berbew | 8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd

Analysis

max time kernel
15s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
Size

74KB
MD5

b8903d3225ef992bf3ee684336d9dd0d
SHA1

cbc0f3a46a41bec28edc8d6a33a5f8f1bffdba9f
SHA256

8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd
SHA512

9971880ca26397354a473560d22624883fafbaf47321bfd6997a468d0a8dc24635a28bea7a5fd8ee1c70631fb245296db92e2ea44f8c136d88321375592c9aec
SSDEEP

768:m+RAOLk4OLeAzu1tg4N6Bp45hvybJDhJPP47gU8ViutWDerzPz0rV4I2z8uMXD3/:m+qOLkqAzuLJ6Ghv6N5PuuiKzPdzC8M

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://f/wcmd.htm

http://f/ppslog.php

http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mhbflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdkcgk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilnqhddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilnqhddd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Johlpoij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpblne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Leaallcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lolbjahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mliibj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdigakic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Opcaiggo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jnafop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mliibj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ipgpcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjhgdqef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leaallcb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljhppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lcqdidim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Imfgahao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jnafop32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfcfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfcfob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jephgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqdaal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ipgpcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kpnbcfkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbhnpplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njjieace.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbmcjc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Inajql32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jephgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Inajql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Klimcf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhbflj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Njjieace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mfamko32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbhnpplb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Johlpoij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kaieai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klimcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lkccob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ljhppo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Imfgahao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lolbjahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbmcjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbokda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpblne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkccob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jplinckj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jjhgdqef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbokda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpnbcfkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nqdaal32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kaieai32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jplinckj.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 33 IoCs

pid	Process
2552	Inajql32.exe
2868	Imfgahao.exe
2844	Ipgpcc32.exe
3024	Ilnqhddd.exe
2776	Jplinckj.exe
2832	Jnafop32.exe
2692	Jjhgdqef.exe
2808	Jephgi32.exe
1844	Johlpoij.exe
3048	Kaieai32.exe
2540	Kpnbcfkc.exe
1148	Kbokda32.exe
2488	Kpblne32.exe
2480	Klimcf32.exe
2056	Leaallcb.exe
1552	Lolbjahp.exe
340	Lkccob32.exe
1052	Ljhppo32.exe
640	Lcqdidim.exe
2164	Mliibj32.exe
1736	Mfamko32.exe
964	Mbhnpplb.exe
1528	Mhbflj32.exe
2680	Mdigakic.exe
1680	Mdkcgk32.exe
2124	Njjieace.exe
2820	Nqdaal32.exe
1044	Njmejaqb.exe
2828	Nfcfob32.exe
2736	Nbmcjc32.exe
2716	Ombhgljn.exe
2608	Opcaiggo.exe
1060	Ohnemidj.exe

Loads dropped DLL 64 IoCs

pid	Process
2792	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
2792	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
2552	Inajql32.exe
2552	Inajql32.exe
2868	Imfgahao.exe
2868	Imfgahao.exe
2844	Ipgpcc32.exe
2844	Ipgpcc32.exe
3024	Ilnqhddd.exe
3024	Ilnqhddd.exe
2776	Jplinckj.exe
2776	Jplinckj.exe
2832	Jnafop32.exe
2832	Jnafop32.exe
2692	Jjhgdqef.exe
2692	Jjhgdqef.exe
2808	Jephgi32.exe
2808	Jephgi32.exe
1844	Johlpoij.exe
1844	Johlpoij.exe
3048	Kaieai32.exe
3048	Kaieai32.exe
2540	Kpnbcfkc.exe
2540	Kpnbcfkc.exe
1148	Kbokda32.exe
1148	Kbokda32.exe
2488	Kpblne32.exe
2488	Kpblne32.exe
2480	Klimcf32.exe
2480	Klimcf32.exe
2056	Leaallcb.exe
2056	Leaallcb.exe
1552	Lolbjahp.exe
1552	Lolbjahp.exe
340	Lkccob32.exe
340	Lkccob32.exe
1052	Ljhppo32.exe
1052	Ljhppo32.exe
640	Lcqdidim.exe
640	Lcqdidim.exe
2164	Mliibj32.exe
2164	Mliibj32.exe
1736	Mfamko32.exe
1736	Mfamko32.exe
964	Mbhnpplb.exe
964	Mbhnpplb.exe
1528	Mhbflj32.exe
1528	Mhbflj32.exe
2680	Mdigakic.exe
2680	Mdigakic.exe
1680	Mdkcgk32.exe
1680	Mdkcgk32.exe
2124	Njjieace.exe
2124	Njjieace.exe
2820	Nqdaal32.exe
2820	Nqdaal32.exe
1044	Njmejaqb.exe
1044	Njmejaqb.exe
2828	Nfcfob32.exe
2828	Nfcfob32.exe
2736	Nbmcjc32.exe
2736	Nbmcjc32.exe
2716	Ombhgljn.exe
2716	Ombhgljn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Idjfdadn.dll	Leaallcb.exe
File created	C:\Windows\SysWOW64\Holjmiol.dll	Lolbjahp.exe
File created	C:\Windows\SysWOW64\Mhbflj32.exe	Mbhnpplb.exe
File created	C:\Windows\SysWOW64\Nqdaal32.exe	Njjieace.exe
File opened for modification	C:\Windows\SysWOW64\Ipgpcc32.exe	Imfgahao.exe
File created	C:\Windows\SysWOW64\Pdgldnpb.dll	Imfgahao.exe
File created	C:\Windows\SysWOW64\Gdilkpbo.dll	Kaieai32.exe
File opened for modification	C:\Windows\SysWOW64\Kpblne32.exe	Kbokda32.exe
File created	C:\Windows\SysWOW64\Ohnemidj.exe	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Njjieace.exe	Mdkcgk32.exe
File created	C:\Windows\SysWOW64\Epljpl32.dll	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
File created	C:\Windows\SysWOW64\Imfgahao.exe	Inajql32.exe
File created	C:\Windows\SysWOW64\Dhkjod32.dll	Ilnqhddd.exe
File created	C:\Windows\SysWOW64\Jjhgdqef.exe	Jnafop32.exe
File opened for modification	C:\Windows\SysWOW64\Njmejaqb.exe	Nqdaal32.exe
File created	C:\Windows\SysWOW64\Cjqigm32.dll	Njmejaqb.exe
File created	C:\Windows\SysWOW64\Bogiic32.dll	Jnafop32.exe
File opened for modification	C:\Windows\SysWOW64\Johlpoij.exe	Jephgi32.exe
File created	C:\Windows\SysWOW64\Epinic32.dll	Klimcf32.exe
File opened for modification	C:\Windows\SysWOW64\Mliibj32.exe	Lcqdidim.exe
File created	C:\Windows\SysWOW64\Pbbfhefe.dll	Ombhgljn.exe
File opened for modification	C:\Windows\SysWOW64\Jjhgdqef.exe	Jnafop32.exe
File created	C:\Windows\SysWOW64\Kaieai32.exe	Johlpoij.exe
File opened for modification	C:\Windows\SysWOW64\Kbokda32.exe	Kpnbcfkc.exe
File created	C:\Windows\SysWOW64\Giiinjlg.dll	Lkccob32.exe
File created	C:\Windows\SysWOW64\Cjjdgm32.dll	Njjieace.exe
File created	C:\Windows\SysWOW64\Nfcfob32.exe	Njmejaqb.exe
File created	C:\Windows\SysWOW64\Ilnqhddd.exe	Ipgpcc32.exe
File opened for modification	C:\Windows\SysWOW64\Jephgi32.exe	Jjhgdqef.exe
File created	C:\Windows\SysWOW64\Fjdfae32.dll	Kpnbcfkc.exe
File created	C:\Windows\SysWOW64\Dbkgliff.dll	Lcqdidim.exe
File created	C:\Windows\SysWOW64\Ogpaem32.dll	Nqdaal32.exe
File created	C:\Windows\SysWOW64\Ipgpcc32.exe	Imfgahao.exe
File created	C:\Windows\SysWOW64\Pbfoci32.dll	Kbokda32.exe
File opened for modification	C:\Windows\SysWOW64\Mdigakic.exe	Mhbflj32.exe
File created	C:\Windows\SysWOW64\Jbkicgjf.dll	Mdigakic.exe
File created	C:\Windows\SysWOW64\Ehcibakq.dll	Kpblne32.exe
File created	C:\Windows\SysWOW64\Ljhppo32.exe	Lkccob32.exe
File opened for modification	C:\Windows\SysWOW64\Ljhppo32.exe	Lkccob32.exe
File created	C:\Windows\SysWOW64\Mdkcgk32.exe	Mdigakic.exe
File created	C:\Windows\SysWOW64\Jephgi32.exe	Jjhgdqef.exe
File opened for modification	C:\Windows\SysWOW64\Kaieai32.exe	Johlpoij.exe
File opened for modification	C:\Windows\SysWOW64\Kpnbcfkc.exe	Kaieai32.exe
File created	C:\Windows\SysWOW64\Kbokda32.exe	Kpnbcfkc.exe
File created	C:\Windows\SysWOW64\Nbmcjc32.exe	Nfcfob32.exe
File opened for modification	C:\Windows\SysWOW64\Ohnemidj.exe	Opcaiggo.exe
File created	C:\Windows\SysWOW64\Lolbjahp.exe	Leaallcb.exe
File opened for modification	C:\Windows\SysWOW64\Lcqdidim.exe	Ljhppo32.exe
File opened for modification	C:\Windows\SysWOW64\Mdkcgk32.exe	Mdigakic.exe
File opened for modification	C:\Windows\SysWOW64\Nqdaal32.exe	Njjieace.exe
File opened for modification	C:\Windows\SysWOW64\Ilnqhddd.exe	Ipgpcc32.exe
File opened for modification	C:\Windows\SysWOW64\Jnafop32.exe	Jplinckj.exe
File created	C:\Windows\SysWOW64\Kpblne32.exe	Kbokda32.exe
File opened for modification	C:\Windows\SysWOW64\Leaallcb.exe	Klimcf32.exe
File opened for modification	C:\Windows\SysWOW64\Lolbjahp.exe	Leaallcb.exe
File opened for modification	C:\Windows\SysWOW64\Lkccob32.exe	Lolbjahp.exe
File created	C:\Windows\SysWOW64\Ombhgljn.exe	Nbmcjc32.exe
File created	C:\Windows\SysWOW64\Jkokef32.dll	Nfcfob32.exe
File created	C:\Windows\SysWOW64\Dpeack32.dll	Nbmcjc32.exe
File opened for modification	C:\Windows\SysWOW64\Opcaiggo.exe	Ombhgljn.exe
File created	C:\Windows\SysWOW64\Aqkohg32.dll	Jplinckj.exe
File opened for modification	C:\Windows\SysWOW64\Klimcf32.exe	Kpblne32.exe
File created	C:\Windows\SysWOW64\Mbhnpplb.exe	Mfamko32.exe
File created	C:\Windows\SysWOW64\Lciijbkd.dll	Mbhnpplb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2100	1060	WerFault.exe	61

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbhnpplb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdkcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ombhgljn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jephgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Leaallcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljhppo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njjieace.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opcaiggo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Johlpoij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpblne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Klimcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcfob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohnemidj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Inajql32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbokda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nqdaal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mliibj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mfamko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdigakic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Njmejaqb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ilnqhddd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kaieai32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpnbcfkc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lolbjahp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Imfgahao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ipgpcc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcqdidim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbmcjc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jplinckj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkccob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhbflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jnafop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jjhgdqef.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bklicbjm.dll"	Ipgpcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bogiic32.dll"	Jnafop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kaieai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkgliff.dll"	Lcqdidim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbhnpplb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdigakic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgldnpb.dll"	Imfgahao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ipgpcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqkohg32.dll"	Jplinckj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jjhgdqef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jephgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lcqdidim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nqdaal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpeack32.dll"	Nbmcjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmhhleb.dll"	Inajql32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpnbcfkc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lolbjahp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giiinjlg.dll"	Lkccob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mliibj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciijbkd.dll"	Mbhnpplb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nqdaal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Imfgahao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ipgpcc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jjhgdqef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpfk32.dll"	Jjhgdqef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kaieai32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdilkpbo.dll"	Kaieai32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jephgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogpaem32.dll"	Nqdaal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkokef32.dll"	Nfcfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbmcjc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jplinckj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbokda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehcibakq.dll"	Kpblne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Leaallcb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Imfgahao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jplinckj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblhqf32.dll"	Johlpoij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kpblne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplmhi32.dll"	Ljhppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libghd32.dll"	Mdkcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjqigm32.dll"	Njmejaqb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfcfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Inajql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilnqhddd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ljhppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ljhppo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Njjieace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ombhgljn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll"	Opcaiggo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jnafop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjfdadn.dll"	Leaallcb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mhbflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjjdgm32.dll"	Njjieace.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfoci32.dll"	Kbokda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Klimcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbhnpplb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfcfob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2552	2792	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe	29
PID 2792 wrote to memory of 2552	2792	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe	29
PID 2792 wrote to memory of 2552	2792	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe	29
PID 2792 wrote to memory of 2552	2792	8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe	29
PID 2552 wrote to memory of 2868	2552	Inajql32.exe	30
PID 2552 wrote to memory of 2868	2552	Inajql32.exe	30
PID 2552 wrote to memory of 2868	2552	Inajql32.exe	30
PID 2552 wrote to memory of 2868	2552	Inajql32.exe	30
PID 2868 wrote to memory of 2844	2868	Imfgahao.exe	31
PID 2868 wrote to memory of 2844	2868	Imfgahao.exe	31
PID 2868 wrote to memory of 2844	2868	Imfgahao.exe	31
PID 2868 wrote to memory of 2844	2868	Imfgahao.exe	31
PID 2844 wrote to memory of 3024	2844	Ipgpcc32.exe	32
PID 2844 wrote to memory of 3024	2844	Ipgpcc32.exe	32
PID 2844 wrote to memory of 3024	2844	Ipgpcc32.exe	32
PID 2844 wrote to memory of 3024	2844	Ipgpcc32.exe	32
PID 3024 wrote to memory of 2776	3024	Ilnqhddd.exe	33
PID 3024 wrote to memory of 2776	3024	Ilnqhddd.exe	33
PID 3024 wrote to memory of 2776	3024	Ilnqhddd.exe	33
PID 3024 wrote to memory of 2776	3024	Ilnqhddd.exe	33
PID 2776 wrote to memory of 2832	2776	Jplinckj.exe	34
PID 2776 wrote to memory of 2832	2776	Jplinckj.exe	34
PID 2776 wrote to memory of 2832	2776	Jplinckj.exe	34
PID 2776 wrote to memory of 2832	2776	Jplinckj.exe	34
PID 2832 wrote to memory of 2692	2832	Jnafop32.exe	35
PID 2832 wrote to memory of 2692	2832	Jnafop32.exe	35
PID 2832 wrote to memory of 2692	2832	Jnafop32.exe	35
PID 2832 wrote to memory of 2692	2832	Jnafop32.exe	35
PID 2692 wrote to memory of 2808	2692	Jjhgdqef.exe	36
PID 2692 wrote to memory of 2808	2692	Jjhgdqef.exe	36
PID 2692 wrote to memory of 2808	2692	Jjhgdqef.exe	36
PID 2692 wrote to memory of 2808	2692	Jjhgdqef.exe	36
PID 2808 wrote to memory of 1844	2808	Jephgi32.exe	37
PID 2808 wrote to memory of 1844	2808	Jephgi32.exe	37
PID 2808 wrote to memory of 1844	2808	Jephgi32.exe	37
PID 2808 wrote to memory of 1844	2808	Jephgi32.exe	37
PID 1844 wrote to memory of 3048	1844	Johlpoij.exe	38
PID 1844 wrote to memory of 3048	1844	Johlpoij.exe	38
PID 1844 wrote to memory of 3048	1844	Johlpoij.exe	38
PID 1844 wrote to memory of 3048	1844	Johlpoij.exe	38
PID 3048 wrote to memory of 2540	3048	Kaieai32.exe	39
PID 3048 wrote to memory of 2540	3048	Kaieai32.exe	39
PID 3048 wrote to memory of 2540	3048	Kaieai32.exe	39
PID 3048 wrote to memory of 2540	3048	Kaieai32.exe	39
PID 2540 wrote to memory of 1148	2540	Kpnbcfkc.exe	40
PID 2540 wrote to memory of 1148	2540	Kpnbcfkc.exe	40
PID 2540 wrote to memory of 1148	2540	Kpnbcfkc.exe	40
PID 2540 wrote to memory of 1148	2540	Kpnbcfkc.exe	40
PID 1148 wrote to memory of 2488	1148	Kbokda32.exe	41
PID 1148 wrote to memory of 2488	1148	Kbokda32.exe	41
PID 1148 wrote to memory of 2488	1148	Kbokda32.exe	41
PID 1148 wrote to memory of 2488	1148	Kbokda32.exe	41
PID 2488 wrote to memory of 2480	2488	Kpblne32.exe	42
PID 2488 wrote to memory of 2480	2488	Kpblne32.exe	42
PID 2488 wrote to memory of 2480	2488	Kpblne32.exe	42
PID 2488 wrote to memory of 2480	2488	Kpblne32.exe	42
PID 2480 wrote to memory of 2056	2480	Klimcf32.exe	43
PID 2480 wrote to memory of 2056	2480	Klimcf32.exe	43
PID 2480 wrote to memory of 2056	2480	Klimcf32.exe	43
PID 2480 wrote to memory of 2056	2480	Klimcf32.exe	43
PID 2056 wrote to memory of 1552	2056	Leaallcb.exe	44
PID 2056 wrote to memory of 1552	2056	Leaallcb.exe	44
PID 2056 wrote to memory of 1552	2056	Leaallcb.exe	44
PID 2056 wrote to memory of 1552	2056	Leaallcb.exe	44

C:\Users\Admin\AppData\Local\Temp\8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe
"C:\Users\Admin\AppData\Local\Temp\8443c6ffc329f198e9e71c78d080b8bc47ef2529883dd5ad14b6cf12dfb73fdd.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\Inajql32.exe
  C:\Windows\system32\Inajql32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\Imfgahao.exe
    C:\Windows\system32\Imfgahao.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\SysWOW64\Ipgpcc32.exe
      C:\Windows\system32\Ipgpcc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\Ilnqhddd.exe
        
        C:\Windows\system32\Ilnqhddd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3024
      - C:\Windows\SysWOW64\Jplinckj.exe
        
        C:\Windows\system32\Jplinckj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\SysWOW64\Jnafop32.exe
        
        C:\Windows\system32\Jnafop32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Jjhgdqef.exe
        
        C:\Windows\system32\Jjhgdqef.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\Jephgi32.exe
        
        C:\Windows\system32\Jephgi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Johlpoij.exe
        
        C:\Windows\system32\Johlpoij.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Kaieai32.exe
        
        C:\Windows\system32\Kaieai32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Kpnbcfkc.exe
        
        C:\Windows\system32\Kpnbcfkc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Kbokda32.exe
        
        C:\Windows\system32\Kbokda32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Kpblne32.exe
        
        C:\Windows\system32\Kpblne32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\Klimcf32.exe
        
        C:\Windows\system32\Klimcf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Leaallcb.exe
        
        C:\Windows\system32\Leaallcb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\SysWOW64\Lolbjahp.exe
        
        C:\Windows\system32\Lolbjahp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Lkccob32.exe
        
        C:\Windows\system32\Lkccob32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:340
        
        C:\Windows\SysWOW64\Ljhppo32.exe
        
        C:\Windows\system32\Ljhppo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Lcqdidim.exe
        
        C:\Windows\system32\Lcqdidim.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Mliibj32.exe
        
        C:\Windows\system32\Mliibj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\Mfamko32.exe
        
        C:\Windows\system32\Mfamko32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\Mbhnpplb.exe
        
        C:\Windows\system32\Mbhnpplb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Mhbflj32.exe
        
        C:\Windows\system32\Mhbflj32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Mdigakic.exe
        
        C:\Windows\system32\Mdigakic.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2680
        
        C:\Windows\SysWOW64\Mdkcgk32.exe
        
        C:\Windows\system32\Mdkcgk32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Njjieace.exe
        
        C:\Windows\system32\Njjieace.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\Nqdaal32.exe
        
        C:\Windows\system32\Nqdaal32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Njmejaqb.exe
        
        C:\Windows\system32\Njmejaqb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Nfcfob32.exe
        
        C:\Windows\system32\Nfcfob32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\Nbmcjc32.exe
        
        C:\Windows\system32\Nbmcjc32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Ombhgljn.exe
        
        C:\Windows\system32\Ombhgljn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\Opcaiggo.exe
        
        C:\Windows\system32\Opcaiggo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Ohnemidj.exe
        
        C:\Windows\system32\Ohnemidj.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 140
        35⤵
        Program crash
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dhkjod32.dll

Filesize
7KB

MD5
5fd795f30456d42127fd370b7f3c927a

SHA1
4d1d2278797540944672016a59fb6496b7f20ec9

SHA256
2f6bd404a4ad2132b5fe963bea7af190afbf8e29c7ea357d47c2a805ac18b790

SHA512
da07682647d498f6f523b179af1d2ad46f799d5509bdbf1b9cc13f424f655672fa711a658d4672e0efd041c2a580ea77c678de80f2fbaf310c1026ef882d855f

Download Submit
C:\Windows\SysWOW64\Imfgahao.exe

Filesize
74KB

MD5
810671b257e75a726cd8003a5a9eb5f7

SHA1
142bc4a450ffa4b8bd8bd8a7fc8970b874f59c9a

SHA256
4a2bcd98dc28ff471bbe291a93eec0a484225e4257458535520d17958213354b

SHA512
6830ea1659741a61f5b59ee11174305bec61d5feb0f920deec776d719d353f28a0e2dbed00997cd199aca0f0e7f8cc1e9a2dbad2f90f783685262c0c20d947f8

Download Submit
C:\Windows\SysWOW64\Inajql32.exe

Filesize
74KB

MD5
b632229c46a0ee6a7aa389b37330cc12

SHA1
efe71e2f21c767244178d6282036efea7b6645de

SHA256
1f368c358f1747dd3a7d097a2a51762393d8c9f6f9089541fdc9111c0e171400

SHA512
bc4320f114d35829a9d4b3842a990b10ea517f157875889fa7e3881547c317f1706391162dba14b18a8ed5d0571634c87c0b92ca60fc17a74dce55ffcdc11d81

Download Submit
C:\Windows\SysWOW64\Ipgpcc32.exe

Filesize
74KB

MD5
a1f1411e4bb6ce9b82a7566f0cfc3bc3

SHA1
10af611039b7b4e1400e4d8ff3ba6960a2eb1ee5

SHA256
8960dfad709ea87de967f9347b696949f5fded41d89bd5930f4e419ab401dbb6

SHA512
ba2d9d582e35d6304658ad68c802d8043926c26ec061a2aa037fc05df714c2fecd8978b7a5ba1d773c8f1c40c47fb1e7da0642f9c61976d65e0937c8326a5a35

Download Submit
C:\Windows\SysWOW64\Kbokda32.exe

Filesize
74KB

MD5
f8e950931659d320fb8963dba59a3636

SHA1
68e3d5b401bb1b7823ab5fad3c0aa6611a0b634f

SHA256
4657d8e4700546b0fe3b11312c84373fd5aa1210c4d7baefd6f5efa75a7c746e

SHA512
93acff9ad2a8aa1bc31b2630d238fe3361c2887685805846f61c474d0edccd4cc57b4591e3624c865a15d14d7d4d58908e5658f8f807e9d4e181406d74e1f9c7

Download Submit
C:\Windows\SysWOW64\Lcqdidim.exe

Filesize
74KB

MD5
4d9a2ea326226b866b86ec92cda375d9

SHA1
5c365482e4cf62ba5962a4ba61e1042b432e7e01

SHA256
a34d6a163bf554ed83aa0e936e89b5f305ba62b6c0f38b4f717315c8f384a1c6

SHA512
3897c768b2a632ae5a49fb040fe3a9a2aa8f09c66f72e471c72fb521a065bdfe1e93bcc968e3591e583ed17b58c9b663883317277b64cc35669f1b087137569b

Download Submit
C:\Windows\SysWOW64\Ljhppo32.exe

Filesize
74KB

MD5
0f7cc5db1f86a02f9b26c2de25c4ea56

SHA1
8a931dae62ade1b7439a132a7bb7e948a53939d6

SHA256
4c84b64708b49e827b3bb8b0dbbfc0f681bc264a4321bd913d6a42bd62420c90

SHA512
0dc8d083fa0c159ba31db7fc07c7cd8a5e9b3bd014cb3db9433e7f4f491f218bbb50d8412fba2052453a25998a11c4240592357d9018e86306da96cfe762d075

Download Submit
C:\Windows\SysWOW64\Lkccob32.exe

Filesize
74KB

MD5
75220183876b027c61054647bad3fc5a

SHA1
6d280b67e9531aa0b1b8f9cabe2af50efc820799

SHA256
455050c9a87d3a55cb2af99c34de2ccb683939e9a07ebe472791e105b96d46b6

SHA512
75a0a68109cdb782cd03098e0a012ebda0429f8289ba341af6f9f1b20cf5331e1665bfecdd5d5b63b3e0305881f0dada5a0d4bfe5b9f6fbf76d6d4322d43b9ff

Download Submit
C:\Windows\SysWOW64\Mbhnpplb.exe

Filesize
74KB

MD5
02bfba1e5e53053afca98aff5408483c

SHA1
6d81a4b1919e35f5ab1ea2706f7d04eff3c4712e

SHA256
82fe10831b1001c1e2d592f947ce268aec342cae09b9a63280651d85f53bdade

SHA512
2ef91c9c97b56baba69a802c80e2462540e279838b914f9a1742f53baecbeafcb482619f8bcd9494752a55aafe2ab4c15be97db18e197a732a21c190ed88a20c

Download Submit
C:\Windows\SysWOW64\Mdigakic.exe

Filesize
74KB

MD5
8d9ab45ee8f34cec89b6a46eb98b5ae5

SHA1
be6dccb15567c09ce00b6ff53b2315cd3da0276d

SHA256
3a38dd4e077a5f92ba8156994f822b0fbbeed3a9055b26efadf757d6c487a96c

SHA512
76c17aa4fea8f201d1a930e188c5b0d0aa7bb8a99d3c105913707a1941ddbb530a14a4f4d7c9c49a9c64c92cde99ae30e3ceb10e40659f7d5727da6591929098

Download Submit
C:\Windows\SysWOW64\Mdkcgk32.exe

Filesize
74KB

MD5
d84e1f7265dea0c150d38e11a6bc86bc

SHA1
386133deb6156f3499a281f888a1e7550fa90a35

SHA256
7bdff197d8f8d19d80a38e9c7f785287299f7ddb764f832012636ce385f48474

SHA512
46ad61e0f664581529c41722de1363df2afa170bd57676097e5ffce2022bc8ea04d8952a0540c91c56734f12a24c9812efc874e72c9336f26c98dafe33f1bded

Download Submit
C:\Windows\SysWOW64\Mfamko32.exe

Filesize
74KB

MD5
97723dc20560945699a84a1b51a695b3

SHA1
37774f5f22468f2843170857aa128e17704390c2

SHA256
f45c609258d4e89a1d5951a1aa5a0134f743fd7c19fbd0255070d1ef9ff44b58

SHA512
a49faab3cd0b61c74e4a998b85439dc272d5e99147260dd633b1f5493477c96b154eff1175b46b87168bde5453480d715224ac04c04231cd8a73e84002fc9a6f

Download Submit
C:\Windows\SysWOW64\Mhbflj32.exe

Filesize
74KB

MD5
b00bc8f1db8948b824e9523226b332b5

SHA1
78548de2dbc5eef9bd5f6f3802782655448b9c7f

SHA256
7b2497430142ca625298c25744fe2abc88b361ef6b67d0e1121af91197fd9b42

SHA512
ecaf7d5a88a89dc11e54dd950950f1bf087ed5a6933457fbeae6bb53823b4270c2f70a10030456957a5e8f408d4482523590957f06c20105ac1b63019e7dfd4f

Download Submit
C:\Windows\SysWOW64\Mliibj32.exe

Filesize
74KB

MD5
ce19cfd5bdec4679c207dbbc3357da5f

SHA1
a1f41ad3144b112920425168543c7d02a0af895b

SHA256
4c99c59d58821b1b97eeedf5fb30b0fd5da8d8224926b3335aefa3de2559c994

SHA512
273543aa89b496d810657b81ce46ad517c4311478bb891ed799f24bc57033f146f0935e501ee57a4907c971df12672bbad6575a4e5dd4e6a422fc8e82f40cc12

Download Submit
C:\Windows\SysWOW64\Nbmcjc32.exe

Filesize
74KB

MD5
0ced8c7d9de3c3dda13db2207d0c9276

SHA1
c5de3f99dda0e6974836467a46692aa1709cd554

SHA256
076d22296b1094a56adc8f02d49298c3ec9b116a9ca927a3702e133403ead1d4

SHA512
4c74ec53821fb0125657c0a350ac4ab26c4e8c3847a531abb2df2d194b9061a98dd58242d47dd5d9c71dcfba1556917f4afa40fc7d2e9fa6601a98270056a544

Download Submit
C:\Windows\SysWOW64\Nfcfob32.exe

Filesize
74KB

MD5
8a20f9ccbaa5e2b13ff765fc768ed301

SHA1
3778babb613a6cd61f2b31f22a454bef38eb3620

SHA256
71430cc5aa1075330bb670cee32e9b7c5b22359e567a3d460afb4e513e1a435f

SHA512
d470a0e95be3e21cb408b86241aaabf0381acfeee7f6cba8752ae36450b554ffa4688d6eadd763e33b029444094468980fbeba18ac0366965d43416a0268bbd1

Download Submit
C:\Windows\SysWOW64\Njjieace.exe

Filesize
74KB

MD5
105d7e5356ac5d8e90e850ef15d09e47

SHA1
7271c1e03191f9bd42b039cc22c94c4a03e77d1b

SHA256
b5740c7a2fd1c1b6cb56c373bb0853f5a21bc3813402fdec23936083b2f35958

SHA512
a50fcc8e562d790c0963fdd344b33d17e55d3e11cba494228187fba9489484ec4ed8825e87db3f8d68af010f25ab48f053cb76c1979c9a8fb2e8f328b3bb9dc3

Download Submit
C:\Windows\SysWOW64\Njmejaqb.exe

Filesize
74KB

MD5
d351721b510c03b26a7563ddbfd42c64

SHA1
6f35aa7d4d2a6bcc09ce2c1347b31ce45755de47

SHA256
cab6a2ebec3e0f38080a19d0e0b86fc6823f0d79c35ad5139e35d91b9db03076

SHA512
be2e327a8c036c5bfcd91f071cdd2c8ea1a5aaeb8ab71f7737d1a9c13c7753604fd70319dff963dde18be22bccc922c0972a95894819992f80616d068e2e5727

Download Submit
C:\Windows\SysWOW64\Nqdaal32.exe

Filesize
74KB

MD5
71b8e968dadc2ad9bd0877def763cf35

SHA1
ab82081f4390826fe27cdd294b3800127d0e054f

SHA256
040f9d1faf14a5a8f20ad5d1d30fcdc57990b7a2f83b2e1c3a8f70065859aefc

SHA512
b9351295a65b7352c5ef24a8d4b76e22209a1dcca1d1d0a25c8f00abcea9d8dfd8a674267f912749f6ad4c6b4d24c7365245b10e79edc0b3c6ae165f9dc3997d

Download Submit
C:\Windows\SysWOW64\Ohnemidj.exe

Filesize
74KB

MD5
88569f2bce4516dc56c39702a624b7c4

SHA1
0587c3ebbef3ba7c94659e5dedf347552302fcde

SHA256
a378c4a8d832e0ef387d09e33a0f5a6cd6034a0d3c4f84f5f7e578a7e0e40a7a

SHA512
5e323aa60fcf26724512c3b191a3838cfea0704818d2e4a7191621bab0e84b449c59b43c91494ea2425ba6315e6adbdef962075d685c4a67c1a28eca8a966e5a

Download Submit
C:\Windows\SysWOW64\Ombhgljn.exe

Filesize
74KB

MD5
3ef5e84e76fd998bcf624b2def47b3aa

SHA1
872eb62a32c8f1da774cb69a4534d67c86c17c65

SHA256
eff45b5404aba4fc3c75d7d66ef7805465299096a6864eb50fd23bdedadbc332

SHA512
778e8c771bc438a26e5bd2ac5c31911278accff40f6dd3f21b0a939e7af8a18a547c3e7a0ceacc81ab88568ea5896f20636dbaa0dbe9a6824b03effe5980919a

Download Submit
C:\Windows\SysWOW64\Opcaiggo.exe

Filesize
74KB

MD5
ac07db18a7bf5afb41c65dd82e95f021

SHA1
44f61eabe00ca98745949e12d0bbdec759bc41ee

SHA256
3e0c7b7778bf50d60774c5b8d31268dc07dcb5e86de458726da774cc4e3b9e97

SHA512
8912ae31434cb829956dde3f96bec9dee0e2203d34d3c9ec2294fa81ee7bf21760c83b15396699d16a16acef629b489836b23b20b6bba906830e5c32d0a42efc

Download Submit
\Windows\SysWOW64\Ilnqhddd.exe

Filesize
74KB

MD5
36268d2c95428b2450227055e51832d3

SHA1
fb1b70764dbd57ea04af2c7faa1928ca635e596a

SHA256
fbf41841f1e05b2690ff0fa0161347e690b2fd121abce8dd479dcc5ca740e6cb

SHA512
3c15ea225c44b599a934bae39c4913811310cb38f23c5f3dfc559edd8b42618f0c9f75a4e461296ea393beec480f4b537439453fcaf485dc86b9788a7fdaca84

Download Submit
\Windows\SysWOW64\Jephgi32.exe

Filesize
74KB

MD5
77e9a2d8779e613121416c5e1e67e18b

SHA1
7f90a2068439291f1e81b4c0d69a9bf7a5ae150c

SHA256
ba35ad882ab0d926cc3a39a3acab9bbf0bc2d190dfa419da5d4416b032c41bd6

SHA512
07f04a38110611b595af8bf64b9dc629a899575ea54371e0c7ab7cb5ed9e3b0f2185eb3dfabd0311c2f76dda6d0b4dc9b92e086e6bc39ba83428c91a783574d5

Download Submit
\Windows\SysWOW64\Jjhgdqef.exe

Filesize
74KB

MD5
b52d06e1e764fe2e9f75547bfb172460

SHA1
43a96c2d7e107dc39a56813db324737d94b4d98f

SHA256
ac8dbaafbd949296e25ddb70d7c87a93554eb03f281c6359f7915490d168b1ad

SHA512
10d8ace0ca29e5c2f3d1af4f3b5b6c64163226e889ff54ca48650d65ccaa03d2c87752b97ec085c98a45c3ebd76c223c4249e1199f7d8530000e4c63269cc2a8

Download Submit
\Windows\SysWOW64\Jnafop32.exe

Filesize
74KB

MD5
40f23160691dacf539d3f7ac9a653e82

SHA1
0f9e33fa4d558dc4787d098ebb424aa0f70d06cc

SHA256
4e0e5871eda05d4a4f39398a64cc9a029f866a33228d78b6bb73511aa0be25f6

SHA512
fc142a0d43cf343de6ce7feddd47d1254dfbff61615def72f869b576d91d2fa94770519a07f6c9159d270f89d16f4bb6bc8169f408d2acaa042c3d9900c73bb1

Download Submit
\Windows\SysWOW64\Johlpoij.exe

Filesize
74KB

MD5
82cc342a8340068f52b5656785aa99ef

SHA1
baa7d60bbe7ee2c81658e38766c8309b55b10b70

SHA256
3fb2f8f734dab492372717be1cff5f76c92bdf8f22d1b9c82ab89a3a77e48fee

SHA512
140cf16f56e869ac26fc1e61c3ec5e6c58f3c24dc9672a1ecdcd8f938448c29b2328c4ad98e430a0b73e8c60c590d2b65fe526eb7ae5c10d2fe1ec1a4ce5204f

Download Submit
\Windows\SysWOW64\Jplinckj.exe

Filesize
74KB

MD5
9cafab9fff5234a0d4692a223d0ed25d

SHA1
81b28306f98041c638e1c99b2e3338a05288980a

SHA256
25839b096365eaaa36d92642550901dcceca0eedcaa3e96b2505392f17e4e585

SHA512
24561cdef9d2120f82026d3b5dd155375254199c5e0b7835b8b70b1f2572a02d46f11ffe8d3bf5317cba39484cdcadd0bc494b1d61c6033c62d06e4b30f8a126

Download Submit
\Windows\SysWOW64\Kaieai32.exe

Filesize
74KB

MD5
b7b8c04342fb180b5cd22e1414ae6d05

SHA1
058c900fb420541659e6dde1d70227ae5ea841d0

SHA256
44a494878d5bdc476cd609e2ef0b6ffe71088c0b2f0eb74ab3dc0c714291fecf

SHA512
8450f61c1e6acf9e4c7c665b95baad25eb425c81cc124600333d960b2486bfbf44b723ccefb33ef628112a436967ec6486bf89cf22e82e352c78edcd25c5c830

Download Submit
\Windows\SysWOW64\Klimcf32.exe

Filesize
74KB

MD5
b17c468aa75f9fbb2c4ced805b247fe1

SHA1
f480c59854af258a3f2a35efe7f5900fd98bb6b0

SHA256
83f769cd6611bd614b6de492368b7afe163648561b7b889e61bb31091feb47c1

SHA512
27f12a8f33f1ae9a430c999c839ff848655686ff34a711563a7b29b9959a9dc56a1ab4847d4071c7c97feaf8164ecbf75a5657d4bf43023750193893b3ed2073

Download Submit
\Windows\SysWOW64\Kpblne32.exe

Filesize
74KB

MD5
fe2a6b3507ae122a98f4cf34d9610437

SHA1
a045b0c81047957fb68832642385846a6cc8e8cf

SHA256
5c0a5c3606d1e560aca9c21d0dffdeff58807e880b96a9ba6b38aaeb856830b9

SHA512
7e1fc690503cf56020648edcf1a42e1f963d11e1ce49ff5d36a673e60703717a7b52f77137ab58012c9d0be2e933fd39d36565d951b9013b9f094e035c2d6e0c

Download Submit
\Windows\SysWOW64\Kpnbcfkc.exe

Filesize
74KB

MD5
e9b5df94baae1c38042a16a32a648816

SHA1
67a0e30617f50d8819e74384cb0dcd654a645aca

SHA256
0fe3b7966e3c7164fff897594af67ad664ff6bd06121f688da934bb8502b78d3

SHA512
b9e0729d559770cb1e816d7d6f5e21b15bd8b16fbd2dd1359cb1314aaae0563ebca3012e2907321c793333ad553a0cb46658b480500ba9b0dfa9464e7627aaf2

Download Submit
\Windows\SysWOW64\Leaallcb.exe

Filesize
74KB

MD5
db82e4a393c852dd5ef0eede98dc4183

SHA1
d9e322f5a8b9e223b6df9e91a333bb610b0b3577

SHA256
4e4a5141fc49694c368f01579fbbc88c1cebe21f5d01799b53206d7024ac153c

SHA512
6945ff705482a9366b74f4658d54cb81d6526fb360f178d0cb866bdfceaf9f940bbb0dd6e6045fabbf8225c9f583cbf51408586384e6d17603be61698ffd204b

Download Submit
\Windows\SysWOW64\Lolbjahp.exe

Filesize
74KB

MD5
0faebb5279f62a2c329a08d872a6b5c6

SHA1
fc292d036fd90a41a170cea4637531d58d69f9ea

SHA256
2e1fbc5f0b3b87c6f0fc5a1b7eee11d03dfb2fa0a07bd2fd7c37ebc8718524b8

SHA512
275b3b0e8141df87f54f55be8b21ee6e442cf90a1d45a97f9b714f024fb5e678053062e8a8da60cf85e58274d4b5dcd2ec513a25de34fa55c87b51896b3fa931

Download Submit
memory/340-416-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/640-246-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/640-412-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/964-285-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/964-279-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/964-408-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/964-284-0x00000000002D0000-0x0000000000307000-memory.dmp

Filesize
220KB

Download
memory/1044-346-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/1044-350-0x0000000000310000-0x0000000000347000-memory.dmp

Filesize
220KB

Download
memory/1044-406-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1044-340-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1052-417-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1052-236-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1052-242-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/1060-398-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-163-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1148-171-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/1528-296-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1528-404-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1528-295-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/1528-286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1552-221-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1552-414-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1552-224-0x0000000000250000-0x0000000000287000-memory.dmp

Filesize
220KB

Download
memory/1680-317-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/1680-403-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1680-308-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1680-321-0x00000000002F0000-0x0000000000327000-memory.dmp

Filesize
220KB

Download
memory/1736-274-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/1736-264-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1736-411-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1736-270-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/1844-122-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1844-135-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1844-129-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2056-203-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2056-211-0x00000000003A0000-0x00000000003D7000-memory.dmp

Filesize
220KB

Download
memory/2124-328-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2124-327-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-410-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2164-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2480-197-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-415-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2488-184-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2540-418-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2540-151-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2552-386-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2552-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2608-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2608-396-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2608-391-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2680-297-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2680-307-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2680-405-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2680-303-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2692-95-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2692-422-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2692-103-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2716-384-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2716-373-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2716-383-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2716-407-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-362-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2736-372-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/2736-371-0x0000000000300000-0x0000000000337000-memory.dmp

Filesize
220KB

Download
memory/2736-413-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-421-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2776-79-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/2792-12-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2792-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2792-385-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2792-13-0x0000000000440000-0x0000000000477000-memory.dmp

Filesize
220KB

Download
memory/2792-379-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2808-110-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-338-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/2820-409-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-329-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2820-339-0x0000000000230000-0x0000000000267000-memory.dmp

Filesize
220KB

Download
memory/2828-351-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2828-360-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2828-402-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2828-361-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/2832-82-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2832-89-0x00000000002A0000-0x00000000002D7000-memory.dmp

Filesize
220KB

Download
memory/2832-420-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-400-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-40-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2844-48-0x0000000000260000-0x0000000000297000-memory.dmp

Filesize
220KB

Download
memory/2868-397-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2868-27-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2868-399-0x00000000001B0000-0x00000000001E7000-memory.dmp

Filesize
220KB

Download
memory/3024-66-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/3024-423-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3048-419-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3048-142-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads