berbew | 1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
Size

80KB
MD5

02adc10ef760e7eedb5bf268e82b53c0
SHA1

c71cd3a9c0cb94c8e8aad2415f326a770c368066
SHA256

1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5
SHA512

4a52e214230990d33b15e992affeba008ffdb05fd29357fe30d49973e9ecc754dac9b4b591fada8547a6b02b0c87e1cf38c3a7b6242a3e789587177a8e7a3b4a
SSDEEP

1536:5eA0Fbxj0RXysCCaeUnI4NaXrLGjz9j22laHGSmCLEY+Z2LdaS5DUHRbPa9b6i+I:5exF9jqPBaeUngXrLGjz922yypY8S5DP

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgcpjmcb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lnbbbffj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Liplnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nigome32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knmhgf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lpjdjmfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kincipnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lndohedg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knpemf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kklpekno.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meppiblm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckjkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Keednado.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgcpjmcb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmpnhdfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjfeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kincipnk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kconkibf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kklpekno.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlaeonld.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kofopj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lgjfkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Labkdack.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nmbknddp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 56 IoCs

pid	Process
2140	Kconkibf.exe
2892	Kfmjgeaj.exe
2536	Kofopj32.exe
2584	Kcakaipc.exe
2460	Kincipnk.exe
2996	Kklpekno.exe
572	Keednado.exe
1780	Kgcpjmcb.exe
2796	Knmhgf32.exe
640	Kegqdqbl.exe
1440	Kgemplap.exe
1984	Knpemf32.exe
2872	Lclnemgd.exe
1864	Lnbbbffj.exe
3028	Lapnnafn.exe
1588	Lgjfkk32.exe
2264	Lndohedg.exe
3012	Labkdack.exe
2364	Lcagpl32.exe
2268	Ljkomfjl.exe
2768	Lccdel32.exe
1692	Lfbpag32.exe
1452	Liplnc32.exe
2924	Lpjdjmfp.exe
2156	Libicbma.exe
2560	Mlaeonld.exe
1532	Meijhc32.exe
2740	Mhhfdo32.exe
2452	Mbmjah32.exe
2532	Migbnb32.exe
1196	Mhjbjopf.exe
536	Mabgcd32.exe
1404	Mencccop.exe
936	Mofglh32.exe
2820	Maedhd32.exe
2812	Meppiblm.exe
840	Mgalqkbk.exe
1724	Magqncba.exe
2600	Mpjqiq32.exe
1860	Nhaikn32.exe
1888	Nibebfpl.exe
904	Naimccpo.exe
2392	Nckjkl32.exe
2372	Nkbalifo.exe
1948	Nmpnhdfc.exe
3040	Ndjfeo32.exe
1216	Ncmfqkdj.exe
632	Nigome32.exe
340	Nmbknddp.exe
2020	Npagjpcd.exe
2692	Nodgel32.exe
2456	Ncpcfkbg.exe
2420	Ngkogj32.exe
2720	Nenobfak.exe
1044	Nhllob32.exe
2504	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2960	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
2960	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
2140	Kconkibf.exe
2140	Kconkibf.exe
2892	Kfmjgeaj.exe
2892	Kfmjgeaj.exe
2536	Kofopj32.exe
2536	Kofopj32.exe
2584	Kcakaipc.exe
2584	Kcakaipc.exe
2460	Kincipnk.exe
2460	Kincipnk.exe
2996	Kklpekno.exe
2996	Kklpekno.exe
572	Keednado.exe
572	Keednado.exe
1780	Kgcpjmcb.exe
1780	Kgcpjmcb.exe
2796	Knmhgf32.exe
2796	Knmhgf32.exe
640	Kegqdqbl.exe
640	Kegqdqbl.exe
1440	Kgemplap.exe
1440	Kgemplap.exe
1984	Knpemf32.exe
1984	Knpemf32.exe
2872	Lclnemgd.exe
2872	Lclnemgd.exe
1864	Lnbbbffj.exe
1864	Lnbbbffj.exe
3028	Lapnnafn.exe
3028	Lapnnafn.exe
1588	Lgjfkk32.exe
1588	Lgjfkk32.exe
2264	Lndohedg.exe
2264	Lndohedg.exe
3012	Labkdack.exe
3012	Labkdack.exe
2364	Lcagpl32.exe
2364	Lcagpl32.exe
2268	Ljkomfjl.exe
2268	Ljkomfjl.exe
2768	Lccdel32.exe
2768	Lccdel32.exe
1692	Lfbpag32.exe
1692	Lfbpag32.exe
1452	Liplnc32.exe
1452	Liplnc32.exe
2924	Lpjdjmfp.exe
2924	Lpjdjmfp.exe
2156	Libicbma.exe
2156	Libicbma.exe
2560	Mlaeonld.exe
2560	Mlaeonld.exe
1532	Meijhc32.exe
1532	Meijhc32.exe
2740	Mhhfdo32.exe
2740	Mhhfdo32.exe
2452	Mbmjah32.exe
2452	Mbmjah32.exe
2532	Migbnb32.exe
2532	Migbnb32.exe
1196	Mhjbjopf.exe
1196	Mhjbjopf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lnbbbffj.exe	Lclnemgd.exe
File created	C:\Windows\SysWOW64\Lndohedg.exe	Lgjfkk32.exe
File created	C:\Windows\SysWOW64\Mhjbjopf.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Nhaikn32.exe
File opened for modification	C:\Windows\SysWOW64\Knmhgf32.exe	Kgcpjmcb.exe
File created	C:\Windows\SysWOW64\Daifmohp.dll	Mlaeonld.exe
File opened for modification	C:\Windows\SysWOW64\Nhaikn32.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Kcakaipc.exe	Kofopj32.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	Labkdack.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Lccdel32.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lpjdjmfp.exe
File opened for modification	C:\Windows\SysWOW64\Mlaeonld.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Kcakaipc.exe	Kofopj32.exe
File created	C:\Windows\SysWOW64\Kklpekno.exe	Kincipnk.exe
File opened for modification	C:\Windows\SysWOW64\Lapnnafn.exe	Lnbbbffj.exe
File created	C:\Windows\SysWOW64\Lgjfkk32.exe	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Mbmjah32.exe	Mhhfdo32.exe
File opened for modification	C:\Windows\SysWOW64\Migbnb32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Imbiaa32.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Nmbknddp.exe	Nigome32.exe
File created	C:\Windows\SysWOW64\Jcjbelmp.dll	Kofopj32.exe
File created	C:\Windows\SysWOW64\Hfjiem32.dll	Lclnemgd.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lpjdjmfp.exe
File created	C:\Windows\SysWOW64\Elonamqm.dll	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Oqaedifk.dll	Ncmfqkdj.exe
File opened for modification	C:\Windows\SysWOW64\Kconkibf.exe	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
File opened for modification	C:\Windows\SysWOW64\Liplnc32.exe	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Njfppiho.dll	Mhhfdo32.exe
File created	C:\Windows\SysWOW64\Ndjfeo32.exe	Nmpnhdfc.exe
File created	C:\Windows\SysWOW64\Nhllob32.exe	Nenobfak.exe
File created	C:\Windows\SysWOW64\Kfmjgeaj.exe	Kconkibf.exe
File created	C:\Windows\SysWOW64\Pecomlgc.dll	Libicbma.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Kjbgng32.dll	Nmpnhdfc.exe
File opened for modification	C:\Windows\SysWOW64\Kklpekno.exe	Kincipnk.exe
File created	C:\Windows\SysWOW64\Mmdcie32.dll	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Fdbnmk32.dll	Ljkomfjl.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Nhaikn32.exe
File opened for modification	C:\Windows\SysWOW64\Nckjkl32.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Lmnppf32.dll	Nkbalifo.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Npagjpcd.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Kconkibf.exe	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
File created	C:\Windows\SysWOW64\Lapnnafn.exe	Lnbbbffj.exe
File opened for modification	C:\Windows\SysWOW64\Lgjfkk32.exe	Lapnnafn.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Mbmjah32.exe
File created	C:\Windows\SysWOW64\Maedhd32.exe	Mofglh32.exe
File opened for modification	C:\Windows\SysWOW64\Meppiblm.exe	Maedhd32.exe
File created	C:\Windows\SysWOW64\Kgdjgo32.dll	Ndjfeo32.exe
File created	C:\Windows\SysWOW64\Khqpfa32.dll	Lccdel32.exe
File opened for modification	C:\Windows\SysWOW64\Mhjbjopf.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Mgalqkbk.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Npagjpcd.exe	Nmbknddp.exe
File created	C:\Windows\SysWOW64\Hloopaak.dll	Keednado.exe
File created	C:\Windows\SysWOW64\Lclnemgd.exe	Knpemf32.exe
File created	C:\Windows\SysWOW64\Lccdel32.exe	Ljkomfjl.exe
File created	C:\Windows\SysWOW64\Kincipnk.exe	Kcakaipc.exe
File created	C:\Windows\SysWOW64\Ddbddikd.dll	Kklpekno.exe

System Location Discovery: System Language Discovery 1 TTPs 57 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lapnnafn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knmhgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mofglh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhllob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lnbbbffj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Liplnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcakaipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kklpekno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckjkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nigome32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npagjpcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncpcfkbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kconkibf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lndohedg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nodgel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Keednado.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjbjopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgalqkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kincipnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Labkdack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgemplap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lclnemgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maedhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmpnhdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knpemf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncmfqkdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmjgeaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjfeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbmjah32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcagpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lpjdjmfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkbalifo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nenobfak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kofopj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kegqdqbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlaeonld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhhfdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nmbknddp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kgcpjmcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lgjfkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lccdel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meijhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mabgcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljkomfjl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kofopj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kincipnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbiaa32.dll"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpnnfqg.dll"	Naimccpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncpcfkbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hloopaak.dll"	Keednado.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkcfcoqm.dll"	Liplnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhajpc32.dll"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mgalqkbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Npagjpcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncpcfkbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mehjml32.dll"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lapnnafn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbnmk32.dll"	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjbgng32.dll"	Nmpnhdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kgcpjmcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lgjfkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ljkomfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhhfdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbmjah32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfca32.dll"	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihclng32.dll"	Kgemplap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Lccdel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Mbmjah32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lccdel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meijhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfppiho.dll"	Mhhfdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maedhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Liplnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfblnnh.dll"	Meijhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kegqdqbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikhak32.dll"	Lnbbbffj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aepjgc32.dll"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lndohedg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Labkdack.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Macalohk.dll"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmceh32.dll"	Kcakaipc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2140	2960	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe	28
PID 2960 wrote to memory of 2140	2960	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe	28
PID 2960 wrote to memory of 2140	2960	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe	28
PID 2960 wrote to memory of 2140	2960	1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe	28
PID 2140 wrote to memory of 2892	2140	Kconkibf.exe	29
PID 2140 wrote to memory of 2892	2140	Kconkibf.exe	29
PID 2140 wrote to memory of 2892	2140	Kconkibf.exe	29
PID 2140 wrote to memory of 2892	2140	Kconkibf.exe	29
PID 2892 wrote to memory of 2536	2892	Kfmjgeaj.exe	30
PID 2892 wrote to memory of 2536	2892	Kfmjgeaj.exe	30
PID 2892 wrote to memory of 2536	2892	Kfmjgeaj.exe	30
PID 2892 wrote to memory of 2536	2892	Kfmjgeaj.exe	30
PID 2536 wrote to memory of 2584	2536	Kofopj32.exe	31
PID 2536 wrote to memory of 2584	2536	Kofopj32.exe	31
PID 2536 wrote to memory of 2584	2536	Kofopj32.exe	31
PID 2536 wrote to memory of 2584	2536	Kofopj32.exe	31
PID 2584 wrote to memory of 2460	2584	Kcakaipc.exe	32
PID 2584 wrote to memory of 2460	2584	Kcakaipc.exe	32
PID 2584 wrote to memory of 2460	2584	Kcakaipc.exe	32
PID 2584 wrote to memory of 2460	2584	Kcakaipc.exe	32
PID 2460 wrote to memory of 2996	2460	Kincipnk.exe	33
PID 2460 wrote to memory of 2996	2460	Kincipnk.exe	33
PID 2460 wrote to memory of 2996	2460	Kincipnk.exe	33
PID 2460 wrote to memory of 2996	2460	Kincipnk.exe	33
PID 2996 wrote to memory of 572	2996	Kklpekno.exe	34
PID 2996 wrote to memory of 572	2996	Kklpekno.exe	34
PID 2996 wrote to memory of 572	2996	Kklpekno.exe	34
PID 2996 wrote to memory of 572	2996	Kklpekno.exe	34
PID 572 wrote to memory of 1780	572	Keednado.exe	35
PID 572 wrote to memory of 1780	572	Keednado.exe	35
PID 572 wrote to memory of 1780	572	Keednado.exe	35
PID 572 wrote to memory of 1780	572	Keednado.exe	35
PID 1780 wrote to memory of 2796	1780	Kgcpjmcb.exe	36
PID 1780 wrote to memory of 2796	1780	Kgcpjmcb.exe	36
PID 1780 wrote to memory of 2796	1780	Kgcpjmcb.exe	36
PID 1780 wrote to memory of 2796	1780	Kgcpjmcb.exe	36
PID 2796 wrote to memory of 640	2796	Knmhgf32.exe	37
PID 2796 wrote to memory of 640	2796	Knmhgf32.exe	37
PID 2796 wrote to memory of 640	2796	Knmhgf32.exe	37
PID 2796 wrote to memory of 640	2796	Knmhgf32.exe	37
PID 640 wrote to memory of 1440	640	Kegqdqbl.exe	38
PID 640 wrote to memory of 1440	640	Kegqdqbl.exe	38
PID 640 wrote to memory of 1440	640	Kegqdqbl.exe	38
PID 640 wrote to memory of 1440	640	Kegqdqbl.exe	38
PID 1440 wrote to memory of 1984	1440	Kgemplap.exe	39
PID 1440 wrote to memory of 1984	1440	Kgemplap.exe	39
PID 1440 wrote to memory of 1984	1440	Kgemplap.exe	39
PID 1440 wrote to memory of 1984	1440	Kgemplap.exe	39
PID 1984 wrote to memory of 2872	1984	Knpemf32.exe	40
PID 1984 wrote to memory of 2872	1984	Knpemf32.exe	40
PID 1984 wrote to memory of 2872	1984	Knpemf32.exe	40
PID 1984 wrote to memory of 2872	1984	Knpemf32.exe	40
PID 2872 wrote to memory of 1864	2872	Lclnemgd.exe	41
PID 2872 wrote to memory of 1864	2872	Lclnemgd.exe	41
PID 2872 wrote to memory of 1864	2872	Lclnemgd.exe	41
PID 2872 wrote to memory of 1864	2872	Lclnemgd.exe	41
PID 1864 wrote to memory of 3028	1864	Lnbbbffj.exe	42
PID 1864 wrote to memory of 3028	1864	Lnbbbffj.exe	42
PID 1864 wrote to memory of 3028	1864	Lnbbbffj.exe	42
PID 1864 wrote to memory of 3028	1864	Lnbbbffj.exe	42
PID 3028 wrote to memory of 1588	3028	Lapnnafn.exe	43
PID 3028 wrote to memory of 1588	3028	Lapnnafn.exe	43
PID 3028 wrote to memory of 1588	3028	Lapnnafn.exe	43
PID 3028 wrote to memory of 1588	3028	Lapnnafn.exe	43

C:\Users\Admin\AppData\Local\Temp\1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe
"C:\Users\Admin\AppData\Local\Temp\1c8a1a2f42fd70f262b091743ad8853b9ab7884f21c9c8a5b0145c5e74880ed5N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\Kconkibf.exe
  C:\Windows\system32\Kconkibf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\Kfmjgeaj.exe
    C:\Windows\system32\Kfmjgeaj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Kofopj32.exe
      C:\Windows\system32\Kofopj32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\SysWOW64\Kcakaipc.exe
        
        C:\Windows\system32\Kcakaipc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\Kincipnk.exe
        
        C:\Windows\system32\Kincipnk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\SysWOW64\Kklpekno.exe
        
        C:\Windows\system32\Kklpekno.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Keednado.exe
        
        C:\Windows\system32\Keednado.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\Kgcpjmcb.exe
        
        C:\Windows\system32\Kgcpjmcb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Knmhgf32.exe
        
        C:\Windows\system32\Knmhgf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Kegqdqbl.exe
        
        C:\Windows\system32\Kegqdqbl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Kgemplap.exe
        
        C:\Windows\system32\Kgemplap.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Knpemf32.exe
        
        C:\Windows\system32\Knpemf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Lclnemgd.exe
        
        C:\Windows\system32\Lclnemgd.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Lnbbbffj.exe
        
        C:\Windows\system32\Lnbbbffj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Lapnnafn.exe
        
        C:\Windows\system32\Lapnnafn.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Lgjfkk32.exe
        
        C:\Windows\system32\Lgjfkk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Lndohedg.exe
        
        C:\Windows\system32\Lndohedg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Labkdack.exe
        
        C:\Windows\system32\Labkdack.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Lcagpl32.exe
        
        C:\Windows\system32\Lcagpl32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Ljkomfjl.exe
        
        C:\Windows\system32\Ljkomfjl.exe
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Lccdel32.exe
        
        C:\Windows\system32\Lccdel32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1692
        
        C:\Windows\SysWOW64\Liplnc32.exe
        
        C:\Windows\system32\Liplnc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Lpjdjmfp.exe
        
        C:\Windows\system32\Lpjdjmfp.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\Mlaeonld.exe
        
        C:\Windows\system32\Mlaeonld.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\Meijhc32.exe
        
        C:\Windows\system32\Meijhc32.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Mhhfdo32.exe
        
        C:\Windows\system32\Mhhfdo32.exe
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Mbmjah32.exe
        
        C:\Windows\system32\Mbmjah32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1196
        
        C:\Windows\SysWOW64\Mabgcd32.exe
        
        C:\Windows\system32\Mabgcd32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Maedhd32.exe
        
        C:\Windows\system32\Maedhd32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:904
        
        C:\Windows\SysWOW64\Nckjkl32.exe
        
        C:\Windows\system32\Nckjkl32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Nkbalifo.exe
        
        C:\Windows\system32\Nkbalifo.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\Nmpnhdfc.exe
        
        C:\Windows\system32\Nmpnhdfc.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Ndjfeo32.exe
        
        C:\Windows\system32\Ndjfeo32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Nigome32.exe
        
        C:\Windows\system32\Nigome32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\Nmbknddp.exe
        
        C:\Windows\system32\Nmbknddp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\Windows\SysWOW64\Npagjpcd.exe
        
        C:\Windows\system32\Npagjpcd.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Ncpcfkbg.exe
        
        C:\Windows\system32\Ncpcfkbg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Nenobfak.exe
        
        C:\Windows\system32\Nenobfak.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\Nhllob32.exe
        
        C:\Windows\system32\Nhllob32.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Kcakaipc.exe

Filesize
80KB

MD5
f509f4d2fe25c49839915cdf99bb4e8a

SHA1
2c7e3be2d74d1208c0ce3a15802a1f9bbc522f83

SHA256
afd684630e5d41400a95520b5d1cf153c94642a596d415c20ecedb36c0ff4527

SHA512
a9681a117046d628df96638826af6ac1b70be70a62ec67fa38ce66d9d6e10061c3dfed8fdcb38f8e1d6038adb106e10cba0cb063ad39f659b07491dd0074b16e

Download Submit
C:\Windows\SysWOW64\Kklpekno.exe

Filesize
80KB

MD5
11987238abcf9b0cd992c99ad5feecee

SHA1
dd4277a4ab23d9fe45e199d5b39033760029fce7

SHA256
338515979dfb675ebfee5fa684a88437c0b3edeab03f3d66b5fb93e6e109afb5

SHA512
b60ccd1313373ce845dd623c61709a7499dfa3ffaaa4bcbb9b7a58d4474bafb87f683084dccfcbcf31bd19bcb38c6af1065c0506f5afc50f797300008b65ee2d

Download Submit
C:\Windows\SysWOW64\Labkdack.exe

Filesize
80KB

MD5
224f3d95bd1e3ce66a13409af0d78520

SHA1
373703365cbf289f8e60d6bfd7aeb711687bc5c1

SHA256
2b6ae3c70f2dd7ddf2cf740bf242efc84da84b675bd92dfcbf2f5202d7ce93af

SHA512
2cba878d2aaafe4e08446aed2c508dd6a33abc1cba04b3aea9d65c1de08fdb64140f3e0493d4dc966f11de93698676a30fe200b5c00c2e2a6922df15724678b6

Download Submit
C:\Windows\SysWOW64\Lcagpl32.exe

Filesize
80KB

MD5
4354ceb503ef96df25b9cfa8e351ed0c

SHA1
ad19a956d1c4ae458b033315d5231d368cd58a39

SHA256
b8f4a25edde8013cbd7d68f2af09a00bf3d9a3a1609a0c8209ae0cf9580ce80b

SHA512
1606f039956d942b7d6d58276153e5662e12a062ba97602fa5881af347b703bd44363b648cb7fbaae36960f29e047ca9cb44d82d435085c01fdb5f72aad3960f

Download Submit
C:\Windows\SysWOW64\Lccdel32.exe

Filesize
80KB

MD5
3df81c957fd1eefa1dedfe584b7ba5f0

SHA1
b9f424dc2897d24c150d04dacc7599f2da3329a3

SHA256
d11a474ac1fe83d195eb2d152ab13bf858a1a853fb40d58fe8fbae69cfa5e910

SHA512
109f622d8913cdc831d34ecc7e047fecd1142efb8e8d1aacf4d1376ed5874225d4fd85825141835f75cfb3faeb7c51bd3bd4dbb2a4381d76ae4cf68133ff2fa0

Download Submit
C:\Windows\SysWOW64\Lfbpag32.exe

Filesize
80KB

MD5
5aee6a2adcff8610771da44299a82164

SHA1
2a6966246c23cf1369114566177b97a55bfad2ba

SHA256
646f2e845d08110f9e5223bf295b9d0b531ab33f58c4a540af0aad2a659fc897

SHA512
6b966c3892c0fa1e8cc9d11fd714bd52979f61d03c5c66ade406ee31546a4d56d9630d50c4dced946e524381c88111c4c55bed9a599aae53f3b1034f7732a34e

Download Submit
C:\Windows\SysWOW64\Lgjfkk32.exe

Filesize
80KB

MD5
b4aed82c7f42da231ff516ce0d2b32bd

SHA1
99f446c6ecd275e5ca4cfb0ec93d14ecbf177ae9

SHA256
32c4e5312ba2e1d4cedb2c31c91f98dcc8d4abb2126ec7195739e117ee4892e7

SHA512
dfa1c22ce5e338e82c14bd13d2795ae2f2d8c1bb4cc730af883f1e5a99a8f956e8fe2294efc8114a53d817374ecad29a422f82c4e81eea43e43bf92a5333a643

Download Submit
C:\Windows\SysWOW64\Libicbma.exe

Filesize
80KB

MD5
762bb5cbc9377eda4c9af07e2a367ba4

SHA1
bfd9c5a383f477c1a3af53451cbb9c6bef87a65f

SHA256
c0e3dd18e2aaddb971481ac07c563040b58b830bf5314a2e36911e783d70fb5b

SHA512
2386ed2a900cbc5832c4d3c6b97aea0dbf7bf736922bb7615879dbbdf36246b31ec6371dfe5549497296f86be0b9a2d9ad1233187586e04e4915058a8d3b7029

Download Submit
C:\Windows\SysWOW64\Liplnc32.exe

Filesize
80KB

MD5
35336e563b46aeebf69d47ad3efa53ed

SHA1
46a822aa6d30d68c3e1e36558d199e291d534a13

SHA256
e5cf3aaaf3d527589f3117e2b89a3594938b05e5ec60c0eb17255dce0dc60ba6

SHA512
e3724ea942a644829a9cf5a81bc774b28e334d4664792a5907ea780a78cea93638607d4d550089e79d9ef8aa3d9c86a783fb207ea34a2399179441380cc83680

Download Submit
C:\Windows\SysWOW64\Ljkomfjl.exe

Filesize
80KB

MD5
baedd6a87a2d954b300d2f8b18529aae

SHA1
70ba9101b9b946312f838b63e7eeada29dee5c57

SHA256
a708f6bd0b961659a66b04a6572b392703ce340dfa453d44dbe9fee94f001051

SHA512
8260f985156bd07f2466a734ff07aba4131860442d76218e18b37e5eed2e0b1b574dc9f2f0806b8c106d05d19ee2a8f336ea763bab0749a4b14a9f2d085d2296

Download Submit
C:\Windows\SysWOW64\Lndohedg.exe

Filesize
80KB

MD5
3c55a406f7b6d8dce8d4a9bbae73a61a

SHA1
c84d48378bdcd9c573dbe1c0b59047bd7ac023d6

SHA256
12a6ac020d0a489ad08865ec11bd02030eac3a5233c5f0f3251c88b7b2f03815

SHA512
312d20866922f10a9388242d6fdd8d42179e7acf0df59e5b3d529060969270f63588386057340110477e0c40e7b8dff123e4baa91becb9bb6360ea38e27b808f

Download Submit
C:\Windows\SysWOW64\Lpjdjmfp.exe

Filesize
80KB

MD5
253a1b253b78a8744891208d22e365c1

SHA1
4fe0ad8370f6e0f72e62409733bdb780c9237ec0

SHA256
8803c5ae21a7d65d60f33b1352305f1f596575e77a593c9902daa556ae6d3a71

SHA512
8ab13a0d674b8e86d316f1dcdfa84e410f2141bc76e3486bb6a2f9246635acc60e1f7f680a5943167b062fa75cf0f91be3b065c8a098b15fffcf0b738274601b

Download Submit
C:\Windows\SysWOW64\Mabgcd32.exe

Filesize
80KB

MD5
c18225305cfda4e485674d15faebb005

SHA1
fa04abb3507dac20feeff1a1b003a663f6fb5013

SHA256
6ba457b60f009c12ae2dc9231614a4c2af06cc80fb14b165aa1ca80983c39404

SHA512
408aaea15833e5b79ff3f0b40c684d9ecf2f6df117296225d1ee324eb681b709feec3adb8a0898c8cfae079bc58f6d511432e5dfcb7f199da8fe9f813e66ec2d

Download Submit
C:\Windows\SysWOW64\Maedhd32.exe

Filesize
80KB

MD5
a8c69b4ccb71d8e954199bb3e2b05542

SHA1
28167374efca8228e62599460a648aef47a36d0c

SHA256
3b758e4e815a0c626748278a30898cda37ab7abcd1ab36f31d6fc28a3bfb1dfa

SHA512
84833c21bc13783f65475b243cde1c8488ac4675605cabfe8e5cf067a0e3377069107e76c232f9df53f17dafb3cb7c24fa035c42532139ba32b45b26e202622b

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
80KB

MD5
613b7c642af828efdbefad24db723dc9

SHA1
7dede0cd4328005f0ca26611b4b5b34003f97639

SHA256
bc80cb7b8cedac9fd7fa40f2764e720d0f019facfc0de6c25c322f39f07e1ca4

SHA512
37183c9519180923953f0f1254e5f2c18920457d8461a371e7e196e00bd81d477f8591b44639906668a222aa252cbbc9e6013b20d82e6722a490ac13ecebe695

Download Submit
C:\Windows\SysWOW64\Mbmjah32.exe

Filesize
80KB

MD5
dd10b8c7d92c6434024ad7a75c43a4ed

SHA1
02ee551cbf058eac64f594ad628c7df81d66aef2

SHA256
fbce938a42f9505ed676b3eb0cf9e5664278277a8369ee182efea5a061b57ec8

SHA512
e59eedda455ea3fbd931066f17e29bec570e58a376b858821367b2a50fe81022c5367678868b73ce449592de9f02ef20b651f8f97f3aed12e229315b535ce690

Download Submit
C:\Windows\SysWOW64\Meijhc32.exe

Filesize
80KB

MD5
7aa0c8e9655da2bacb7fc527660859bd

SHA1
158e9ecf778993e2ea23289d16c7991b37908344

SHA256
bd4971ba479b3a4002c2b7371b40bb272fb96c8c96d174560c13f093ce20177d

SHA512
487e72bde10a10c17abf150979fed62f13c0ccf33049d832f4fc9b36496c02a6ed8d18d003f5f87194200584dbda5cc02e59c0dcf0ee48662dee1d282ccb63b5

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
80KB

MD5
79e1effd6310befdf07820bfcb50221b

SHA1
b3a3d0f5fe1173f04f296e1cbdd9031a7bf06700

SHA256
90a6a4c67e2b8a2c11598fcf54598b657bfc347f211435e40237a7d9cf6cbf03

SHA512
8fc96e4847d5d90c58dec73bcecfd0abcfcfa7e0160292f9ddc69f69a1286aa16d0fe13f64b98e026698a3494ac5aa1e70159b5b51b538224942a9927f39a618

Download Submit
C:\Windows\SysWOW64\Meppiblm.exe

Filesize
80KB

MD5
22170518f3cbc5c31996823d8bf270e5

SHA1
b4998810fce76117d432333d3502299c764ed9a3

SHA256
8600d3bacb70420ecd82d050aa214bc512d215751b3a7921759749092d6dc3bb

SHA512
54c2f5711a3466d1c3996888468b173afa5f858d51ee7cde2274338ccadcfea9fa4c6a2f48a672248b440d80a1e0dc5e0ceba36f9fd8ff569f25bda6754c8ee8

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
80KB

MD5
37ce885c55a076e9a878f174f5defbf3

SHA1
88f48088ddb7546b100f679431c2d4b2a42bc3c1

SHA256
225f524459b663624701fe4d4693318597018e36cef2379daac04a19758a6732

SHA512
81b88944dca249b026549213915a0f467258f2ac5a5136ee6542035efca188e4da8ac6ead9f2f125f8993a33564f8f41c00aac968492890a3d815ca137e8280c

Download Submit
C:\Windows\SysWOW64\Mhhfdo32.exe

Filesize
80KB

MD5
c70fe8ae6aa13acb95c6375a8df993a8

SHA1
1da39d663f01b21eea601bbae0b109fc68230b6e

SHA256
a621ebde07a27d75fe8c8b6cfdeb94f3351d8ddf5dfaa44e625a19f90898de39

SHA512
ad0ec392e40d1dff846f8703ca1aced4b2e36a1bab492f0213d68b326221fcb02f61cea51c3060df72ed8aab18c0dd2cb9667e48f42f95df009e4643e6df172f

Download Submit
C:\Windows\SysWOW64\Mhjbjopf.exe

Filesize
80KB

MD5
2b9e7f491f7fad124dc17ac22313b21a

SHA1
fef1fab14d7e7fbd54745179cc64aa238aa6bc3c

SHA256
129b9a930e64cc81793d843d45f3b84b0778a6426f0541fc0644214f88027189

SHA512
f29dcc2a4c1f395dc854edb8ba0f7e2e9dc2c13dd03e272b078af26071255e3fe1a3161f6b5da515789fc6a9b45e40fbd2627065d94d34bcde69dd4cb898a344

Download Submit
C:\Windows\SysWOW64\Migbnb32.exe

Filesize
80KB

MD5
939b0ab0494882d47322986eeb58fbb9

SHA1
3ff90f4b1f4f5e58c7f25a1a0f60b7f4a53586ad

SHA256
38890097fc697fc33a27e63f3e649853acd62742bf19b1475636abdef5cf897d

SHA512
fc9d7185d5244aa6698bc28b185607d5d75e8ee367cf3286a4c55a6a7a3fbc59746777a0ced0ffbae8a0cab92a559f4d110c7e6492030f6e4f885a2279f6a642

Download Submit
C:\Windows\SysWOW64\Mlaeonld.exe

Filesize
80KB

MD5
cc1c41e8bde612f1d63804d567bd513b

SHA1
626305a5382cd1169b04d11b840e0f25cec42da5

SHA256
0d61c540f8c2d8fc86e962e521ad17bad0ccfbb0d7bc6d0cd169e0cb6ff09958

SHA512
6490a5ac9af3a589774ec58c882b832f71189f9788886630093de43f4a443faa4aa8882d5bd29d8173fdcf7be1cc0a095c0dbfb69c1b5b1a4897022f403626c3

Download Submit
C:\Windows\SysWOW64\Mofglh32.exe

Filesize
80KB

MD5
459b8ab3df1cdf922266b57e7b22638c

SHA1
bb8a1f1a07be9544490b02cee9e9dc76f7e6059c

SHA256
317447c4f24ec165323671fbd1e761fc5eefaa65b4afbe24c91dbcde4db9f965

SHA512
b539cbaf3c6824a37bc4720d5be1a6a954718a9b308e2a0e462472228d425e1030618c6eaa5f571eac5fa978a0729c8b07e81c5a3854b70b64f0bcf1f4f83e7e

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
80KB

MD5
565dfa9cef4da53d6535faf0172b97fa

SHA1
e3ddd80563f37d8eb5e89f2812ec9bb661a80251

SHA256
f5728a684af99bad7726dbe95f28aa309e210db2c8aa13b126bf55aacc98a569

SHA512
525be7e7fe3557bed4a5b6313346ba6c81ab1db87684377369724ad870d45397be49a1cdff6486aed0aeb026607777fcc4b3e16dfcc014019420ab5bd2bc1d14

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
80KB

MD5
5a7e8fcebc73c3815c7ef5b260b9da11

SHA1
e3060aab57192c73b54f097e7ebb581e380be959

SHA256
a8c62ee2644087d446c77f002976fecd671de52035c37ff0ed5ef93dc7fbca51

SHA512
521bf32a5bdb332dd4c63b49f628c044619fe2a613d6d07027d9df787e5693acefca2b2ef2963568ee8a99f3324a46232fa78828d34ed1dc8fb018f770a5c75a

Download Submit
C:\Windows\SysWOW64\Nckjkl32.exe

Filesize
80KB

MD5
13cff37f13b112fb5952f7a9785e3ad3

SHA1
e752b7fd76c0b45da791321832bf52297dc626d6

SHA256
340aa9a21d8bc978d3880a7e12517e3ffc9d6704395dd9771a6ceab7fdb971c7

SHA512
2807ca5a828e197fb77048badb004ec2e95e626e58bc483ca45cc80405d8e5856bf5bae7eb9081ccb825d64fdd8472c746675b37ed3cee5a85f7af1c63787e21

Download Submit
C:\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
80KB

MD5
821e68bfff7dc921f2a7c0c29fb1b848

SHA1
80b18d04a48a1070767614f21cae323c84f8f739

SHA256
8a32a128cee143281d1cb86756f1523f8517c794b022d0474174b50c89d0fd44

SHA512
7d1f742e6efc49f28c44f2c1eee2973ea38aa0c568b4a408bbb936c4a3a9d472a80c339f1fb406d34a30bee848074d80c94b975f4981f1376d80ca6c56015399

Download Submit
C:\Windows\SysWOW64\Ncpcfkbg.exe

Filesize
80KB

MD5
1476f8775c20eaa80aefccafb61838fa

SHA1
b07584909ea95229a2caa058485dc1f2ffeade49

SHA256
22e421788e928e63504805cc3ef4d6ba432421891d99bfdec395c283de1f0de3

SHA512
8f1af5fe8360d691a5399bcc1f0da1126c3c32e9bd8116fea73f83e9593a79dea1362f5cc1f03154dfacbb618fe408be3f9ff65642b97ee530fa201a46c5223e

Download Submit
C:\Windows\SysWOW64\Ndjfeo32.exe

Filesize
80KB

MD5
79fc718ffa423a93a8879dc35ed6d42a

SHA1
92f4e05a9aa729dc570e9f388fc20b915d81f6e3

SHA256
9464eee5a294e879dba2a4c1f62a1baa682281efbf65fd662a328ef5eab16c73

SHA512
7b8ce064efa0a666fcfb06e15238c4852d57aea6353b51c159d5ef446069de59c983461ef7fb7f499895bce3af50152c2804ee3783bc7dae26aa015a09e63cc2

Download Submit
C:\Windows\SysWOW64\Nenobfak.exe

Filesize
80KB

MD5
64bcf0edd5a5f88e8ef963cb0851f34f

SHA1
088ed99c41c97a95bf02a9f2dd21413216a98709

SHA256
80f09765f846a71b93adb9a2ad5ff4b9fa59b8219918088354d67de2c0ee5bb3

SHA512
cd769130960d514af16023119800618fa6176ce2bd32bc81d53ec4184eedc35afa360005008255088692f25ccf36a62d5ce29500d4bb65f6ed8c7cfc21c571db

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
80KB

MD5
98fbf0b02458fbee35efa852b3b639c2

SHA1
d866ef878288e15ba1d37439da72ac6ea425469c

SHA256
cdee8de1deffbd2b61e2e796d91d43943370fbf56f1e13b4d81fe4017a52561d

SHA512
9c474287d552c928de40acac6e6284d280b67dc5682c25d0b7fd87db010a27b5b4558b3c77e07cc36e8fd714b472e2f6c9464edc841460674d14a5eafd58af48

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
80KB

MD5
99246ad556be4f32216ae21fe1ed369c

SHA1
c2e9e5d631a5d6bc24a44c7b746c8efd9e94549d

SHA256
00486e1e36675f8879892f5dd025becae1ffa08aa34b9065c5b1cab9a6a8470d

SHA512
919dad8da037175d9b1d66c1234ba2d80518bf794f8a1ac4c17c340f72141971e3c3a963a839d66d6bbd62ae37685c69e143807cb9e6ddf0b9ffcb5aa0266ab8

Download Submit
C:\Windows\SysWOW64\Nhllob32.exe

Filesize
80KB

MD5
e16b34e023ddecaa322899f617502b88

SHA1
e42b0cb53b8e9b67ffa900b9ad7d62d09f7b6def

SHA256
9889e37cdcde64f0d5b6ec4da98f574e4cf7d30fc47d206f4913bcf6b11bfa7a

SHA512
443d461bcad22429f77950e59761ed2965b77e91c274a3400317567fe62891a6f16723dbd66b6f53b4f03d41e6ea75f4921300bd16e944d5d34c3f137e093937

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
80KB

MD5
d750b33b203ef8b758471d236596dec9

SHA1
f3a5153f615c43fee9de2ae471b6729fb55d83af

SHA256
fc2edb40163ca34cdd610cf78e27843c42e15ee3f3d575bbff3b47226c5f4806

SHA512
83793075a01b0edba0a5690a6e7113c7f563861da831b30adb5b3c5bddf648cc76f9a28dadd80bd6cd67e1de32c48c55f7489e26218a80455a99ffbbb4614934

Download Submit
C:\Windows\SysWOW64\Nigome32.exe

Filesize
80KB

MD5
d48b37296d2e7cb2fc9f7d635416a7c8

SHA1
e02c6ad83c88264e49a88ee510797f6eb316f5f2

SHA256
d219b20c16e431ab323b0c10641aff1028ef458ef86f227c93afeb29c914521c

SHA512
0ac4ceab479f3f5a5fddb3688461bcd7ccaa78dd9c8248975cbbdea6a9ad971b8c691f78d2d3aaae72fe4108f72ec85c97d1872c04e7e47a547b2469c9109249

Download Submit
C:\Windows\SysWOW64\Nkbalifo.exe

Filesize
80KB

MD5
468639b143341a6fb4e84aad8c6e4cd4

SHA1
b8be5ff6991595421768c38d2d524e21e992f472

SHA256
68140e1d92abd79f30b01aecc26b522b5e96e228799c22b7aa6afaf961d34926

SHA512
2132e8decefc318c39584852c0108cc9821dc01c001d788a13c7130b3e6d5363bd822a5abbaf2dfcba15274ae26f283c668f189abff952c0a6b1a7339aa41ec8

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
80KB

MD5
c76ae77b804211c569d662c551d42ef8

SHA1
6c94a818e8eb34e9fd39a21dfa0be76d343ee7a4

SHA256
2cff416836b145ae75f905614b48374d7aad0be16aec9b5f34c176893336a40c

SHA512
6f8c20c9c9651bf7002b2570374383e25c41363c2294b4467c5fcf8abffd9de46c30efa4fb0bd40447831cc0e339ff3e55f8cfe3456345709ea5d7754827c26b

Download Submit
C:\Windows\SysWOW64\Nmbknddp.exe

Filesize
80KB

MD5
f5a7b09849bc4fb39b6f013694cf9c9e

SHA1
ec07ce50a352da41aed1ad3a00771e4cba03a732

SHA256
58a7fc8842443e38006c0b6f5e750b34e422de3a205ea712e7fe5b13baf21036

SHA512
3347fd2ceceb37cd5fdaa9ab98958426d38013393d6cf574e5ad1e32338ee7bd21c877f1f2adb9f4f06d4fd8c7d7de01844e58359d7862a416aa6d1b4cffbc96

Download Submit
C:\Windows\SysWOW64\Nmpnhdfc.exe

Filesize
80KB

MD5
d928223962a8771242fd785604bf7b52

SHA1
8d189553a791edf1f62e0a69dcf94080b548f61e

SHA256
622f37a319c6cf27f3ff9bd4c1181d6657b354e468303a56ea2a3d1d75bfab66

SHA512
07409b1ddb079f62d6d3b9ed65213d2d0e6aba5e1f9f2a324eadce0e29342bc1340c9925f92d4cc0cb9bc801b5cb35ffa2f50a2914f62270d04e604a0f6261d2

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
80KB

MD5
ba54362c23e684dc162464ec7a00184c

SHA1
902b3d67843b545006ca645cff8a2ec6d0a2884d

SHA256
8be0210b19ebce23233e24b0505780ee5f06dacef957e0a3cf2ad7b6d90ded47

SHA512
b185105a30038ef90217057a58be49668998a6b9d9e6f62878b864ad58393a33c15f9a69864d07814c0e02aa7b0b1d1e70411a444087484294aeacce009951db

Download Submit
C:\Windows\SysWOW64\Npagjpcd.exe

Filesize
80KB

MD5
6aaafdefc22ab4c0fccd1d90d4d7470b

SHA1
5ea796ba05ce62e2b0c0696a032d5703ee51e38a

SHA256
51081426d6aae8690007ec3534396c4092937cea4645639f5ed148515fef5b8a

SHA512
f8a5533795d8052b4693db6e12fbecda60dab31f390581e1880380b9e4d6ef2f5be31bb3d81c82f469cf2da62015d00e274efd31d64c38c4c6db6bf71e64d0c0

Download Submit
\Windows\SysWOW64\Kconkibf.exe

Filesize
80KB

MD5
8a22fa523f3bf361747da69bb43bb6e9

SHA1
58ae5eff572548e4b7061c6a3926eb5a03b75377

SHA256
2f95c0094c38414ec105b1050e91f7cffc031491dc24afc80c882a7b44d2027e

SHA512
a8577f26ed4831fe48c5950461bb2db962cbc992a83211350c040492eb48ba236b8a26bf3404823dbedc08cd7e688b18fbca2ea682002bd7d2c90c7406e9f7da

Download Submit
\Windows\SysWOW64\Keednado.exe

Filesize
80KB

MD5
f291091bf6350f12542b30cd710a35a8

SHA1
45404ec0f0ac51603dc63210c6738d1aa6871698

SHA256
44af513aa092dbad2888e3031f7b6facb8b1d1d6d924fe7a162c146c3c19377b

SHA512
388be7b22c69bc5483ba0e007e8beadd5c3162332a023387fcddc76d83e3ee24e9aeb442683775bfe05810dd1ca774bb5ed6f1a4ada61c3502a680d29e0422a0

Download Submit
\Windows\SysWOW64\Kegqdqbl.exe

Filesize
80KB

MD5
abe51388c9b087bf18b7b82cf7d97ded

SHA1
19846b7159d2d4ee9af3f0ba9c5d96b59cc95c15

SHA256
2d399a4cbd161275bb5fc4fdf54468bc081e37e26b0b7933fb338f9b2c1db857

SHA512
1025d84aa55505b2c16b354ddf2bbebc1d3da35bc7a4f240dc49c9add57cf9611acb6513db0ee9d67905862104efa639883a76f1ddaf582b796fd824d1489f78

Download Submit
\Windows\SysWOW64\Kfmjgeaj.exe

Filesize
80KB

MD5
c354afb89eabddc6bbeea62cfb642c52

SHA1
c42533858c7ce40cedb959e5898c0956b778fdf2

SHA256
cc3bc8bfb8c9a87eb70c78a188c6fe02cd29e9efb50c8f16aa1ea0bdd3cf1c55

SHA512
97c92bcf5c7a5900837aefc07f0fc1451d69e402204de185579449b9802845393b67c45dc6848a5995a62932ab86a49a2f0de66f0d2ed333b7625c9ad3c9c84b

Download Submit
\Windows\SysWOW64\Kgcpjmcb.exe

Filesize
80KB

MD5
b08ada10e44c344a3afb42aaa502b773

SHA1
5cd7d1352efddd4d540466e3d82b4d0b4adb8e38

SHA256
27bd36eab3257e055669f931ef1849c38af6f9998ef285fe52c926ed5614770b

SHA512
239f0873404f5ceb228a1d6f52067d4efc7751809ed7a47f714b3d2de2808f090c86ab8190201bd60955de7430e8719cdad67de84be1f882c0bb87c3e1a12dab

Download Submit
\Windows\SysWOW64\Kgemplap.exe

Filesize
80KB

MD5
a7e8083546cc8a4d8fbe65de145d935e

SHA1
d3501ea74944d9c5cc150724d374d84f2020eb64

SHA256
a3f22c45d530d10f6788746f72b0665f055e57d7b201bb0817dc199bf32499b2

SHA512
8e497a1e13c32a36f5a71514b846387d4a79082c1186ccf40312bcd24ac5100c07bfcadb367f9fab39b1612c788ae3cc92eac2c9460a04d8ddef9a09d5ec0079

Download Submit
\Windows\SysWOW64\Kincipnk.exe

Filesize
80KB

MD5
1973e3e4e8cb88656c2cf16e2e5f5ff0

SHA1
d119054e8db5b38e4535f6e4c44a0c4723e9dc49

SHA256
821e837eca948d34f32299ab42f4102ba142d43f0794e94cc6fbc47bb00f6b5c

SHA512
3e6da81ea0f922699877093901ca7eb090a12a0d7e41f30b133a5d4d4100bc91d78468d6ebc86c791dc0736b7355689a4308ab8b6421e7766203a15955f13e3f

Download Submit
\Windows\SysWOW64\Knmhgf32.exe

Filesize
80KB

MD5
9c0ea8eb86bb561385001a2dd41f9d23

SHA1
55de1161ba0102d9a74bc4d7ef2bcbbc80870c9f

SHA256
dff45a5414560d9e0b01d5343990f98937db2d5c166ba6af7e317a69f020830a

SHA512
977c6435df6dc11a2d9bfe79910d8ca2061bd43546d2375d0cd3b1d3762b2bb0e8f7eaea5e458b2d49779f6ccfffac367359b28982e65edb184a376a28d0597a

Download Submit
\Windows\SysWOW64\Knpemf32.exe

Filesize
80KB

MD5
e938475b08177aede6670b377f3d94e0

SHA1
5396dbf6fbc1bc601bead8650d7a249a21a3bc87

SHA256
eb8013fcfc445b430d75745782b60909f895422653370f2efcfc2519fc347f42

SHA512
aedaa3fccde1252ea6d56e187afd8a03d619479e0d7e4ea0bbf5d50961864c2c418376d361138f5181baacdd3cf6335a30392505bee2eead2cc57a88d090b026

Download Submit
\Windows\SysWOW64\Kofopj32.exe

Filesize
80KB

MD5
df3fec4a4c78b519085dd903c8ddccc8

SHA1
ed4a59abb536708c48f0eccf13a3b742c50810f6

SHA256
88d59eb04153c7bc4dfdde3c9e4b8588cac13e0c38b486cfc14a11831a75303b

SHA512
5622788f826fb5083fc9458e96a76e6e3c9ea783a4e93513fdb800eac0ebb5a32aee51b7b44730c7199b618339658cdd3a924dec178f13e9fe104cd9afc7466c

Download Submit
\Windows\SysWOW64\Lapnnafn.exe

Filesize
80KB

MD5
253067c68c52ff03a863cd7441f40515

SHA1
86d6d78cea7f7d5791e02d55c342e3bb56f24b9a

SHA256
8276fb114d58ca413212245c284badeed3943486c1a06a0cd4cfd159adcccfb6

SHA512
757c602520c9d268695644c0aa33234af6973b581de6523903f84dc54fec15d741fe0599c8e307c1444a24a8fde7522e8158d6f8705fe820d7cbe781a63bdbf2

Download Submit
\Windows\SysWOW64\Lclnemgd.exe

Filesize
80KB

MD5
f4ec2a3c91b9949bf0d4c348c1e47479

SHA1
8f7825bccdeec970252be8b63ce94ecd65b8cd87

SHA256
f6004a844f79866e49b08a2858249a3006560e8b7340baedacf206aa038ffd92

SHA512
16ced79753472beb33094095dcbf291205db582d2e321f1d1bd083b0cead998b12fadd43af2f032bb9d7e68bf94482ed82a695bc8630f2bd0c82f82060a881e6

Download Submit
\Windows\SysWOW64\Lnbbbffj.exe

Filesize
80KB

MD5
d3e3dcd60a26fab97face0b4a8f103c4

SHA1
d80064dba1fbe611ca352c271a7755b77b7591fd

SHA256
69b719c9f6d66eb8b4a3df4c467860f9c557c6ee324eb0292b1677a0fa5567b6

SHA512
221d14a45843936b0d88851cb8e1f9c078b44bf5c28e2d414500805e72ba13f715fe1ca5bafaf5e8e77831019995672403882962bb6c7a70f5de01c446b88a2c

Download Submit
memory/536-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/572-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/572-432-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-133-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/640-141-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/840-433-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/840-439-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/904-495-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/904-488-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-411-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/936-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1196-371-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1196-381-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1404-392-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-487-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/1440-149-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-476-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1440-155-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/1452-295-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1452-296-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1452-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-335-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1532-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-339-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1588-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-220-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1692-275-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1692-285-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/1692-284-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/1724-443-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1724-453-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1780-107-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1860-474-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1860-464-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1860-475-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1864-187-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1864-194-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1888-481-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1888-486-0x0000000001F70000-0x0000000001FAE000-memory.dmp

Filesize
248KB

Download
memory/1984-493-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-168-0x0000000000300000-0x000000000033E000-memory.dmp

Filesize
248KB

Download
memory/2140-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-313-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2156-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2156-318-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2268-253-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-259-0x0000000001F50000-0x0000000001F8E000-memory.dmp

Filesize
248KB

Download
memory/2268-263-0x0000000001F50000-0x0000000001F8E000-memory.dmp

Filesize
248KB

Download
memory/2364-251-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/2364-252-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/2364-250-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2372-518-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2372-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2392-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2452-360-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2452-361-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2452-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2460-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2532-366-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2536-387-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2560-324-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2560-328-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2584-66-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2584-401-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2584-60-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2584-53-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2740-346-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2740-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2768-273-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2768-274-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2796-463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2796-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2812-421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2820-416-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2872-179-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-377-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-27-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2892-35-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2924-307-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2924-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-306-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2960-12-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2960-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2960-11-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2996-81-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2996-431-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2996-426-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3012-241-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3012-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3028-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads