berbew | 5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Size

483KB
MD5

8e6387b6080b4369bd5f679d654ed244
SHA1

ceb1d89f839c5352e2fd78d6eb29f52475e9449b
SHA256

5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3
SHA512

5c91ee4bf342e27d356b79b9e9b472f6e00cb1d4314435671323e5370c5990ba190e30f4986d0a9d10317535547151ccb1c0485f0698d499fd86acb2b2703825
SSDEEP

12288:m0JekrtY5vARM0RM/3ARMSG0dhvARMoHG:m0JeetY58dhMHG

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 60 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onmgeb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pedokpcm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qeglqpaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gljdlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Galfpgpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlcfnk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdailaib.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgomoboc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbdpblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhgpcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbaafocg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdhigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gebiefle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebpgoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Galfpgpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mglpjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeglqpaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bohoogbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmlpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onmgeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbdpblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fholmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdemap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpojlp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmlpd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cccgni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdhigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gljdlq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgomoboc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdailaib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adcobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bohoogbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndoof32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpojlp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gebiefle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgkknm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcfenn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ollncgjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pedokpcm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndoof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ollncgjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cccgni32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fholmo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgkknm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhgpcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcfenn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mnakjaoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlcfnk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebpgoh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdemap32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcocnk32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 30 IoCs

pid	Process
1184	Mglpjc32.exe
2912	Mgomoboc.exe
2408	Mnakjaoc.exe
2740	Nbaafocg.exe
2784	Ofklpa32.exe
2696	Ollncgjq.exe
2808	Onmgeb32.exe
1688	Pedokpcm.exe
3064	Qeglqpaj.exe
1532	Adcobk32.exe
2540	Ajbdpblo.exe
1840	Bohoogbk.exe
2504	Cnmlpd32.exe
2088	Cccgni32.exe
2052	Dlcfnk32.exe
2620	Dndoof32.exe
1636	Ebpgoh32.exe
288	Fholmo32.exe
1820	Fdemap32.exe
1640	Fdhigo32.exe
1988	Fpojlp32.exe
2376	Gcocnk32.exe
2268	Gljdlq32.exe
2324	Gebiefle.exe
2276	Galfpgpg.exe
1708	Hgkknm32.exe
2468	Hhjhgpcn.exe
2928	Hdailaib.exe
2148	Hcfenn32.exe
3016	Iqmcmaja.exe

Loads dropped DLL 64 IoCs

pid	Process
2380	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
2380	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
1184	Mglpjc32.exe
1184	Mglpjc32.exe
2912	Mgomoboc.exe
2912	Mgomoboc.exe
2408	Mnakjaoc.exe
2408	Mnakjaoc.exe
2740	Nbaafocg.exe
2740	Nbaafocg.exe
2784	Ofklpa32.exe
2784	Ofklpa32.exe
2696	Ollncgjq.exe
2696	Ollncgjq.exe
2808	Onmgeb32.exe
2808	Onmgeb32.exe
1688	Pedokpcm.exe
1688	Pedokpcm.exe
3064	Qeglqpaj.exe
3064	Qeglqpaj.exe
1532	Adcobk32.exe
1532	Adcobk32.exe
2540	Ajbdpblo.exe
2540	Ajbdpblo.exe
1840	Bohoogbk.exe
1840	Bohoogbk.exe
2504	Cnmlpd32.exe
2504	Cnmlpd32.exe
2088	Cccgni32.exe
2088	Cccgni32.exe
2052	Dlcfnk32.exe
2052	Dlcfnk32.exe
2620	Dndoof32.exe
2620	Dndoof32.exe
1636	Ebpgoh32.exe
1636	Ebpgoh32.exe
288	Fholmo32.exe
288	Fholmo32.exe
1820	Fdemap32.exe
1820	Fdemap32.exe
1640	Fdhigo32.exe
1640	Fdhigo32.exe
1988	Fpojlp32.exe
1988	Fpojlp32.exe
2376	Gcocnk32.exe
2376	Gcocnk32.exe
2268	Gljdlq32.exe
2268	Gljdlq32.exe
2324	Gebiefle.exe
2324	Gebiefle.exe
2276	Galfpgpg.exe
2276	Galfpgpg.exe
1708	Hgkknm32.exe
1708	Hgkknm32.exe
2468	Hhjhgpcn.exe
2468	Hhjhgpcn.exe
2928	Hdailaib.exe
2928	Hdailaib.exe
2148	Hcfenn32.exe
2148	Hcfenn32.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe
2536	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mbmffd32.dll	Fdhigo32.exe
File created	C:\Windows\SysWOW64\Fbgdlq32.dll	Fpojlp32.exe
File created	C:\Windows\SysWOW64\Opmaii32.dll	Hhjhgpcn.exe
File opened for modification	C:\Windows\SysWOW64\Mglpjc32.exe	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
File created	C:\Windows\SysWOW64\Nbihec32.dll	Ofklpa32.exe
File created	C:\Windows\SysWOW64\Ajbdpblo.exe	Adcobk32.exe
File created	C:\Windows\SysWOW64\Cofdbh32.dll	Bohoogbk.exe
File created	C:\Windows\SysWOW64\Oifbhdjc.dll	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
File created	C:\Windows\SysWOW64\Dgcdjk32.dll	Mgomoboc.exe
File created	C:\Windows\SysWOW64\Kcindbjd.dll	Gebiefle.exe
File created	C:\Windows\SysWOW64\Jgqmmiph.dll	Hdailaib.exe
File opened for modification	C:\Windows\SysWOW64\Bohoogbk.exe	Ajbdpblo.exe
File created	C:\Windows\SysWOW64\Cccgni32.exe	Cnmlpd32.exe
File created	C:\Windows\SysWOW64\Lfamkl32.dll	Fdemap32.exe
File created	C:\Windows\SysWOW64\Gljdlq32.exe	Gcocnk32.exe
File opened for modification	C:\Windows\SysWOW64\Mnakjaoc.exe	Mgomoboc.exe
File created	C:\Windows\SysWOW64\Keniknoh.dll	Nbaafocg.exe
File opened for modification	C:\Windows\SysWOW64\Adcobk32.exe	Qeglqpaj.exe
File created	C:\Windows\SysWOW64\Dcecef32.dll	Qeglqpaj.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhgpcn.exe	Hgkknm32.exe
File created	C:\Windows\SysWOW64\Hdailaib.exe	Hhjhgpcn.exe
File opened for modification	C:\Windows\SysWOW64\Hdailaib.exe	Hhjhgpcn.exe
File opened for modification	C:\Windows\SysWOW64\Iqmcmaja.exe	Hcfenn32.exe
File created	C:\Windows\SysWOW64\Nbaafocg.exe	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Nghehm32.dll	Pedokpcm.exe
File opened for modification	C:\Windows\SysWOW64\Cccgni32.exe	Cnmlpd32.exe
File created	C:\Windows\SysWOW64\Fholmo32.exe	Ebpgoh32.exe
File created	C:\Windows\SysWOW64\Eaodhk32.dll	Fholmo32.exe
File created	C:\Windows\SysWOW64\Gebiefle.exe	Gljdlq32.exe
File opened for modification	C:\Windows\SysWOW64\Hgkknm32.exe	Galfpgpg.exe
File opened for modification	C:\Windows\SysWOW64\Pedokpcm.exe	Onmgeb32.exe
File created	C:\Windows\SysWOW64\Iljccajl.dll	Ajbdpblo.exe
File created	C:\Windows\SysWOW64\Dndoof32.exe	Dlcfnk32.exe
File created	C:\Windows\SysWOW64\Ebpgoh32.exe	Dndoof32.exe
File created	C:\Windows\SysWOW64\Fdemap32.exe	Fholmo32.exe
File created	C:\Windows\SysWOW64\Gcocnk32.exe	Fpojlp32.exe
File created	C:\Windows\SysWOW64\Hgkknm32.exe	Galfpgpg.exe
File created	C:\Windows\SysWOW64\Qeglqpaj.exe	Pedokpcm.exe
File created	C:\Windows\SysWOW64\Opfjnm32.dll	Cnmlpd32.exe
File created	C:\Windows\SysWOW64\Odqknf32.dll	Cccgni32.exe
File opened for modification	C:\Windows\SysWOW64\Dndoof32.exe	Dlcfnk32.exe
File created	C:\Windows\SysWOW64\Coccggfi.dll	Ebpgoh32.exe
File created	C:\Windows\SysWOW64\Bnaacb32.dll	Onmgeb32.exe
File created	C:\Windows\SysWOW64\Cnmlpd32.exe	Bohoogbk.exe
File created	C:\Windows\SysWOW64\Dlcfnk32.exe	Cccgni32.exe
File opened for modification	C:\Windows\SysWOW64\Ebpgoh32.exe	Dndoof32.exe
File created	C:\Windows\SysWOW64\Bohoogbk.exe	Ajbdpblo.exe
File opened for modification	C:\Windows\SysWOW64\Gcocnk32.exe	Fpojlp32.exe
File created	C:\Windows\SysWOW64\Mbenmb32.dll	Galfpgpg.exe
File created	C:\Windows\SysWOW64\Hcfenn32.exe	Hdailaib.exe
File created	C:\Windows\SysWOW64\Mgomoboc.exe	Mglpjc32.exe
File created	C:\Windows\SysWOW64\Ofklpa32.exe	Nbaafocg.exe
File opened for modification	C:\Windows\SysWOW64\Ofklpa32.exe	Nbaafocg.exe
File opened for modification	C:\Windows\SysWOW64\Qeglqpaj.exe	Pedokpcm.exe
File created	C:\Windows\SysWOW64\Galfpgpg.exe	Gebiefle.exe
File created	C:\Windows\SysWOW64\Maonll32.dll	Hcfenn32.exe
File opened for modification	C:\Windows\SysWOW64\Nbaafocg.exe	Mnakjaoc.exe
File created	C:\Windows\SysWOW64\Adcobk32.exe	Qeglqpaj.exe
File created	C:\Windows\SysWOW64\Fpojlp32.exe	Fdhigo32.exe
File opened for modification	C:\Windows\SysWOW64\Gljdlq32.exe	Gcocnk32.exe
File created	C:\Windows\SysWOW64\Mglpjc32.exe	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
File opened for modification	C:\Windows\SysWOW64\Mgomoboc.exe	Mglpjc32.exe
File opened for modification	C:\Windows\SysWOW64\Ajbdpblo.exe	Adcobk32.exe
File created	C:\Windows\SysWOW64\Fdhigo32.exe	Fdemap32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2536	3016	WerFault.exe	58

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeglqpaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmlpd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gebiefle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcfenn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgomoboc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbaafocg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ollncgjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cccgni32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onmgeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bohoogbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Galfpgpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hgkknm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndoof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdemap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcocnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqmcmaja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mglpjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fholmo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdhigo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlcfnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebpgoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gljdlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpojlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhjhgpcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mnakjaoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofklpa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pedokpcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbdpblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdailaib.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cccgni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hgkknm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifbhdjc.dll"	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcdjk32.dll"	Mgomoboc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ollncgjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofklpa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneddmal.dll"	Adcobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljccajl.dll"	Ajbdpblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bohoogbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjcfdm32.dll"	Dlcfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fholmo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keniknoh.dll"	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qeglqpaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdemap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdhigo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdailaib.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcfenn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cccgni32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlcfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcocnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gljdlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gljdlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmjkbjpm.dll"	Mnakjaoc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qeglqpaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpojlp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmlpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odqknf32.dll"	Cccgni32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndoof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebpgoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mglpjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgomoboc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajbdpblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbh32.dll"	Bohoogbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gebiefle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhgpcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcindbjd.dll"	Gebiefle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dndoof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fdemap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdhigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbaafocg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbdpblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Napdqm32.dll"	Dndoof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbihec32.dll"	Ofklpa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onmgeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfamkl32.dll"	Fdemap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opmaii32.dll"	Hhjhgpcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnaacb32.dll"	Onmgeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfjnm32.dll"	Cnmlpd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgjllbn.dll"	Mglpjc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fholmo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeahmik.dll"	Gcocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcfenn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcecef32.dll"	Qeglqpaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbenmb32.dll"	Galfpgpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbajcaio.dll"	Hgkknm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdailaib.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghehm32.dll"	Pedokpcm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1184	2380	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe	29
PID 2380 wrote to memory of 1184	2380	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe	29
PID 2380 wrote to memory of 1184	2380	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe	29
PID 2380 wrote to memory of 1184	2380	5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe	29
PID 1184 wrote to memory of 2912	1184	Mglpjc32.exe	30
PID 1184 wrote to memory of 2912	1184	Mglpjc32.exe	30
PID 1184 wrote to memory of 2912	1184	Mglpjc32.exe	30
PID 1184 wrote to memory of 2912	1184	Mglpjc32.exe	30
PID 2912 wrote to memory of 2408	2912	Mgomoboc.exe	31
PID 2912 wrote to memory of 2408	2912	Mgomoboc.exe	31
PID 2912 wrote to memory of 2408	2912	Mgomoboc.exe	31
PID 2912 wrote to memory of 2408	2912	Mgomoboc.exe	31
PID 2408 wrote to memory of 2740	2408	Mnakjaoc.exe	32
PID 2408 wrote to memory of 2740	2408	Mnakjaoc.exe	32
PID 2408 wrote to memory of 2740	2408	Mnakjaoc.exe	32
PID 2408 wrote to memory of 2740	2408	Mnakjaoc.exe	32
PID 2740 wrote to memory of 2784	2740	Nbaafocg.exe	33
PID 2740 wrote to memory of 2784	2740	Nbaafocg.exe	33
PID 2740 wrote to memory of 2784	2740	Nbaafocg.exe	33
PID 2740 wrote to memory of 2784	2740	Nbaafocg.exe	33
PID 2784 wrote to memory of 2696	2784	Ofklpa32.exe	34
PID 2784 wrote to memory of 2696	2784	Ofklpa32.exe	34
PID 2784 wrote to memory of 2696	2784	Ofklpa32.exe	34
PID 2784 wrote to memory of 2696	2784	Ofklpa32.exe	34
PID 2696 wrote to memory of 2808	2696	Ollncgjq.exe	35
PID 2696 wrote to memory of 2808	2696	Ollncgjq.exe	35
PID 2696 wrote to memory of 2808	2696	Ollncgjq.exe	35
PID 2696 wrote to memory of 2808	2696	Ollncgjq.exe	35
PID 2808 wrote to memory of 1688	2808	Onmgeb32.exe	36
PID 2808 wrote to memory of 1688	2808	Onmgeb32.exe	36
PID 2808 wrote to memory of 1688	2808	Onmgeb32.exe	36
PID 2808 wrote to memory of 1688	2808	Onmgeb32.exe	36
PID 1688 wrote to memory of 3064	1688	Pedokpcm.exe	37
PID 1688 wrote to memory of 3064	1688	Pedokpcm.exe	37
PID 1688 wrote to memory of 3064	1688	Pedokpcm.exe	37
PID 1688 wrote to memory of 3064	1688	Pedokpcm.exe	37
PID 3064 wrote to memory of 1532	3064	Qeglqpaj.exe	38
PID 3064 wrote to memory of 1532	3064	Qeglqpaj.exe	38
PID 3064 wrote to memory of 1532	3064	Qeglqpaj.exe	38
PID 3064 wrote to memory of 1532	3064	Qeglqpaj.exe	38
PID 1532 wrote to memory of 2540	1532	Adcobk32.exe	39
PID 1532 wrote to memory of 2540	1532	Adcobk32.exe	39
PID 1532 wrote to memory of 2540	1532	Adcobk32.exe	39
PID 1532 wrote to memory of 2540	1532	Adcobk32.exe	39
PID 2540 wrote to memory of 1840	2540	Ajbdpblo.exe	40
PID 2540 wrote to memory of 1840	2540	Ajbdpblo.exe	40
PID 2540 wrote to memory of 1840	2540	Ajbdpblo.exe	40
PID 2540 wrote to memory of 1840	2540	Ajbdpblo.exe	40
PID 1840 wrote to memory of 2504	1840	Bohoogbk.exe	41
PID 1840 wrote to memory of 2504	1840	Bohoogbk.exe	41
PID 1840 wrote to memory of 2504	1840	Bohoogbk.exe	41
PID 1840 wrote to memory of 2504	1840	Bohoogbk.exe	41
PID 2504 wrote to memory of 2088	2504	Cnmlpd32.exe	42
PID 2504 wrote to memory of 2088	2504	Cnmlpd32.exe	42
PID 2504 wrote to memory of 2088	2504	Cnmlpd32.exe	42
PID 2504 wrote to memory of 2088	2504	Cnmlpd32.exe	42
PID 2088 wrote to memory of 2052	2088	Cccgni32.exe	43
PID 2088 wrote to memory of 2052	2088	Cccgni32.exe	43
PID 2088 wrote to memory of 2052	2088	Cccgni32.exe	43
PID 2088 wrote to memory of 2052	2088	Cccgni32.exe	43
PID 2052 wrote to memory of 2620	2052	Dlcfnk32.exe	44
PID 2052 wrote to memory of 2620	2052	Dlcfnk32.exe	44
PID 2052 wrote to memory of 2620	2052	Dlcfnk32.exe	44
PID 2052 wrote to memory of 2620	2052	Dlcfnk32.exe	44

C:\Users\Admin\AppData\Local\Temp\5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe
"C:\Users\Admin\AppData\Local\Temp\5157a5dacb59bf8134b3c77fc6861dab9ee665e0f0f344904c5ca9dc878177d3.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\Mglpjc32.exe
  C:\Windows\system32\Mglpjc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\SysWOW64\Mgomoboc.exe
    C:\Windows\system32\Mgomoboc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\SysWOW64\Mnakjaoc.exe
      C:\Windows\system32\Mnakjaoc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\Nbaafocg.exe
        
        C:\Windows\system32\Nbaafocg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Ofklpa32.exe
        
        C:\Windows\system32\Ofklpa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\SysWOW64\Ollncgjq.exe
        
        C:\Windows\system32\Ollncgjq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\SysWOW64\Onmgeb32.exe
        
        C:\Windows\system32\Onmgeb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Pedokpcm.exe
        
        C:\Windows\system32\Pedokpcm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\Qeglqpaj.exe
        
        C:\Windows\system32\Qeglqpaj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Adcobk32.exe
        
        C:\Windows\system32\Adcobk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Ajbdpblo.exe
        
        C:\Windows\system32\Ajbdpblo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Bohoogbk.exe
        
        C:\Windows\system32\Bohoogbk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\Cnmlpd32.exe
        
        C:\Windows\system32\Cnmlpd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Cccgni32.exe
        
        C:\Windows\system32\Cccgni32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\Dlcfnk32.exe
        
        C:\Windows\system32\Dlcfnk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Dndoof32.exe
        
        C:\Windows\system32\Dndoof32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Ebpgoh32.exe
        
        C:\Windows\system32\Ebpgoh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Fholmo32.exe
        
        C:\Windows\system32\Fholmo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:288
        
        C:\Windows\SysWOW64\Fdemap32.exe
        
        C:\Windows\system32\Fdemap32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\Fdhigo32.exe
        
        C:\Windows\system32\Fdhigo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Fpojlp32.exe
        
        C:\Windows\system32\Fpojlp32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Gcocnk32.exe
        
        C:\Windows\system32\Gcocnk32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\Gljdlq32.exe
        
        C:\Windows\system32\Gljdlq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Gebiefle.exe
        
        C:\Windows\system32\Gebiefle.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2324
        
        C:\Windows\SysWOW64\Galfpgpg.exe
        
        C:\Windows\system32\Galfpgpg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Hgkknm32.exe
        
        C:\Windows\system32\Hgkknm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Hhjhgpcn.exe
        
        C:\Windows\system32\Hhjhgpcn.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Hdailaib.exe
        
        C:\Windows\system32\Hdailaib.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Hcfenn32.exe
        
        C:\Windows\system32\Hcfenn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2148
        
        C:\Windows\SysWOW64\Iqmcmaja.exe
        
        C:\Windows\system32\Iqmcmaja.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 140
        32⤵
        Loads dropped DLL
        Program crash
        
        PID:2536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cccgni32.exe

Filesize
483KB

MD5
44a20f80cc0c354ef8f0123686088ede

SHA1
2189c87b6868ba98d0c17be7ce6eaa0bdf82495f

SHA256
9207bf43935b3630d76de707631550cfc42ec05886798a6ddbfd4f5dfc3a84e9

SHA512
94f9e4a577107919e2b8eeb868cad13987f6638bd8fb1246825f067905d92c35c9966bb463c7bb9a8cdd082851f7a54880f07c8dc08d814ff7253f5cb7038413

Download Submit
C:\Windows\SysWOW64\Dlcfnk32.exe

Filesize
483KB

MD5
7776526b92c3eee473aa01d0f8ac4ad9

SHA1
599f938aea54d781aaa6e1243521eb5e18591547

SHA256
435dc50ea93f3c6bb54f2821a990c861142edaacea656a273b302a1fe32f7b7d

SHA512
d9f9051d238a4957da3ddfade562722a3dff8490ebc0123272d81e47332c859d0c4ce0e60c7080f3d546d0a229038b6583fb74c2504f6b17d6ba0e4bb2c4658f

Download Submit
C:\Windows\SysWOW64\Ebpgoh32.exe

Filesize
483KB

MD5
4856cf2ea9f24eed16e013003e20de99

SHA1
ff1bf111867cb43a7ce4b0516793181dceeb9974

SHA256
85ad2ff92fc034ac4a4ca8f618333b4690b5ddd5208dda10bbdca47d2563260f

SHA512
036d59fba86c8259c29da5c65df1dd6925b150b055bf121dfc3807513c085d0c5e0fd91060a1b9c4b80e6e0efa24fe25a19893ec25cd498235ac4e19412803ae

Download Submit
C:\Windows\SysWOW64\Fdemap32.exe

Filesize
483KB

MD5
bf641de30d2b065c382fdc04b79dc76a

SHA1
c31fa0a6317e986d7d1b7e059081b8d39b35bfa5

SHA256
fcf9da2f1d081c515c48374200a40a8b5e770776e1be1122001110bcd4545098

SHA512
8f2228a454a32d0bb30c8bffc4c86be48a316afdd7ceb74c0e560adee4e5e0feba0ef67be0fd4d969e261e142836f68735250a4742d32c56f7202b424dbfee71

Download Submit
C:\Windows\SysWOW64\Fdhigo32.exe

Filesize
483KB

MD5
e0aa9d8574325ab44fb4307321f1e482

SHA1
7b725ee88d6d8e00ce8919c10c419b133be48180

SHA256
b92b1fcbbe0f0dba54cecb8a6b35fa3f738d182ad484b97efb9d09d60290db36

SHA512
9dafe7081f9e7d39043b104591759453771d75920f8bcb0f3d1d30f27a5f38038cba959ab56b0acf97b482ff252b162cc85ada8faadc8186fbe9096af583bb3f

Download Submit
C:\Windows\SysWOW64\Fholmo32.exe

Filesize
483KB

MD5
469c1add61c99c05666f596e8554cf75

SHA1
c5c925803944fbc5c0544b9479fd0d61670f2274

SHA256
543e850e6603a91bff48ee50cb4aa630ba4e6a7f7d9d1751f10e56c7f0cacc92

SHA512
97c627aa7601e129a08104468f0ae699e1d6d7fa805827e37c018e4dd46242b521dd402c1d4bc58c66062ba785779f4ec5606003459e11c46f7fc144f3f2928c

Download Submit
C:\Windows\SysWOW64\Fpojlp32.exe

Filesize
483KB

MD5
13ed7a07c42f9a0220a02303755af756

SHA1
4c8e944a2a31dd4d0373b47f2306e0e6a035836e

SHA256
6f59b1ea82e496663cacf37c151c32df59587eee47ba7c76e26b3bf6b277a2c3

SHA512
0099f1cc8aa6b9e521d6dbf0786f4b16ddb59a05a21642dbd91294c8b4c4008e69d0b77a5e73169786995cbe37b8c0c88cc8c5bd871eafcd7bb75410c5bbafdd

Download Submit
C:\Windows\SysWOW64\Galfpgpg.exe

Filesize
483KB

MD5
e64cfcb84997e48b12f2de3939690553

SHA1
0aea185c236c45e841c323c0b1da6b6f41315d7f

SHA256
9277ef7bef6c1f3c9b2476fe1cebd648e204126b2afa4865d9e643eb6582d41f

SHA512
40c00a0df9f22f85afb43bbcf3f811c0a85b06bce076c652d9d8681af0254828a40717937ed87eb9d516ee2f10372fe639ba28fddd5b96c56a36d67c81fc4db7

Download Submit
C:\Windows\SysWOW64\Gcocnk32.exe

Filesize
483KB

MD5
fe9443d8b8bd93de27dda1dea8cf70b2

SHA1
6f066be39d3536c0ea0dd69bf44b620cfe6c7afe

SHA256
a6c21546be9f30f305d5e3a864c689ad31c759fa0bc4689a1e044061e2104f36

SHA512
e7c8901c2799f2803bb61cf82e6015800a904237041d7847556dfd7248e2f9adb37095a198872e30e3694ccbdbfeab10d27120437f08cd7c7c8ed5a780274d02

Download Submit
C:\Windows\SysWOW64\Gebiefle.exe

Filesize
483KB

MD5
ee1f7a3fb497a067335533c83690a0a6

SHA1
101a30d05dde45fa06d8858bfa49e7af681fafbe

SHA256
970e4d571dc73feeef1cd5b6a0eb8328738e7d8e1ee5b7fe00250abcac9b576d

SHA512
31d5242068b0dde7aedfaa24e6de22c11b06f53c33915483cce5b8551213048fa2d2b713834c6e7891ea9d451d8b62885030468afde732cd2810256fb92f14d9

Download Submit
C:\Windows\SysWOW64\Gljdlq32.exe

Filesize
483KB

MD5
e469c8edceb79c16e97704df777e35f2

SHA1
a8c594b40d2ac3938385640826484b2c16a60663

SHA256
8eec3b55f6445f42fe0e2331f74234b8a3556b1139b69aa61b18045e3916d74a

SHA512
b02c2ee2ab0546597c5ed6831ae86f032bc584ab951abe55988d3081eeb02c383511e97ae371da964c681021706bcd6465c6868deec43310bca53816646a79f7

Download Submit
C:\Windows\SysWOW64\Hcfenn32.exe

Filesize
483KB

MD5
65fc2af915cf8f237ed65cd885767267

SHA1
b52c98ea02501536bf816559a7b27621ad193b1a

SHA256
22cf58c49899cd41a151d0a203e47cea21e2a5b63e2c69182ebc16fc3a51ebe5

SHA512
4412a92400a1432e9461aa693dd229332a50264dc943a9536148b6ccca7b33fc36f1a5f0091436202cca41682b182bc4207ade9c42ca0848e92c2ed0d9241b8b

Download Submit
C:\Windows\SysWOW64\Hdailaib.exe

Filesize
483KB

MD5
1532c46bc3f975c3e51c5b34c7da7b3f

SHA1
4e23bb05d61cc9958760e75c034fda2340411f4f

SHA256
a58dee91430098690f019d617c4bbae566e1c5976ec02962e8e81c6fd307cae4

SHA512
a45cf32afe692d8c37860ebac5c63f1a8a0891dc495f62b4ab9eec94b3287de4350b4e26cbc0275ddffc1784752164ab7f904dccfb214e8e3191ed4abfe116f8

Download Submit
C:\Windows\SysWOW64\Hgkknm32.exe

Filesize
483KB

MD5
08e24fc99efacfd5735d9ead0bb90c97

SHA1
91ace8bb4ec1354ca80571d92de368e36a170e3a

SHA256
7cf8642f6411420eff5cd6727011ed72c2bdc78b66681f72fed4736581e55313

SHA512
bdcd25aab441ea64f62cfdd7843149ad480011ef5416472ac778b6e520493a64dd7f0f79888c6be1709c6aeb3afd991a0d508644bdb04963dc6b0f2ad59e22c2

Download Submit
C:\Windows\SysWOW64\Hhjhgpcn.exe

Filesize
483KB

MD5
28179d5d4234976eae40c8020c7edb27

SHA1
5a160c68ff4750dc54b84b1b377c276d65a4dd6f

SHA256
4551012221ef8301bb60a78f207ef85172525eaab81373e716494cc96dd880ed

SHA512
6ca76af9117767fd094fb906dba79ac1233d37c3dc95b5a65c697dca27b07b9e8615d4f8b35aa1042ea4fa42d528f3a8c0292c95e05a23ac0d8e254ac8725441

Download Submit
C:\Windows\SysWOW64\Iqmcmaja.exe

Filesize
483KB

MD5
47bc99a9528267f73c303b662136876c

SHA1
6373de620886cf998c89de70e46c27a03cc45ae5

SHA256
492ed953f085f4d2af4297bb90f9e8624fe736636d35f9712cdaeac3748d0cb4

SHA512
570924e6588224aaaf137bbe252f6bee0ac63c42d5ae21fb754131ff50f388725c4a7fd7ad4edfd4c8d798ac7ede24362ba9b0283b21ccc758742335f32fd418

Download Submit
C:\Windows\SysWOW64\Nbaafocg.exe

Filesize
483KB

MD5
482c7ee0c5aec997ee19efb232c3bd6c

SHA1
c83faa0ce97a98a0011437c30626123d0236d26f

SHA256
75ff20f3e9a8e233e733e42dbd5c8d133f20c51847c5062299305272f74c196d

SHA512
0c2bd66fbcd3111778070716ae6b90460b207bb5fcad0c11479254a596d2d883af88a542a4521db8fbb8b00810f57b50447a289b0203d1d8f31fb0e6d92e3009

Download Submit
C:\Windows\SysWOW64\Ollncgjq.exe

Filesize
483KB

MD5
7da36bb4c584c475840542c6ab7ed60a

SHA1
ee302f97a6759154871a46cf28879349d9eba5bf

SHA256
eceaac640f8d8ad26e60132a1a9b55c4b89d388438c036d34cce5cb1add6a263

SHA512
fb41ad203d29e24c8f96976caf5553d7dd191b75ea0a852e71100293d37381112de985fed7a0873b0aa0f72d6ac50683d7aa4a1438f964b6784384b14337c3e5

Download Submit
\Windows\SysWOW64\Adcobk32.exe

Filesize
483KB

MD5
25a887a4c96db721443779032666a5f1

SHA1
094815e41400683d2486c34c5164b0fbd0968457

SHA256
bcfa1c3db36d25dc05f307cece30312a7c0e892ec645c2a7abb322af42f730dd

SHA512
5a63db88fa88991bd9284baac1c3456d0dd196d174aa472ce0899eb4e04cfc9560c211a0d09be8f149f28f1ab0c78f5659b764883d0866f44204d972ea1bbec3

Download Submit
\Windows\SysWOW64\Ajbdpblo.exe

Filesize
483KB

MD5
18f6ba07e67d54599aca16c3a888f12c

SHA1
f3a558ba069e9d2e2efd59a5b3e392ef323e4c01

SHA256
4b5d6d091e948ba8f6a92314a7232ae886fb85ebfa5c188f33bf793ff9666f05

SHA512
0847628242afbb96bd11f7e4e6536561c673c3c315fb4af08cb49caba6db4ef714503550e282006abfe6989c76aead0e93f9d77cc9d7ae623ae23a5bb0405a69

Download Submit
\Windows\SysWOW64\Bohoogbk.exe

Filesize
483KB

MD5
cb78f3b264b19e004d5beb6df755a347

SHA1
181e5f6b5fcb0a22632005f94321d4a17e0e0ed8

SHA256
4beaa1f427ceed018c866d094868620ad63fe310ffc1ba723efc4ae798f50474

SHA512
2fa619dd988693dd85234615d51acd8d4ffcd851a257f61a7bb1c51c6aeef4db7de465b665ae22ff30348aa72e4d93e932494ea58c6d1aad4edefb1ea4121cd5

Download Submit
\Windows\SysWOW64\Cnmlpd32.exe

Filesize
483KB

MD5
754323343e838bdf30562d7d0471153f

SHA1
8693d8451dd40eda1d0bfb308845c083d8b91985

SHA256
487c4d4db2f1adfb45641198567578efabd11ae87997e5e89cb2f09ae10797fe

SHA512
03b3afa4ef23ef33a3017e5a56dc472f7cc713b8670b0e113d589e9e161cffa9bd4c88a379c6b60c76732196f6e3e9a501615030f40c41ae06b59371a5516d8a

Download Submit
\Windows\SysWOW64\Dndoof32.exe

Filesize
483KB

MD5
c4f03c675454a9f3b1e89491c29db54d

SHA1
5c65fa42e776102cacc4de939c2149e64152ab24

SHA256
4ede55f3aec8b2290decd8faedc62e7a0ee98c55f1ebc12a47fce70a10be04d9

SHA512
4f6dfccb92d057c4d4c7c480df4bb06da2d3e2a6db4f504e2998827a7d0ba4a429ec5f8ea52c71c472777e6a10460310b21d5ffb2a95dd3e3091135bbcd436c6

Download Submit
\Windows\SysWOW64\Mglpjc32.exe

Filesize
483KB

MD5
71dee39e4dc717542da287a894111ebf

SHA1
1d481770b9d0aab291ad8971bb857e19519b677d

SHA256
22f35144f35334fe206287c448b10b5a80cab9f4519f6c74afa240f9555a1e5c

SHA512
2dfc1ac913cbb4e81c86c75387fdae93eec41714f5ab0bd43b91bd6a7236089944efd6e27131d2a479411e79e0a5ba4bb67d3f09416a22a71df9f0524293d3c5

Download Submit
\Windows\SysWOW64\Mgomoboc.exe

Filesize
483KB

MD5
8050c136135c8c4569c93aada243ecd3

SHA1
598fa1006cfe4d69bf6f108e8d3cc97a420907e4

SHA256
ce0f29c67a84673e8eef4d8f652a6ed521143c4f607e480b507f6548991099ef

SHA512
bf0a17660bc518720e97324a1e6133040e940786bf57e47e63525370dbe98734ffba1b9268f9cfeb3bf40f85679cb192bf2749ed2696c5e90305b07c238c7528

Download Submit
\Windows\SysWOW64\Mnakjaoc.exe

Filesize
483KB

MD5
27e669b2b84b051d8705ff20ceadf5a2

SHA1
eaf9293bf6dfbe76bec0dbc314519c5f7e323e7c

SHA256
5e8c5c473c7f69391f8facf83b9b42dbf7e7df712cbebb4044af8192f203494b

SHA512
db8b933d3606e76d5181b2c2d5985faa0339b99d66b55a417c9cf36aec831d9b199deffbcab969699fc5cacdc7cc228ee7d30b65a2292ea3d4503cb37f1acd90

Download Submit
\Windows\SysWOW64\Ofklpa32.exe

Filesize
483KB

MD5
abf21350652744cf56bc913f1183abb8

SHA1
6a04037688996fc7e0eaee9044e3f6bf7990a1ce

SHA256
bdcc30ba28972f48f805e9267a135198f6fc40a797bd8dd4276850f9d1058cff

SHA512
4d5f398e8082ca5afcc726ebb68d96f047ef7c474f71ed0046e95fa61cf198eb8375aa0a3bee1d6faf523cea7eb4d48135f2eac1ec17f9706e0180c9ad66eadf

Download Submit
\Windows\SysWOW64\Onmgeb32.exe

Filesize
483KB

MD5
b622998ed102d6e414d4ff7098da4555

SHA1
68f647ec4a8a7d444acf7ccd773c6b239e174256

SHA256
61d5aad85f953d2fe1a364507560abc5ff55ecd1ccb0fb53dae1af46a825517b

SHA512
c6e5350adfac3f0eece8f3c07d8236b03ae9bec8649bb57e66c0712abeebed2c88f4fd9f1ac2871832f803f288ddc2cb0d9e744f993da13e363e78da25eb9949

Download Submit
\Windows\SysWOW64\Pedokpcm.exe

Filesize
483KB

MD5
a593fcbedf7972e1636c6e737e634d37

SHA1
46ab692e208364415d362b33dae0e61df6d56afa

SHA256
814ea7fd8cdf22cec48be80291c5823cae9c1835115512441ddd8002c609b286

SHA512
9a9768ad80ccd735476cbf73334f186526da929ec5e5a31d3885184f2098d5ff0c5f5d21a956845cc4a845036740ad7a9babdab4d9ae1bf41445064010ab951e

Download Submit
\Windows\SysWOW64\Qeglqpaj.exe

Filesize
483KB

MD5
c48769d576a9dbecb2e589b5594898a4

SHA1
16b9b2e0fb137d1c5b6bebf3e9e2a366c6ce6f09

SHA256
6cc0b7170b6d7c15874397a9265235d9c7b96c3995624107f5f8f359f3dcfb41

SHA512
777d6f38b829ec7c6ce3e02ae0afa5364ac301fa328747b07f794aa9f0460703cd10c3b29a99da654ca2d8f2e6ac35374f0fb53ba5f9ca82b24e1b3cc3879d84

Download Submit
memory/288-383-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/288-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-395-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1184-22-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1184-26-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1532-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1532-155-0x0000000001B60000-0x0000000001B9F000-memory.dmp

Filesize
252KB

Download
memory/1532-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1636-246-0x0000000000230000-0x000000000026F000-memory.dmp

Filesize
252KB

Download
memory/1636-397-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1640-277-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1640-276-0x00000000001B0000-0x00000000001EF000-memory.dmp

Filesize
252KB

Download
memory/1688-114-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-396-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1688-127-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1708-341-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1708-335-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1820-266-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1820-265-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1820-260-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1840-172-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1840-384-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-278-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-398-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1988-284-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/1988-288-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2052-221-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2052-214-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2052-223-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2052-386-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-389-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-200-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-213-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2148-377-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-367-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2148-373-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2148-372-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2268-305-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2268-309-0x0000000000290000-0x00000000002CF000-memory.dmp

Filesize
252KB

Download
memory/2268-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2268-379-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2276-334-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2276-390-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2276-321-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-380-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2324-320-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2324-319-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2376-300-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2376-378-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2376-301-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2380-4-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2380-15-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2380-375-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2408-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-345-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2468-351-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/2468-350-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/2504-185-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-392-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2504-197-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/2540-171-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2540-165-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2540-157-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-393-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-387-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-234-0x0000000001B60000-0x0000000001B9F000-memory.dmp

Filesize
252KB

Download
memory/2696-85-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2696-97-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2696-98-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2696-391-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-55-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-68-0x0000000001B60000-0x0000000001B9F000-memory.dmp

Filesize
252KB

Download
memory/2740-385-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2740-67-0x0000000001B60000-0x0000000001B9F000-memory.dmp

Filesize
252KB

Download
memory/2784-84-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2784-381-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-70-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-78-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2808-112-0x00000000002A0000-0x00000000002DF000-memory.dmp

Filesize
252KB

Download
memory/2808-100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2808-399-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2912-53-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2912-52-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-357-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-362-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/2928-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2928-361-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/3016-374-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-128-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3064-136-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download
memory/3064-141-0x0000000000220000-0x000000000025F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads