c388ee8ef938e2f1249922df6bd8828da865d54bd5dfe409b14d069b6d770dbe

Analysis

max time kernel
138s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
15-11-2023 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Size

112KB
MD5

b6e0dd0cef61576ef6af6d5ec5530040
SHA1

15575dc1f11b8357e15ff156c37c9fff48d44e47
SHA256

c388ee8ef938e2f1249922df6bd8828da865d54bd5dfe409b14d069b6d770dbe
SHA512

f8dfac572754b7e2befac6b70b52d3e95127039343e8efd5ef3847b0cd3cd57a6d6868aa07579bb8ef7d3e949095a7346bf36b996511100c6985fedb321c3898
SSDEEP

3072:8QckcAiQbh+4G1D8mHBMQH2qC7ZQOlzSLUK6MwGsGnDc9o:Jcr9QV+4MHBMQWfdQOhwJ6MwGsw

Score

10^/10

dropper persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 36 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agimkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkndie32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bddcenpi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkndie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akkffkhk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Panhbfep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnlme32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chiblk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe

Malware Backdoor - Berbew 64 IoCs

Berbew is a malware infection classified as a 'backdoor' Trojan. This malicious program's primary function is to cause chain infections - it can download/install additional malware such as other Trojans, ransomware, and cryptominers.

persistence dropper trojan

resource	yara_rule
behavioral2/memory/4528-0-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/4528-1-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0002000000022307-7.dat	family_berbew
behavioral2/memory/1192-9-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0002000000022307-8.dat	family_berbew
behavioral2/files/0x0006000000022cdf-15.dat	family_berbew
behavioral2/memory/2200-16-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cdf-17.dat	family_berbew
behavioral2/files/0x0006000000022ce1-23.dat	family_berbew
behavioral2/memory/2788-25-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022ce1-24.dat	family_berbew
behavioral2/memory/3112-33-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022ce3-32.dat	family_berbew
behavioral2/files/0x0006000000022ce3-31.dat	family_berbew
behavioral2/files/0x0006000000022ce5-39.dat	family_berbew
behavioral2/memory/548-45-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022ce7-47.dat	family_berbew
behavioral2/files/0x0006000000022ce5-40.dat	family_berbew
behavioral2/files/0x0006000000022ce7-49.dat	family_berbew
behavioral2/memory/4068-48-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022ce9-55.dat	family_berbew
behavioral2/files/0x0006000000022ce9-56.dat	family_berbew
behavioral2/memory/4528-57-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/1260-62-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022ced-64.dat	family_berbew
behavioral2/memory/3832-65-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022ced-66.dat	family_berbew
behavioral2/files/0x0006000000022cef-74.dat	family_berbew
behavioral2/memory/472-73-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cef-72.dat	family_berbew
behavioral2/files/0x0006000000022cf1-80.dat	family_berbew
behavioral2/memory/624-82-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cf1-81.dat	family_berbew
behavioral2/files/0x0006000000022cf3-88.dat	family_berbew
behavioral2/memory/1192-89-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3144-91-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cf3-90.dat	family_berbew
behavioral2/files/0x0006000000022cf5-98.dat	family_berbew
behavioral2/files/0x0006000000022cf5-97.dat	family_berbew
behavioral2/memory/2200-99-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cf8-106.dat	family_berbew
behavioral2/files/0x0006000000022cf8-107.dat	family_berbew
behavioral2/memory/2788-108-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2332-113-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2492-105-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cfa-115.dat	family_berbew
behavioral2/memory/3112-116-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3500-117-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cfa-118.dat	family_berbew
behavioral2/files/0x0006000000022cfc-124.dat	family_berbew
behavioral2/files/0x0006000000022cfc-125.dat	family_berbew
behavioral2/memory/1028-126-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cfe-132.dat	family_berbew
behavioral2/memory/4068-133-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/2748-139-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022cfe-134.dat	family_berbew
behavioral2/files/0x0006000000022d00-141.dat	family_berbew
behavioral2/memory/4324-142-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/files/0x0006000000022d00-143.dat	family_berbew
behavioral2/files/0x0006000000022d03-149.dat	family_berbew
behavioral2/files/0x0006000000022d03-150.dat	family_berbew
behavioral2/memory/3832-151-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/3580-152-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew
behavioral2/memory/472-153-0x0000000000400000-0x0000000000441000-memory.dmp	family_berbew

Executes dropped EXE 18 IoCs

pid	Process
1192	Panhbfep.exe
2200	Qfmmplad.exe
2788	Akkffkhk.exe
3112	Adcjop32.exe
548	Amnlme32.exe
4068	Aonhghjl.exe
1260	Agimkk32.exe
3832	Bgkiaj32.exe
472	Bdagpnbk.exe
624	Bddcenpi.exe
3144	Bnlhncgi.exe
2492	Cdimqm32.exe
2332	Cdkifmjq.exe
3500	Chiblk32.exe
1028	Cnhgjaml.exe
2748	Cogddd32.exe
4324	Dkndie32.exe
3580	Dkqaoe32.exe

Drops file in System32 directory 54 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bpcaaeme.dll	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Adcjop32.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Ojjhjm32.dll	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
File created	C:\Windows\SysWOW64\Oblknjim.dll	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Aonhghjl.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bddcenpi.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Bddcenpi.exe	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Hgncclck.dll	Chiblk32.exe
File created	C:\Windows\SysWOW64\Cogddd32.exe	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Qfmmplad.exe	Panhbfep.exe
File opened for modification	C:\Windows\SysWOW64\Amnlme32.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Akkffkhk.exe	Qfmmplad.exe
File opened for modification	C:\Windows\SysWOW64\Agimkk32.exe	Aonhghjl.exe
File opened for modification	C:\Windows\SysWOW64\Bgkiaj32.exe	Agimkk32.exe
File opened for modification	C:\Windows\SysWOW64\Chiblk32.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Bdagpnbk.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Chiblk32.exe	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Chnpamkc.dll	Amnlme32.exe
File created	C:\Windows\SysWOW64\Bgkiaj32.exe	Agimkk32.exe
File opened for modification	C:\Windows\SysWOW64\Cdkifmjq.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Qfmmplad.exe	Panhbfep.exe
File created	C:\Windows\SysWOW64\Adnbpqkj.dll	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Mnpofk32.dll	Cogddd32.exe
File created	C:\Windows\SysWOW64\Bddcenpi.exe	Bdagpnbk.exe
File opened for modification	C:\Windows\SysWOW64\Cogddd32.exe	Cnhgjaml.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dkndie32.exe
File created	C:\Windows\SysWOW64\Agimkk32.exe	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Cnhgjaml.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnhgjaml.exe	Chiblk32.exe
File opened for modification	C:\Windows\SysWOW64\Dkndie32.exe	Cogddd32.exe
File created	C:\Windows\SysWOW64\Dkqaoe32.exe	Dkndie32.exe
File opened for modification	C:\Windows\SysWOW64\Panhbfep.exe	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
File opened for modification	C:\Windows\SysWOW64\Adcjop32.exe	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Mfgomdnj.dll	Akkffkhk.exe
File created	C:\Windows\SysWOW64\Ndikch32.dll	Bdagpnbk.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Aonhghjl.exe	Amnlme32.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Agimkk32.exe
File created	C:\Windows\SysWOW64\Bdagpnbk.exe	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bnlhncgi.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Amnlme32.exe	Adcjop32.exe
File created	C:\Windows\SysWOW64\Onahgf32.dll	Aonhghjl.exe
File created	C:\Windows\SysWOW64\Lelgfl32.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dkndie32.exe
File created	C:\Windows\SysWOW64\Panhbfep.exe	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
File created	C:\Windows\SysWOW64\Godcje32.dll	Panhbfep.exe
File created	C:\Windows\SysWOW64\Akkffkhk.exe	Qfmmplad.exe
File created	C:\Windows\SysWOW64\Kdebopdl.dll	Adcjop32.exe
File created	C:\Windows\SysWOW64\Mmlmhc32.dll	Cdkifmjq.exe
File created	C:\Windows\SysWOW64\Dkndie32.exe	Cogddd32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1876	3580	WerFault.exe	110

Modifies registry class 57 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agimkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogddd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlmhc32.dll"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnhgjaml.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmmplad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onahgf32.dll"	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chiblk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpcaaeme.dll"	Qfmmplad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll"	Bgkiaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgncclck.dll"	Chiblk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oblknjim.dll"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpofk32.dll"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll"	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Panhbfep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll"	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgkiaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godcje32.dll"	Panhbfep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnlme32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mioaanec.dll"	Agimkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agimkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdagpnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnhgjaml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogddd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfgomdnj.dll"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkndie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akkffkhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Bdagpnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chiblk32.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 1192	4528	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe	91
PID 4528 wrote to memory of 1192	4528	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe	91
PID 4528 wrote to memory of 1192	4528	NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe	91
PID 1192 wrote to memory of 2200	1192	Panhbfep.exe	92
PID 1192 wrote to memory of 2200	1192	Panhbfep.exe	92
PID 1192 wrote to memory of 2200	1192	Panhbfep.exe	92
PID 2200 wrote to memory of 2788	2200	Qfmmplad.exe	93
PID 2200 wrote to memory of 2788	2200	Qfmmplad.exe	93
PID 2200 wrote to memory of 2788	2200	Qfmmplad.exe	93
PID 2788 wrote to memory of 3112	2788	Akkffkhk.exe	95
PID 2788 wrote to memory of 3112	2788	Akkffkhk.exe	95
PID 2788 wrote to memory of 3112	2788	Akkffkhk.exe	95
PID 3112 wrote to memory of 548	3112	Adcjop32.exe	96
PID 3112 wrote to memory of 548	3112	Adcjop32.exe	96
PID 3112 wrote to memory of 548	3112	Adcjop32.exe	96
PID 548 wrote to memory of 4068	548	Amnlme32.exe	97
PID 548 wrote to memory of 4068	548	Amnlme32.exe	97
PID 548 wrote to memory of 4068	548	Amnlme32.exe	97
PID 4068 wrote to memory of 1260	4068	Aonhghjl.exe	99
PID 4068 wrote to memory of 1260	4068	Aonhghjl.exe	99
PID 4068 wrote to memory of 1260	4068	Aonhghjl.exe	99
PID 1260 wrote to memory of 3832	1260	Agimkk32.exe	100
PID 1260 wrote to memory of 3832	1260	Agimkk32.exe	100
PID 1260 wrote to memory of 3832	1260	Agimkk32.exe	100
PID 3832 wrote to memory of 472	3832	Bgkiaj32.exe	101
PID 3832 wrote to memory of 472	3832	Bgkiaj32.exe	101
PID 3832 wrote to memory of 472	3832	Bgkiaj32.exe	101
PID 472 wrote to memory of 624	472	Bdagpnbk.exe	102
PID 472 wrote to memory of 624	472	Bdagpnbk.exe	102
PID 472 wrote to memory of 624	472	Bdagpnbk.exe	102
PID 624 wrote to memory of 3144	624	Bddcenpi.exe	103
PID 624 wrote to memory of 3144	624	Bddcenpi.exe	103
PID 624 wrote to memory of 3144	624	Bddcenpi.exe	103
PID 3144 wrote to memory of 2492	3144	Bnlhncgi.exe	104
PID 3144 wrote to memory of 2492	3144	Bnlhncgi.exe	104
PID 3144 wrote to memory of 2492	3144	Bnlhncgi.exe	104
PID 2492 wrote to memory of 2332	2492	Cdimqm32.exe	105
PID 2492 wrote to memory of 2332	2492	Cdimqm32.exe	105
PID 2492 wrote to memory of 2332	2492	Cdimqm32.exe	105
PID 2332 wrote to memory of 3500	2332	Cdkifmjq.exe	106
PID 2332 wrote to memory of 3500	2332	Cdkifmjq.exe	106
PID 2332 wrote to memory of 3500	2332	Cdkifmjq.exe	106
PID 3500 wrote to memory of 1028	3500	Chiblk32.exe	107
PID 3500 wrote to memory of 1028	3500	Chiblk32.exe	107
PID 3500 wrote to memory of 1028	3500	Chiblk32.exe	107
PID 1028 wrote to memory of 2748	1028	Cnhgjaml.exe	108
PID 1028 wrote to memory of 2748	1028	Cnhgjaml.exe	108
PID 1028 wrote to memory of 2748	1028	Cnhgjaml.exe	108
PID 2748 wrote to memory of 4324	2748	Cogddd32.exe	109
PID 2748 wrote to memory of 4324	2748	Cogddd32.exe	109
PID 2748 wrote to memory of 4324	2748	Cogddd32.exe	109
PID 4324 wrote to memory of 3580	4324	Dkndie32.exe	110
PID 4324 wrote to memory of 3580	4324	Dkndie32.exe	110
PID 4324 wrote to memory of 3580	4324	Dkndie32.exe	110

C:\Users\Admin\AppData\Local\Temp\NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b6e0dd0cef61576ef6af6d5ec5530040.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\Panhbfep.exe
  C:\Windows\system32\Panhbfep.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\Qfmmplad.exe
    C:\Windows\system32\Qfmmplad.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\Akkffkhk.exe
      C:\Windows\system32\Akkffkhk.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3112
      - C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Agimkk32.exe
        
        C:\Windows\system32\Agimkk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1260
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Bdagpnbk.exe
        
        C:\Windows\system32\Bdagpnbk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Chiblk32.exe
        
        C:\Windows\system32\Chiblk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Cnhgjaml.exe
        
        C:\Windows\system32\Cnhgjaml.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        19⤵
        Executes dropped EXE
        
        PID:3580
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 408
        20⤵
        Program crash
        
        PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3580 -ip 3580
1⤵
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
112KB

MD5
c4b9d21e60c945ed3e85cd9836dead02

SHA1
5bc6fdda909e51ca3c5a16d2a3e5a426f007c183

SHA256
3f80bf0e6de5c56cb10e6a89313f98bca308182771b7f2a39bb49b248c886557

SHA512
5f0863965a07bf92df8611053bfe71c9c659fb0919ae413d639fa18467ce89798b09a478175cd4860938ab267b6cc3919d59eee1110bd827519f54072fc9e6c6

Download Submit
C:\Windows\SysWOW64\Adcjop32.exe

Filesize
112KB

MD5
c4b9d21e60c945ed3e85cd9836dead02

SHA1
5bc6fdda909e51ca3c5a16d2a3e5a426f007c183

SHA256
3f80bf0e6de5c56cb10e6a89313f98bca308182771b7f2a39bb49b248c886557

SHA512
5f0863965a07bf92df8611053bfe71c9c659fb0919ae413d639fa18467ce89798b09a478175cd4860938ab267b6cc3919d59eee1110bd827519f54072fc9e6c6

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe

Filesize
112KB

MD5
9c08f8aa13ffb82c098e1863d5177621

SHA1
5e0b4b5ae98b9ba2f07339a46e69f33d3f5527b9

SHA256
25d518e07620128ab844662e7bff904d06a910c9e3fdef8021e60f84601ccde1

SHA512
055bc8492f28834da7795c995f40a5909e60047dfe74033defa2929108743aec310f96e9fcb13d883c737471457a3864933bfc0b14674a7feaf235e0aae35957

Download Submit
C:\Windows\SysWOW64\Agimkk32.exe

Filesize
112KB

MD5
9c08f8aa13ffb82c098e1863d5177621

SHA1
5e0b4b5ae98b9ba2f07339a46e69f33d3f5527b9

SHA256
25d518e07620128ab844662e7bff904d06a910c9e3fdef8021e60f84601ccde1

SHA512
055bc8492f28834da7795c995f40a5909e60047dfe74033defa2929108743aec310f96e9fcb13d883c737471457a3864933bfc0b14674a7feaf235e0aae35957

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
112KB

MD5
a7eb8e6d1d322fbe2a71f34e96249df6

SHA1
158484f8b1fee967325f17a47858276de2d6fc9c

SHA256
bd817b424b4ca3be34ddb4d25339cdfdea28c6045e27d93c6bc8e4d7d4f354b0

SHA512
6c0e3812cc18cb953243a378f05834db54969aff1dedf46bcc491fbace13293c4ef3c2326536268285201ed507f91a796429c78c448758d330450a0145f54ff9

Download Submit
C:\Windows\SysWOW64\Akkffkhk.exe

Filesize
112KB

MD5
a7eb8e6d1d322fbe2a71f34e96249df6

SHA1
158484f8b1fee967325f17a47858276de2d6fc9c

SHA256
bd817b424b4ca3be34ddb4d25339cdfdea28c6045e27d93c6bc8e4d7d4f354b0

SHA512
6c0e3812cc18cb953243a378f05834db54969aff1dedf46bcc491fbace13293c4ef3c2326536268285201ed507f91a796429c78c448758d330450a0145f54ff9

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
112KB

MD5
f522bf8598581e87f8762f0eff2559c3

SHA1
18a8d3e9d2ed9766d38e94fbf6d7bb8a4b33dd65

SHA256
fce5f32d88dd1ab735b5cab5e444e7447579f92eee879fe1f5d24b2e2755f30f

SHA512
528a9596e0e5553b7c4e09ea7691272a8fdf0b3600020ac7c5d77f83902eba0540aa882c7a9e98a831c8287df9a5345bbf0ad6aa8e2dc5784e7aca4b283f5682

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
112KB

MD5
f522bf8598581e87f8762f0eff2559c3

SHA1
18a8d3e9d2ed9766d38e94fbf6d7bb8a4b33dd65

SHA256
fce5f32d88dd1ab735b5cab5e444e7447579f92eee879fe1f5d24b2e2755f30f

SHA512
528a9596e0e5553b7c4e09ea7691272a8fdf0b3600020ac7c5d77f83902eba0540aa882c7a9e98a831c8287df9a5345bbf0ad6aa8e2dc5784e7aca4b283f5682

Download Submit
C:\Windows\SysWOW64\Aonhghjl.exe

Filesize
112KB

MD5
549025855d416b7174271d006ade728a

SHA1
494f553298ff0551497af3fce183f8c484334380

SHA256
606f7e01cb313db9cace558acd4a170e2ef53479b71eeb9282006580b66eaf39

SHA512
acb9fe352647608b7dca44145412d504ab6259e84d8f5da17c956b2dd464a61c5aa13a8827091eb07395dd3d2e92c81bb63f463b5f6fa5b0d3f9c5714f5ce75b

Download Submit
C:\Windows\SysWOW64\Aonhghjl.exe

Filesize
112KB

MD5
549025855d416b7174271d006ade728a

SHA1
494f553298ff0551497af3fce183f8c484334380

SHA256
606f7e01cb313db9cace558acd4a170e2ef53479b71eeb9282006580b66eaf39

SHA512
acb9fe352647608b7dca44145412d504ab6259e84d8f5da17c956b2dd464a61c5aa13a8827091eb07395dd3d2e92c81bb63f463b5f6fa5b0d3f9c5714f5ce75b

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
112KB

MD5
832fbc208edebf3570d1aad21069a216

SHA1
db8e75fec795f7c20e169ae232bb79582b9b8e50

SHA256
1d97088ae36dcafba801d7ba0092df940d8c2d5b9d8d1458797b4fcc08347799

SHA512
679569d6bc594a085e4d53998121dacb89aef9a2d0c2722f0e201553e949dce4966ef012f43583006d19b1fb57025896638eab22b1010bea4ea918a483da9691

Download Submit
C:\Windows\SysWOW64\Bdagpnbk.exe

Filesize
112KB

MD5
832fbc208edebf3570d1aad21069a216

SHA1
db8e75fec795f7c20e169ae232bb79582b9b8e50

SHA256
1d97088ae36dcafba801d7ba0092df940d8c2d5b9d8d1458797b4fcc08347799

SHA512
679569d6bc594a085e4d53998121dacb89aef9a2d0c2722f0e201553e949dce4966ef012f43583006d19b1fb57025896638eab22b1010bea4ea918a483da9691

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
112KB

MD5
cf385ed26e702cfca8998addba958dfc

SHA1
cdb9abce54b2f8c6c3d3cff8eea9667ae1454391

SHA256
0e1b2b8dff89bc9296d8d2a0930ae32f651f4bdf81305918a04210fca956b9ff

SHA512
220db76713c4d2b57b6f9afc57d100954e4ed2e76b90b4a0be19362830f499d1380d11afd78b698e80c56e4fd18cbc460b107f3520cf355aa59aabcaea3463b6

Download Submit
C:\Windows\SysWOW64\Bddcenpi.exe

Filesize
112KB

MD5
cf385ed26e702cfca8998addba958dfc

SHA1
cdb9abce54b2f8c6c3d3cff8eea9667ae1454391

SHA256
0e1b2b8dff89bc9296d8d2a0930ae32f651f4bdf81305918a04210fca956b9ff

SHA512
220db76713c4d2b57b6f9afc57d100954e4ed2e76b90b4a0be19362830f499d1380d11afd78b698e80c56e4fd18cbc460b107f3520cf355aa59aabcaea3463b6

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
112KB

MD5
1eceef67927849e2740e859a098013c8

SHA1
3022f2ec9c9688c92aae8c401f5c4319a0ef69a2

SHA256
66941e0b91680a54c7cc4ec5b1907bf39e814ee8f65d175a57a0b5aa4b8201d8

SHA512
8ecebc72231bce10ab583ec0659f25a7aba803e3192b17cfc7a3af0cc524f6e67942f5151014d346841940ec2bfa335c327ff3f50a404e21de805a2f688f91bb

Download Submit
C:\Windows\SysWOW64\Bgkiaj32.exe

Filesize
112KB

MD5
1eceef67927849e2740e859a098013c8

SHA1
3022f2ec9c9688c92aae8c401f5c4319a0ef69a2

SHA256
66941e0b91680a54c7cc4ec5b1907bf39e814ee8f65d175a57a0b5aa4b8201d8

SHA512
8ecebc72231bce10ab583ec0659f25a7aba803e3192b17cfc7a3af0cc524f6e67942f5151014d346841940ec2bfa335c327ff3f50a404e21de805a2f688f91bb

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
112KB

MD5
2a751d1920d1b49b3150d01a0e046328

SHA1
9eab5360334f063e132e6752272bbeff7bb5d281

SHA256
9f00f8fc591320c501dcf477754015ea40839e221297eb5df8243eab4532da53

SHA512
e6d881b9e85a286845a9a839f07d7478079a99e0a8301a9b1ab31818bd4d16cf68f4610d4ea08ade38933797217d3803c37599c040f493f7268ad4f34b2a7b29

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
112KB

MD5
2a751d1920d1b49b3150d01a0e046328

SHA1
9eab5360334f063e132e6752272bbeff7bb5d281

SHA256
9f00f8fc591320c501dcf477754015ea40839e221297eb5df8243eab4532da53

SHA512
e6d881b9e85a286845a9a839f07d7478079a99e0a8301a9b1ab31818bd4d16cf68f4610d4ea08ade38933797217d3803c37599c040f493f7268ad4f34b2a7b29

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
112KB

MD5
0e2263a879099d39e2619409c6766f41

SHA1
aac31e81bb1ecd2fbc1b7fd4e422e6b7a628ddc5

SHA256
f66289131c5af3d378fac832d1d3e4b3dfe310f637991a03edca29bc27e9853f

SHA512
47d56c564983a0f259b6fc8270495b1772c891717532b17405e389eb3cd82dd41a65830610fa57c66abc970b6efdebb78580c84944d9541a9c94e045ad676275

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
112KB

MD5
0e2263a879099d39e2619409c6766f41

SHA1
aac31e81bb1ecd2fbc1b7fd4e422e6b7a628ddc5

SHA256
f66289131c5af3d378fac832d1d3e4b3dfe310f637991a03edca29bc27e9853f

SHA512
47d56c564983a0f259b6fc8270495b1772c891717532b17405e389eb3cd82dd41a65830610fa57c66abc970b6efdebb78580c84944d9541a9c94e045ad676275

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
112KB

MD5
70fbc437c4a7bfc841f0e36700d862ce

SHA1
c95c87e0506cd7ee28cfed43332b2769ade7b2e0

SHA256
8e2f0a83d9894717dc5eb729a637d2c9f5c92128d545909cdb954157ee698991

SHA512
cfdcf7dcccd802380efa1e6285cc2e12e824f5fcf565a178a9b86019d39833ea6fcb496c30cd3d8543b643c68ea40adfbb7139a34c2b53bc81aeb66e294fbb77

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
112KB

MD5
70fbc437c4a7bfc841f0e36700d862ce

SHA1
c95c87e0506cd7ee28cfed43332b2769ade7b2e0

SHA256
8e2f0a83d9894717dc5eb729a637d2c9f5c92128d545909cdb954157ee698991

SHA512
cfdcf7dcccd802380efa1e6285cc2e12e824f5fcf565a178a9b86019d39833ea6fcb496c30cd3d8543b643c68ea40adfbb7139a34c2b53bc81aeb66e294fbb77

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
112KB

MD5
ace4921e4a2c84fda5c49211bef78a68

SHA1
91fb7ee2cc57e40ca1ef8ef55c2f2db212829ee8

SHA256
10b3b70be805ed126af84a2ec76bd338611b907735d11f7361585e66da25aa6b

SHA512
8ec7d0d8bd7a6c48a9a3133548539acf71e4e73587f2d63fd6daee22e72cf1071ce823111508c65dead4f6d5d1c3f113d7c4ef5ee367a87b668fb9a6e3b4a998

Download Submit
C:\Windows\SysWOW64\Chiblk32.exe

Filesize
112KB

MD5
ace4921e4a2c84fda5c49211bef78a68

SHA1
91fb7ee2cc57e40ca1ef8ef55c2f2db212829ee8

SHA256
10b3b70be805ed126af84a2ec76bd338611b907735d11f7361585e66da25aa6b

SHA512
8ec7d0d8bd7a6c48a9a3133548539acf71e4e73587f2d63fd6daee22e72cf1071ce823111508c65dead4f6d5d1c3f113d7c4ef5ee367a87b668fb9a6e3b4a998

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
112KB

MD5
c48792ed5376eebfc900d8e8ffbbca58

SHA1
3664b0c51fe9168e55277a149a0b16da6623b87b

SHA256
554e4648a8b8749e59241bd1b0fcb4539cfc099e996ea550a51b210aed27c59a

SHA512
be035d5550bfe2650647893936a1888dce97c14fd08e963ea605ec959a40fb257eeb5adb9bc64628fdac6224c7e738392ac7d76c39a1f3e9dbecfd565654d2e9

Download Submit
C:\Windows\SysWOW64\Cnhgjaml.exe

Filesize
112KB

MD5
c48792ed5376eebfc900d8e8ffbbca58

SHA1
3664b0c51fe9168e55277a149a0b16da6623b87b

SHA256
554e4648a8b8749e59241bd1b0fcb4539cfc099e996ea550a51b210aed27c59a

SHA512
be035d5550bfe2650647893936a1888dce97c14fd08e963ea605ec959a40fb257eeb5adb9bc64628fdac6224c7e738392ac7d76c39a1f3e9dbecfd565654d2e9

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
112KB

MD5
26d1ea5ae35e433041c2d6924fcb3d00

SHA1
b7ad83fc2ef214254e39879d2780256609cfaa6f

SHA256
0ac3960cda8e089fc04c83b60c96961623c56a04d50c64f74dde2e07a1d0daec

SHA512
b4bd7a3c7dcf270f035f447e5e1cc5b01c7e15a2a160b38e08112ae1e514f76a74a997d781618a37c0b7d1ce152daa9441859e5fa45dbf494e8fc5f4ed95fc8d

Download Submit
C:\Windows\SysWOW64\Cogddd32.exe

Filesize
112KB

MD5
26d1ea5ae35e433041c2d6924fcb3d00

SHA1
b7ad83fc2ef214254e39879d2780256609cfaa6f

SHA256
0ac3960cda8e089fc04c83b60c96961623c56a04d50c64f74dde2e07a1d0daec

SHA512
b4bd7a3c7dcf270f035f447e5e1cc5b01c7e15a2a160b38e08112ae1e514f76a74a997d781618a37c0b7d1ce152daa9441859e5fa45dbf494e8fc5f4ed95fc8d

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
112KB

MD5
04d232a27ab8ed6a83523657efd12caa

SHA1
839743e86bba7cbc706952995c1064c173670f32

SHA256
9feffccc49cbe834ad89e50e7f77023993fbf7afbf2615a6a3a037e7e443e327

SHA512
a43ff82d92a71922d49115c8c2a837b59632db1faf46339fdc969cabb832d9410219bfaf8416c2c0b57fd641ac201c07427d1a4039b2e6519e47dfd2cc77dd2f

Download Submit
C:\Windows\SysWOW64\Dkndie32.exe

Filesize
112KB

MD5
04d232a27ab8ed6a83523657efd12caa

SHA1
839743e86bba7cbc706952995c1064c173670f32

SHA256
9feffccc49cbe834ad89e50e7f77023993fbf7afbf2615a6a3a037e7e443e327

SHA512
a43ff82d92a71922d49115c8c2a837b59632db1faf46339fdc969cabb832d9410219bfaf8416c2c0b57fd641ac201c07427d1a4039b2e6519e47dfd2cc77dd2f

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
112KB

MD5
782e0755b6636ca587e58eb98c624a59

SHA1
f239763cf03b421d9629fbb397f53fece204f31e

SHA256
c7d4e23b70aae4f4ff899c27908896f6e311b3ef7eae5e7c422c66b890d399a5

SHA512
6f1ba123013eb280e091dc43d1ea1c2a44a749adf2a565be00eed728dbd31a67d0b589a51aca2a8aed6c4c2361d2ec0fb5e330792a501786d611cf7154e98551

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
112KB

MD5
782e0755b6636ca587e58eb98c624a59

SHA1
f239763cf03b421d9629fbb397f53fece204f31e

SHA256
c7d4e23b70aae4f4ff899c27908896f6e311b3ef7eae5e7c422c66b890d399a5

SHA512
6f1ba123013eb280e091dc43d1ea1c2a44a749adf2a565be00eed728dbd31a67d0b589a51aca2a8aed6c4c2361d2ec0fb5e330792a501786d611cf7154e98551

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
112KB

MD5
7c7b233fd75d1aaefcde6b6b9baef8a2

SHA1
acd5f68388c61a949cc8274e286a2a6f5efe0f28

SHA256
ca1e13170bfa6ee1dc6745158bdc2b936f791395889b77303937f1ec03f1dc16

SHA512
953c77a43fee8a7f71b1c96c60b9f05b30c49eb22730538fe927a1a3417e49137f610bcd009fb72fbf409c56c0fcd5a2cd500fb244c849dd19a653047170d797

Download Submit
C:\Windows\SysWOW64\Panhbfep.exe

Filesize
112KB

MD5
7c7b233fd75d1aaefcde6b6b9baef8a2

SHA1
acd5f68388c61a949cc8274e286a2a6f5efe0f28

SHA256
ca1e13170bfa6ee1dc6745158bdc2b936f791395889b77303937f1ec03f1dc16

SHA512
953c77a43fee8a7f71b1c96c60b9f05b30c49eb22730538fe927a1a3417e49137f610bcd009fb72fbf409c56c0fcd5a2cd500fb244c849dd19a653047170d797

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
112KB

MD5
3629d180f07d3be77b3f17a79ffb94b0

SHA1
383e5a48fe7d5bafab59886b891f4e6f89afce6f

SHA256
1ab3ea7af1b826d4a5ba27dd87290b25e0c27e56c09ad806ba97f8eeb72d2f14

SHA512
3bbb2f0ce9c2e606baf13971722bb817800be26ee83f6f4d3f7183138076115c635efa1289a056da510b53184a6729788ffbba8fab555b2e7565fc8488ef701d

Download Submit
C:\Windows\SysWOW64\Qfmmplad.exe

Filesize
112KB

MD5
3629d180f07d3be77b3f17a79ffb94b0

SHA1
383e5a48fe7d5bafab59886b891f4e6f89afce6f

SHA256
1ab3ea7af1b826d4a5ba27dd87290b25e0c27e56c09ad806ba97f8eeb72d2f14

SHA512
3bbb2f0ce9c2e606baf13971722bb817800be26ee83f6f4d3f7183138076115c635efa1289a056da510b53184a6729788ffbba8fab555b2e7565fc8488ef701d

Download Submit
memory/472-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/472-73-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/548-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/624-158-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1028-155-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1192-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1260-62-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2200-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2332-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-105-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-25-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3112-33-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3112-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-91-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3144-157-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-117-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3500-156-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3580-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3832-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3832-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4068-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-142-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4324-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-1-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-57-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads