berbew | 770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87

Analysis

max time kernel
96s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
Size

92KB
MD5

aea93eda335291b77433771dcae9c069
SHA1

f727b5cb301ca4feccd7dc3fd4201ec6722daa22
SHA256

770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87
SHA512

53e38d6c34ed27e5876aebcb2bb7cf695925e3ac86bbe69eeb0a693ba34a9d0f22c6a885c6c7bc4478fdb65cf3038577a0f7794ff956f95eb34e474a456a61a8
SSDEEP

1536:W+r9Ei8Gz/OCt0wW5e874xP6Edd+/6kzoQYx+QS9zm4LO++/+1m6KadhYxU33HX2:eZCKwW5n2E6k8QYxQdLrCimBaH8UH32

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://master-x.com/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://crutop.ru/index.php

http://kaspersky.ru/index.php

http://color-bank.ru/index.php

http://adult-empire.com/index.php

http://virus-list.com/index.php

http://trojan.ru/index.php

http://xware.cjb.net/index.htm

http://konfiskat.org/index.htm

http://parex-bank.ru/index.htm

http://fethard.biz/index.htm

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nofefp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nimmifgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiccje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oifppdpd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oihmedma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Padnaq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhmjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofjqihnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obqanjdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nofefp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjjfdfbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piocecgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Objkmkjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nijqcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niojoeel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpeaoih.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbekii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfepdg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obgohklm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oiagde32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pciqnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 41 IoCs

pid	Process
5620	Nfldgk32.exe
3808	Nijqcf32.exe
4372	Nodiqp32.exe
2124	Ncpeaoih.exe
2668	Nimmifgo.exe
1124	Nofefp32.exe
4176	Nbebbk32.exe
1276	Niojoeel.exe
4072	Nqfbpb32.exe
1800	Obgohklm.exe
976	Oiagde32.exe
2520	Oqhoeb32.exe
3212	Objkmkjj.exe
4388	Oiccje32.exe
396	Omopjcjp.exe
4324	Ocihgnam.exe
444	Oifppdpd.exe
576	Oqmhqapg.exe
5476	Ofjqihnn.exe
1920	Oihmedma.exe
3380	Oqoefand.exe
2536	Obqanjdb.exe
1668	Ojhiogdd.exe
1828	Omfekbdh.exe
1036	Pcpnhl32.exe
1528	Pjjfdfbb.exe
224	Padnaq32.exe
5004	Pbekii32.exe
4044	Pjlcjf32.exe
3336	Piocecgj.exe
6020	Pafkgphl.exe
4012	Pbhgoh32.exe
5920	Pjoppf32.exe
1700	Pmmlla32.exe
2156	Pplhhm32.exe
1524	Pfepdg32.exe
2656	Pjaleemj.exe
4956	Pmphaaln.exe
5668	Pciqnk32.exe
3568	Pfhmjf32.exe
3152	Pififb32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Igkilc32.dll	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
File created	C:\Windows\SysWOW64\Nbebbk32.exe	Nofefp32.exe
File opened for modification	C:\Windows\SysWOW64\Pjlcjf32.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Iheocj32.dll	Pjlcjf32.exe
File created	C:\Windows\SysWOW64\Piocecgj.exe	Pjlcjf32.exe
File created	C:\Windows\SysWOW64\Dhlbgmif.dll	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Pififb32.exe	Pfhmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Piocecgj.exe	Pjlcjf32.exe
File opened for modification	C:\Windows\SysWOW64\Ncpeaoih.exe	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Pplhhm32.exe	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Obgohklm.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Oqhoeb32.exe	Oiagde32.exe
File created	C:\Windows\SysWOW64\Pjjfdfbb.exe	Pcpnhl32.exe
File opened for modification	C:\Windows\SysWOW64\Pbhgoh32.exe	Pafkgphl.exe
File created	C:\Windows\SysWOW64\Qckcba32.dll	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Fefmmcgh.dll	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Ofjqihnn.exe	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Oihmedma.exe
File created	C:\Windows\SysWOW64\Nodiqp32.exe	Nijqcf32.exe
File created	C:\Windows\SysWOW64\Gejqna32.dll	Ocihgnam.exe
File created	C:\Windows\SysWOW64\Klhhpb32.dll	Oqmhqapg.exe
File created	C:\Windows\SysWOW64\Kqkplq32.dll	Pcpnhl32.exe
File created	C:\Windows\SysWOW64\Pjoppf32.exe	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Nfldgk32.exe	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
File created	C:\Windows\SysWOW64\Llgdkbfj.dll	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Pfigmnlg.dll	Nodiqp32.exe
File created	C:\Windows\SysWOW64\Nimmifgo.exe	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Klndfknp.dll	Ncpeaoih.exe
File created	C:\Windows\SysWOW64\Nofefp32.exe	Nimmifgo.exe
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Oiccje32.exe
File created	C:\Windows\SysWOW64\Nohjfifo.dll	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Niojoeel.exe	Nbebbk32.exe
File opened for modification	C:\Windows\SysWOW64\Oqhoeb32.exe	Oiagde32.exe
File opened for modification	C:\Windows\SysWOW64\Oiccje32.exe	Objkmkjj.exe
File created	C:\Windows\SysWOW64\Pjaleemj.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Pjaleemj.exe
File opened for modification	C:\Windows\SysWOW64\Pfhmjf32.exe	Pciqnk32.exe
File created	C:\Windows\SysWOW64\Nqfbpb32.exe	Niojoeel.exe
File opened for modification	C:\Windows\SysWOW64\Pafkgphl.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Hjcbmgnb.dll	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Ghaeocdd.dll	Oqhoeb32.exe
File opened for modification	C:\Windows\SysWOW64\Pjoppf32.exe	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Pfhmjf32.exe	Pciqnk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbebbk32.exe	Nofefp32.exe
File created	C:\Windows\SysWOW64\Pafkgphl.exe	Piocecgj.exe
File created	C:\Windows\SysWOW64\Pfepdg32.exe	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Pjaleemj.exe	Pfepdg32.exe
File created	C:\Windows\SysWOW64\Nlhego32.dll	Nimmifgo.exe
File created	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Padnaq32.exe
File opened for modification	C:\Windows\SysWOW64\Nimmifgo.exe	Ncpeaoih.exe
File opened for modification	C:\Windows\SysWOW64\Oiagde32.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Oifppdpd.exe	Ocihgnam.exe
File opened for modification	C:\Windows\SysWOW64\Pcpnhl32.exe	Omfekbdh.exe
File created	C:\Windows\SysWOW64\Oiagde32.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Ocihgnam.exe	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Balgcpkn.dll	Omopjcjp.exe
File created	C:\Windows\SysWOW64\Gaaklfpn.dll	Pfhmjf32.exe
File opened for modification	C:\Windows\SysWOW64\Nfldgk32.exe	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
File created	C:\Windows\SysWOW64\Ojhiogdd.exe	Obqanjdb.exe
File created	C:\Windows\SysWOW64\Fllhjc32.dll	Obqanjdb.exe
File opened for modification	C:\Windows\SysWOW64\Pbekii32.exe	Padnaq32.exe
File created	C:\Windows\SysWOW64\Kpqgeihg.dll	Pbekii32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4856	3152	WerFault.exe	127

System Location Discovery: System Language Discovery 1 TTPs 42 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oihmedma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padnaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmmlla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhmjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Objkmkjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nijqcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqhoeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nofefp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niojoeel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiagde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqoefand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbekii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piocecgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjoppf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfepdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbebbk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqfbpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obgohklm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pafkgphl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pplhhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omfekbdh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcpnhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pififb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfldgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodiqp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjlcjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpeaoih.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oiccje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofjqihnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojhiogdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjjfdfbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nimmifgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oifppdpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oqmhqapg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obqanjdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbhgoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjaleemj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmphaaln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pciqnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omopjcjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgnam.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknofqcc.dll"	Piocecgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodiqp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Obqanjdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Padnaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll"	Pjaleemj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nimmifgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oiccje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqmhqapg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oihmedma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Niojoeel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll"	Oqhoeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfepdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll"	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Padnaq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjlcjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefmmcgh.dll"	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oifppdpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpqgeihg.dll"	Pbekii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmcadl.dll"	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqhoeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfgnho32.dll"	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaklfpn.dll"	Pfhmjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niojoeel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiagde32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oiccje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgljk32.dll"	Pjjfdfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblamanm.dll"	Pafkgphl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll"	Ocihgnam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcpnhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndfknp.dll"	Ncpeaoih.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll"	Oiccje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhhpb32.dll"	Oqmhqapg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oihmedma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llgdkbfj.dll"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll"	Pjoppf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcilohid.dll"	Pmphaaln.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pciqnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Objkmkjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcpnhl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 5620	1940	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe	86
PID 1940 wrote to memory of 5620	1940	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe	86
PID 1940 wrote to memory of 5620	1940	770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe	86
PID 5620 wrote to memory of 3808	5620	Nfldgk32.exe	87
PID 5620 wrote to memory of 3808	5620	Nfldgk32.exe	87
PID 5620 wrote to memory of 3808	5620	Nfldgk32.exe	87
PID 3808 wrote to memory of 4372	3808	Nijqcf32.exe	88
PID 3808 wrote to memory of 4372	3808	Nijqcf32.exe	88
PID 3808 wrote to memory of 4372	3808	Nijqcf32.exe	88
PID 4372 wrote to memory of 2124	4372	Nodiqp32.exe	89
PID 4372 wrote to memory of 2124	4372	Nodiqp32.exe	89
PID 4372 wrote to memory of 2124	4372	Nodiqp32.exe	89
PID 2124 wrote to memory of 2668	2124	Ncpeaoih.exe	90
PID 2124 wrote to memory of 2668	2124	Ncpeaoih.exe	90
PID 2124 wrote to memory of 2668	2124	Ncpeaoih.exe	90
PID 2668 wrote to memory of 1124	2668	Nimmifgo.exe	91
PID 2668 wrote to memory of 1124	2668	Nimmifgo.exe	91
PID 2668 wrote to memory of 1124	2668	Nimmifgo.exe	91
PID 1124 wrote to memory of 4176	1124	Nofefp32.exe	92
PID 1124 wrote to memory of 4176	1124	Nofefp32.exe	92
PID 1124 wrote to memory of 4176	1124	Nofefp32.exe	92
PID 4176 wrote to memory of 1276	4176	Nbebbk32.exe	93
PID 4176 wrote to memory of 1276	4176	Nbebbk32.exe	93
PID 4176 wrote to memory of 1276	4176	Nbebbk32.exe	93
PID 1276 wrote to memory of 4072	1276	Niojoeel.exe	94
PID 1276 wrote to memory of 4072	1276	Niojoeel.exe	94
PID 1276 wrote to memory of 4072	1276	Niojoeel.exe	94
PID 4072 wrote to memory of 1800	4072	Nqfbpb32.exe	95
PID 4072 wrote to memory of 1800	4072	Nqfbpb32.exe	95
PID 4072 wrote to memory of 1800	4072	Nqfbpb32.exe	95
PID 1800 wrote to memory of 976	1800	Obgohklm.exe	96
PID 1800 wrote to memory of 976	1800	Obgohklm.exe	96
PID 1800 wrote to memory of 976	1800	Obgohklm.exe	96
PID 976 wrote to memory of 2520	976	Oiagde32.exe	97
PID 976 wrote to memory of 2520	976	Oiagde32.exe	97
PID 976 wrote to memory of 2520	976	Oiagde32.exe	97
PID 2520 wrote to memory of 3212	2520	Oqhoeb32.exe	98
PID 2520 wrote to memory of 3212	2520	Oqhoeb32.exe	98
PID 2520 wrote to memory of 3212	2520	Oqhoeb32.exe	98
PID 3212 wrote to memory of 4388	3212	Objkmkjj.exe	100
PID 3212 wrote to memory of 4388	3212	Objkmkjj.exe	100
PID 3212 wrote to memory of 4388	3212	Objkmkjj.exe	100
PID 4388 wrote to memory of 396	4388	Oiccje32.exe	101
PID 4388 wrote to memory of 396	4388	Oiccje32.exe	101
PID 4388 wrote to memory of 396	4388	Oiccje32.exe	101
PID 396 wrote to memory of 4324	396	Omopjcjp.exe	102
PID 396 wrote to memory of 4324	396	Omopjcjp.exe	102
PID 396 wrote to memory of 4324	396	Omopjcjp.exe	102
PID 4324 wrote to memory of 444	4324	Ocihgnam.exe	103
PID 4324 wrote to memory of 444	4324	Ocihgnam.exe	103
PID 4324 wrote to memory of 444	4324	Ocihgnam.exe	103
PID 444 wrote to memory of 576	444	Oifppdpd.exe	104
PID 444 wrote to memory of 576	444	Oifppdpd.exe	104
PID 444 wrote to memory of 576	444	Oifppdpd.exe	104
PID 576 wrote to memory of 5476	576	Oqmhqapg.exe	105
PID 576 wrote to memory of 5476	576	Oqmhqapg.exe	105
PID 576 wrote to memory of 5476	576	Oqmhqapg.exe	105
PID 5476 wrote to memory of 1920	5476	Ofjqihnn.exe	106
PID 5476 wrote to memory of 1920	5476	Ofjqihnn.exe	106
PID 5476 wrote to memory of 1920	5476	Ofjqihnn.exe	106
PID 1920 wrote to memory of 3380	1920	Oihmedma.exe	107
PID 1920 wrote to memory of 3380	1920	Oihmedma.exe	107
PID 1920 wrote to memory of 3380	1920	Oihmedma.exe	107
PID 3380 wrote to memory of 2536	3380	Oqoefand.exe	108

C:\Users\Admin\AppData\Local\Temp\770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe
"C:\Users\Admin\AppData\Local\Temp\770c6c989d8c5a169aa1ce64a690f41057b821f19e61663603b704275e9b7f87.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\Nfldgk32.exe
  C:\Windows\system32\Nfldgk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5620
- - C:\Windows\SysWOW64\Nijqcf32.exe
    C:\Windows\system32\Nijqcf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\Nodiqp32.exe
      C:\Windows\system32\Nodiqp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4372
    - - C:\Windows\SysWOW64\Ncpeaoih.exe
        
        C:\Windows\system32\Ncpeaoih.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\SysWOW64\Nimmifgo.exe
        
        C:\Windows\system32\Nimmifgo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Nofefp32.exe
        
        C:\Windows\system32\Nofefp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\Niojoeel.exe
        
        C:\Windows\system32\Niojoeel.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Nqfbpb32.exe
        
        C:\Windows\system32\Nqfbpb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Oiagde32.exe
        
        C:\Windows\system32\Oiagde32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Oqhoeb32.exe
        
        C:\Windows\system32\Oqhoeb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Objkmkjj.exe
        
        C:\Windows\system32\Objkmkjj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Oiccje32.exe
        
        C:\Windows\system32\Oiccje32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Ocihgnam.exe
        
        C:\Windows\system32\Ocihgnam.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Oifppdpd.exe
        
        C:\Windows\system32\Oifppdpd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\SysWOW64\Oqmhqapg.exe
        
        C:\Windows\system32\Oqmhqapg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\Ofjqihnn.exe
        
        C:\Windows\system32\Ofjqihnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5476
        
        C:\Windows\SysWOW64\Oihmedma.exe
        
        C:\Windows\system32\Oihmedma.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Obqanjdb.exe
        
        C:\Windows\system32\Obqanjdb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Pcpnhl32.exe
        
        C:\Windows\system32\Pcpnhl32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Pjjfdfbb.exe
        
        C:\Windows\system32\Pjjfdfbb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Padnaq32.exe
        
        C:\Windows\system32\Padnaq32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Pbekii32.exe
        
        C:\Windows\system32\Pbekii32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Pjlcjf32.exe
        
        C:\Windows\system32\Pjlcjf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Piocecgj.exe
        
        C:\Windows\system32\Piocecgj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\Pafkgphl.exe
        
        C:\Windows\system32\Pafkgphl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6020
        
        C:\Windows\SysWOW64\Pbhgoh32.exe
        
        C:\Windows\system32\Pbhgoh32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Pjoppf32.exe
        
        C:\Windows\system32\Pjoppf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5920
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Pfepdg32.exe
        
        C:\Windows\system32\Pfepdg32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1524
        
        C:\Windows\SysWOW64\Pjaleemj.exe
        
        C:\Windows\system32\Pjaleemj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Pmphaaln.exe
        
        C:\Windows\system32\Pmphaaln.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Pciqnk32.exe
        
        C:\Windows\system32\Pciqnk32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5668
        
        C:\Windows\SysWOW64\Pfhmjf32.exe
        
        C:\Windows\system32\Pfhmjf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\Pififb32.exe
        
        C:\Windows\system32\Pififb32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3152 -s 408
        43⤵
        Program crash
        
        PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3152 -ip 3152
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Nbebbk32.exe

Filesize
92KB

MD5
0d4543190229f5591dc2f38da75eb882

SHA1
c3d183344f5c0e0f173d54d54eb35d9cce2ebad4

SHA256
9e7e2e9f6c7da51bdd5b98dbf54feae388361b5c23d67b5486473348b720f87e

SHA512
40baea844a38ce23f4426ac5322e3c45ecbfd03cdf9cbce696c3e455ddf93837fa5634b5f00db0310463d57f4c0ce9b09119d92188d61987fedb43c19f64cfe8

Download Submit
C:\Windows\SysWOW64\Ncpeaoih.exe

Filesize
92KB

MD5
9985f2d74c1bc0ae05b45558dc5fed59

SHA1
f1eee17ff4e5e7e17f75bb8538252ffdfb61e0d9

SHA256
979af2875d0837a99f859b1f6f0ccf9564a6094534f79b643d277528f00769a5

SHA512
6e54973f5a491e9d96974107ab10a46596359f8aa479d39a4be4eb0238f219bbe2154c5fe7f3a34e3c684a1204ed3ea6177dd29f203283ea0e5cc8897d671c6f

Download Submit
C:\Windows\SysWOW64\Nfldgk32.exe

Filesize
92KB

MD5
74ed1cf7ebceeac1cab82f107b6b614d

SHA1
2f42b8f5c2854ac6946fd5663f93acab54df6711

SHA256
9513e19ebbd82efde1187f8a631a9205fee7463d1f6c05375fbfeab2ed1f18cf

SHA512
3c1e363a8f7168f240a4dd78fa128998e97b5a751e68e46df9735449d96891d0e776045a1f6d439c7200c3e921accb96fa8188d4d609783815a5eea61d6ee937

Download Submit
C:\Windows\SysWOW64\Nijqcf32.exe

Filesize
92KB

MD5
a89aa2c01d299f6955bea372206fde77

SHA1
e75dcf83989783ab20f1d6e94efd33e86db08ff3

SHA256
a3c057d09877540471bf07954af60a82c7137d45584eada20dcb38995d1ae6a1

SHA512
3bb1d7fdc04182077ecb75983b32281964c8b11c809d9672c179978bad1649c43600027228708872594b447853e4b749312b49c5efe137f164b201a21f1a9728

Download Submit
C:\Windows\SysWOW64\Nimmifgo.exe

Filesize
92KB

MD5
1de5617b47cd5492b1fad52d6086fd67

SHA1
75ddf2d592b9e3fd8166845452c89c3f8b45a4c9

SHA256
6786a52ffc3c2a730d0717c53e791b59cd3f85b6becaadd18c4ca92d487d3437

SHA512
c1ec95304e9f78af93d0d3646a96e19521ddbb5aca2a491ee3dc1de252253eec7499e29e3b6d75790b8f1dad08c8970405dae4a9e382bb73b7666b3c14cc0888

Download Submit
C:\Windows\SysWOW64\Niojoeel.exe

Filesize
92KB

MD5
c0ffde5516f68e17820cf640062a769f

SHA1
da8be61e4dd7d6e84f2ccc71c4c4ebca2c6739fc

SHA256
0599136e72f617659a57094b17f370b61a66e119042f8798ac23e7ee40e67ca7

SHA512
cdf866582fa337554c2546632c234e9afd11a722e54e5ea64a4a395c37403c8f9a3b1edd09253f5a4b6ba9efd273a3911bd7ab1bfa55746afcf1805d19f10de4

Download Submit
C:\Windows\SysWOW64\Nodiqp32.exe

Filesize
92KB

MD5
1500fd64ea80909f8a236f56a2f118ab

SHA1
5d5dd8dd1fa0840438a409f73e628fb669895c52

SHA256
9476f8ec248dcf0e936bcc29dd2ad687fd49365114f1852481ec80ade4ae13ca

SHA512
2c0011bbb017a835cea4d6b866f85879438f91cb55d6299bf5ec91e1b6cb196e0956a8606b78e2c2b4705a4a67e1f3c67b20347fe548e98c29add4994b518287

Download Submit
C:\Windows\SysWOW64\Nofefp32.exe

Filesize
92KB

MD5
13816dc848c3037bef9808d7a215a6dd

SHA1
988d0ba9cb21414db175bda6e18ef52ab9666bfd

SHA256
d26f10d32c938f6c887c8cd74edc126ab19f33148c7287f86aa35380c5b26fd5

SHA512
3846b5a77d62fea1901afff4876bbfdea0200a261d5c353d1ee3f52e14c834170307261b58da4a7f56a20191b6f2ad2a8b1b4c0da74ad9b54389cd4d452eca45

Download Submit
C:\Windows\SysWOW64\Nqfbpb32.exe

Filesize
92KB

MD5
42d83b3f268f5a23d7fc0f20ccad6152

SHA1
687c9c2b24644cae1207d710cc65d505b20d5536

SHA256
59e2c9ca1c4d2cc40a754ba4cb91051b134d86ad939eec4be08bc4d73c98c11c

SHA512
5488992609c9bdaf40590596eafd10d74cc1b50de231bf02b8962ab6a4c4838c1d18fd79e598850d0519106e35bed67bda5c52fdd8197b94a975db236d6aa227

Download Submit
C:\Windows\SysWOW64\Obgohklm.exe

Filesize
92KB

MD5
309e385ef720957618ec79e567c15665

SHA1
9e16879278081faedfa5650b1dea0bbb7f88c2cc

SHA256
0fdba5506611375d6f790a551b1b7fbdd1cc2c2d6dfe5124b353fa0c07f3c0c8

SHA512
a8d4be2fa9b4372413f741e192e88e54d11e7737a63d539a18a4a97aac39868a6d8cde285be7a331e048dcefc13392dd6d6717c8a703d61989385be40aa79cbb

Download Submit
C:\Windows\SysWOW64\Objkmkjj.exe

Filesize
92KB

MD5
90c7d5075ef680e4e1f3ba66f6dd42be

SHA1
dcff84cfff395e43947ba5d53099be5f672efd86

SHA256
6bf8207d83753f9257f9916e58c661a770c0aa3b18267d588480e1d4cbbc3342

SHA512
08b805d913492f994969df3c19e6704f7194cff59c928e69901e79fb27c17a35e0ba558764dbec61be8b12fdb883c02de3a88ab2e35d658c46b034083a7bb810

Download Submit
C:\Windows\SysWOW64\Obqanjdb.exe

Filesize
92KB

MD5
4671dcf6fc8c6abc5915a0c97cf55ef3

SHA1
50ff7664644088e6300b55800453df9b6ba10183

SHA256
1782fa3430f2c79e9588ca394a0d570d681b9abd1a73e7dd9fdf928504289ddd

SHA512
7dfd60648d95278ed340482a479b275dc41136418dbfec7a7cadd04e00ca73b48f21d300deb4eef86a32101c3c4b07f32726c21977ff68d40e4caf4a390c95e9

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
92KB

MD5
ace2c76c248ebf9e227e42f8e369e8a9

SHA1
efed7fa7815df2872e1bdb9a4cc88903599d8448

SHA256
ca930c00e9c8ea882d54d9ffd8530c3442fc6edd8598e7553edf3e9152645390

SHA512
5ef413016c87fbfa60ef35711447855f70df825c1b32d15daa661a01e597d820d5eec7066ce10c0c59ade723f31ac2c6fcd797e8dc93a490a69f9522134137f7

Download Submit
C:\Windows\SysWOW64\Ofjqihnn.exe

Filesize
92KB

MD5
4ea57961a134b20e2da7ddb53c5cbcf2

SHA1
f644cd5b397b271efe69ed8b51182c94e8358712

SHA256
6c1d183c472a381ea4b05bc2fcc1f9c6022375f45acf6260091c935dd94ad470

SHA512
04d77f876f98e4594a33b0f0ffacb34bfa3e8a1d67fc2080e3b96c03193fbe5a13bc0078f3462a5003d59be7963f8f2f599af18fed5d93c73213b279f0f68334

Download Submit
C:\Windows\SysWOW64\Oiagde32.exe

Filesize
92KB

MD5
33b964fd949dd4ea0e0dae91dff3d979

SHA1
58d7910e5f9cc9b06948c2ec1bb0b8b1dccbc7ed

SHA256
45a398c89656b9ad7493f3c0f4cc64866c8b534150494836281a754622cc3585

SHA512
755daaba67f7dbd3f8dd083edf4b83128a62e08e9fc012ef47d50ef0ee455b82e1c108f5344f283182ca3c310151d8fbc192b50ccb9fdc7fccc208dc679091ad

Download Submit
C:\Windows\SysWOW64\Oiccje32.exe

Filesize
92KB

MD5
569e1f1a98c120d069a423c25c150290

SHA1
bf4652e990602e55cc4c51141be1613ae6138053

SHA256
708ae3725b6c9e575032ad54b2ec4250d689a83dd7e30b27825e45d89cfa2523

SHA512
e2b9fa07d66c9075814ecac7194575cd77dcf717cc731eb363fe9368f205038da56e0d0ba750152e8380a1b4ab6139d0885455e74206a361c3b8176971bfa001

Download Submit
C:\Windows\SysWOW64\Oifppdpd.exe

Filesize
92KB

MD5
d66b1799bef6942b89c9f5b378b7321e

SHA1
828282d56f703b2b2632d07cc1ec1cb4a2014cef

SHA256
a7bc9f51a4e4d523513a179ba1a058e14e99439cdd24894edd0893ae9cdd55c2

SHA512
de61db135d37d21f0a0ec3e89ad4ec4071ca56a7b974749a25a37f995572ac01f11871501bf0318804954b8a714e2b3dd9c7c8e7bc69a9cf2d700a7a1e998dfc

Download Submit
C:\Windows\SysWOW64\Oihmedma.exe

Filesize
92KB

MD5
288a8872b32b3742fc536ccd7dbe607a

SHA1
5ed484edc5103091330d2e35f0d01a7971a765ce

SHA256
ba0aac7a9f2206235d29d3318eba3e15e6cc23d7ab650533559179aec170b674

SHA512
c8ee40e3eaaf809ae67661f747b39a1f9608d6290d55a4862e00d18eb5174b51092ffc493c2b2284effafa950dfc9e5e1dbda7e1d7d63feccf919af2f2ff9ac6

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
92KB

MD5
9cc6a6f210579f66ba7a3cc37bd85348

SHA1
07196a93e86a00084d500725878819becc00cb95

SHA256
99e9eb584eaa31ef199fb495f3cf34999983ba81d81a32be8e4d28a3b78032b2

SHA512
3b28fa6e7926e82ac6137abf729d3923648a8b56e67b0c46e48a4550c319c8e95a24653934a92d758b20558c3abf778653634536c140b1c3ef6e0936040a2f9f

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
92KB

MD5
cabff1f1d88c7cea1814ffd5f7d3f3c0

SHA1
490a55499476845c1adeedc23ab2419bcf58022f

SHA256
53a7c42bc17f0ad7b238c83317b4688b20526748ff4da576050cab4d3d8901b8

SHA512
ff6b675c036787c29afe1625ded27f7bf490a81b8d6ed94e0de37dc87bc45ae89146491ad96594e882babd99d6763346e533a209866cb557609e9e74e9e27b79

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
92KB

MD5
521d5808f0b55c68f99083c8adabebe3

SHA1
4a73e4819bd6ef59269744cc9bdbfc314df43264

SHA256
cb8e59b047901df141e08aab7ad90de49eb4e1fb7b3f2d01f07e21815fda38a7

SHA512
b2d6b723dbd1aba0b72fbfecc3f8ba7b81d4891204573a1ef2ea83c3da66026ce2221b254fe204da1fbc1da3cb7cdadf365d2dde30651384fcd14c8c442913c2

Download Submit
C:\Windows\SysWOW64\Oqhoeb32.exe

Filesize
92KB

MD5
8732e3a36dcf0e474b6b65a9cc5e9996

SHA1
88edc3d0cd4fc2757188f729f7cf26b11ed07b6d

SHA256
df66195eefe2679076702ef84fbcd4c3ef76522d595054e03b5dea6c846be284

SHA512
ae2f1daf8b3708634cdcb4cd2b90e0c10f2b6cd4db0a043ae28906fa8771114a35e1569801ab27a58d049266973a908ba953f83a5290804c864e7b1789de9f2b

Download Submit
C:\Windows\SysWOW64\Oqmhqapg.exe

Filesize
92KB

MD5
8777dcaeb23b5027aff855533c9fb024

SHA1
f7b8620c615ac6083a5c16e9de143ab392e2b6e9

SHA256
6783e8160fe3796223203bde4caf599e551f86e49e6845d534b7d817886cda5c

SHA512
597b67de7daf2c91328aabb3057ce03739941da6cccd6ae895739a069d7d9c09c5091fcfb1b4cb5b91c6ad630fe6f50512cd6b9ce3dfa12a34e020eafcd28590

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
92KB

MD5
b8b136754d0aa85c77981c0ffa0e2057

SHA1
bc9ef11277c7653dacdaa881efa3c2a848182722

SHA256
02c846529d8d4dd0560a735b550075e952af742a91cc9f08b77877e45192f29d

SHA512
3152ae19992f128ff69297f66bdc920d7d3b1c4e04b5b252968839622059e1cd35d1fdf56b4fbbc1d26a98326f000c111a28d5874e2192793a9ade741c14b24a

Download Submit
C:\Windows\SysWOW64\Padnaq32.exe

Filesize
92KB

MD5
08891f4bd1f17ff1e77dac0070aab05e

SHA1
d62a1c2cf8f012532f90207a0b252e79108c8e22

SHA256
deef41b57095c7263daf7c44e9a3e78ec75c85163d358b056c0586f37cd95709

SHA512
95e32e36fcdcc167209fd10178e779405cac1581fb8e2458e3f9aad6fcd60a67cbe6b6127d7113e974124fd641aee12dd06bb069e2f31fe475708a771079b8a0

Download Submit
C:\Windows\SysWOW64\Pafkgphl.exe

Filesize
92KB

MD5
4b90e6a9b1915540036092f493c01f7b

SHA1
78aaddb439be8d8f4aa50a8c7c6879959b04dacd

SHA256
f9929fbe3e41cda3ec4ad13ef30f3bb1e8d73c1400eb5233e6e0b28f451e0fe7

SHA512
e05872aceadc5c445d28f0dfd64179e7809111c51764936a961d9fe8692484749071242c92a3117e5530ecf8942c35fb2b6bcfc31f8c3e5f15a36f2a77fdf00c

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
92KB

MD5
2a64ae317cdc550efc3e31ef38d4d901

SHA1
6f00ebd3dd005aee8f568f4edc8fb12886a39bc5

SHA256
032331e825fe5f2c5934b8857da7600ed62ed32251fb54b2068038d48a1aaa60

SHA512
707ac7f11a74d20e2eff67a0b5073c47607d7b814522dbe965ffd6f8da99d07821c83bffc7a3f60481e33f2af300b326411495b9d6971e6f15eab8d01aa437d5

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
92KB

MD5
557a3e1a16234e1bf345e2201ab7f762

SHA1
7a8a2c6bb9f723efd96ae24a4458265489b1706e

SHA256
06115ddfdd70e0425b9334179954bc1aae2fad3e3a4a80c40692cb23197b397e

SHA512
9249ef6ad1f6c0297fa85fc24ba460a9635871b838c0606c8a2f8aaeedbe408961937859716814a6869a84c8a20802ddd275572737be9c56d9c3862a3877f4db

Download Submit
C:\Windows\SysWOW64\Pcpnhl32.exe

Filesize
92KB

MD5
32200f5b4ce8cd6d7dee255414fd3fb4

SHA1
97f9e30cadc2ab090aa852091aed2afd9189a92a

SHA256
d76cd000c5edf7ac67796fae5496b2108e33d5d7bc294edfc899afd13578f8b5

SHA512
a6797c931b279d0fe124bbade9f0cb9bb7eddea1b275da26a544e33bbc24bc121b339b5d4781946a282b0a6a2bde1e87d037e0262e7243e3623ff33d7debf154

Download Submit
C:\Windows\SysWOW64\Piocecgj.exe

Filesize
92KB

MD5
aebdd2519c0ecd945da948718f07a3ce

SHA1
dc5cb45be20541ab05b6e82e79e42c78c46b393a

SHA256
666ee730dbcff46e748330be2e5495cc4c145914cbb98ef831800609ac99c48f

SHA512
6c793898b15a025418146955684a63985a4cf7b55a85ffb944760116b75e08eab48fa2417b63e4750398226e556117c7e91eff74fda1943f08a372945602097c

Download Submit
C:\Windows\SysWOW64\Pjjfdfbb.exe

Filesize
92KB

MD5
37462bc441167e152977b21478581471

SHA1
18f8dbb64f544b6489b823c36206bfd2bba84275

SHA256
9dddbced47af43dc248c4e484048f09e671ac4ea08bb94245985c52fb088e26e

SHA512
3674a819ec8322b2cb119aaa2d9431bb3b04cc04f236e1bb424af260d6e188ea9de294693d02e426e69dcc4cfce2ab2781de81bd92d0f9744f2b3158b8bfc77e

Download Submit
C:\Windows\SysWOW64\Pjlcjf32.exe

Filesize
92KB

MD5
b9e3602590da55a08c233a8460231754

SHA1
ae6dfcb3a28fd17effa2a8a55ed63fb6adb09b9b

SHA256
65e702502df2bea844113a30636b7dada2232335bab4b8bca0e267656fa273c6

SHA512
c9db2be07bfdebe526b6dac62da0ceb2183aab493a7659044ae3f7fa1eedeba67d2a5e8c36e9c82449d72bdaa8858d596bec610cb3538fe7973849f2ec356669

Download Submit
memory/224-217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/224-324-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/396-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/444-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/444-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/576-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/576-144-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-88-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/976-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-326-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1036-201-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1124-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1276-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-317-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-281-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-184-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1700-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1800-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1800-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1828-327-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1828-192-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1920-161-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1940-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2124-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2124-33-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-318-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2520-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-329-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-315-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2668-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2668-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3152-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-338-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3212-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3336-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-330-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3568-313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3808-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3808-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4012-321-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4044-237-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4072-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4176-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4176-57-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4324-128-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4372-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4388-113-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4956-293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-224-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5004-323-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5476-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5476-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5620-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5620-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5668-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5668-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5920-263-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5920-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6020-249-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6020-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads