berbew | 497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 22:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
Size

448KB
MD5

69f1f22c8989dcae0acc64df21391303
SHA1

70ecb3492ab7cafe6205077ecf662d5496b98036
SHA256

497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968
SHA512

9b220c4503438ef897a7d51fbba71f6e8dcb13fc92bf91577775539a920e1d285b55a541ca12030ed055c607c1de1af1044b41127d79108a98b627d1cbe980e6
SSDEEP

6144:0gFGA88HPQ///NR5fLYG3eujPQ///NR5fGV3cmbZDBZojykPQ///NR5fLYG3eujw:0gd8R/NcZ7/N+V3cS/NcZ7/N

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nadpgggp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oghopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acpdko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Maedhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odoloalf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbnoliap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mholen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Abphal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bilmcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oghopm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odoloalf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mholen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
2832	Mkklljmg.exe
2940	Maedhd32.exe
2848	Mholen32.exe
2740	Npagjpcd.exe
2780	Nadpgggp.exe
708	Odeiibdq.exe
2376	Ocfigjlp.exe
1332	Oghopm32.exe
3000	Odoloalf.exe
2424	Pngphgbf.exe
3004	Pomfkndo.exe
1676	Pbnoliap.exe
2140	Qijdocfj.exe
2136	Qqeicede.exe
1920	Amnfnfgg.exe
1504	Ajbggjfq.exe
1088	Abphal32.exe
2104	Acpdko32.exe
1348	Bilmcf32.exe
2760	Bpfeppop.exe
1544	Bphbeplm.exe
1432	Bhdgjb32.exe
2972	Bjbcfn32.exe
1036	Bhfcpb32.exe
2344	Bejdiffp.exe
1596	Bkglameg.exe
2932	Bmeimhdj.exe
1644	Cacacg32.exe

Loads dropped DLL 60 IoCs

pid	Process
2876	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
2876	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
2832	Mkklljmg.exe
2832	Mkklljmg.exe
2940	Maedhd32.exe
2940	Maedhd32.exe
2848	Mholen32.exe
2848	Mholen32.exe
2740	Npagjpcd.exe
2740	Npagjpcd.exe
2780	Nadpgggp.exe
2780	Nadpgggp.exe
708	Odeiibdq.exe
708	Odeiibdq.exe
2376	Ocfigjlp.exe
2376	Ocfigjlp.exe
1332	Oghopm32.exe
1332	Oghopm32.exe
3000	Odoloalf.exe
3000	Odoloalf.exe
2424	Pngphgbf.exe
2424	Pngphgbf.exe
3004	Pomfkndo.exe
3004	Pomfkndo.exe
1676	Pbnoliap.exe
1676	Pbnoliap.exe
2140	Qijdocfj.exe
2140	Qijdocfj.exe
2136	Qqeicede.exe
2136	Qqeicede.exe
1920	Amnfnfgg.exe
1920	Amnfnfgg.exe
1504	Ajbggjfq.exe
1504	Ajbggjfq.exe
1088	Abphal32.exe
1088	Abphal32.exe
2104	Acpdko32.exe
2104	Acpdko32.exe
1348	Bilmcf32.exe
1348	Bilmcf32.exe
2760	Bpfeppop.exe
2760	Bpfeppop.exe
1544	Bphbeplm.exe
1544	Bphbeplm.exe
1432	Bhdgjb32.exe
1432	Bhdgjb32.exe
2972	Bjbcfn32.exe
2972	Bjbcfn32.exe
1036	Bhfcpb32.exe
1036	Bhfcpb32.exe
2344	Bejdiffp.exe
2344	Bejdiffp.exe
1596	Bkglameg.exe
1596	Bkglameg.exe
2932	Bmeimhdj.exe
2932	Bmeimhdj.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe
1092	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Mholen32.exe
File opened for modification	C:\Windows\SysWOW64\Nadpgggp.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Odoloalf.exe	Oghopm32.exe
File opened for modification	C:\Windows\SysWOW64\Odoloalf.exe	Oghopm32.exe
File opened for modification	C:\Windows\SysWOW64\Acpdko32.exe	Abphal32.exe
File created	C:\Windows\SysWOW64\Jbodgd32.dll	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Mkklljmg.exe	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Mkklljmg.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Odoloalf.exe
File opened for modification	C:\Windows\SysWOW64\Pomfkndo.exe	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Amnfnfgg.exe
File opened for modification	C:\Windows\SysWOW64\Bphbeplm.exe	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Ldhfglad.dll	Bpfeppop.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Mahqjm32.dll	Mholen32.exe
File created	C:\Windows\SysWOW64\Migkgb32.dll	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Nmmfff32.dll	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Mholen32.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Bphbeplm.exe	Bpfeppop.exe
File opened for modification	C:\Windows\SysWOW64\Bhfcpb32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Nldodg32.dll	Maedhd32.exe
File created	C:\Windows\SysWOW64\Fnahcn32.dll	Ocfigjlp.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Amnfnfgg.exe
File created	C:\Windows\SysWOW64\Pqncgcah.dll	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Mlcpdacl.dll	Bjbcfn32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Bmeimhdj.exe
File opened for modification	C:\Windows\SysWOW64\Maedhd32.exe	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Ibafdk32.dll	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Lclclfdi.dll	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Abphal32.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Bhdgjb32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeimhdj.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Oghopm32.exe	Ocfigjlp.exe
File opened for modification	C:\Windows\SysWOW64\Pbnoliap.exe	Pomfkndo.exe
File opened for modification	C:\Windows\SysWOW64\Odeiibdq.exe	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Bmeimhdj.exe
File created	C:\Windows\SysWOW64\Ecjdib32.dll	Abphal32.exe
File created	C:\Windows\SysWOW64\Bhdgjb32.exe	Bphbeplm.exe
File opened for modification	C:\Windows\SysWOW64\Bejdiffp.exe	Bhfcpb32.exe
File created	C:\Windows\SysWOW64\Oghopm32.exe	Ocfigjlp.exe
File created	C:\Windows\SysWOW64\Qijdocfj.exe	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Mholen32.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Abphal32.exe	Ajbggjfq.exe
File opened for modification	C:\Windows\SysWOW64\Bilmcf32.exe	Acpdko32.exe
File created	C:\Windows\SysWOW64\Bejdiffp.exe	Bhfcpb32.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Mkklljmg.exe	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
File created	C:\Windows\SysWOW64\Macalohk.dll	Mkklljmg.exe
File created	C:\Windows\SysWOW64\Bpfeppop.exe	Bilmcf32.exe
File created	C:\Windows\SysWOW64\Odeiibdq.exe	Nadpgggp.exe
File created	C:\Windows\SysWOW64\Qniedg32.dll	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Ocfigjlp.exe	Odeiibdq.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Odoloalf.exe
File created	C:\Windows\SysWOW64\Pomfkndo.exe	Pngphgbf.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Pbnoliap.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Bhdgjb32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bejdiffp.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Mholen32.exe
File created	C:\Windows\SysWOW64\Nadpgggp.exe	Npagjpcd.exe
File created	C:\Windows\SysWOW64\Bilmcf32.exe	Acpdko32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	1644	WerFault.exe	57

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odeiibdq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbnoliap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhfcpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfeppop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejdiffp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bilmcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfigjlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pngphgbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomfkndo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bphbeplm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeimhdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nadpgggp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abphal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mholen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnfnfgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acpdko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhdgjb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odoloalf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkklljmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oghopm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bphbeplm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnahcn32.dll"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Bmeimhdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahqjm32.dll"	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhfglad.dll"	Bpfeppop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimbjlde.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migkgb32.dll"	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nadpgggp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Abphal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mholen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oghopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaajloig.dll"	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpjaq32.dll"	Oghopm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pomfkndo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclclfdi.dll"	Pomfkndo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahjhop.dll"	Acpdko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqncgcah.dll"	Bilmcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmeimhdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfigjlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll"	Odoloalf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajbggjfq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejdiffp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mholen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibafdk32.dll"	Npagjpcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oghopm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bejdiffp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqlhpf32.dll"	Bhdgjb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmfff32.dll"	Bhfcpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnaga32.dll"	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbnoliap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfeppop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcpdacl.dll"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkklljmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Amnfnfgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Abphal32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2832	2876	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe	30
PID 2876 wrote to memory of 2832	2876	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe	30
PID 2876 wrote to memory of 2832	2876	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe	30
PID 2876 wrote to memory of 2832	2876	497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe	30
PID 2832 wrote to memory of 2940	2832	Mkklljmg.exe	31
PID 2832 wrote to memory of 2940	2832	Mkklljmg.exe	31
PID 2832 wrote to memory of 2940	2832	Mkklljmg.exe	31
PID 2832 wrote to memory of 2940	2832	Mkklljmg.exe	31
PID 2940 wrote to memory of 2848	2940	Maedhd32.exe	32
PID 2940 wrote to memory of 2848	2940	Maedhd32.exe	32
PID 2940 wrote to memory of 2848	2940	Maedhd32.exe	32
PID 2940 wrote to memory of 2848	2940	Maedhd32.exe	32
PID 2848 wrote to memory of 2740	2848	Mholen32.exe	33
PID 2848 wrote to memory of 2740	2848	Mholen32.exe	33
PID 2848 wrote to memory of 2740	2848	Mholen32.exe	33
PID 2848 wrote to memory of 2740	2848	Mholen32.exe	33
PID 2740 wrote to memory of 2780	2740	Npagjpcd.exe	34
PID 2740 wrote to memory of 2780	2740	Npagjpcd.exe	34
PID 2740 wrote to memory of 2780	2740	Npagjpcd.exe	34
PID 2740 wrote to memory of 2780	2740	Npagjpcd.exe	34
PID 2780 wrote to memory of 708	2780	Nadpgggp.exe	35
PID 2780 wrote to memory of 708	2780	Nadpgggp.exe	35
PID 2780 wrote to memory of 708	2780	Nadpgggp.exe	35
PID 2780 wrote to memory of 708	2780	Nadpgggp.exe	35
PID 708 wrote to memory of 2376	708	Odeiibdq.exe	36
PID 708 wrote to memory of 2376	708	Odeiibdq.exe	36
PID 708 wrote to memory of 2376	708	Odeiibdq.exe	36
PID 708 wrote to memory of 2376	708	Odeiibdq.exe	36
PID 2376 wrote to memory of 1332	2376	Ocfigjlp.exe	37
PID 2376 wrote to memory of 1332	2376	Ocfigjlp.exe	37
PID 2376 wrote to memory of 1332	2376	Ocfigjlp.exe	37
PID 2376 wrote to memory of 1332	2376	Ocfigjlp.exe	37
PID 1332 wrote to memory of 3000	1332	Oghopm32.exe	38
PID 1332 wrote to memory of 3000	1332	Oghopm32.exe	38
PID 1332 wrote to memory of 3000	1332	Oghopm32.exe	38
PID 1332 wrote to memory of 3000	1332	Oghopm32.exe	38
PID 3000 wrote to memory of 2424	3000	Odoloalf.exe	39
PID 3000 wrote to memory of 2424	3000	Odoloalf.exe	39
PID 3000 wrote to memory of 2424	3000	Odoloalf.exe	39
PID 3000 wrote to memory of 2424	3000	Odoloalf.exe	39
PID 2424 wrote to memory of 3004	2424	Pngphgbf.exe	40
PID 2424 wrote to memory of 3004	2424	Pngphgbf.exe	40
PID 2424 wrote to memory of 3004	2424	Pngphgbf.exe	40
PID 2424 wrote to memory of 3004	2424	Pngphgbf.exe	40
PID 3004 wrote to memory of 1676	3004	Pomfkndo.exe	41
PID 3004 wrote to memory of 1676	3004	Pomfkndo.exe	41
PID 3004 wrote to memory of 1676	3004	Pomfkndo.exe	41
PID 3004 wrote to memory of 1676	3004	Pomfkndo.exe	41
PID 1676 wrote to memory of 2140	1676	Pbnoliap.exe	42
PID 1676 wrote to memory of 2140	1676	Pbnoliap.exe	42
PID 1676 wrote to memory of 2140	1676	Pbnoliap.exe	42
PID 1676 wrote to memory of 2140	1676	Pbnoliap.exe	42
PID 2140 wrote to memory of 2136	2140	Qijdocfj.exe	43
PID 2140 wrote to memory of 2136	2140	Qijdocfj.exe	43
PID 2140 wrote to memory of 2136	2140	Qijdocfj.exe	43
PID 2140 wrote to memory of 2136	2140	Qijdocfj.exe	43
PID 2136 wrote to memory of 1920	2136	Qqeicede.exe	44
PID 2136 wrote to memory of 1920	2136	Qqeicede.exe	44
PID 2136 wrote to memory of 1920	2136	Qqeicede.exe	44
PID 2136 wrote to memory of 1920	2136	Qqeicede.exe	44
PID 1920 wrote to memory of 1504	1920	Amnfnfgg.exe	45
PID 1920 wrote to memory of 1504	1920	Amnfnfgg.exe	45
PID 1920 wrote to memory of 1504	1920	Amnfnfgg.exe	45
PID 1920 wrote to memory of 1504	1920	Amnfnfgg.exe	45

C:\Users\Admin\AppData\Local\Temp\497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe
"C:\Users\Admin\AppData\Local\Temp\497600158337da312363de8fd7f7e6bfa675ac3dd0de6943275c8facaeaff968.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\Mkklljmg.exe
  C:\Windows\system32\Mkklljmg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\Maedhd32.exe
    C:\Windows\system32\Maedhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\Mholen32.exe
      C:\Windows\system32\Mholen32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
      - C:\Windows\SysWOW64\Nadpgggp.exe
        
        C:\Windows\system32\Nadpgggp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\SysWOW64\Odeiibdq.exe
        
        C:\Windows\system32\Odeiibdq.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:708
        
        C:\Windows\SysWOW64\Ocfigjlp.exe
        
        C:\Windows\system32\Ocfigjlp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Oghopm32.exe
        
        C:\Windows\system32\Oghopm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Odoloalf.exe
        
        C:\Windows\system32\Odoloalf.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Pomfkndo.exe
        
        C:\Windows\system32\Pomfkndo.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Pbnoliap.exe
        
        C:\Windows\system32\Pbnoliap.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Amnfnfgg.exe
        
        C:\Windows\system32\Amnfnfgg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Abphal32.exe
        
        C:\Windows\system32\Abphal32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\Acpdko32.exe
        
        C:\Windows\system32\Acpdko32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Bilmcf32.exe
        
        C:\Windows\system32\Bilmcf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Bpfeppop.exe
        
        C:\Windows\system32\Bpfeppop.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2760
        
        C:\Windows\SysWOW64\Bphbeplm.exe
        
        C:\Windows\system32\Bphbeplm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1544
        
        C:\Windows\SysWOW64\Bhdgjb32.exe
        
        C:\Windows\system32\Bhdgjb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Bhfcpb32.exe
        
        C:\Windows\system32\Bhfcpb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Bejdiffp.exe
        
        C:\Windows\system32\Bejdiffp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Bmeimhdj.exe
        
        C:\Windows\system32\Bmeimhdj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Abphal32.exe

Filesize
448KB

MD5
98fe976a20647ed4005115d183c3ed1b

SHA1
5242e1942a5b26cd2946fc4d863d0afdca2311b3

SHA256
b4a5917998173a879512d268acc473328ac2373f5ce209095751675d0dfd2b7b

SHA512
4ca73b7f5ecde73cde3035193815720edd69df5c0b4786f356069f28e63fa3e6822d0c0fcf79637b75e4b7b5ac881e5ab1eb7548ac79b798a3e12fdfea9c2b51

Download Submit
C:\Windows\SysWOW64\Acpdko32.exe

Filesize
448KB

MD5
fb3285c9d4d2fd8420f3ae102e98fbf9

SHA1
c83d8237c8ea05ca2f8fcd8062ac2b56549a3e4d

SHA256
b1d65145af6df93ccc8d3404535a553aeb1929fc2f12f11f59a35dfe0df3b190

SHA512
b5a7a163604d67b15351bf5652b9d76430ee3f440cd7284a658128ae2a8320613468e0c547e5393b5001f1203ccf15b5f3589142c5e20146f057ca961ac68f74

Download Submit
C:\Windows\SysWOW64\Ajbggjfq.exe

Filesize
448KB

MD5
81afb96b37ad2ddaca22dc7491270271

SHA1
1fbef6e0cc4194ca7d56432e77e23d726d9890c3

SHA256
f13924da9fa6ec8a252e1c8afbef4e9d010d578bd57cb491028b82b70214ee85

SHA512
ba1de907396eedf6b36031b5864037880b96898cc7bfaeb454ae2cd542ae0057903d21ee4792c150cdac3dbfeb7b06a624286618c9b01462a46fe1592d553cfb

Download Submit
C:\Windows\SysWOW64\Bejdiffp.exe

Filesize
448KB

MD5
624ac4ad251bf5cb0b52dc6b861a1393

SHA1
f7dfdbe4631487f39a54a8ab7a7018e6f73e655f

SHA256
cacf13ade8ec0f0d14853e10220521524630e1312af5b1975c44ce7537204aa3

SHA512
55a7c0c4cb05d303895b65324d65f5cbf607a8148c1746bcfc4a2811d6f98bd220735e16b1ad5dc8f9e921fe4ace69702e5e62773effdd380327f7e79f755f6d

Download Submit
C:\Windows\SysWOW64\Bhdgjb32.exe

Filesize
448KB

MD5
ef161dbc7a008109a15e0bce4b21b2e6

SHA1
99f78fea2dfe1ca1241779278addcd5557f462b1

SHA256
06371b1c8cc5be8f2bfa2946a6c09bdd1a7f6009b202366db1a0891d27e20f59

SHA512
e38a7bb0e889afb80f770ad59096e94ec8605c1790d59b23ef76374d16c66483c841f3826b44e3cd0012b731b7426d5b122b861af187919da10ff95a1e31fd2d

Download Submit
C:\Windows\SysWOW64\Bhfcpb32.exe

Filesize
448KB

MD5
ba44679b250cfd65d608c6677a62959c

SHA1
50c0d2046873ced39224f4e247d64d7afcf23c03

SHA256
ae139f2b0fdac6deb65104d0424bcdd9ab3a240309527ad3392c287df30510bd

SHA512
2778bc387c5b952dc4a15224b21890f9b9e896e22e5e635aee5b6359f36fe2b18feea1a38f31f0251225871900a403b527f18731de6c6aaaeef4250585cbecaf

Download Submit
C:\Windows\SysWOW64\Bilmcf32.exe

Filesize
448KB

MD5
74ce629ad19431fe64de361045bb8e8a

SHA1
9291b65345e179a1763bc261b3c8daf0a64d9f8c

SHA256
45c79dda2e5b097fc10b2e684d6164c0d4e9654b25897057497af0035f09d53d

SHA512
f41d77781a98cdd94e0f25d477b976df529da1bde1d0e6e3260526305c9d17906666c80886d587720f6363fed427665f014c46df37b47dbc61b7734f3fd10a59

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
448KB

MD5
aaca00f60d6aafc7c628f18f973ded9e

SHA1
7fd77e3210d64db3606a78f20ba460ac0ee60a81

SHA256
8b074dc2486ff4044e014ff3c9a0b100c333192f022f0a2d6b9984dd3259ff5f

SHA512
4a2f7e02d6057574c1d99f42211f28ce2f1f0bb10fec89bed4b86bb904550a2d8118bcfbce2fb501ce4cb8b6654964b647a5ad9238ffc00a1d9f48eb1d88cd4d

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
448KB

MD5
e93e115a653c01566fde2f836af1382b

SHA1
6471073c4a7e9876c74155fe4bfc2211f77b2e8a

SHA256
f112a5d3b487e234e23b9d98b9dcdf8e2813f6f53baafcfce0977c73b6a9cc22

SHA512
8c015f87626a47e51dd9cbed1423cf261218fbbf19fe66e750013b805ab9a90ad12c70f8dc9b4b41911d413ddbb8c96f381f6327799aeee3c0ed13e7cb6a9358

Download Submit
C:\Windows\SysWOW64\Bmeimhdj.exe

Filesize
448KB

MD5
0c18cfecce27d53f8fba9fc556c17115

SHA1
5c02f60286038d4bc3f69dbb109ac8e2db01f747

SHA256
22c554778757f9f4adbe9549d58e61ac0e63eec4bfef12d278aadce5da945747

SHA512
ea446ba2dd62a54e0af05c634b19d6dc18a4ab0e511c56ad8d58264ea88bf1a213205b8f69d246ec89ae4d9c525ba829d902140e0a529c66fc1344f37e5fee9f

Download Submit
C:\Windows\SysWOW64\Bpfeppop.exe

Filesize
448KB

MD5
f5050d9c71abcd6e87393982ccd1cd6a

SHA1
16ee952e3a360415146e1ca75eda77be0da44a1d

SHA256
2a583cfde93b0382cb53d11eb2722a7e9621044c9c3338634657d38adde57b45

SHA512
9d606a8ca8841f8ccf35f5198b68a6e80098448957b8b6ab396fb8b031934e0bdee55178ab3e4b8196bbc0e5ab78129fafe4006477d91638baeb0d0d42943498

Download Submit
C:\Windows\SysWOW64\Bphbeplm.exe

Filesize
448KB

MD5
c36173cd510cad88c7b9736be6566a06

SHA1
cdcfd86b6f2729ec59a1bb1933c5ab6cc9fef319

SHA256
41ec443dd3824ead2ab6a0ce6b1425a06d3d98d7782b7665c850f91d59886fdb

SHA512
cf6deee9051a8e6979a99b55b97d4c799acef73518f5183ddc8a4e1adbe4f4a47d1c2e09aecd68284bf988903f28ae16e360c75965081dabb8d79ed258955451

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
448KB

MD5
0e98eaaf94710c5805042896d4474f94

SHA1
cb76cd5bbcbc700630ebba7cc913beac4780a2c3

SHA256
b35143a5b4e7c972ab1f00deceaa565b2ecfd5f8436f19016cc3b2e14c82e225

SHA512
b792c3c43940ef82975d9d97b0d195919c78eaac7ad72bf39160cb8c157abc54fd5c2f5913e746c6b32a066e312961c29d9ba37a44a2611c5e3013aa6e9bb2cb

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
448KB

MD5
848e3ae3f0fe92481d716c513a0dc380

SHA1
4881ee10ae6658347b12913375ec3f0a991d83bb

SHA256
2922dc254c0843d158abf29ab4f35d98d6c79e62c3b093640aaa58c024aadb57

SHA512
621d2f7863dbb2c84e3ee21180d7cc3268565f489afd3c3db11ae14a13a791c2c6759807aebe6020934c9c10925f7c3a655e95792aeb6ec90bb9ac750fec5e00

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
448KB

MD5
2c0e35e4dbc2c6eaacfb30731364bb48

SHA1
47db34a7308ba13579d89b9375bd8d7761b26e90

SHA256
8c9a9b9422fb6c38c4134f7686ee700fe147d254e02289ba1d71a6efea4d13fb

SHA512
e7c82fa13a6b2cfc9f7c9a055fe55a660109bfc77fa22aaeea01d71576c76bde8dba1f8e0e2517003d9ca9eba85ab89aa146716bf600dd2e98a0afe6dbf8b9e4

Download Submit
C:\Windows\SysWOW64\Pngphgbf.exe

Filesize
448KB

MD5
d6755b067794c56318a7d8835388320d

SHA1
75eb0b6495120b25ad42dbf05f9b5ad2a339ac37

SHA256
b5697fbde41cc2ceec13113279f932cccca3b06493455afb4e3a530e5cd8d0fb

SHA512
0bfa1ee49836cd9ce109c581c2654d261ca7014d439b9789375c39d787130563f5936533729e848cd54f7b24ccf4c193c4efe2773054d4bbbd6deb1489c5667b

Download Submit
\Windows\SysWOW64\Amnfnfgg.exe

Filesize
448KB

MD5
60233fbddfc9924b8f65eb2c7891977e

SHA1
fd96111aa7777557381b52aaa16200b1457279a4

SHA256
5abe720fed72389441d22d194a69540135650aa2ce6ea767b9f5980992522f40

SHA512
2962602cdee7c77ea0d50db57a6f9d18bfe79387e3fbd7212e2e1f25a527b7cb8f7ceed8cdf08df24f333ec3c4a6a473a19cb583d62fa0d6b50eedf4f73ec2e6

Download Submit
\Windows\SysWOW64\Mholen32.exe

Filesize
448KB

MD5
91d38765c7395110b6fbc67da42c986f

SHA1
0c08f8455602029213213d149cc7a175d4766e5d

SHA256
ef2a293f1bcf7cd27243abc29798896e04659bfe7d4c665d8f84776042e7839d

SHA512
7b6fd2b0608a14706ee40acaddb72190a1ffecb714b0ba64ee6338e7712b71337c11347204a0bbb26fc0b59ad4923137e4aff5e47998f5b4fe7107605757bec2

Download Submit
\Windows\SysWOW64\Mkklljmg.exe

Filesize
448KB

MD5
9dc5fffa0698eb24c3de208d4ad18fc1

SHA1
37c234a061c3f00f0bd1a5a96f0943b1a42127ff

SHA256
2d602219083dc2f2607e8e9604eb01dae1db1fa713575d8ead3b9a3f3da6a8a6

SHA512
6df3b355d475c71a18619d35290d7fd2a00fc494e413fb9d0f00d5dff645bfe66e88d0c01cc82fbb82f5f333fec4972d166e26a154c2f89d589326a14fa6f9ad

Download Submit
\Windows\SysWOW64\Nadpgggp.exe

Filesize
448KB

MD5
901344e8ce6613a006c12f43b320b1ab

SHA1
9dd57951697d7cf193af53f7cc5683d3e0a53c2f

SHA256
79230e69bb6c9e8ce8040d24235e14b46d13d955d344e11902247b1360247a4d

SHA512
cfa788d8d2b35df8c2dbb3e427a79b05586b58432c969f80697f9d8f3ff5c23131c31f20eadbaf6c8b920ab6c14810e82908eccc00f398f7abb0b0bb18544e56

Download Submit
\Windows\SysWOW64\Ocfigjlp.exe

Filesize
448KB

MD5
3125e5b276be7326f326ef0637547945

SHA1
5bca81d64ee8fb42a54dae5ed51838b59c94a4d7

SHA256
205067628185c886321995fac70f2d4ffeca5c117e16d8e5d86fae13fe79e6fc

SHA512
8220d704dc8b34562f6e68f4932062460346162de3fbc645a6eb920f7801718bbfe6d5522eb8b08a81eddfe56d5db9ebc17b1ceaf4edd340cd4f82056c17c9ec

Download Submit
\Windows\SysWOW64\Odeiibdq.exe

Filesize
448KB

MD5
9a315017700886d21479a3c038e62151

SHA1
3f1106a3fa893d6a19b17424481bb870d38c0c4c

SHA256
a14b3c490045a11c31d31dc6501005f41ea1e919446f4f9c7db8ee89b4da958e

SHA512
373a8263d806ef5ddfb3d9ce793876d8309abbb767a01a69b3438d80e4112390120fdea0ee672b5de7e35679595d266bada1aeee57e0f376e55a19d8f42f9231

Download Submit
\Windows\SysWOW64\Odoloalf.exe

Filesize
448KB

MD5
bd4ccf5a64055a7810318c368e18b91e

SHA1
a1a68d6c4d85111661141273350b2089d7bdc109

SHA256
51145ec72cb41782744c5df993bd77f9f3d2e93b9f27d085c64621943c86b99a

SHA512
8e2b224985a6219c7836ddf42a176333bd04b917020137bd67634917e42e723df5408579f772070326621d0d26a17a173af167d868d2680b7620dafa702f9652

Download Submit
\Windows\SysWOW64\Oghopm32.exe

Filesize
448KB

MD5
9e6e37b9dde930c86186b1b7ee06d330

SHA1
82d3bff926b4b410ae784cc458922e9184427f2a

SHA256
9ec492793d1544949323ec402f0c4fc2b0063967da568e138e721f4cdb2f486f

SHA512
719bd2716394b3d652387606a693dbeb3bfc3f5f911d8d723da0e5978d80e5db1bef7a399024c5f631d56e5afa98b72458effffd0c091780ac3ea9613648d7b3

Download Submit
\Windows\SysWOW64\Pbnoliap.exe

Filesize
448KB

MD5
1bce5cacdd56f5ab9c8d94754cfe8a1d

SHA1
865eef1f61a5172ae258c99b8fef7166cccb1cc0

SHA256
f312da861debe353abec067b27d7794505e85a51af0cf3b77eb8231a91da8724

SHA512
4517ec7239ec58700d732799611b98db906b958b14351c9d711a5e20ed88a71a7e99d4e53ee1876bb5b82b65734f394129125d7e261ed1b2f84e45eca408dac8

Download Submit
\Windows\SysWOW64\Pomfkndo.exe

Filesize
448KB

MD5
a12d3cb8f1798071577725148d1ec292

SHA1
0674e09cec48c83c157226317d02279948a7f7fb

SHA256
6ba28754f682d236fa9af13f42f5e8f0d1fcd9f71b8d9830461ea7bf8d3499ad

SHA512
d28a62e78a4de55a76aced11132be433dd525f1e2ef7a4c1751c21c4291a2702e2235c1653d63b9a11c53e827d7af49196a8981b8c219b1ce0f8abea58dbba2c

Download Submit
\Windows\SysWOW64\Qijdocfj.exe

Filesize
448KB

MD5
83b19e9e08005d252418c95209ac86aa

SHA1
2227fdeca2be3a39f82465f0fa0ea6f05c050bfa

SHA256
7b3e5de132c71c459126d678083e65f8bdce2fc85aba68a4b7ebd50ac488ae0f

SHA512
17ed34858db80a2a03c8c9fed036560907d9e4f6630eb1da1f90c531b9da56d8a38c2afa6f34d3a19824b200d22dc50f20640a26094b912935742f9f933368cc

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
448KB

MD5
6d577b1c43bfcb342afb624607e3e02b

SHA1
3a88c83fa7748d92ae67f4316dea029c69b3df16

SHA256
d1d8a494165f9ed1ff74426757874e2daa18a47ef0664b9925c3345cc1705adb

SHA512
62e5319ae86cdf8fddb7ae893867ade20e82aa434c99108372c5f26515ce58e097c8d85112801f2c81c1c53c58d450dba55685f452a7983f8ba0ad98033c91be

Download Submit
memory/708-389-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/708-91-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1036-314-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1036-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1036-315-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1036-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1088-240-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/1332-391-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-119-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1332-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-259-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1348-373-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1348-260-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1432-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-289-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1432-293-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1504-221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-228-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/1504-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-363-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1544-281-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1544-282-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1596-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-336-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1596-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1596-337-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1644-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-174-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1920-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-213-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-247-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2104-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-201-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2136-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-188-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2140-390-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2344-326-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2344-325-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2344-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2376-105-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2376-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-147-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2424-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2740-63-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2740-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2760-270-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2760-271-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2780-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2780-82-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2780-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2832-26-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2832-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-53-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2848-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-54-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2876-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-17-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2876-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-350-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2876-18-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2932-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-344-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2932-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-348-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2940-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-404-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2940-35-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2972-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-304-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2972-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-300-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3000-384-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3000-137-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/3004-165-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/3004-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3004-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads