berbew | cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ff

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 04:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
Size

100KB
MD5

d5b96b3ac914c1aea6fe0fbaa96bf8b0
SHA1

1654b83fe1f3fd2f4c244141edd85660f5475f66
SHA256

cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ff
SHA512

9a029afc2962f076120a98588bb55ef20affa97ee6b542a84b8c2dd103ec208b28b41c0e3c428bba12f0531dd24343827e376ede5df2c461a4b798e3b98fe1ef
SSDEEP

3072:1k6zBsokiT1yOpu+vILQR9JeEtvdemgb3a3+X13XRz:XNsbCgLQRyENdef7aOl3Bz

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhnjna32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkcmjlio.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oljoen32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocdgahag.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pokanf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhpgca32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmhkflnj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmckbjdl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nchhfild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mociol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odedipge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlgbon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhpgca32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdpagc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nchhfild.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pecpknke.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfknmd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbdkhe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oomelheh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aijlgkjq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mojopk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Odljjo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfbgiij.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 41 IoCs

pid	Process
4892	Mdnebc32.exe
2332	Mociol32.exe
4036	Memalfcb.exe
4560	Mdpagc32.exe
4740	Mcabej32.exe
1104	Mhnjna32.exe
4448	Mklfjm32.exe
2960	Mhpgca32.exe
2252	Mojopk32.exe
676	Mdghhb32.exe
1444	Nchhfild.exe
4744	Nheqnpjk.exe
3140	Nkcmjlio.exe
2400	Nfiagd32.exe
4276	Nkeipk32.exe
2564	Nfknmd32.exe
1228	Nlgbon32.exe
3304	Nbdkhe32.exe
4284	Oljoen32.exe
2248	Ocdgahag.exe
3716	Odedipge.exe
1420	Ocfdgg32.exe
544	Odgqopeb.exe
3764	Oomelheh.exe
4056	Obkahddl.exe
4088	Ocknbglo.exe
1048	Odljjo32.exe
3620	Okfbgiij.exe
4984	Pmeoqlpl.exe
756	Pmhkflnj.exe
2184	Pecpknke.exe
964	Pcdqhecd.exe
3588	Pokanf32.exe
648	Pmoagk32.exe
1168	Pomncfge.exe
2872	Qmanljfo.exe
1644	Qbngeadf.exe
2340	Qmckbjdl.exe
4908	Aijlgkjq.exe
1376	Apddce32.exe
4796	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Nfiagd32.exe	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Pecpknke.exe	Pmhkflnj.exe
File opened for modification	C:\Windows\SysWOW64\Qmanljfo.exe	Pomncfge.exe
File created	C:\Windows\SysWOW64\Odgqopeb.exe	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Kkacdofa.dll	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Qmckbjdl.exe	Qbngeadf.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Bhejfl32.dll	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Ffmnibme.dll	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Kpdejagg.dll	Nheqnpjk.exe
File opened for modification	C:\Windows\SysWOW64\Nlgbon32.exe	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Apddce32.exe	Aijlgkjq.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Odedipge.exe
File created	C:\Windows\SysWOW64\Oomelheh.exe	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Oomelheh.exe	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Inkqjp32.dll	Oomelheh.exe
File created	C:\Windows\SysWOW64\Dlqgpnjq.dll	Pmeoqlpl.exe
File created	C:\Windows\SysWOW64\Pcdqhecd.exe	Pecpknke.exe
File opened for modification	C:\Windows\SysWOW64\Pmoagk32.exe	Pokanf32.exe
File created	C:\Windows\SysWOW64\Mklfjm32.exe	Mhnjna32.exe
File opened for modification	C:\Windows\SysWOW64\Nfiagd32.exe	Nkcmjlio.exe
File opened for modification	C:\Windows\SysWOW64\Oljoen32.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Kchhih32.dll	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
File created	C:\Windows\SysWOW64\Jbjabqbh.dll	Mklfjm32.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Nkeipk32.exe	Nfiagd32.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Encnaa32.dll	Memalfcb.exe
File opened for modification	C:\Windows\SysWOW64\Mcabej32.exe	Mdpagc32.exe
File opened for modification	C:\Windows\SysWOW64\Nchhfild.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Fmfbakio.dll	Nchhfild.exe
File created	C:\Windows\SysWOW64\Nbdkhe32.exe	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Oljoen32.exe	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Ocknbglo.exe	Obkahddl.exe
File created	C:\Windows\SysWOW64\Lgilmo32.dll	Aijlgkjq.exe
File opened for modification	C:\Windows\SysWOW64\Mdghhb32.exe	Mojopk32.exe
File created	C:\Windows\SysWOW64\Ocdgahag.exe	Oljoen32.exe
File created	C:\Windows\SysWOW64\Odedipge.exe	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Okfbgiij.exe	Odljjo32.exe
File created	C:\Windows\SysWOW64\Lcoeiajc.dll	Pmhkflnj.exe
File created	C:\Windows\SysWOW64\Aijlgkjq.exe	Qmckbjdl.exe
File opened for modification	C:\Windows\SysWOW64\Mdnebc32.exe	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
File opened for modification	C:\Windows\SysWOW64\Nkcmjlio.exe	Nheqnpjk.exe
File opened for modification	C:\Windows\SysWOW64\Nbdkhe32.exe	Nlgbon32.exe
File created	C:\Windows\SysWOW64\Mociol32.exe	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Iagpbgig.dll	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Mojopk32.exe	Mhpgca32.exe
File created	C:\Windows\SysWOW64\Ohhbfe32.dll	Mojopk32.exe
File created	C:\Windows\SysWOW64\Cbpijjbj.dll	Nbdkhe32.exe
File created	C:\Windows\SysWOW64\Odpldj32.dll	Ocfdgg32.exe
File created	C:\Windows\SysWOW64\Hblaceei.dll	Pokanf32.exe
File created	C:\Windows\SysWOW64\Kkpdnm32.dll	Pcdqhecd.exe
File created	C:\Windows\SysWOW64\Mcabej32.exe	Mdpagc32.exe
File created	C:\Windows\SysWOW64\Mdghhb32.exe	Mojopk32.exe
File created	C:\Windows\SysWOW64\Mokjbgbf.dll	Nkcmjlio.exe
File created	C:\Windows\SysWOW64\Gnggfhnm.dll	Nfiagd32.exe
File opened for modification	C:\Windows\SysWOW64\Odedipge.exe	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Dfhegp32.dll	Ocdgahag.exe
File opened for modification	C:\Windows\SysWOW64\Odljjo32.exe	Ocknbglo.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Qmanljfo.exe
File created	C:\Windows\SysWOW64\Mfppnk32.dll	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Conkjj32.dll	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Cqgkidki.dll	Oljoen32.exe
File created	C:\Windows\SysWOW64\Chdjpphi.dll	Ocknbglo.exe

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkcmjlio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlgbon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmhkflnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aijlgkjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhpgca32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nchhfild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nheqnpjk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocknbglo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmanljfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcabej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcdqhecd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Memalfcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhnjna32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odljjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odedipge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pecpknke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oljoen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmckbjdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbdkhe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mklfjm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkeipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oomelheh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mociol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdpagc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mojopk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfiagd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagpbgig.dll"	Mdpagc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpijjbj.dll"	Nbdkhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhbfe32.dll"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgedpmpf.dll"	Nkeipk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odedipge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Memalfcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pecpknke.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pokanf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbdkhe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkeki32.dll"	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhmbdka.dll"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmanljfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoikj32.dll"	Mcabej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmfbakio.dll"	Nchhfild.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcoeiajc.dll"	Pmhkflnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mociol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdejagg.dll"	Nheqnpjk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pmeoqlpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aijlgkjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qbngeadf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mcabej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mojopk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codncb32.dll"	Nlgbon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfhegp32.dll"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Obkahddl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfppnk32.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encnaa32.dll"	Memalfcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfiagd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqgkidki.dll"	Oljoen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhalpn32.dll"	Mdnebc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mhnjna32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Apddce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mklfjm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbjabqbh.dll"	Mklfjm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obkahddl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdjpphi.dll"	Ocknbglo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcdqhecd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nkcmjlio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfiagd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Okfbgiij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Odljjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdghfg32.dll"	Mociol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdpagc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4892	4540	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe	89
PID 4540 wrote to memory of 4892	4540	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe	89
PID 4540 wrote to memory of 4892	4540	cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe	89
PID 4892 wrote to memory of 2332	4892	Mdnebc32.exe	90
PID 4892 wrote to memory of 2332	4892	Mdnebc32.exe	90
PID 4892 wrote to memory of 2332	4892	Mdnebc32.exe	90
PID 2332 wrote to memory of 4036	2332	Mociol32.exe	91
PID 2332 wrote to memory of 4036	2332	Mociol32.exe	91
PID 2332 wrote to memory of 4036	2332	Mociol32.exe	91
PID 4036 wrote to memory of 4560	4036	Memalfcb.exe	92
PID 4036 wrote to memory of 4560	4036	Memalfcb.exe	92
PID 4036 wrote to memory of 4560	4036	Memalfcb.exe	92
PID 4560 wrote to memory of 4740	4560	Mdpagc32.exe	93
PID 4560 wrote to memory of 4740	4560	Mdpagc32.exe	93
PID 4560 wrote to memory of 4740	4560	Mdpagc32.exe	93
PID 4740 wrote to memory of 1104	4740	Mcabej32.exe	94
PID 4740 wrote to memory of 1104	4740	Mcabej32.exe	94
PID 4740 wrote to memory of 1104	4740	Mcabej32.exe	94
PID 1104 wrote to memory of 4448	1104	Mhnjna32.exe	95
PID 1104 wrote to memory of 4448	1104	Mhnjna32.exe	95
PID 1104 wrote to memory of 4448	1104	Mhnjna32.exe	95
PID 4448 wrote to memory of 2960	4448	Mklfjm32.exe	96
PID 4448 wrote to memory of 2960	4448	Mklfjm32.exe	96
PID 4448 wrote to memory of 2960	4448	Mklfjm32.exe	96
PID 2960 wrote to memory of 2252	2960	Mhpgca32.exe	97
PID 2960 wrote to memory of 2252	2960	Mhpgca32.exe	97
PID 2960 wrote to memory of 2252	2960	Mhpgca32.exe	97
PID 2252 wrote to memory of 676	2252	Mojopk32.exe	98
PID 2252 wrote to memory of 676	2252	Mojopk32.exe	98
PID 2252 wrote to memory of 676	2252	Mojopk32.exe	98
PID 676 wrote to memory of 1444	676	Mdghhb32.exe	99
PID 676 wrote to memory of 1444	676	Mdghhb32.exe	99
PID 676 wrote to memory of 1444	676	Mdghhb32.exe	99
PID 1444 wrote to memory of 4744	1444	Nchhfild.exe	100
PID 1444 wrote to memory of 4744	1444	Nchhfild.exe	100
PID 1444 wrote to memory of 4744	1444	Nchhfild.exe	100
PID 4744 wrote to memory of 3140	4744	Nheqnpjk.exe	101
PID 4744 wrote to memory of 3140	4744	Nheqnpjk.exe	101
PID 4744 wrote to memory of 3140	4744	Nheqnpjk.exe	101
PID 3140 wrote to memory of 2400	3140	Nkcmjlio.exe	102
PID 3140 wrote to memory of 2400	3140	Nkcmjlio.exe	102
PID 3140 wrote to memory of 2400	3140	Nkcmjlio.exe	102
PID 2400 wrote to memory of 4276	2400	Nfiagd32.exe	103
PID 2400 wrote to memory of 4276	2400	Nfiagd32.exe	103
PID 2400 wrote to memory of 4276	2400	Nfiagd32.exe	103
PID 4276 wrote to memory of 2564	4276	Nkeipk32.exe	104
PID 4276 wrote to memory of 2564	4276	Nkeipk32.exe	104
PID 4276 wrote to memory of 2564	4276	Nkeipk32.exe	104
PID 2564 wrote to memory of 1228	2564	Nfknmd32.exe	105
PID 2564 wrote to memory of 1228	2564	Nfknmd32.exe	105
PID 2564 wrote to memory of 1228	2564	Nfknmd32.exe	105
PID 1228 wrote to memory of 3304	1228	Nlgbon32.exe	106
PID 1228 wrote to memory of 3304	1228	Nlgbon32.exe	106
PID 1228 wrote to memory of 3304	1228	Nlgbon32.exe	106
PID 3304 wrote to memory of 4284	3304	Nbdkhe32.exe	107
PID 3304 wrote to memory of 4284	3304	Nbdkhe32.exe	107
PID 3304 wrote to memory of 4284	3304	Nbdkhe32.exe	107
PID 4284 wrote to memory of 2248	4284	Oljoen32.exe	108
PID 4284 wrote to memory of 2248	4284	Oljoen32.exe	108
PID 4284 wrote to memory of 2248	4284	Oljoen32.exe	108
PID 2248 wrote to memory of 3716	2248	Ocdgahag.exe	109
PID 2248 wrote to memory of 3716	2248	Ocdgahag.exe	109
PID 2248 wrote to memory of 3716	2248	Ocdgahag.exe	109
PID 3716 wrote to memory of 1420	3716	Odedipge.exe	110

C:\Users\Admin\AppData\Local\Temp\cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe
"C:\Users\Admin\AppData\Local\Temp\cba21245f218f5bcf41047b02346c3cbda724192a53197685088ae886803a6ffN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\SysWOW64\Mdnebc32.exe
  C:\Windows\system32\Mdnebc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\Mociol32.exe
    C:\Windows\system32\Mociol32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\Memalfcb.exe
      C:\Windows\system32\Memalfcb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4036
    - - C:\Windows\SysWOW64\Mdpagc32.exe
        
        C:\Windows\system32\Mdpagc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4560
      - C:\Windows\SysWOW64\Mcabej32.exe
        
        C:\Windows\system32\Mcabej32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Mhnjna32.exe
        
        C:\Windows\system32\Mhnjna32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\SysWOW64\Mklfjm32.exe
        
        C:\Windows\system32\Mklfjm32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Mhpgca32.exe
        
        C:\Windows\system32\Mhpgca32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Mojopk32.exe
        
        C:\Windows\system32\Mojopk32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Nchhfild.exe
        
        C:\Windows\system32\Nchhfild.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Nheqnpjk.exe
        
        C:\Windows\system32\Nheqnpjk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Nkcmjlio.exe
        
        C:\Windows\system32\Nkcmjlio.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3140
        
        C:\Windows\SysWOW64\Nfiagd32.exe
        
        C:\Windows\system32\Nfiagd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Nkeipk32.exe
        
        C:\Windows\system32\Nkeipk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Nlgbon32.exe
        
        C:\Windows\system32\Nlgbon32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Nbdkhe32.exe
        
        C:\Windows\system32\Nbdkhe32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3304
        
        C:\Windows\SysWOW64\Oljoen32.exe
        
        C:\Windows\system32\Oljoen32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Odedipge.exe
        
        C:\Windows\system32\Odedipge.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\Oomelheh.exe
        
        C:\Windows\system32\Oomelheh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\Ocknbglo.exe
        
        C:\Windows\system32\Ocknbglo.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Odljjo32.exe
        
        C:\Windows\system32\Odljjo32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3620
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Pmhkflnj.exe
        
        C:\Windows\system32\Pmhkflnj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\Pecpknke.exe
        
        C:\Windows\system32\Pecpknke.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Pcdqhecd.exe
        
        C:\Windows\system32\Pcdqhecd.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Qmanljfo.exe
        
        C:\Windows\system32\Qmanljfo.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Qmckbjdl.exe
        
        C:\Windows\system32\Qmckbjdl.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\Windows\SysWOW64\Aijlgkjq.exe
        
        C:\Windows\system32\Aijlgkjq.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=1040 /prefetch:8
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apddce32.exe

Filesize
100KB

MD5
232dedc152962fd2529afac6b9897c7f

SHA1
6ffa43d21639ce06d2e45b78c0eec3e81b3845ca

SHA256
7684794ed891a2db8dc961eea5a27d67d0e73025743ed0f8b7665ba1a7888a84

SHA512
9836b4b1fec3e784473f0cff8c8bd880bda60cdc53efdcf6bb6a35ab6df4eae263174696df17a341c099a1dea4081fabdf47d6053fa3043052b5d91b85212182

Download Submit
C:\Windows\SysWOW64\Iagpbgig.dll

Filesize
7KB

MD5
5da7e991e04f27651e3c445d8f80f801

SHA1
9dc15f542e5602b934f2a938d8eefc3c1677bb55

SHA256
e54110d0d668ce582ea69f72a7a89176d53ac4032b4308330849341b0cc64c7f

SHA512
473722691706ce91c6953c7366a9ec5abbd8998766fe7863d892cbe333285b2fa73551688e478305601c87c06fcd74dc27163149b554300b1236002ebc880f9c

Download Submit
C:\Windows\SysWOW64\Mcabej32.exe

Filesize
100KB

MD5
555fa412a31876b2b221041dc74d228d

SHA1
c53ced3b2fd3d309b3fa208a60a6b189257d6573

SHA256
3806042b640723cd42661c9f414fa4f1de0178cea557d0e0424f5f36af72947e

SHA512
e159a5ac3957cfa0843d04a412714373cafa727a8178501665f2ad66c97b64efd42042037fc99cf067b3533d4539ad07a0295aacdbf7a80504bbae99231f065b

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
100KB

MD5
8cf5433e200ea41e097e271ad1be575e

SHA1
dd6202c614f6740f626a63f8e085767176548be6

SHA256
439273c7e5d048ecd63db30c27f8100c20694c45dc68c36b6762056af2f08757

SHA512
3448c3c3f6516fd4eda9086e9d571419a1dc37a0914cf8ecfe635aec939323b21a722f75935363b8cf577602ad44ed1a179b465b0e8b59a76816f383ea2ee43c

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
100KB

MD5
3f622243a98f39c657e761769c761b10

SHA1
b8a46c101439a7c26e38d516022abddbfcdcf225

SHA256
87a4f7a9964ba7d9aa75bb35c9169ff50125d76b48bb45481b3354384a57c4b6

SHA512
458438ced8bf624d6a35d295c863463a8f17279c8a7c4c4d98d4808ff9295b978ca816ac77fd59edc02d20282f8d5d947a09e03cc0346fb7dfa06c03c70ce7c1

Download Submit
C:\Windows\SysWOW64\Mdpagc32.exe

Filesize
100KB

MD5
1fcb184e63e5868ac6bbcb595196582f

SHA1
04f5e9ae6efa2443cc4bd7e64e154ab6fadef195

SHA256
d0d2ce32439f3a07feff9e35c18263630154a0f29d8658d25b202aa892478485

SHA512
4c5c15acf375385c3bc7d855a4f5665559d06179db0a3c6fcd1daacedd6e006dcffdc2ffde0f5396ed4a8e1c60c9024c01415925b9f8ad9b0f7cffecc0295c7f

Download Submit
C:\Windows\SysWOW64\Memalfcb.exe

Filesize
100KB

MD5
4ad46c79f8e4b7d58b10170a38eaa6b8

SHA1
acded0d93f34aedfd9c8bdeb6a65b4071e1ced5a

SHA256
0c8c38469a652de3eaba6dfab74dbb748000a4d0868cd9d12a40092d4c2d7079

SHA512
fdfea335037f0a80ad5984075117941f16bc9c057615a75152267b9e93a2b85e5e83345569a275843760565c986d9a300346fd0295685492f5f9ae3d2188e625

Download Submit
C:\Windows\SysWOW64\Mhnjna32.exe

Filesize
100KB

MD5
8cb0aaf14f941aee16c93333c5b16791

SHA1
2a47b87ea40ee9220795878ffd3bf767caf9dd27

SHA256
ad0eb7eaf765ceb5db0c4521a8acd3bdb42e8f779376130581a9129371b45ce4

SHA512
cf66f505ed323b7cd34562984383c33e14ed79ac842a20f0e5029ffe3af5fb41a5192759586400ef883582dfff433ecdd3571372db2bb5053e14adf2d3420dfa

Download Submit
C:\Windows\SysWOW64\Mhpgca32.exe

Filesize
100KB

MD5
7f3129cd1553b0bb2299c59cf2836b12

SHA1
8981f8f70965df0e8e09381db4b7f06f4767dd65

SHA256
b7f158adb464580d3366d550d890076b79dc62f1d03bbda5c4dce837ad19c7dc

SHA512
6d601735cd972451713fd8abfbb34d8e83ffaf434b077c29b3b2173189a91da2fa93aaae5e292f46364716b71dcaac340d81a9b04abca8f9ed7151f6751c1c8a

Download Submit
C:\Windows\SysWOW64\Mklfjm32.exe

Filesize
100KB

MD5
27f7b11ed3638ccd9e4eda2a0378cb95

SHA1
48fd104fbfa348d8cc83aacc526b7a85736a4ef0

SHA256
74f3d64bc99333d5433873b5b584a9950b266bd0c867d19a19f9549f13b08955

SHA512
b189a9bc9a8044bf365bd9ff2f5eb8addf9ce4509efe9f21c694c7afc6d0d08483ae70283423a069cbe7116e09bbad6f2b7a92737240670eb504e64eb898e031

Download Submit
C:\Windows\SysWOW64\Mociol32.exe

Filesize
100KB

MD5
d0ff23f47df5487fe9f61146adec4419

SHA1
570707b1fdfe088b1ba1d8c11543f425d608ea8c

SHA256
cd580529b45d5e0fd41b9ebcd62f55ba0c229f52af4fa6f1b9eb8449073a8407

SHA512
e46ab14b045fff22fa46ae2c6f119a6afea39415a5e0d008423187bdd3cd6df7641be012df3c7076d2db9a48e2ab81ac227f9c2bce97328fcad68d3ab947243c

Download Submit
C:\Windows\SysWOW64\Mojopk32.exe

Filesize
100KB

MD5
e03da8912b3598dd7270c985f296d5ad

SHA1
d3da87f0c7f32b4429014838abe852f664ece748

SHA256
332f42f19766e3df81f263802d7ba691776f01738369a6d03b0b777364efd477

SHA512
37abc2ef1e17aa1ddac46c4000ba1c7a2e296baedad0f10a765b73bc6f2887de7464dd04ebbf0ec5eed0707ae84369d9c330e156f609c9ea1aff58d6c84b1a63

Download Submit
C:\Windows\SysWOW64\Nbdkhe32.exe

Filesize
100KB

MD5
3a5e922c6ffc7ff0a25448873485abc5

SHA1
db1d60f51195b0df85eb5a7402d274a91120bc08

SHA256
939576bd4032e88b803c01adb010f62fab49fb1b2180f972cb46d2d69fbe3d97

SHA512
cf69d82e2b6153167fe1771edf2fe589720f9963d2f192cfec08d71db76d618bc62c78ea15c9c4b27117831f7ed813b163a0f988f7bc893d84e30957cfb63655

Download Submit
C:\Windows\SysWOW64\Nchhfild.exe

Filesize
100KB

MD5
894803d341a7071cf22955e87397b79e

SHA1
7fc97c92f4efd25aed62df494025c40627b33b87

SHA256
0bd04e8232cbb313c7fc6684c716723f81061b34c7d4195ea486de67381377ba

SHA512
cbda37233eaab50e2d71ba019d5c90f4c88e7aca510431dd5bd15ea4c0101e7f2b1630824c71e897622ececb9e6e824c219db8ca1d80e1f4bfb04417c14735a3

Download Submit
C:\Windows\SysWOW64\Nfiagd32.exe

Filesize
100KB

MD5
1ebd813608214559d6d3217573d814be

SHA1
de24e28e3fbd9ec9c30cc7db4c0a241c9270c2fa

SHA256
2d64812dee8d9c134edd8f7401b364df10522d09898a8765cd208365365f67e6

SHA512
90d8b38986172361bf75094cea87e1546816f85f179ddb8a99623b582bd3d685abbc42e6cd8d5273417ee411e7d96e4d5b7ce364d77f97cff09780deb02cf1a4

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
100KB

MD5
76768420577bbc1fdc3d08d0f40907fc

SHA1
67f9ae2436a675d8f0b06739438a701afee2fa59

SHA256
b9d08d771e924f0af89d7e5b6b082e194818ca27b45927211f4f7c604bd9fb57

SHA512
c0645b1160258d73178511860122abc6f85897e12a4e84a0b01c8921375eed3635f492a6a2268da034347c564c0e810b54b7c11e3c8617bdfe5052b5ffce85bc

Download Submit
C:\Windows\SysWOW64\Nheqnpjk.exe

Filesize
100KB

MD5
04f1f899d80ec2ef22b0d6c666279805

SHA1
16113f5fc26edf0e90372d727588cff1ee5e2b47

SHA256
bd86844ccd04f062716b203a8055332fe5573da30ee333e901b20579e6f9f624

SHA512
39dca2ec791591a95e6b2f334909701f06a73bff480dc674de35d52fd8bd210ce1da1b475efc4e7fac0f2ea3419778a36e8ed5ab11b705a095198b8e9dca0c11

Download Submit
C:\Windows\SysWOW64\Nkcmjlio.exe

Filesize
100KB

MD5
064eaac62d45389f356118796073de35

SHA1
5c2a0c7ff9474a5644691ff7475191ceac644326

SHA256
7a78452e89ac704ac1854d83927183bfb34bcf503216ebbeef7faba7622f8d5a

SHA512
85c8b3642266ea9e7d0abb526227fea9b65e2d5ab06a196212b1a3d7563d971b9699a539f9042a0240b415b4e011fbb90ddd735fc24aa6b64b1e2d78f8844070

Download Submit
C:\Windows\SysWOW64\Nkeipk32.exe

Filesize
100KB

MD5
66a22e55e0bc9e164fa3256befe06ed9

SHA1
a7f9b85cb782e617ccfec574e8e1802a616c595a

SHA256
880a8eebd75f4f55e37322701ee2e8bdc74425c03c7cd7de85523f4ba406dcdc

SHA512
9caad5733ea66d11e3635e8e4d9a051c4d64baca705b14cb1797757a9c08c425721c7323f4ce65a4ae5e09ea854a67922cca0156ca5e566e407acf09cd648a5e

Download Submit
C:\Windows\SysWOW64\Nlgbon32.exe

Filesize
100KB

MD5
f2f2102888f41feeee7a899a70c80f21

SHA1
56afd1294f60921025d5269e0aab1bb36af6987a

SHA256
4b60c90a4e6e0d15ad7edb1bf265b6e21680536a1bed17b0b0d241525a4a0d40

SHA512
ff4167687b88697a22f33dce7c26438846267d8251b3f9b5deea046192c169d7402a99eb3b3d3f7cdc05129bd811fc915c263161b52f9e339c222de79fd3cc11

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
100KB

MD5
66e52bb82157074d36549aeb56817b9d

SHA1
940b205fe5bf524332db451be513e01fc84cc54e

SHA256
7c4e8ac56a5d76bde2b64949e824716ffd22c433f927c2e355485a0249db7cf0

SHA512
386cf39960681297fdac8bd8419d16d7fdedf1e65925009b267a11b0478b355f1a7bf8ffaaed3402aa9e55d1b32335e000baaa4d64d1b96bad17af4574bd7ffd

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
100KB

MD5
185a466e3c7891264eeb092c437fde06

SHA1
3df757017bcb9e1830fa10f6a972ed866a6d6a37

SHA256
831ff434b8117402bf41f83cb9dee4d6d45e220b393a1d16ab183349a12ca170

SHA512
45a7df75aa7dd982cb6d103d9777cf90e423ddcfb0fa0a2cf7f431caaf308424bd319585f934dd0aef3f161ac0bdbe29233d785cc88d9d64d377771e0ddeb1b0

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
100KB

MD5
2bb3f21d86e973728a4f17325337a15d

SHA1
d99b72a757ba47d6ceefb2e629366964bdca2c82

SHA256
34f652e7c5915c1f35578a6c4364cd3ed7ef0b3f48e2484c3141454bea9622aa

SHA512
ac17ced31e6c6e8721d03475ff7ea598f9ab76c0f41b328ace61501e6d90ee462e4a4925d1102f608c4dba095c2474eccdc9806dd8a4723d3b7d1775c32618bd

Download Submit
C:\Windows\SysWOW64\Ocknbglo.exe

Filesize
100KB

MD5
0e979f7a33799a3c3c32ec51fd29b74e

SHA1
ac235e75d0ae610e226efe5e3ffa29b64596d11b

SHA256
2b96c02cc93069a2ccb5b4ec1ec9c54947795f3ba01aae2b8ffb90db8cd327c7

SHA512
625baf41e97caa389acc5405eca9cdbb446a98c4a120f4043bdaccc3568850d893cc5685c65196a11d66987839f7a965e3d52bb4c8ef08259c25f6855de2cd23

Download Submit
C:\Windows\SysWOW64\Odedipge.exe

Filesize
100KB

MD5
013ae16362c1382e73ba5c81dc4140c7

SHA1
a860101ccb8216de28f2c77409aca3881b78d509

SHA256
d55ce927d75d7d19dcf9c75fcb8b3e6a7cfecf36f7ed2256f06d71f6493df9f8

SHA512
936633060594c77dcf0283586506e3720ffdbed1050e97a3e5546cfc2fd3e47e2f349a00c4affb4f60483979357a842efb27dd253ba4b54be10834dd34f92ec4

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
100KB

MD5
a7c4f7a23e7f9c50b25cc7549ee66779

SHA1
7688d9bb54881bd5e012af85b62a72618d4df902

SHA256
2bd2ecd8fcb05d4274172745bc5bafde23cb6761d70dd7b31e5bd5f00b5fa6d9

SHA512
c65ccdd95f4b00bd700018aa27b4dfe25559273a54a8936dd40afc761dc29643179450ff6baf6e943ce6ecb9fa9339cb23ac567e78a8320d2632896f1640ebef

Download Submit
C:\Windows\SysWOW64\Odljjo32.exe

Filesize
100KB

MD5
26092f70315a81ff54eabd138f58ebdd

SHA1
2b6079d3fd0e54fcaed111aaa703e3192f524819

SHA256
5e8444f671f57968bb888185dadecbae37cc380558c621ebd4eb6760f2749535

SHA512
2ad782e1b376b52169348816618d281a7dc516302d2e5089f07b01b9d14dd944c8349899a63d9a03d41e06c1b9cd37071650ff4f9655d2120403c78567894d4b

Download Submit
C:\Windows\SysWOW64\Okfbgiij.exe

Filesize
100KB

MD5
fb69e482f9decf8fd71e4d90134fc816

SHA1
4ce52c643dd578de10c6319ba1c073eebcd59aa9

SHA256
7c2f6ae0ffde156b4a9d0a37e9306741eebe783a5058810bd3ea80072a742830

SHA512
c5091557d978efb142712dda464b219db3159c299a92dc614d24ca97cc874e825d7865f61ebb6089fe4e6e6a188cd60c98e49df43b6b6e861417c5fb0b044466

Download Submit
C:\Windows\SysWOW64\Oljoen32.exe

Filesize
100KB

MD5
52b3e00d7b3f4e201f80648c0e02d57d

SHA1
6f3bddcf48a49405b93f81d62e889442daff89cc

SHA256
62ed2bf25fe7b5999548b26d22e2bed45e964e6c47b7a37733fc271605b2d3b8

SHA512
e011f34b0da96a4ecb70dd73c5384bb81fbf206eef4b9cf453637b91e54d05035dda14b381b1fab4831e52b2807072889f5a141cc025b45af08f581bab3a1b0b

Download Submit
C:\Windows\SysWOW64\Oomelheh.exe

Filesize
100KB

MD5
6c756b191b40d7311b9c7c379a00eb00

SHA1
4283c7ef9fe1f68ad25444486e14b35a1b42b8c0

SHA256
bbe55313ba6eafa64060a9cfb402e320f7ed156d0191f8142ed695ed1b3821e6

SHA512
49123c81a490c1546e3b978345d1961adb24c55e5e692937fae5a1dd3bf02b7fd97cb4c73e414571e91e215d3a3058902e7a081796430bc2e76931fe4e8f22a5

Download Submit
C:\Windows\SysWOW64\Pcdqhecd.exe

Filesize
100KB

MD5
d5dd99174f8f4bedeb29657e7c4ea77d

SHA1
3730a21c1222d7690652d9fd099f232e3f480864

SHA256
831037d01824c884dddaeaa9a21f5ec957c4627b1580b01580a6c1053b434ae1

SHA512
a83625b40bcd6a574a88ac9df54417be6d886439865a3461c21332fca04d01b8d4334a373374d6987a18b3049aecde0125a590007e359ef04db03db51b2cb343

Download Submit
C:\Windows\SysWOW64\Pecpknke.exe

Filesize
100KB

MD5
41056c1769b201855c0072f6e990da88

SHA1
02135208cfd63740dc79af957ff943a66476fcfc

SHA256
df40acd7fad25ad61a5db515d578fa159a6844c340a151c3e0fb164e684c1a85

SHA512
20866b0db91bc86a59fccd4c5ea3ae5468fd5881943e100caee941c943f4c85d56b5b2a7e86ec8446c4142d835fec521d9661d9038b492084ae8564ae37d4341

Download Submit
C:\Windows\SysWOW64\Pmeoqlpl.exe

Filesize
100KB

MD5
4709a6d4435470486a419facc8c0ce7c

SHA1
8762032b6b5021c5942cc3f4d56ddad90075156c

SHA256
1943794bb96060d7700631014d63d3b3f2b484797f0a8d1c2d3c54c55d919183

SHA512
46bd3d4df5305a5dd3ec2f50fb14f5d2c3c7d2d1687bea10701a018e6a2d22d58a5525ac84b7008cfd110b7ea33528baa912cf70f9c080c082d8c8962098bbbb

Download Submit
C:\Windows\SysWOW64\Pmhkflnj.exe

Filesize
100KB

MD5
0d459b9eee3e1d8e532a4a58c105496d

SHA1
070fbe6d33d47f814c9609d31a18f9339b28d0b0

SHA256
b46a9792f756f445a063294b7689d232c247db712a535bcebe45e72ac548752d

SHA512
5e5976bb59ae7cbeaab26fa443ca493bef7413ea312ed409dea77a69240919c7354e4fffa2cf1429e9693ff83a6e6eccc3a21a2319d707b55bb26e15819c7d62

Download Submit
C:\Windows\SysWOW64\Qbngeadf.exe

Filesize
100KB

MD5
237dc66ed4edb8d95fe0e19160928f94

SHA1
b77909f408f8c012dddfec99ef2719fe72f3c183

SHA256
1e47df3b2cceec8959b478a504ed18632966e036d6246c3d7248de6a5aeba794

SHA512
5508085db9e0a091b50bccbc788fb3636eb3df84e6f2799bc5855d504963dd55dfa1d5ff0b146acb8c20144cccc09f7aa9945f0f377a125ab7792957b1b6c1e0

Download Submit
memory/544-188-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/648-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/648-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/676-321-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/676-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/756-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/756-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/964-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/964-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1048-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-317-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1104-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1168-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1168-345-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-350-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-347-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1644-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2184-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2248-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2248-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2252-320-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2340-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2400-325-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2400-112-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2564-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2960-319-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3304-143-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3304-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3588-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3588-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3620-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3716-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3764-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3764-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-314-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4036-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4056-199-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-207-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4088-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4276-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4276-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4284-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4448-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4540-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4560-315-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4740-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4744-96-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4744-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4796-351-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-313-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4892-7-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4908-349-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads