berbew | 919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Size

96KB
MD5

3060af6f46d5eb54fe41ee89b2a7d56f
SHA1

6676f39f1b8aa15fde0d5e328f7925697785bc23
SHA256

919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab
SHA512

52ce5b71a542a65b6e8517f3da5c7aec0cc0cdc9761f275db249c614641ef5bfc82828a81a3ec1ccd43b2fd2f41d38a5c46e4b5da71a953c83452ffbc541daf9
SSDEEP

1536:YOm1BdrJuA7TBdq7yh1mOyK50+GfAJC2Lq7RZObZUUWaegPYAS:Lm6Av7qGDmOz0+JhqClUUWae/

Score

10^/10

berbew bruteratel backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nmbmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Onlooh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mjddnjdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Miiaogio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neghdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ogmngn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odanqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkbcgnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Neghdg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogmngn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbpibm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbfobllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndmeecmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjddnjdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbpibm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nebnigmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odanqb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ophoecoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Onlooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nebnigmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbfobllj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkbcgnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgo32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018b50-41.dat	family_bruteratel

Executes dropped EXE 16 IoCs

pid	Process
2052	Mjddnjdf.exe
2816	Mbpibm32.exe
2852	Miiaogio.exe
2756	Nfmahkhh.exe
2792	Nebnigmp.exe
2832	Nbfobllj.exe
2688	Nkbcgnie.exe
984	Neghdg32.exe
2964	Nmbmii32.exe
1924	Ndmeecmb.exe
1724	Ogmngn32.exe
1156	Odanqb32.exe
2700	Ophoecoa.exe
1940	Onlooh32.exe
2316	Ocihgo32.exe
2352	Ockdmn32.exe

Loads dropped DLL 36 IoCs

pid	Process
2248	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
2248	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
2052	Mjddnjdf.exe
2052	Mjddnjdf.exe
2816	Mbpibm32.exe
2816	Mbpibm32.exe
2852	Miiaogio.exe
2852	Miiaogio.exe
2756	Nfmahkhh.exe
2756	Nfmahkhh.exe
2792	Nebnigmp.exe
2792	Nebnigmp.exe
2832	Nbfobllj.exe
2832	Nbfobllj.exe
2688	Nkbcgnie.exe
2688	Nkbcgnie.exe
984	Neghdg32.exe
984	Neghdg32.exe
2964	Nmbmii32.exe
2964	Nmbmii32.exe
1924	Ndmeecmb.exe
1924	Ndmeecmb.exe
1724	Ogmngn32.exe
1724	Ogmngn32.exe
1156	Odanqb32.exe
1156	Odanqb32.exe
2700	Ophoecoa.exe
2700	Ophoecoa.exe
1940	Onlooh32.exe
1940	Onlooh32.exe
2316	Ocihgo32.exe
2316	Ocihgo32.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe
1296	WerFault.exe

Drops file in System32 directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Miiaogio.exe	Mbpibm32.exe
File opened for modification	C:\Windows\SysWOW64\Nbfobllj.exe	Nebnigmp.exe
File opened for modification	C:\Windows\SysWOW64\Nkbcgnie.exe	Nbfobllj.exe
File opened for modification	C:\Windows\SysWOW64\Ogmngn32.exe	Ndmeecmb.exe
File opened for modification	C:\Windows\SysWOW64\Ophoecoa.exe	Odanqb32.exe
File opened for modification	C:\Windows\SysWOW64\Onlooh32.exe	Ophoecoa.exe
File created	C:\Windows\SysWOW64\Cfekom32.dll	Ophoecoa.exe
File created	C:\Windows\SysWOW64\Iifedg32.dll	Onlooh32.exe
File created	C:\Windows\SysWOW64\Miiaogio.exe	Mbpibm32.exe
File created	C:\Windows\SysWOW64\Djfoghqi.dll	Mbpibm32.exe
File opened for modification	C:\Windows\SysWOW64\Nfmahkhh.exe	Miiaogio.exe
File created	C:\Windows\SysWOW64\Madikm32.dll	Nfmahkhh.exe
File created	C:\Windows\SysWOW64\Ncnhfi32.dll	Nebnigmp.exe
File created	C:\Windows\SysWOW64\Nkbcgnie.exe	Nbfobllj.exe
File created	C:\Windows\SysWOW64\Boghbgla.dll	Nbfobllj.exe
File created	C:\Windows\SysWOW64\Gnhapl32.dll	Neghdg32.exe
File created	C:\Windows\SysWOW64\Mkfpqgco.dll	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
File created	C:\Windows\SysWOW64\Fbofhpaj.dll	Miiaogio.exe
File opened for modification	C:\Windows\SysWOW64\Nmbmii32.exe	Neghdg32.exe
File created	C:\Windows\SysWOW64\Ogmngn32.exe	Ndmeecmb.exe
File created	C:\Windows\SysWOW64\Ophoecoa.exe	Odanqb32.exe
File created	C:\Windows\SysWOW64\Onlooh32.exe	Ophoecoa.exe
File created	C:\Windows\SysWOW64\Ocihgo32.exe	Onlooh32.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgo32.exe	Onlooh32.exe
File created	C:\Windows\SysWOW64\Mjddnjdf.exe	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
File opened for modification	C:\Windows\SysWOW64\Mbpibm32.exe	Mjddnjdf.exe
File created	C:\Windows\SysWOW64\Nfmahkhh.exe	Miiaogio.exe
File created	C:\Windows\SysWOW64\Flgdah32.dll	Ndmeecmb.exe
File created	C:\Windows\SysWOW64\Nbfobllj.exe	Nebnigmp.exe
File created	C:\Windows\SysWOW64\Agpmcpfm.dll	Nkbcgnie.exe
File opened for modification	C:\Windows\SysWOW64\Ndmeecmb.exe	Nmbmii32.exe
File created	C:\Windows\SysWOW64\Ppicjm32.dll	Mjddnjdf.exe
File created	C:\Windows\SysWOW64\Neghdg32.exe	Nkbcgnie.exe
File opened for modification	C:\Windows\SysWOW64\Neghdg32.exe	Nkbcgnie.exe
File created	C:\Windows\SysWOW64\Odanqb32.exe	Ogmngn32.exe
File opened for modification	C:\Windows\SysWOW64\Odanqb32.exe	Ogmngn32.exe
File created	C:\Windows\SysWOW64\Oaecdo32.dll	Ogmngn32.exe
File created	C:\Windows\SysWOW64\Ejegcc32.dll	Odanqb32.exe
File created	C:\Windows\SysWOW64\Ockdmn32.exe	Ocihgo32.exe
File created	C:\Windows\SysWOW64\Mbpibm32.exe	Mjddnjdf.exe
File opened for modification	C:\Windows\SysWOW64\Ockdmn32.exe	Ocihgo32.exe
File created	C:\Windows\SysWOW64\Khhaomjd.dll	Ocihgo32.exe
File opened for modification	C:\Windows\SysWOW64\Mjddnjdf.exe	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
File created	C:\Windows\SysWOW64\Nebnigmp.exe	Nfmahkhh.exe
File opened for modification	C:\Windows\SysWOW64\Nebnigmp.exe	Nfmahkhh.exe
File created	C:\Windows\SysWOW64\Nmbmii32.exe	Neghdg32.exe
File created	C:\Windows\SysWOW64\Ndmeecmb.exe	Nmbmii32.exe
File created	C:\Windows\SysWOW64\Fchpmeni.dll	Nmbmii32.exe

Program crash 1 IoCs

pid	pid_target	Process
1296	2352	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogmngn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ophoecoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbcgnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odanqb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Onlooh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mjddnjdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfmahkhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nebnigmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbfobllj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndmeecmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Miiaogio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neghdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbmii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ockdmn32.exe

Modifies registry class 51 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Neghdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Onlooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfpqgco.dll"	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpmcpfm.dll"	Nkbcgnie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nmbmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nmbmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndmeecmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogmngn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ophoecoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppicjm32.dll"	Mjddnjdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfmahkhh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchpmeni.dll"	Nmbmii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogmngn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odanqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madikm32.dll"	Nfmahkhh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nebnigmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkbcgnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Neghdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbpibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfoghqi.dll"	Mbpibm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nebnigmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhapl32.dll"	Neghdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejegcc32.dll"	Odanqb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfekom32.dll"	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbpibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boghbgla.dll"	Nbfobllj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgdah32.dll"	Ndmeecmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odanqb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ophoecoa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbfobllj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifedg32.dll"	Onlooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll"	Ocihgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mjddnjdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mjddnjdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkbcgnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaecdo32.dll"	Ogmngn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Onlooh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbofhpaj.dll"	Miiaogio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnhfi32.dll"	Nebnigmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbfobllj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2052	2248	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe	29
PID 2248 wrote to memory of 2052	2248	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe	29
PID 2248 wrote to memory of 2052	2248	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe	29
PID 2248 wrote to memory of 2052	2248	919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe	29
PID 2052 wrote to memory of 2816	2052	Mjddnjdf.exe	30
PID 2052 wrote to memory of 2816	2052	Mjddnjdf.exe	30
PID 2052 wrote to memory of 2816	2052	Mjddnjdf.exe	30
PID 2052 wrote to memory of 2816	2052	Mjddnjdf.exe	30
PID 2816 wrote to memory of 2852	2816	Mbpibm32.exe	31
PID 2816 wrote to memory of 2852	2816	Mbpibm32.exe	31
PID 2816 wrote to memory of 2852	2816	Mbpibm32.exe	31
PID 2816 wrote to memory of 2852	2816	Mbpibm32.exe	31
PID 2852 wrote to memory of 2756	2852	Miiaogio.exe	32
PID 2852 wrote to memory of 2756	2852	Miiaogio.exe	32
PID 2852 wrote to memory of 2756	2852	Miiaogio.exe	32
PID 2852 wrote to memory of 2756	2852	Miiaogio.exe	32
PID 2756 wrote to memory of 2792	2756	Nfmahkhh.exe	33
PID 2756 wrote to memory of 2792	2756	Nfmahkhh.exe	33
PID 2756 wrote to memory of 2792	2756	Nfmahkhh.exe	33
PID 2756 wrote to memory of 2792	2756	Nfmahkhh.exe	33
PID 2792 wrote to memory of 2832	2792	Nebnigmp.exe	34
PID 2792 wrote to memory of 2832	2792	Nebnigmp.exe	34
PID 2792 wrote to memory of 2832	2792	Nebnigmp.exe	34
PID 2792 wrote to memory of 2832	2792	Nebnigmp.exe	34
PID 2832 wrote to memory of 2688	2832	Nbfobllj.exe	35
PID 2832 wrote to memory of 2688	2832	Nbfobllj.exe	35
PID 2832 wrote to memory of 2688	2832	Nbfobllj.exe	35
PID 2832 wrote to memory of 2688	2832	Nbfobllj.exe	35
PID 2688 wrote to memory of 984	2688	Nkbcgnie.exe	36
PID 2688 wrote to memory of 984	2688	Nkbcgnie.exe	36
PID 2688 wrote to memory of 984	2688	Nkbcgnie.exe	36
PID 2688 wrote to memory of 984	2688	Nkbcgnie.exe	36
PID 984 wrote to memory of 2964	984	Neghdg32.exe	37
PID 984 wrote to memory of 2964	984	Neghdg32.exe	37
PID 984 wrote to memory of 2964	984	Neghdg32.exe	37
PID 984 wrote to memory of 2964	984	Neghdg32.exe	37
PID 2964 wrote to memory of 1924	2964	Nmbmii32.exe	38
PID 2964 wrote to memory of 1924	2964	Nmbmii32.exe	38
PID 2964 wrote to memory of 1924	2964	Nmbmii32.exe	38
PID 2964 wrote to memory of 1924	2964	Nmbmii32.exe	38
PID 1924 wrote to memory of 1724	1924	Ndmeecmb.exe	39
PID 1924 wrote to memory of 1724	1924	Ndmeecmb.exe	39
PID 1924 wrote to memory of 1724	1924	Ndmeecmb.exe	39
PID 1924 wrote to memory of 1724	1924	Ndmeecmb.exe	39
PID 1724 wrote to memory of 1156	1724	Ogmngn32.exe	40
PID 1724 wrote to memory of 1156	1724	Ogmngn32.exe	40
PID 1724 wrote to memory of 1156	1724	Ogmngn32.exe	40
PID 1724 wrote to memory of 1156	1724	Ogmngn32.exe	40
PID 1156 wrote to memory of 2700	1156	Odanqb32.exe	41
PID 1156 wrote to memory of 2700	1156	Odanqb32.exe	41
PID 1156 wrote to memory of 2700	1156	Odanqb32.exe	41
PID 1156 wrote to memory of 2700	1156	Odanqb32.exe	41
PID 2700 wrote to memory of 1940	2700	Ophoecoa.exe	42
PID 2700 wrote to memory of 1940	2700	Ophoecoa.exe	42
PID 2700 wrote to memory of 1940	2700	Ophoecoa.exe	42
PID 2700 wrote to memory of 1940	2700	Ophoecoa.exe	42
PID 1940 wrote to memory of 2316	1940	Onlooh32.exe	43
PID 1940 wrote to memory of 2316	1940	Onlooh32.exe	43
PID 1940 wrote to memory of 2316	1940	Onlooh32.exe	43
PID 1940 wrote to memory of 2316	1940	Onlooh32.exe	43
PID 2316 wrote to memory of 2352	2316	Ocihgo32.exe	44
PID 2316 wrote to memory of 2352	2316	Ocihgo32.exe	44
PID 2316 wrote to memory of 2352	2316	Ocihgo32.exe	44
PID 2316 wrote to memory of 2352	2316	Ocihgo32.exe	44

C:\Users\Admin\AppData\Local\Temp\919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe
"C:\Users\Admin\AppData\Local\Temp\919170ead8f40b1af4a38a282a9a05f1d57bae357be0458eaa54a355fd2080ab.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\Mjddnjdf.exe
  C:\Windows\system32\Mjddnjdf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\Mbpibm32.exe
    C:\Windows\system32\Mbpibm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\Miiaogio.exe
      C:\Windows\system32\Miiaogio.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\SysWOW64\Nfmahkhh.exe
        
        C:\Windows\system32\Nfmahkhh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Nebnigmp.exe
        
        C:\Windows\system32\Nebnigmp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Nbfobllj.exe
        
        C:\Windows\system32\Nbfobllj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Nkbcgnie.exe
        
        C:\Windows\system32\Nkbcgnie.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\SysWOW64\Neghdg32.exe
        
        C:\Windows\system32\Neghdg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Nmbmii32.exe
        
        C:\Windows\system32\Nmbmii32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Ndmeecmb.exe
        
        C:\Windows\system32\Ndmeecmb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Ogmngn32.exe
        
        C:\Windows\system32\Ogmngn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Odanqb32.exe
        
        C:\Windows\system32\Odanqb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\SysWOW64\Ophoecoa.exe
        
        C:\Windows\system32\Ophoecoa.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Onlooh32.exe
        
        C:\Windows\system32\Onlooh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\Ocihgo32.exe
        
        C:\Windows\system32\Ocihgo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Ockdmn32.exe
        
        C:\Windows\system32\Ockdmn32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 140
        18⤵
        Loads dropped DLL
        Program crash
        
        PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Mbpibm32.exe

Filesize
96KB

MD5
5a56100d8d7677bd9389eb3195ecd9b7

SHA1
4e250f6214db8d1e7c201d848a9cc0f26e1263e6

SHA256
68d570102eb5ca62257277fc024664af62c3f11a458529c9518426bc5c025960

SHA512
052f68fb524808cfcf0f2f9025e65491d8b425aa132d895b286d35a0e2cfce5fcf576125567dbdeb6f2c1531e6f5fa72140eef3443f55961b2ae08b0edfed4d3

Download Submit
C:\Windows\SysWOW64\Miiaogio.exe

Filesize
96KB

MD5
fe981bc5420f6e6dbaf32d34d831193b

SHA1
96f426203f80185a79f9590917e637ad6c5e3143

SHA256
37a3dfce236e4384c96db4030fc5f81656310950ae468a9603edff5ab9693a2c

SHA512
e550203c0b19d02ecd63217720d077968218d7e475d2423a18b8b2cfa3b3ff844cdcc1162917f7a0e65ad7eec2af62e09ca3cf4c1dddd11f8f9ec90360c0f4d2

Download Submit
C:\Windows\SysWOW64\Mjddnjdf.exe

Filesize
96KB

MD5
fe5ebe42e09ff670e12d8dcf9fbd7335

SHA1
bd530e3fe07e3f2e5518a8068ac18c6ae6d4ada7

SHA256
cb90393f117b19fba610da4439533f56c3ff4b9bc43594406999513b59514611

SHA512
d015f40dc9e571a73c8d62e83e3691c4a519fdcb1afb799b759efc08d582ded72c8eb10b83e8d94ff08d85d902d170bf51427f78360e90c5789acc133f017110

Download Submit
C:\Windows\SysWOW64\Nbfobllj.exe

Filesize
96KB

MD5
83f647d3003ac1f3b50585e44578e61a

SHA1
32f1b4eea4eb52cda17d6f19ab2b565ae3eff500

SHA256
ea2031936d45f290f447560e71638064dfca9764db4f463ba5b9cce076cc1c11

SHA512
5b6d58c45bba82bdf21507c8e13323bd923b070049492dbf4b53d43a31147ae2d556c094aacd359fe541d9ef33b39652e66428e9bd927716f559ebd53413b0ae

Download Submit
C:\Windows\SysWOW64\Ndmeecmb.exe

Filesize
96KB

MD5
485bcf421ee4993d5d1f67f68bc29c39

SHA1
ef480ee28518543830183a4e4161eff0bb2837a3

SHA256
10c37a20afffa939e7c7fbf8cf35027aae5524b92b38bee185f9cfbf2fd53fcb

SHA512
8a71867e5ea153a7cf4e26d9b846e6185329f59f4ed203a0fa08b86bebca2e055dccf50230146a5c5c3cbd0a6dff16d99aca0b148937c30c4cac3ef31a9830b2

Download Submit
C:\Windows\SysWOW64\Nebnigmp.exe

Filesize
96KB

MD5
d743f8c844b41da1ad3d97b08498ea61

SHA1
b08cdcef5680ee71f7f05ad5306b296f9a90597e

SHA256
587c6788681e959ea9b48b95ab51cdedd72084fca875e13aab0390ce62cc266b

SHA512
550b8f2f6eaf024733cdf245be7c8807e574fdb21632457f35fec7b0c75ca99243d2bcde4d1e2057a9f36b17107323b19e73d15fb6dcb0a38dd5fa2786e78c9a

Download Submit
C:\Windows\SysWOW64\Neghdg32.exe

Filesize
96KB

MD5
e78bf4b1bb9a3ece55cbc628f1acba87

SHA1
e330eeea09c9dcfadd9f7ed27dac88c5e9c91a34

SHA256
1ece3902ca9c64a60566b09e2185249c9932dd13fd2813dc17ec2e907bb12aed

SHA512
9086ba670990090fbbea0bac7132cc985e25c228f8f5f87ec75df5c53f63b439af6cf45af2e5d0ed9fc38229ffa6594471b235384f89208042b66267682dcc81

Download Submit
C:\Windows\SysWOW64\Nfmahkhh.exe

Filesize
96KB

MD5
d318454ea79d3e53c3663345839b2042

SHA1
99cd92b99d09664224c6b6278f3c2a4cff7c3826

SHA256
1533c0e149bf5e566cb066f52521cbf3c8b27802aad92b75fd770afa9c42fb31

SHA512
dc22bb143706f77b07d70a636efe8b93dc81f8f78c8fbf0665e1471198da5943df7cc9543d7c042fffd1bf5580f2de2dce440c9cce3f7143ec4d235e89112cd5

Download Submit
C:\Windows\SysWOW64\Nkbcgnie.exe

Filesize
96KB

MD5
3b550652a75d67a40fdac2f65055097b

SHA1
d55b04e61f9875f1710a4e0d84f0722560860181

SHA256
b824d39b83fd755dd937543313bd80ab08f50a0bc19b2dfbbeee21b99040896c

SHA512
c4d28cdd4ed702d0ca90a0cbaf874f56dc2a9e2a07a7d200890e359dc8d4244be0c8ad745275b0d5fe17871c12155458aa5dab524ca69182fef5cd40a85f40bd

Download Submit
C:\Windows\SysWOW64\Nmbmii32.exe

Filesize
96KB

MD5
dfc7d1b489bd5d5f125c0d3cfe6d84c0

SHA1
e323e48a43cf3030fd735594a4f5f627146e48e9

SHA256
2e83e680b84e61d22f8bc453704b0f5871ef56c74bcdd02ae0b3340a751bfaf8

SHA512
1654ee3fd560816df89a965d4d2381f100901a4396e3265402ef7097d13518f69ef2ff5faa118e3eb30dd53ce4f59a4960e97383f3c3eada338c838141a37715

Download Submit
C:\Windows\SysWOW64\Ocihgo32.exe

Filesize
96KB

MD5
c9e75e981170c281f6eeabd96e505cd9

SHA1
f52cb5dd1cbd5e1706df35fbcba8974565d91d95

SHA256
802a76ec74f7708f1a65bc59ac1a908949f72943ed08d478ff33c8773a19da01

SHA512
284fa97585c5adc5a5986dbb5dd434162697dd5b1b30511478a277987b873712d1280753d8c0f1f346fa16e55911026eed328ce76ac8840d5af2162228d70810

Download Submit
C:\Windows\SysWOW64\Odanqb32.exe

Filesize
96KB

MD5
14f5d51fbbb95b59644cb682bc7bee90

SHA1
24d46ccd44539b0534e1cea323ccd5d7c7719449

SHA256
11f0df3f374b755485d406d3eecb0d79b1e7e11a170e783a5c0b89b62e4b3523

SHA512
780c06c60d2956519fa384cf35de70c59cdacb09ffc528783533f53ab470ceeb9911f6f2fbed227192ea012f53b7319716bd9b59aa08fb5c73f108395768d971

Download Submit
C:\Windows\SysWOW64\Ogmngn32.exe

Filesize
96KB

MD5
dcde632e551ea0826f83c728a46e1a21

SHA1
cfc5d6e8081b01990035adbb6e7be78b2c73a13d

SHA256
9ffd3326dacba263418f3aaadd13507734c4d042aa923e37aa5d02eae82234fe

SHA512
ebae9104485ce749536dfc13a364f00779134a3c5e6b2de24803e8a84aaac50276d54da97205a2cd6201cb217edcbfded8d0b4b803fa75374bbb87c1a8f27990

Download Submit
C:\Windows\SysWOW64\Onlooh32.exe

Filesize
96KB

MD5
685b76a325f14a51fe42a118162bd213

SHA1
e5e28e5b4938540de7f923cc0a3e7737892ab9aa

SHA256
9ac2e05f2ab25839ae640116a21a8544355f3f8a30b8ee688769e37e45f69dc6

SHA512
b329374d9e7e3e06df5d54b69b05327d15694d01c780b6c1e596a0771e40baec3a1a5293974499b8448a4f8c30d1717d34aaa78f13377eb2d4acf44239401723

Download Submit
C:\Windows\SysWOW64\Ophoecoa.exe

Filesize
96KB

MD5
537943031ca828686727a91b32244e2b

SHA1
de940dd478752541780dde7b86262ededd79a7bf

SHA256
42a1825a090f62001c4685456d19ffa77a9ecc735455260d7865499d1b30203b

SHA512
02186d09eda3aaab207bc9aa201966eedf003a3dbb141025ee18ccff2c71e5c7ad8869a6eff8f15528995bfdde03cb4b18091bf5ec321f218e3b0f2067adbc32

Download Submit
\Windows\SysWOW64\Ockdmn32.exe

Filesize
96KB

MD5
a79e3ca0f9ada3388d44f7fdbe6428db

SHA1
623072a82340ee41e99bd8de2ce7f0e4737d9b05

SHA256
9f9ec338c723d72a72c8b61808e6f4bca5ba63d9d3f24272ef6e375a0fc686a2

SHA512
9d5acdc5f7d211072238606e29185f333e81ba8dc39e880961350ea75c39f302597b6ced0eac29a589ba4d29bd1fc6f25a67ee4aa1046ca4989442136cbedc46

Download Submit
memory/984-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1156-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-152-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/1724-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-185-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2052-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-12-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2248-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-11-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2316-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-210-0x00000000001B0000-0x00000000001E3000-memory.dmp

Filesize
204KB

Download
memory/2352-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-178-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2756-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-61-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2756-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-74-0x00000000002A0000-0x00000000002D3000-memory.dmp

Filesize
204KB

Download
memory/2816-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2816-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-87-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download
memory/2832-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-126-0x0000000000220000-0x0000000000253000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads