdbac32.exe
1496	Bmdkcnie.exe
3008	Bdapehop.exe
1500	Bdeiqgkj.exe
2368	Cbkfbcpb.exe
3244	Cdolgfbp.exe
3844	Diqnjl32.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pblajhje.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Ogmeemdg.dll	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Phgibp32.dll	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bdapehop.exe
File opened for modification	C:\Windows\SysWOW64\Cdolgfbp.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Ocgkan32.exe
File opened for modification	C:\Windows\SysWOW64\Ofgdcipq.exe	Ocgkan32.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Cbkfbcpb.exe
File opened for modification	C:\Windows\SysWOW64\Nimmifgo.exe	Njedbjej.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Ckjfdocc.dll	Pblajhje.exe
File created	C:\Windows\SysWOW64\Olqjha32.dll	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Bmdkcnie.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Njedbjej.exe	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Omdieb32.exe
File opened for modification	C:\Windows\SysWOW64\Ocgkan32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Bdeiqgkj.exe
File opened for modification	C:\Windows\SysWOW64\Bdeiqgkj.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Ajdbac32.exe	Adepji32.exe
File created	C:\Windows\SysWOW64\Bdapehop.exe	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Pakdbp32.exe	Pbekii32.exe
File opened for modification	C:\Windows\SysWOW64\Adepji32.exe	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	Adepji32.exe
File opened for modification	C:\Windows\SysWOW64\Bmdkcnie.exe	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Njedbjej.exe
File created	C:\Windows\SysWOW64\Omdieb32.exe	Ofgdcipq.exe
File opened for modification	C:\Windows\SysWOW64\Cbkfbcpb.exe	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Anlkecaj.dll	Omdieb32.exe
File created	C:\Windows\SysWOW64\Ldbhiiol.dll	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Cdolgfbp.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Gflonn32.dll	Ofgdcipq.exe
File opened for modification	C:\Windows\SysWOW64\Abcgjg32.exe	Pblajhje.exe
File created	C:\Windows\SysWOW64\Adepji32.exe	Abcgjg32.exe
File created	C:\Windows\SysWOW64\Ocgkan32.exe	Ofckhj32.exe
File created	C:\Windows\SysWOW64\Mpiedk32.dll	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Deaiemli.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	Adepji32.exe
File created	C:\Windows\SysWOW64\Pjcfndog.dll	Bdapehop.exe
File created	C:\Windows\SysWOW64\Ejnnldhi.dll	Bdeiqgkj.exe
File created	C:\Windows\SysWOW64\Nimmifgo.exe	Njedbjej.exe
File created	C:\Windows\SysWOW64\Gejimf32.dll	Ocgkan32.exe
File opened for modification	C:\Windows\SysWOW64\Ofckhj32.exe	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Bdapehop.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Ofckhj32.exe	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Omdieb32.exe	Ofgdcipq.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Omdieb32.exe
File created	C:\Windows\SysWOW64\Pakdbp32.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Boplohfa.dll	Bmdkcnie.exe
File opened for modification	C:\Windows\SysWOW64\Njedbjej.exe	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
File created	C:\Windows\SysWOW64\Naagioah.dll	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
File opened for modification	C:\Windows\SysWOW64\Pblajhje.exe	Pakdbp32.exe
File created	C:\Windows\SysWOW64\Abcgjg32.exe	Pblajhje.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
420	3844	WerFault.exe	100

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pblajhje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbhiiol.dll"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgibp32.dll"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll"	Njedbjej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njedbjej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Abcgjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdeiqgkj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagioah.dll"	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflonn32.dll"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pakdbp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofckhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpiedk32.dll"	Pakdbp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmeemdg.dll"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Omdieb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olqjha32.dll"	Abcgjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Adepji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boplohfa.dll"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deaiemli.dll"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omdieb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocgkan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll"	Pblajhje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcfndog.dll"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nimmifgo.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4536 wrote to memory of 4168	4536	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe	83
PID 4536 wrote to memory of 4168	4536	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe	83
PID 4536 wrote to memory of 4168	4536	NEAS.eb086d45f528914ae6c06dc752cc79f0.exe	83
PID 4168 wrote to memory of 2604	4168	Njedbjej.exe	84
PID 4168 wrote to memory of 2604	4168	Njedbjej.exe	84
PID 4168 wrote to memory of 2604	4168	Njedbjej.exe	84
PID 2604 wrote to memory of 4176	2604	Nimmifgo.exe	85
PID 2604 wrote to memory of 4176	2604	Nimmifgo.exe	85
PID 2604 wrote to memory of 4176	2604	Nimmifgo.exe	85
PID 4176 wrote to memory of 3944	4176	Ofckhj32.exe	86
PID 4176 wrote to memory of 3944	4176	Ofckhj32.exe	86
PID 4176 wrote to memory of 3944	4176	Ofckhj32.exe	86
PID 3944 wrote to memory of 3768	3944	Ocgkan32.exe	87
PID 3944 wrote to memory of 3768	3944	Ocgkan32.exe	87
PID 3944 wrote to memory of 3768	3944	Ocgkan32.exe	87
PID 3768 wrote to memory of 2052	3768	Ofgdcipq.exe	88
PID 3768 wrote to memory of 2052	3768	Ofgdcipq.exe	88
PID 3768 wrote to memory of 2052	3768	Ofgdcipq.exe	88
PID 2052 wrote to memory of 3872	2052	Omdieb32.exe	89
PID 2052 wrote to memory of 3872	2052	Omdieb32.exe	89
PID 2052 wrote to memory of 3872	2052	Omdieb32.exe	89
PID 3872 wrote to memory of 4684	3872	Pbekii32.exe	90
PID 3872 wrote to memory of 4684	3872	Pbekii32.exe	90
PID 3872 wrote to memory of 4684	3872	Pbekii32.exe	90
PID 4684 wrote to memory of 3744	4684	Pakdbp32.exe	91
PID 4684 wrote to memory of 3744	4684	Pakdbp32.exe	91
PID 4684 wrote to memory of 3744	4684	Pakdbp32.exe	91
PID 3744 wrote to memory of 212	3744	Pblajhje.exe	92
PID 3744 wrote to memory of 212	3744	Pblajhje.exe	92
PID 3744 wrote to memory of 212	3744	Pblajhje.exe	92
PID 212 wrote to memory of 1556	212	Abcgjg32.exe	93
PID 212 wrote to memory of 1556	212	Abcgjg32.exe	93
PID 212 wrote to memory of 1556	212	Abcgjg32.exe	93
PID 1556 wrote to memory of 568	1556	Adepji32.exe	94
PID 1556 wrote to memory of 568	1556	Adepji32.exe	94
PID 1556 wrote to memory of 568	1556	Adepji32.exe	94
PID 568 wrote to memory of 1496	568	Ajdbac32.exe	95
PID 568 wrote to memory of 1496	568	Ajdbac32.exe	95
PID 568 wrote to memory of 1496	568	Ajdbac32.exe	95
PID 1496 wrote to memory of 3008	1496	Bmdkcnie.exe	96
PID 1496 wrote to memory of 3008	1496	Bmdkcnie.exe	96
PID 1496 wrote to memory of 3008	1496	Bmdkcnie.exe	96
PID 3008 wrote to memory of 1500	3008	Bdapehop.exe	97
PID 3008 wrote to memory of 1500	3008	Bdapehop.exe	97
PID 3008 wrote to memory of 1500	3008	Bdapehop.exe	97
PID 1500 wrote to memory of 2368	1500	Bdeiqgkj.exe	98
PID 1500 wrote to memory of 2368	1500	Bdeiqgkj.exe	98
PID 1500 wrote to memory of 2368	1500	Bdeiqgkj.exe	98
PID 2368 wrote to memory of 3244	2368	Cbkfbcpb.exe	99
PID 2368 wrote to memory of 3244	2368	Cbkfbcpb.exe	99
PID 2368 wrote to memory of 3244	2368	Cbkfbcpb.exe	99
PID 3244 wrote to memory of 3844	3244	Cdolgfbp.exe	100
PID 3244 wrote to memory of 3844	3244	Cdolgfbp.exe	100
PID 3244 wrote to memory of 3844	3244	Cdolgfbp.exe	100

C:\Users\Admin\AppData\Local\Temp\NEAS.eb086d45f528914ae6c06dc752cc79f0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.eb086d45f528914ae6c06dc752cc79f0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4536
- C:\Windows\SysWOW64\Njedbjej.exe
  C:\Windows\system32\Njedbjej.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\SysWOW64\Nimmifgo.exe
    C:\Windows\system32\Nimmifgo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\Ofckhj32.exe
      C:\Windows\system32\Ofckhj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4176
    - - C:\Windows\SysWOW64\Ocgkan32.exe
        
        C:\Windows\system32\Ocgkan32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3944
      - C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Omdieb32.exe
        
        C:\Windows\system32\Omdieb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Pakdbp32.exe
        
        C:\Windows\system32\Pakdbp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Pblajhje.exe
        
        C:\Windows\system32\Pblajhje.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Abcgjg32.exe
        
        C:\Windows\system32\Abcgjg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\Adepji32.exe
        
        C:\Windows\system32\Adepji32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\SysWOW64\Ajdbac32.exe
        
        C:\Windows\system32\Ajdbac32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Bdeiqgkj.exe
        
        C:\Windows\system32\Bdeiqgkj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        19⤵
        Executes dropped EXE
        
        PID:3844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3844 -s 412
        20⤵
        Program crash
        
        PID:420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3844 -ip 3844
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
378KB

MD5
ce2608761f48d0d6e02a7214b6ed3402

SHA1
08bbfb11b7c5b1ae01ab0d027c5e12b36ce16aac

SHA256
746ff47ee2060745e368e387b9642f4ebc4455a49081d23dc71a439e7c843013

SHA512
9cc9594e0ca35c607c935eb05b062c0f2db97d19c53ebadbd5cc0976d1f7508fa9ba685d4361bdb57d7ce07f83492426c776abee387deb4b074ec7ad25b8937b

Download Submit
C:\Windows\SysWOW64\Abcgjg32.exe

Filesize
378KB

MD5
ce2608761f48d0d6e02a7214b6ed3402

SHA1
08bbfb11b7c5b1ae01ab0d027c5e12b36ce16aac

SHA256
746ff47ee2060745e368e387b9642f4ebc4455a49081d23dc71a439e7c843013

SHA512
9cc9594e0ca35c607c935eb05b062c0f2db97d19c53ebadbd5cc0976d1f7508fa9ba685d4361bdb57d7ce07f83492426c776abee387deb4b074ec7ad25b8937b

Download Submit
C:\Windows\SysWOW64\Adepji32.exe

Filesize
378KB

MD5
c39d4cb245bc1ba25f4d04163943a315

SHA1
fddc34e7aa3bbf1f3b3a5f4a9410a73710566186

SHA256
bdd34e9bcb903e3ff2e48455bb18541d539324bdcc11cd56c6c27d7463053f93

SHA512
34c7723899838d96ce4fc5083b3349da270378d54aa228adf2a0633bf12f86b788f67c39e1b9b00e6cfe8be249b6b915c4a70d7a6fd4d3d43e6fdf8799a31194

Download Submit
C:\Windows\SysWOW64\Adepji32.exe

Filesize
378KB

MD5
c39d4cb245bc1ba25f4d04163943a315

SHA1
fddc34e7aa3bbf1f3b3a5f4a9410a73710566186

SHA256
bdd34e9bcb903e3ff2e48455bb18541d539324bdcc11cd56c6c27d7463053f93

SHA512
34c7723899838d96ce4fc5083b3349da270378d54aa228adf2a0633bf12f86b788f67c39e1b9b00e6cfe8be249b6b915c4a70d7a6fd4d3d43e6fdf8799a31194

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
378KB

MD5
b3ea5e7c78b5335fef2cebd24b97f4a2

SHA1
913e06a83df18741eed69365da46fcf4cced2e1d

SHA256
688e71e02d0edfcf0ab388d5d08160dc4ef934515f36fcdffc447ce944618aa4

SHA512
3367745a047a5605fde8e0adb4ecd4f834fe6bad1fda159481bf3e3539b5b9e7502cf799d9b1d7f9282e4cddf074394a91d775c38df521be804a5670362d1258

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
378KB

MD5
b3ea5e7c78b5335fef2cebd24b97f4a2

SHA1
913e06a83df18741eed69365da46fcf4cced2e1d

SHA256
688e71e02d0edfcf0ab388d5d08160dc4ef934515f36fcdffc447ce944618aa4

SHA512
3367745a047a5605fde8e0adb4ecd4f834fe6bad1fda159481bf3e3539b5b9e7502cf799d9b1d7f9282e4cddf074394a91d775c38df521be804a5670362d1258

Download Submit
C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
378KB

MD5
b3ea5e7c78b5335fef2cebd24b97f4a2

SHA1
913e06a83df18741eed69365da46fcf4cced2e1d

SHA256
688e71e02d0edfcf0ab388d5d08160dc4ef934515f36fcdffc447ce944618aa4

SHA512
3367745a047a5605fde8e0adb4ecd4f834fe6bad1fda159481bf3e3539b5b9e7502cf799d9b1d7f9282e4cddf074394a91d775c38df521be804a5670362d1258

Download Submit
C:\Windows\SysWOW64\Bdapehop.exe

Filesize
378KB

MD5
0c172acfbdaa97804870e20270442b0e

SHA1
20195dc0a9a151c4c291dfaa4050b8a0c78de6c3

SHA256
7a39f7805265f2614a732718377969bd56681d9753c9d9e5f98bb0ec5db791ae

SHA512
df3767e0528f71c00047a1cc68c268c460564ecac6511ee848f279e696438d8ea84327dc56abf99a575a64f3b34e648a577772b9ab84f0b9b1e1a6d4faa5fbf0

Download Submit
C:\Windows\SysWOW64\Bdapehop.exe

Filesize
378KB

MD5
133aeac5c149a09ec55fee9b8bc89d26

SHA1
958a25565a831900922c9aeccf088c9af99bf867

SHA256
0abbfbb4fe82d66012432eadf8cc6403b73b7c310d8c6ba58b99547e8e749ed0

SHA512
d9afc9551f61c73fbf5326d7d5cb99f25c7ed90ead6f17ea2ef4b278798c6013d3ee15920c87ab2ccfecb6cd3e94a1ddf56a6a6ae9bc985f1646b0f6118268e5

Download Submit
C:\Windows\SysWOW64\Bdapehop.exe

Filesize
378KB

MD5
133aeac5c149a09ec55fee9b8bc89d26

SHA1
958a25565a831900922c9aeccf088c9af99bf867

SHA256
0abbfbb4fe82d66012432eadf8cc6403b73b7c310d8c6ba58b99547e8e749ed0

SHA512
d9afc9551f61c73fbf5326d7d5cb99f25c7ed90ead6f17ea2ef4b278798c6013d3ee15920c87ab2ccfecb6cd3e94a1ddf56a6a6ae9bc985f1646b0f6118268e5

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
378KB

MD5
a6b8b350f6ec0fae8af8fc5de006ef10

SHA1
55e3c1f31391a71b1195237a5a70e7f5ee5b1b65

SHA256
89494d07b5774af7e47b3b1f67a60f3c8ea878fc6ebab5643d1ef9a6cc6899a0

SHA512
5f4c914d5d95eea2247fc3361cdf21dadd79dc71b883f3c0f5b34de2035b57d7b8f09db76aa1d277986265d71a3f2c08a938d0195375b1cee264afabb665a082

Download Submit
C:\Windows\SysWOW64\Bdeiqgkj.exe

Filesize
378KB

MD5
a6b8b350f6ec0fae8af8fc5de006ef10

SHA1
55e3c1f31391a71b1195237a5a70e7f5ee5b1b65

SHA256
89494d07b5774af7e47b3b1f67a60f3c8ea878fc6ebab5643d1ef9a6cc6899a0

SHA512
5f4c914d5d95eea2247fc3361cdf21dadd79dc71b883f3c0f5b34de2035b57d7b8f09db76aa1d277986265d71a3f2c08a938d0195375b1cee264afabb665a082

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
378KB

MD5
b74bee31769d2275a140202fd5b2426c

SHA1
2461c7eb03cd1594211791b7a9693e32a4ab5a3b

SHA256
7da03b67cbf511a330adb281722b23618eb368c76cb2f0b63768e4a74a3ddd44

SHA512
ac47aa66e715f9b5f7022bec4dc7e403727ec95f3ff8a9e472ea1a648355942c571fe7c254837ad98eb206a4c70c9f07ea1e5fd813b10fc2e566f09b17c3cf2f

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
378KB

MD5
b74bee31769d2275a140202fd5b2426c

SHA1
2461c7eb03cd1594211791b7a9693e32a4ab5a3b

SHA256
7da03b67cbf511a330adb281722b23618eb368c76cb2f0b63768e4a74a3ddd44

SHA512
ac47aa66e715f9b5f7022bec4dc7e403727ec95f3ff8a9e472ea1a648355942c571fe7c254837ad98eb206a4c70c9f07ea1e5fd813b10fc2e566f09b17c3cf2f

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
378KB

MD5
3081fa61e2b46f1a767d1796d36c1af9

SHA1
46a8df3bd6aaff947084dc7ef85377ef65e2383c

SHA256
6c73e0c1a718f369224f2ffc63649f5b77d7fcd54e257e62d6e6571ba0f1c554

SHA512
685f208d0486c48db464e74762649ff1d6d3120ea3e7ea8eee5420f6941869082994909307d19bc4d34ae031c90904d129fe3d9b9ba955a43b37af2adcb217a4

Download Submit
C:\Windows\SysWOW64\Cbkfbcpb.exe

Filesize
378KB

MD5
3081fa61e2b46f1a767d1796d36c1af9

SHA1
46a8df3bd6aaff947084dc7ef85377ef65e2383c

SHA256
6c73e0c1a718f369224f2ffc63649f5b77d7fcd54e257e62d6e6571ba0f1c554

SHA512
685f208d0486c48db464e74762649ff1d6d3120ea3e7ea8eee5420f6941869082994909307d19bc4d34ae031c90904d129fe3d9b9ba955a43b37af2adcb217a4

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
378KB

MD5
d4b1c21497101a994916dff5207b8fa2

SHA1
662e07b330cb85b785a8548675d10b7ce6aa1b01

SHA256
2b0cb956d8ff94894396ae8187e15c971dcf50b7f3282c89cda6c742d8d52482

SHA512
171eeecbe79773d33a141a19e567513ac2582a05d6fb9be77eb0f16ecd4a4b6c2e1047ed14caabc796933205de1b2dd65f20ddb059327527e935c5233961cf72

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
378KB

MD5
d4b1c21497101a994916dff5207b8fa2

SHA1
662e07b330cb85b785a8548675d10b7ce6aa1b01

SHA256
2b0cb956d8ff94894396ae8187e15c971dcf50b7f3282c89cda6c742d8d52482

SHA512
171eeecbe79773d33a141a19e567513ac2582a05d6fb9be77eb0f16ecd4a4b6c2e1047ed14caabc796933205de1b2dd65f20ddb059327527e935c5233961cf72

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
378KB

MD5
ec05c2012493226059d30bb2963f64b1

SHA1
735bfc69b66a9b91a5d532098321c82c99725edd

SHA256
4ef1892e960b5262fbd139b74ea1c6048f7ea4b89dbaf7ff23bf075f6edece48

SHA512
c04f81730111602174915aa9f3635d7fa9b547b37f5e267ef39c82e60ae66fed831c7a23cd7c9494be4b674c688c8e4f862975bbe9ee8c43bce71ffc0c5bfc5e

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
378KB

MD5
ec05c2012493226059d30bb2963f64b1

SHA1
735bfc69b66a9b91a5d532098321c82c99725edd

SHA256
4ef1892e960b5262fbd139b74ea1c6048f7ea4b89dbaf7ff23bf075f6edece48

SHA512
c04f81730111602174915aa9f3635d7fa9b547b37f5e267ef39c82e60ae66fed831c7a23cd7c9494be4b674c688c8e4f862975bbe9ee8c43bce71ffc0c5bfc5e

Download Submit
C:\Windows\SysWOW64\Gejimf32.dll

Filesize
7KB

MD5
367152248f49d511d793b4a0bf081047

SHA1
daf1314178a611e740408ddc6ca0dfd0ab300d6f

SHA256
cb9307b80cebb6f8c97a5c8ae2bf4f5813c5f18e76d0f64c8cf10d501facf9f9

SHA512
551c1a5005e79f769d49dea258ddec9b55b6560347ac27c617428938804123f2a14e449c2aa5fa25051ddfea891903c7d6ef42c7bd4b4b9dd0b28feb1895dceb

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
378KB

MD5
83fedcd277df9a44c41e5afad05c6620

SHA1
089b0cd4d418c5ed1b9c3a2922887e0a41584d53

SHA256
34da93a397e34edffa6a9ac070d0b9b9aa58952ec04787d22e837668852ad791

SHA512
6fc46061311ef1f8dcb4bbfcf66ce76eeffb69fcbe97b7347841a000fbb77276c4c3f91fefad1844095fd62106fe2823fb11ce5b175882b467964798da0c7f31

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
378KB

MD5
83fedcd277df9a44c41e5afad05c6620

SHA1
089b0cd4d418c5ed1b9c3a2922887e0a41584d53

SHA256
34da93a397e34edffa6a9ac070d0b9b9aa58952ec04787d22e837668852ad791

SHA512
6fc46061311ef1f8dcb4bbfcf66ce76eeffb69fcbe97b7347841a000fbb77276c4c3f91fefad1844095fd62106fe2823fb11ce5b175882b467964798da0c7f31

Download Submit
C:\Windows\SysWOW64\Njedbjej.exe

Filesize
378KB

MD5
5b0bf6441c07fe1effdeee14e1c4a2de

SHA1
034cf36e54145305858b0c6d413a2c55ac2295bd

SHA256
69a3c7aa352fc90b6690bdd10f7cb6bc1278e0ce3dc14e802797bcb241e90452

SHA512
212d62cdd39dc8a8c2b1e4be8a124e4360ef98801fa92272f147cc6466aa7225e5fc9af55abeb7b75bf205bde405c4ff435da63157bdec59f07a95d348427a82

Download Submit
C:\Windows\SysWOW64\Njedbjej.exe

Filesize
378KB

MD5
5b0bf6441c07fe1effdeee14e1c4a2de

SHA1
034cf36e54145305858b0c6d413a2c55ac2295bd

SHA256
69a3c7aa352fc90b6690bdd10f7cb6bc1278e0ce3dc14e802797bcb241e90452

SHA512
212d62cdd39dc8a8c2b1e4be8a124e4360ef98801fa92272f147cc6466aa7225e5fc9af55abeb7b75bf205bde405c4ff435da63157bdec59f07a95d348427a82

Download Submit
C:\Windows\SysWOW64\Ocgkan32.exe

Filesize
378KB

MD5
850f1b04bde7679f94d76ed6d8566274

SHA1
5f40bd678d4d92e8750c7e9669b2389b2805c516

SHA256
881ec5b2be37533804c65a262eca4a42e8ed0248dc13e31e4e99688794ab322d

SHA512
1b644bff6db876478f655818a52bf79d7edda292e88d1c1d687771c1e5a3dfa64a015975d6c6bc825b241c91b396fa6ae2689804a24f1a2ad779af0e7cc3043e

Download Submit
C:\Windows\SysWOW64\Ocgkan32.exe

Filesize
378KB

MD5
850f1b04bde7679f94d76ed6d8566274

SHA1
5f40bd678d4d92e8750c7e9669b2389b2805c516

SHA256
881ec5b2be37533804c65a262eca4a42e8ed0248dc13e31e4e99688794ab322d

SHA512
1b644bff6db876478f655818a52bf79d7edda292e88d1c1d687771c1e5a3dfa64a015975d6c6bc825b241c91b396fa6ae2689804a24f1a2ad779af0e7cc3043e

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
378KB

MD5
7c577e17492e11f86d224e348ac05f85

SHA1
0fa5b5a2eb9accfad84f9fbe896ab363217fdad6

SHA256
37d855eaf83b6b73d39107cd53af12f15f4d41dab8bbd9c1bafe87a298d61915

SHA512
3dfcea724ed7f065948b9571191c65ac00746bdac815520d892e159ca00a43af0f8f86c440fe4cdc14aa54077a00840282ad876ca98ca0126f8d23e8d9db0a60

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
378KB

MD5
886e0615d98afd93957180cad533ac09

SHA1
90c7d1065018c93ead0c2b1f804bd7e0a7c65dea

SHA256
e830c3def1fa3c5451840980af86bade42bea64915688b8dd3ddc31dc34277b0

SHA512
9a2a699588ee7cb431cd3eacd4a1a40b929898917ac06331e2b11086943a1f2547c4c545f4a6ff247e1e9454b82614d9348973c573908a576e6b771549dba50a

Download Submit
C:\Windows\SysWOW64\Ofckhj32.exe

Filesize
378KB

MD5
886e0615d98afd93957180cad533ac09

SHA1
90c7d1065018c93ead0c2b1f804bd7e0a7c65dea

SHA256
e830c3def1fa3c5451840980af86bade42bea64915688b8dd3ddc31dc34277b0

SHA512
9a2a699588ee7cb431cd3eacd4a1a40b929898917ac06331e2b11086943a1f2547c4c545f4a6ff247e1e9454b82614d9348973c573908a576e6b771549dba50a

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
378KB

MD5
15bb073197eb90e287b37b637904a9e0

SHA1
41c47bbb1d18702c288532411a16a23b1eef3fdf

SHA256
57d287cb7c3781ee624965a73e951db763b99c101eb0271a1636064dd2e26a6c

SHA512
87321d9d1ae4cc508aeac9448e1851689162ec64a0c5f8f71a018c10eb9d91fe7d34e36d9d0f617066431dedf88568249296356c6498335aecb023c6ea36c3e0

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
378KB

MD5
15bb073197eb90e287b37b637904a9e0

SHA1
41c47bbb1d18702c288532411a16a23b1eef3fdf

SHA256
57d287cb7c3781ee624965a73e951db763b99c101eb0271a1636064dd2e26a6c

SHA512
87321d9d1ae4cc508aeac9448e1851689162ec64a0c5f8f71a018c10eb9d91fe7d34e36d9d0f617066431dedf88568249296356c6498335aecb023c6ea36c3e0

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
378KB

MD5
9d2bacae02ab7548f83ed55fbf4aee89

SHA1
38d3fb97fb2116ac730dce4f5b26180d235e8d10

SHA256
723e623d8695133d4d11ea1260a8e940954d15abe1a4ca99361759d7ae561896

SHA512
660dbb38df864b39115a6b0d3b94d8db18da40d62960313e73c748f0dcdb3a89e3bea5c4842069225c268d84670a31266721fb9460a65f92fd469f5cc63bc96e

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
378KB

MD5
f19d99024478b24bd2c542fe94a7894a

SHA1
31e977cec82e4d7e061c3cb6226ffb48508568c0

SHA256
ae934964ff8e1a4c056cd8e67dd85db44863cd0fa6545c2431ca8200029e5910

SHA512
27b59410aed0957205717ed5ae7fdf8685f693df240cd932388717bf0fef8faede39d04c68ea29945546176ac210c017938c157e9985db19e7688c2b146e982e

Download Submit
C:\Windows\SysWOW64\Omdieb32.exe

Filesize
378KB

MD5
f19d99024478b24bd2c542fe94a7894a

SHA1
31e977cec82e4d7e061c3cb6226ffb48508568c0

SHA256
ae934964ff8e1a4c056cd8e67dd85db44863cd0fa6545c2431ca8200029e5910

SHA512
27b59410aed0957205717ed5ae7fdf8685f693df240cd932388717bf0fef8faede39d04c68ea29945546176ac210c017938c157e9985db19e7688c2b146e982e

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
378KB

MD5
d404963b1f9a4eaa0f94842ce3b1c5e5

SHA1
b0d162f96c8c22621ff997e9709c78d17c260062

SHA256
1c07da679329938ff1b58f39158defd51eba4689817c8f581390395dc0ad9154

SHA512
805208fd3442a3c65d1e0cbfc16b89e7432b90becef992fde65d85969d4f949fc752cc248078d1011641c99748abd28c22cf110ad76c8d18500e4acb8f0319e4

Download Submit
C:\Windows\SysWOW64\Pakdbp32.exe

Filesize
378KB

MD5
d404963b1f9a4eaa0f94842ce3b1c5e5

SHA1
b0d162f96c8c22621ff997e9709c78d17c260062

SHA256
1c07da679329938ff1b58f39158defd51eba4689817c8f581390395dc0ad9154

SHA512
805208fd3442a3c65d1e0cbfc16b89e7432b90becef992fde65d85969d4f949fc752cc248078d1011641c99748abd28c22cf110ad76c8d18500e4acb8f0319e4

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
378KB

MD5
eefd73bc0c3893fb9f1e55bc04ed7831

SHA1
d0960f3ccef9610e41f1765a6d0f5947a616ea08

SHA256
bb943e86e237361b6578bf856796db4ee472e590077cec18a2956ac9de5c827b

SHA512
841d1c7d1cc338189cecac6c0a0b07482b40df76e311a0bb039f38a4b82c72164d4958898e36e2fd1a8655141e4568815133d1d6a30b340dc2f572627e58d9e7

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
378KB

MD5
eefd73bc0c3893fb9f1e55bc04ed7831

SHA1
d0960f3ccef9610e41f1765a6d0f5947a616ea08

SHA256
bb943e86e237361b6578bf856796db4ee472e590077cec18a2956ac9de5c827b

SHA512
841d1c7d1cc338189cecac6c0a0b07482b40df76e311a0bb039f38a4b82c72164d4958898e36e2fd1a8655141e4568815133d1d6a30b340dc2f572627e58d9e7

Download Submit
C:\Windows\SysWOW64\Pblajhje.exe

Filesize
378KB

MD5
858985d1a972434fb506a8c213487d20

SHA1
3fb0f53c73052f72a3b47a2e092bb30187277755

SHA256
66afa13d2822689a1342d99f66a02944be41b774eceadbd81315afd29ff1c519

SHA512
d14168034bc0b2326f4269efad25a4dee0e7398961ddde55156fac99aeb387fd9f1f337c821f4a7f0311aa0d94a19bab4a65932aaafe0e9e210fe21aca779182

Download Submit
C:\Windows\SysWOW64\Pblajhje.exe

Filesize
378KB

MD5
858985d1a972434fb506a8c213487d20

SHA1
3fb0f53c73052f72a3b47a2e092bb30187277755

SHA256
66afa13d2822689a1342d99f66a02944be41b774eceadbd81315afd29ff1c519

SHA512
d14168034bc0b2326f4269efad25a4dee0e7398961ddde55156fac99aeb387fd9f1f337c821f4a7f0311aa0d94a19bab4a65932aaafe0e9e210fe21aca779182

Download Submit
memory/212-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/568-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1496-104-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1500-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1556-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2368-128-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2604-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3008-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3244-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-72-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3768-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3844-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3872-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4168-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4176-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4684-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads