berbew | 34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 10:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Size

872KB
MD5

c222833a952c8e92b7dce02c215fb010
SHA1

502270fef45b26cd77b2081d5a49fad468ffbebe
SHA256

34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3
SHA512

37852ac59515f682c615e9716b7a34403a383cb6ccfc3e8f68fa8154927c6be428ad24a32035714c36ab2f69b8ed16181e31d87dbb187bb7185e190a39d44ed8
SSDEEP

24576:41HFh2kkkkK4kXkkkkkkkkhLX3a20R0v50+Y:41xbazR0v

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpjhkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knpemf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikfmfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kcakaipc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Illgimph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mponel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nibebfpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmlhnagm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jbdonb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jqilooij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jbdonb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmlhnagm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mponel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcojjmea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mencccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Illgimph.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikfmfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mencccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jqilooij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icfofg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew

Executes dropped EXE 32 IoCs

pid	Process
3004	Illgimph.exe
2744	Icfofg32.exe
2496	Iedkbc32.exe
2572	Ikfmfi32.exe
2536	Jbdonb32.exe
1960	Jqilooij.exe
992	Jgfqaiod.exe
2700	Jcmafj32.exe
2824	Kfmjgeaj.exe
1924	Kcakaipc.exe
852	Kpjhkjde.exe
2636	Knpemf32.exe
1884	Lcojjmea.exe
2312	Lfmffhde.exe
2036	Lfbpag32.exe
2108	Lmlhnagm.exe
2128	Mponel32.exe
2084	Mhjbjopf.exe
1448	Mbpgggol.exe
1732	Mencccop.exe
1384	Mmihhelk.exe
1028	Meppiblm.exe
1608	Moidahcn.exe
1308	Mpjqiq32.exe
672	Ndemjoae.exe
1432	Nibebfpl.exe
2080	Ngfflj32.exe
2768	Niebhf32.exe
2088	Nekbmgcn.exe
2784	Nlekia32.exe
2456	Niikceid.exe
1744	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2920	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
2920	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
3004	Illgimph.exe
3004	Illgimph.exe
2744	Icfofg32.exe
2744	Icfofg32.exe
2496	Iedkbc32.exe
2496	Iedkbc32.exe
2572	Ikfmfi32.exe
2572	Ikfmfi32.exe
2536	Jbdonb32.exe
2536	Jbdonb32.exe
1960	Jqilooij.exe
1960	Jqilooij.exe
992	Jgfqaiod.exe
992	Jgfqaiod.exe
2700	Jcmafj32.exe
2700	Jcmafj32.exe
2824	Kfmjgeaj.exe
2824	Kfmjgeaj.exe
1924	Kcakaipc.exe
1924	Kcakaipc.exe
852	Kpjhkjde.exe
852	Kpjhkjde.exe
2636	Knpemf32.exe
2636	Knpemf32.exe
1884	Lcojjmea.exe
1884	Lcojjmea.exe
2312	Lfmffhde.exe
2312	Lfmffhde.exe
2036	Lfbpag32.exe
2036	Lfbpag32.exe
2108	Lmlhnagm.exe
2108	Lmlhnagm.exe
2128	Mponel32.exe
2128	Mponel32.exe
2084	Mhjbjopf.exe
2084	Mhjbjopf.exe
1448	Mbpgggol.exe
1448	Mbpgggol.exe
1732	Mencccop.exe
1732	Mencccop.exe
1384	Mmihhelk.exe
1384	Mmihhelk.exe
1028	Meppiblm.exe
1028	Meppiblm.exe
1608	Moidahcn.exe
1608	Moidahcn.exe
1308	Mpjqiq32.exe
1308	Mpjqiq32.exe
672	Ndemjoae.exe
672	Ndemjoae.exe
1432	Nibebfpl.exe
1432	Nibebfpl.exe
2080	Ngfflj32.exe
2080	Ngfflj32.exe
2768	Niebhf32.exe
2768	Niebhf32.exe
2088	Nekbmgcn.exe
2088	Nekbmgcn.exe
2784	Nlekia32.exe
2784	Nlekia32.exe
2456	Niikceid.exe
2456	Niikceid.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Illgimph.exe	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
File created	C:\Windows\SysWOW64\Kcakaipc.exe	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Mencccop.exe	Mbpgggol.exe
File created	C:\Windows\SysWOW64\Meppiblm.exe	Mmihhelk.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Ihclng32.dll	Kpjhkjde.exe
File opened for modification	C:\Windows\SysWOW64\Lfmffhde.exe	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Effqclic.dll	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Hendhe32.dll	Mbpgggol.exe
File opened for modification	C:\Windows\SysWOW64\Nibebfpl.exe	Ndemjoae.exe
File opened for modification	C:\Windows\SysWOW64\Mpjqiq32.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Dempblao.dll	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
File created	C:\Windows\SysWOW64\Jgfqaiod.exe	Jqilooij.exe
File created	C:\Windows\SysWOW64\Kfmjgeaj.exe	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Bjdmohgl.dll	Lcojjmea.exe
File created	C:\Windows\SysWOW64\Lmlhnagm.exe	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Mmihhelk.exe	Mencccop.exe
File created	C:\Windows\SysWOW64\Mpjqiq32.exe	Moidahcn.exe
File created	C:\Windows\SysWOW64\Gfkdmglc.dll	Moidahcn.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Nibebfpl.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Nlekia32.exe
File created	C:\Windows\SysWOW64\Imfegi32.dll	Jbdonb32.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Lfmffhde.exe
File created	C:\Windows\SysWOW64\Ndemjoae.exe	Mpjqiq32.exe
File created	C:\Windows\SysWOW64\Gbdalp32.dll	Ndemjoae.exe
File opened for modification	C:\Windows\SysWOW64\Iedkbc32.exe	Icfofg32.exe
File created	C:\Windows\SysWOW64\Jcmafj32.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Epecke32.dll	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Kpjhkjde.exe	Kcakaipc.exe
File created	C:\Windows\SysWOW64\Lcojjmea.exe	Knpemf32.exe
File created	C:\Windows\SysWOW64\Mponel32.exe	Lmlhnagm.exe
File created	C:\Windows\SysWOW64\Moidahcn.exe	Meppiblm.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Niikceid.exe
File opened for modification	C:\Windows\SysWOW64\Illgimph.exe	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
File created	C:\Windows\SysWOW64\Ikfmfi32.exe	Iedkbc32.exe
File created	C:\Windows\SysWOW64\Mhjbjopf.exe	Mponel32.exe
File opened for modification	C:\Windows\SysWOW64\Mencccop.exe	Mbpgggol.exe
File created	C:\Windows\SysWOW64\Ngfflj32.exe	Nibebfpl.exe
File opened for modification	C:\Windows\SysWOW64\Icfofg32.exe	Illgimph.exe
File created	C:\Windows\SysWOW64\Dddaaf32.dll	Illgimph.exe
File created	C:\Windows\SysWOW64\Giegfm32.dll	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Fpahiebe.dll	Mhjbjopf.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Nekbmgcn.exe
File created	C:\Windows\SysWOW64\Jqilooij.exe	Jbdonb32.exe
File opened for modification	C:\Windows\SysWOW64\Jcmafj32.exe	Jgfqaiod.exe
File created	C:\Windows\SysWOW64\Jcjbelmp.dll	Kfmjgeaj.exe
File created	C:\Windows\SysWOW64\Ancjqghh.dll	Kcakaipc.exe
File opened for modification	C:\Windows\SysWOW64\Knpemf32.exe	Kpjhkjde.exe
File opened for modification	C:\Windows\SysWOW64\Mbpgggol.exe	Mhjbjopf.exe
File opened for modification	C:\Windows\SysWOW64\Meppiblm.exe	Mmihhelk.exe
File opened for modification	C:\Windows\SysWOW64\Moidahcn.exe	Meppiblm.exe
File opened for modification	C:\Windows\SysWOW64\Jbdonb32.exe	Ikfmfi32.exe
File created	C:\Windows\SysWOW64\Badffggh.dll	Jqilooij.exe
File opened for modification	C:\Windows\SysWOW64\Kfmjgeaj.exe	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Knpemf32.exe	Kpjhkjde.exe
File created	C:\Windows\SysWOW64\Khqpfa32.dll	Lfmffhde.exe
File opened for modification	C:\Windows\SysWOW64\Lmlhnagm.exe	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Mponel32.exe	Lmlhnagm.exe
File opened for modification	C:\Windows\SysWOW64\Jqilooij.exe	Jbdonb32.exe
File opened for modification	C:\Windows\SysWOW64\Kpjhkjde.exe	Kcakaipc.exe
File created	C:\Windows\SysWOW64\Noomnjpj.dll	Mpjqiq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2940	1744	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcojjmea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfmffhde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mencccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpjqiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iedkbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jqilooij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Illgimph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mponel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhjbjopf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jbdonb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpjhkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpgggol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmihhelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikfmfi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jgfqaiod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcmafj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kcakaipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lmlhnagm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meppiblm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moidahcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nibebfpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Icfofg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kfmjgeaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Knpemf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffjeaid.dll"	Knpemf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhjbjopf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafcif32.dll"	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knpemf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikfmfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effqclic.dll"	Lmlhnagm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Mpjqiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kcakaipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jbdonb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqpfa32.dll"	Lfmffhde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfegi32.dll"	Jbdonb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nibebfpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jbdonb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Badffggh.dll"	Jqilooij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmihhelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jqilooij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfmjgeaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiiddiab.dll"	Ikfmfi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hendhe32.dll"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iedkbc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdmohgl.dll"	Lcojjmea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfmffhde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmlhnagm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhjbjopf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffdil32.dll"	Icfofg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iedkbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Meppiblm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll"	Moidahcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjbelmp.dll"	Kfmjgeaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpjhkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlekia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Illgimph.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jgfqaiod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjcbn32.dll"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdalp32.dll"	Ndemjoae.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 3004	2920	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe	28
PID 2920 wrote to memory of 3004	2920	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe	28
PID 2920 wrote to memory of 3004	2920	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe	28
PID 2920 wrote to memory of 3004	2920	34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe	28
PID 3004 wrote to memory of 2744	3004	Illgimph.exe	29
PID 3004 wrote to memory of 2744	3004	Illgimph.exe	29
PID 3004 wrote to memory of 2744	3004	Illgimph.exe	29
PID 3004 wrote to memory of 2744	3004	Illgimph.exe	29
PID 2744 wrote to memory of 2496	2744	Icfofg32.exe	30
PID 2744 wrote to memory of 2496	2744	Icfofg32.exe	30
PID 2744 wrote to memory of 2496	2744	Icfofg32.exe	30
PID 2744 wrote to memory of 2496	2744	Icfofg32.exe	30
PID 2496 wrote to memory of 2572	2496	Iedkbc32.exe	31
PID 2496 wrote to memory of 2572	2496	Iedkbc32.exe	31
PID 2496 wrote to memory of 2572	2496	Iedkbc32.exe	31
PID 2496 wrote to memory of 2572	2496	Iedkbc32.exe	31
PID 2572 wrote to memory of 2536	2572	Ikfmfi32.exe	32
PID 2572 wrote to memory of 2536	2572	Ikfmfi32.exe	32
PID 2572 wrote to memory of 2536	2572	Ikfmfi32.exe	32
PID 2572 wrote to memory of 2536	2572	Ikfmfi32.exe	32
PID 2536 wrote to memory of 1960	2536	Jbdonb32.exe	33
PID 2536 wrote to memory of 1960	2536	Jbdonb32.exe	33
PID 2536 wrote to memory of 1960	2536	Jbdonb32.exe	33
PID 2536 wrote to memory of 1960	2536	Jbdonb32.exe	33
PID 1960 wrote to memory of 992	1960	Jqilooij.exe	34
PID 1960 wrote to memory of 992	1960	Jqilooij.exe	34
PID 1960 wrote to memory of 992	1960	Jqilooij.exe	34
PID 1960 wrote to memory of 992	1960	Jqilooij.exe	34
PID 992 wrote to memory of 2700	992	Jgfqaiod.exe	35
PID 992 wrote to memory of 2700	992	Jgfqaiod.exe	35
PID 992 wrote to memory of 2700	992	Jgfqaiod.exe	35
PID 992 wrote to memory of 2700	992	Jgfqaiod.exe	35
PID 2700 wrote to memory of 2824	2700	Jcmafj32.exe	36
PID 2700 wrote to memory of 2824	2700	Jcmafj32.exe	36
PID 2700 wrote to memory of 2824	2700	Jcmafj32.exe	36
PID 2700 wrote to memory of 2824	2700	Jcmafj32.exe	36
PID 2824 wrote to memory of 1924	2824	Kfmjgeaj.exe	37
PID 2824 wrote to memory of 1924	2824	Kfmjgeaj.exe	37
PID 2824 wrote to memory of 1924	2824	Kfmjgeaj.exe	37
PID 2824 wrote to memory of 1924	2824	Kfmjgeaj.exe	37
PID 1924 wrote to memory of 852	1924	Kcakaipc.exe	38
PID 1924 wrote to memory of 852	1924	Kcakaipc.exe	38
PID 1924 wrote to memory of 852	1924	Kcakaipc.exe	38
PID 1924 wrote to memory of 852	1924	Kcakaipc.exe	38
PID 852 wrote to memory of 2636	852	Kpjhkjde.exe	39
PID 852 wrote to memory of 2636	852	Kpjhkjde.exe	39
PID 852 wrote to memory of 2636	852	Kpjhkjde.exe	39
PID 852 wrote to memory of 2636	852	Kpjhkjde.exe	39
PID 2636 wrote to memory of 1884	2636	Knpemf32.exe	40
PID 2636 wrote to memory of 1884	2636	Knpemf32.exe	40
PID 2636 wrote to memory of 1884	2636	Knpemf32.exe	40
PID 2636 wrote to memory of 1884	2636	Knpemf32.exe	40
PID 1884 wrote to memory of 2312	1884	Lcojjmea.exe	41
PID 1884 wrote to memory of 2312	1884	Lcojjmea.exe	41
PID 1884 wrote to memory of 2312	1884	Lcojjmea.exe	41
PID 1884 wrote to memory of 2312	1884	Lcojjmea.exe	41
PID 2312 wrote to memory of 2036	2312	Lfmffhde.exe	42
PID 2312 wrote to memory of 2036	2312	Lfmffhde.exe	42
PID 2312 wrote to memory of 2036	2312	Lfmffhde.exe	42
PID 2312 wrote to memory of 2036	2312	Lfmffhde.exe	42
PID 2036 wrote to memory of 2108	2036	Lfbpag32.exe	43
PID 2036 wrote to memory of 2108	2036	Lfbpag32.exe	43
PID 2036 wrote to memory of 2108	2036	Lfbpag32.exe	43
PID 2036 wrote to memory of 2108	2036	Lfbpag32.exe	43

C:\Users\Admin\AppData\Local\Temp\34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe
"C:\Users\Admin\AppData\Local\Temp\34004ffa9d7d94c5103be372a4906238f8b9e52b69588864aeb6374e83f221b3N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\Illgimph.exe
  C:\Windows\system32\Illgimph.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\Icfofg32.exe
    C:\Windows\system32\Icfofg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Windows\SysWOW64\Iedkbc32.exe
      C:\Windows\system32\Iedkbc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2496
    - - C:\Windows\SysWOW64\Ikfmfi32.exe
        
        C:\Windows\system32\Ikfmfi32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2572
      - C:\Windows\SysWOW64\Jbdonb32.exe
        
        C:\Windows\system32\Jbdonb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Jqilooij.exe
        
        C:\Windows\system32\Jqilooij.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Jgfqaiod.exe
        
        C:\Windows\system32\Jgfqaiod.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:992
        
        C:\Windows\SysWOW64\Jcmafj32.exe
        
        C:\Windows\system32\Jcmafj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Kfmjgeaj.exe
        
        C:\Windows\system32\Kfmjgeaj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Kcakaipc.exe
        
        C:\Windows\system32\Kcakaipc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\SysWOW64\Kpjhkjde.exe
        
        C:\Windows\system32\Kpjhkjde.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Knpemf32.exe
        
        C:\Windows\system32\Knpemf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\Lcojjmea.exe
        
        C:\Windows\system32\Lcojjmea.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\Lfmffhde.exe
        
        C:\Windows\system32\Lfmffhde.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Lfbpag32.exe
        
        C:\Windows\system32\Lfbpag32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Lmlhnagm.exe
        
        C:\Windows\system32\Lmlhnagm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Mponel32.exe
        
        C:\Windows\system32\Mponel32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Mhjbjopf.exe
        
        C:\Windows\system32\Mhjbjopf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Mencccop.exe
        
        C:\Windows\system32\Mencccop.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Mmihhelk.exe
        
        C:\Windows\system32\Mmihhelk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\Meppiblm.exe
        
        C:\Windows\system32\Meppiblm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\Moidahcn.exe
        
        C:\Windows\system32\Moidahcn.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\Mpjqiq32.exe
        
        C:\Windows\system32\Mpjqiq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:672
        
        C:\Windows\SysWOW64\Nibebfpl.exe
        
        C:\Windows\system32\Nibebfpl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1744 -s 140
        34⤵
        Program crash
        
        PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Icfofg32.exe

Filesize
872KB

MD5
7da4c2635b2f5ae67f2857873c2a931e

SHA1
6234cfb317f8c7d82b059cd6e0e2348ff0627076

SHA256
4b4b8a5e32ffa9a0390498193cf72335f5841b83306c50099194ae79cc2295e1

SHA512
c4845567b1e054780d878488f6971af44a9573daf80616759fabddca5da37db05c8e2597343c578f61baa9d7041db97ab3cc448863c1bc6e60e42c91328c33f4

Download Submit
C:\Windows\SysWOW64\Ikfmfi32.exe

Filesize
872KB

MD5
057ac569ffd86f40450933ec619df2e7

SHA1
afefeb1f1df46061202519aaec2ec7235d52edbe

SHA256
cd9fb8c2a2827d2cfe49c777acbb89ae2fa5e5fb1cb0ba63f03140415529d07d

SHA512
c865da5760fb77e5977573c36391cf265d90a9487c9f40c004414558b025648abfd3fdf98691956c0e2038f616103985863d90087faa9c1f8e4eadd5fbf57d56

Download Submit
C:\Windows\SysWOW64\Jqilooij.exe

Filesize
872KB

MD5
85134fa693fc5b736ae5688a72c906b5

SHA1
55f7fc7c645e9aca07fe975af445aa026c3e565c

SHA256
256ff894e17a9d32f258f456e21d3e18e23c6dadc3b10bbb734f4b23745e284f

SHA512
024f053a6cbcb694aad9538d0bdebf905c3ba4f1a736a6bc31f801b52f7990626485730114da71a521d9b55db7cf56d47062e9fce6f7d22769714a3f2c8ef4c6

Download Submit
C:\Windows\SysWOW64\Kcakaipc.exe

Filesize
872KB

MD5
e1f4f5ad81b2e54e896a0ad2e01d5cf9

SHA1
afca0cdd987a10c67ddd46d9fa344c93eb053fd0

SHA256
73f47e126e023bedea6febaaf3601a88e87f317c4acb1c28e9372b2939764b1c

SHA512
3e56e386cbac1717cf500d8db2a9b2965b52b35046ed01e80ec5ec0d9916b90bb7f1e32b4eda5406750ebff729f0d6ae15b48a747e6175895b50706cffaaba0e

Download Submit
C:\Windows\SysWOW64\Lmlhnagm.exe

Filesize
872KB

MD5
54fe99fa5f8ed1e1d41c986357a409e2

SHA1
36b957d16bd2bed7dd0e767c01953a95238834aa

SHA256
859b467159ab21bc50e9a17788a071963b9af239d63e2650f7ec4aa116e2bc15

SHA512
19e0be2ab235e0c028532fee0863c561ab485bde05b588268c62b4a106eff6d64bf6bec5f281f57f35193c8b0cbe6651e6412fd9080973c79e6af3c40aaced3d

Download Submit
C:\Windows\SysWOW64\Mbpgggol.exe

Filesize
872KB

MD5
0f88d29ae05c08db302d9a585908393a

SHA1
b4b446d7fc8695b37e9c629884281c1e636ecc02

SHA256
9b2acb11da45f26698d3de94bbeab4d5635fcb39354f2a13684ed9d7b9467c0e

SHA512
b0986073aef9f638dc90bc2bd089689aabf7bda70eafc2d9259d62f7d7a4b5ff57fd1d87d3c326ef75a10f65f0d234496b5835863cc8517c4c394cf704a97d98

Download Submit
C:\Windows\SysWOW64\Mencccop.exe

Filesize
872KB

MD5
f8b99bd256d9bb7fc0f08c2e00e838ac

SHA1
2bcafe976b320dcbfd4e526f4c0529171c4318e2

SHA256
1bd1a5e9f3b24e98ca497958bfc1b6ea48e141b112c02ae61d5ff26b03244bd7

SHA512
ee656b81688704128034210a9bcec7a7b0fb2c5343b0d8e6e1e70eb3c08190be4b428b6599e18620446ba0a3e793af9816a617a6efe355c79593fbbb0d5a90f7

Download Submit
C:\Windows\SysWOW64\Meppiblm.exe

Filesize
872KB

MD5
6b11e68ab518dadef554f6457023f176

SHA1
227861f6b5706a4b4f5ad1c47a90fde5ef7f14ac

SHA256
5a45e8ede93d927e9e1a2a7fb45137996b79815a2b30a0a5e0108eed7770acb1

SHA512
5b9f65331a0ea48e1e536c5eda48357d2c04f325a24c3237c01ec4a4a319973ffc6b8e769a7864fb4015af09a7baf10aa29cb64ef04a8d0167633183e9b5e96c

Download Submit
C:\Windows\SysWOW64\Mhjbjopf.exe

Filesize
872KB

MD5
227f0ed483ddb87ea1751f8436465742

SHA1
f7e4950b659e99a314dd64fc0e620d98eb08fdf1

SHA256
d6d68b820fc0f4135dfbac6f32dc99814644594f18f633be33fde6204600d2d0

SHA512
4b3eaa06c04f299e47d3f5c6761642658bd5cdb86dc0a75fda4b6e38e7b4e1f2629a9222b64b4253e23dde8fcb60868f8fb38f71bc48316f0a532d56a16e0479

Download Submit
C:\Windows\SysWOW64\Mmihhelk.exe

Filesize
872KB

MD5
f723dc4e0faafcea993817233ed89528

SHA1
cea4e5c950305dafd61ea3d6bceba9c8b2bf79d2

SHA256
b7ec3f2e924fe72c69da290cd6eb307a530c4ed34d5ae59de1da266ade5cc696

SHA512
f0e1c0607aa0f7ae335431f08a855d3856c569ba30a6dea8ff6a2da5fee037bf7bf51867a5d1feb22ac42980ab707f50a1b7afd60b44c346962b4c2878788703

Download Submit
C:\Windows\SysWOW64\Moidahcn.exe

Filesize
872KB

MD5
dc8ae79d96148d2137eb9a01fbb8a3fa

SHA1
f7918da5d80c531f1368e8648c0e347b7d6343b4

SHA256
77e14420da2c355deef089314eeeed2728b3e6482e6b70a9d80fdd8510a3aa35

SHA512
7c09f4f942eeb19cbc6dc2cfb1bcb63eff24061a0109e1d40f8d9bb720a5056aa6a4fa3a3f72835f36295314789e9fe8cdc74c1faa1126d0befa873d2b4f53bc

Download Submit
C:\Windows\SysWOW64\Mpjqiq32.exe

Filesize
872KB

MD5
b8cb86d700e47ba6845e7e96c98d2894

SHA1
5ced9f716c1c4c0af58b79fefc754e5893fb5b81

SHA256
0abeaef58ce418f5d160bf6cc06336494fdd5a45bc419283bf7d70d3fff13b36

SHA512
9f5980ef2342dd21cc57d91e514a84ce937f81cb6f16e5f4b38a76e0f839efdfe4aecd34a6318c5336af993046210f6d7e54dbad16c2b75f533a26d311873c88

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
872KB

MD5
dd423d1ded2ccf0c05f1ffd4cfecd2c7

SHA1
5c3ab7bfaae3f7fdf979f8f299e6f5c0f8704834

SHA256
a15a104c7cf5cc733b0e4025eb0f1767e5a252943cc24817afc5c92f00d70dbb

SHA512
3a827a320701fa42b6df776dcf1276deaa702f4d154aea79e831b69339f790ef6a77922c16f106494658238232d882883df035224fa60dfdd0569baf0ff71f21

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
872KB

MD5
df35ddccfae24cce2b9f6d7c055a7f54

SHA1
c3c4287785ec515db29991abf526836361449352

SHA256
1f4c4684eb361119b3bc81bff4b4831accbd7338d1b448afda548a9c6afb59ff

SHA512
30480d1f310989452e974f81c343f2514aab3dfd798064b786c2b0cd0b9afb406ed9327537729174c220a48ec7d0c73c74ee4576b984d993abdb33459ef8423b

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
872KB

MD5
abd8c68764a18f26483372cdfe8337b9

SHA1
a0122debaf47fc1553ad1b6374d55e6195a6f046

SHA256
0ddf2255db0bd93418f17c98d766b40f4b1695d461bf8708b5eaf8680c9c4c67

SHA512
b5db8dddcd01608ebaacb558bfa90651912d2448af89dd84632fccf03376f7f426dd1476307197c98c87537586fd5fc54772644687bbbb496616559592f1ee69

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
872KB

MD5
fcc1e29c7794aa47feb047cc99d9d152

SHA1
ceea05c01b59b2f73cd535d78d750677e66e1df4

SHA256
e0932d0c45c6db8cde227c1250f435bad270188ca42f01a413f0f76eb4863c4c

SHA512
f737dab7cd9517a416ac793d4b8d47e1e44cf8609dda748f6a7408127b0c27f1151632292ab080cd1502babf56fd706be3590c9c9b89c5572ffeab5e1e95a433

Download Submit
C:\Windows\SysWOW64\Nibebfpl.exe

Filesize
872KB

MD5
b5e604ad5eba7d35c8d34ed6d6bfb6bb

SHA1
8aa06b69e12769737cf62631de638dfcc1121079

SHA256
a8e109ef849d8f7697fb92cc15b3931eaac946cbbf9c2051c4a2655e4dd61f68

SHA512
fd811381dfbf577c6ef9bfa304689629116f8d51de0fbc34a17ad11ff53b498db8b34e9416588d9125ae8066a25996fabf768adcb6844a17c8f0e9c96e2d6e48

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
872KB

MD5
1fa91b4fce51e6fcd2160edfc6aa9384

SHA1
a8a40ccf0e31955c7036b5e5bdc5cca454e573ae

SHA256
7265dfa9ed4958b0550a98677671a5035b0056dfc21996d1aae7ac8151f7b4b5

SHA512
1a0ec11a920a5d071e8e5fa43322f4bcb3f26a9f4f653691a0e2b4e32904033cc4e1e177849bb84ce856516b2888d6cf8e4916038a404c3e7833c0d88c096cd2

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
872KB

MD5
f1e07cc52b87e68112741f53cd60d1ca

SHA1
d1f95792122d9a4fed2999ca3350af0e445d7f3c

SHA256
4630dbf057195788f544339d3ef60ec4b40720548535c26b40ce997438841da8

SHA512
ce3f16e372696238ba437dac329b373f4cf8ed180d6dc4a1b24a79f3e12572916b988ca487e2855d5930c88b9a3120442cbee03ffcac492012df48feeca89c91

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
872KB

MD5
ae6298ff0f8acd9546383962f036407f

SHA1
e1ed5a240ef1e66c9f78bc5e2b93c1e417c93736

SHA256
70e143550b65a171378ac3705f4c33f1921fbcc465fc5ab2cd0567d2f0412e32

SHA512
977840ed8f39f770d108da3e45b21a32fc2c095715c1b41af70af478766578135df2c40e9c03096d07d7e24bec7695cc68d117057536d34589a9b3d7c584b312

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
872KB

MD5
bc3679ae17aa8d9532a577524bf8bfd3

SHA1
803ed6f14f441415625fe90055c592d6c528a436

SHA256
fc001183cab351357f2a326ccdd430841af4ebf28e1cbab563d82050e0313bdf

SHA512
266c9f7ea57f9dea61125df2dfc6341501a0cc53b65c2a73a5f2bdce5d1ddc64b3e832916ba10cd567b579f1a75857393b6c55efdbb73b951ae8f617876a5f2d

Download Submit
\Windows\SysWOW64\Iedkbc32.exe

Filesize
872KB

MD5
926b0478fbf34dd80418f3b2994c8101

SHA1
45f45831a06f7502bec3a7fefcf31aa798493831

SHA256
1c67f08258bcb6962bd8d96bee1afc09d9fc3670045401746ee4f68f3db969eb

SHA512
85852d6fdb08b36e22c02ecdef87cb04b091c4db3306d7e3cd341f4420108228c99e4c79c9efdc8de8a85dc719cc9dc645a0d4c187eab7d19458685f8587dba8

Download Submit
\Windows\SysWOW64\Illgimph.exe

Filesize
872KB

MD5
6a8a84b34c0922ff9f2a53b7131d7707

SHA1
8aef8306050c2017cebf43d345f340082385d197

SHA256
bef3dc64ce6d8a6b9a4b0445a3f3f8684ea4b229d15606b7f59ca62618562f76

SHA512
c8ea1f883db1bb2de6a9403829b335078c18b6a549e9898f3b8835cebc9d6cdea3f8bc6252c27d32a5238db204bd5db80de9b37c048b92ffda27f10098db20db

Download Submit
\Windows\SysWOW64\Jbdonb32.exe

Filesize
872KB

MD5
37fb4727f844ecb91dfcf9b29aa0aecb

SHA1
759101b8bb3d7eb13d39c490aca22973d0c422fc

SHA256
b032c200b87e3451b6bb3865986575a3802925cd6a419e62407968effb30291e

SHA512
7ec1a0e24cec1eb7fec92450cb68ae8864926ae7cdbec6fe3fe084185868acf7b92881574388c7f787d258383bda9f116b866a72c49880fa1e501ee79de05fa9

Download Submit
\Windows\SysWOW64\Jcmafj32.exe

Filesize
872KB

MD5
9d440dd4e80f9523b7b913e7ac909f74

SHA1
b343745ed61aa0436798b9090bf6d286f03cb848

SHA256
bb978a51086fd751feefa6e7a4ecafc1fe9e2520cdbf8852060bc90bc987ccbe

SHA512
deb756af1d5b1a26c48f2220943828846ca354dc31ed4eb24504c380d3c9f1ff3915f304d4157378a7de9f139d185640c63551051271238f64aaa5081ac4ae4c

Download Submit
\Windows\SysWOW64\Jgfqaiod.exe

Filesize
872KB

MD5
879d3e573155715cf8cbe328f4e7351f

SHA1
a4d784faed3faae7e450f68269a59cc2275a482b

SHA256
8e5bb7617c3cd3c18f7f48c3c746a28a4024c6606dca3b37fe79330db30a6b76

SHA512
da400d039cb68d99cf899899ce25c9d3b9995cbf1ab3c56c65279c0dca17a3fe63728a7565935b8328f31000866ba71a1bbd5021fafec43169ecfefdfb3829db

Download Submit
\Windows\SysWOW64\Kfmjgeaj.exe

Filesize
872KB

MD5
ef574f85ace773b14efcc35aaa014cd8

SHA1
3666b438d6bc8a974686921c32b8f4e442592c27

SHA256
75a6c65f20a19ecf9b534e0afa926815ffb192a4407d19045f45e02c1b2fdd04

SHA512
b4e6befe05c9a3a4245fcf918a1349c4a70952dba290b6f74b5ea1cc42a2c45d34114e018de7d7bac146e91cff2b6621bded479be517cb3d8d79c5e2a17f9fc4

Download Submit
\Windows\SysWOW64\Knpemf32.exe

Filesize
872KB

MD5
2e47741609b27f49d323a89f1c176b43

SHA1
f13da540877e6092182f7b57aea1ddcae7e389b3

SHA256
691abed66505a1fb35d8258356a33200420b89db7995f9399855500a531eb74e

SHA512
4afb674b6e940409b418f889e65cdfed51be7a7aac4c95d839863d364e0d51dafc6c4fa20fcdd40732c653e7d480e55002dc6ed8493ba85512d065a1a159f361

Download Submit
\Windows\SysWOW64\Kpjhkjde.exe

Filesize
872KB

MD5
2269e7e158cb3dffd686eb5abe96d4d9

SHA1
ce23619bdc5a21fd1afb72f1e8c72e1db856af04

SHA256
157b927994e0282d9f0f1bf6b7712e4c7fd06b47cc4af582bdf9e44173c56d82

SHA512
46de9ff6fadcd0ea1acac909dc2af192646621babfd29958b25492330ee532d970efe9a9e526b2e7d46df456780fb30b2273048c42e4a19becc17d9cc4cc8877

Download Submit
\Windows\SysWOW64\Lcojjmea.exe

Filesize
872KB

MD5
291bb9e11c511561668ac9eb4e54f80d

SHA1
4bc800712ad03874dfb281787346cdea19573b80

SHA256
b76065ec9636760c19c7c2b1e554e1cadbedfc268d4b5ed3128112ca68d9f4e4

SHA512
3a21c433e122e0be851c540d20bcfc38735ee960653fab2480b49e0c775db4c9b2dc5ccc754b854df810c0bbf8bb148ac4cfc8b805c5fefe5f7d7b4219b765e4

Download Submit
\Windows\SysWOW64\Lfbpag32.exe

Filesize
872KB

MD5
afeff45b6b8a8eb8579b0668280060dc

SHA1
90e5378dd823f1635f16ba28c809923a4ad680a0

SHA256
145ad67fffcd228f0123a965cc00e96ab72ba023c5cd7f45b2b6235588a81ba3

SHA512
e7051e074b9b03a040ed79f0e8fc774286cafa95e74fc9cb334c7a0b1b6b27dcc564a65f0953437788b8d109da0f116505962663aa1a3266277d3cd4dea41605

Download Submit
\Windows\SysWOW64\Lfmffhde.exe

Filesize
872KB

MD5
3dfd357d15583273443ed44e1874828a

SHA1
1104acec4dc6039c80dcae2c1055e25a07edad88

SHA256
9b22283b32b7c9e6d27e89fc1386ee49108548bdd5b77c41f76e90ec254dabe8

SHA512
1d235a72d973c1009d44e6bda7e3713bac4d4d20ba379c5d47ee7ed6528557c9ec186b7d04aaac47d8f18e6f9ee19b1e67bcbec029e72b2dcb5063a00f9105f8

Download Submit
memory/672-321-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/672-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-320-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/852-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-164-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/852-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-438-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1028-287-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1028-288-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1028-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1308-314-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1308-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1384-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1432-328-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1432-332-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1432-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-299-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1608-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1608-298-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1732-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-265-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1732-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1744-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1884-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1924-145-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1924-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-94-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2036-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2036-423-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-339-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2080-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-249-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2084-245-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2084-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-228-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2108-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-239-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2128-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-235-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2312-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-391-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2456-392-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2456-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2496-379-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2496-55-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2496-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-395-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2536-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-83-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2536-84-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2536-71-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-64-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2636-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-119-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2744-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-368-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2744-41-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2744-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-367-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2768-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2768-352-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2768-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-375-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2784-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-380-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2920-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-345-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2920-344-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2920-18-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2920-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-17-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/3004-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-356-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3004-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads