berbew | a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
Size

2.9MB
MD5

81fcff1847b8d6c5b8f30552f9f06960
SHA1

ffd17ff5550b4a3968fb2547dc77079394f88179
SHA256

a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a
SHA512

0eba29732764ed80d36251d13d725408d6c39b9b529c21d882142fd4d609c4f2743542f20b6264ca3894f749ce3cb9520cff3908ab749ae7c524ffb1beb646b8
SSDEEP

49152:kqXjkj/nUkjkj/npfjkj/nUkjkj/nqkjkj/nUkjkj/npfjkj/nUkjkj/nKjkj/nL:kIjkjfUkjkjfpfjkjfUkjkjfqkjkjfU/

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obbdml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgiaefgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccgklc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glnhjjml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohbikbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkknac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgiaefgg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mcfemmna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omhhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emaijk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcgqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iikkon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikldqile.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glnhjjml.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emaijk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpgmpk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Khgkpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obbdml32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqmcj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eogolc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldmopa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcfemmna.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofqmcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcgqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lekghdad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhfjjdjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eogolc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmipdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omhhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohbikbkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nflchkii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nflchkii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccgklc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kpieengb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ldmopa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkknac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhfjjdjf.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 28 IoCs

pid	Process
2700	Ldmopa32.exe
2676	Mcfemmna.exe
2828	Mhfjjdjf.exe
1312	Nflchkii.exe
2724	Obbdml32.exe
2588	Omhhke32.exe
2104	Ofqmcj32.exe
828	Ohbikbkb.exe
2868	Bkknac32.exe
1484	Ccgklc32.exe
1820	Dgiaefgg.exe
1768	Emaijk32.exe
1720	Eogolc32.exe
2176	Glnhjjml.exe
2424	Gcgqgd32.exe
936	Iikkon32.exe
640	Ikldqile.exe
1804	Jmipdo32.exe
2516	Jllqplnp.exe
1516	Jpgmpk32.exe
2964	Kbjbge32.exe
2388	Khgkpl32.exe
2984	Kmfpmc32.exe
1944	Kipmhc32.exe
1848	Kpieengb.exe
2928	Llbconkd.exe
1032	Lekghdad.exe
2736	Lepaccmo.exe

Loads dropped DLL 60 IoCs

pid	Process
2212	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
2212	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
2700	Ldmopa32.exe
2700	Ldmopa32.exe
2676	Mcfemmna.exe
2676	Mcfemmna.exe
2828	Mhfjjdjf.exe
2828	Mhfjjdjf.exe
1312	Nflchkii.exe
1312	Nflchkii.exe
2724	Obbdml32.exe
2724	Obbdml32.exe
2588	Omhhke32.exe
2588	Omhhke32.exe
2104	Ofqmcj32.exe
2104	Ofqmcj32.exe
828	Ohbikbkb.exe
828	Ohbikbkb.exe
2868	Bkknac32.exe
2868	Bkknac32.exe
1484	Ccgklc32.exe
1484	Ccgklc32.exe
1820	Dgiaefgg.exe
1820	Dgiaefgg.exe
1768	Emaijk32.exe
1768	Emaijk32.exe
1720	Eogolc32.exe
1720	Eogolc32.exe
2176	Glnhjjml.exe
2176	Glnhjjml.exe
2424	Gcgqgd32.exe
2424	Gcgqgd32.exe
936	Iikkon32.exe
936	Iikkon32.exe
640	Ikldqile.exe
640	Ikldqile.exe
1804	Jmipdo32.exe
1804	Jmipdo32.exe
2516	Jllqplnp.exe
2516	Jllqplnp.exe
1516	Jpgmpk32.exe
1516	Jpgmpk32.exe
2964	Kbjbge32.exe
2964	Kbjbge32.exe
2388	Khgkpl32.exe
2388	Khgkpl32.exe
2984	Kmfpmc32.exe
2984	Kmfpmc32.exe
1944	Kipmhc32.exe
1944	Kipmhc32.exe
1848	Kpieengb.exe
1848	Kpieengb.exe
2928	Llbconkd.exe
2928	Llbconkd.exe
1032	Lekghdad.exe
1032	Lekghdad.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe
2684	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kipmhc32.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ldmopa32.exe	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
File created	C:\Windows\SysWOW64\Obbdml32.exe	Nflchkii.exe
File opened for modification	C:\Windows\SysWOW64\Eogolc32.exe	Emaijk32.exe
File created	C:\Windows\SysWOW64\Dokggo32.dll	Emaijk32.exe
File created	C:\Windows\SysWOW64\Glnhjjml.exe	Eogolc32.exe
File created	C:\Windows\SysWOW64\Gcgqgd32.exe	Glnhjjml.exe
File opened for modification	C:\Windows\SysWOW64\Jmipdo32.exe	Ikldqile.exe
File created	C:\Windows\SysWOW64\Qaamhelq.dll	Llbconkd.exe
File opened for modification	C:\Windows\SysWOW64\Lepaccmo.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Bkknac32.exe	Ohbikbkb.exe
File created	C:\Windows\SysWOW64\Icjgpj32.dll	Ohbikbkb.exe
File created	C:\Windows\SysWOW64\Ikldqile.exe	Iikkon32.exe
File created	C:\Windows\SysWOW64\Jmipdo32.exe	Ikldqile.exe
File opened for modification	C:\Windows\SysWOW64\Jllqplnp.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Kkijcgjo.dll	Mcfemmna.exe
File opened for modification	C:\Windows\SysWOW64\Ohbikbkb.exe	Ofqmcj32.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbge32.exe	Jpgmpk32.exe
File created	C:\Windows\SysWOW64\Lepaccmo.exe	Lekghdad.exe
File created	C:\Windows\SysWOW64\Mcfemmna.exe	Ldmopa32.exe
File created	C:\Windows\SysWOW64\Kbjbge32.exe	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Kpieengb.exe	Kipmhc32.exe
File created	C:\Windows\SysWOW64\Kcadppco.dll	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Mmfejo32.dll	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
File created	C:\Windows\SysWOW64\Nflchkii.exe	Mhfjjdjf.exe
File created	C:\Windows\SysWOW64\Ofqmcj32.exe	Omhhke32.exe
File created	C:\Windows\SysWOW64\Pdfndl32.dll	Eogolc32.exe
File created	C:\Windows\SysWOW64\Iikkon32.exe	Gcgqgd32.exe
File opened for modification	C:\Windows\SysWOW64\Jpgmpk32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Khgkpl32.exe	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Llbconkd.exe	Kpieengb.exe
File created	C:\Windows\SysWOW64\Lekghdad.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Dgiaefgg.exe	Ccgklc32.exe
File opened for modification	C:\Windows\SysWOW64\Dgiaefgg.exe	Ccgklc32.exe
File created	C:\Windows\SysWOW64\Emaijk32.exe	Dgiaefgg.exe
File created	C:\Windows\SysWOW64\Mobafhlg.dll	Jpgmpk32.exe
File opened for modification	C:\Windows\SysWOW64\Lekghdad.exe	Llbconkd.exe
File created	C:\Windows\SysWOW64\Mhfjjdjf.exe	Mcfemmna.exe
File created	C:\Windows\SysWOW64\Glcgij32.dll	Dgiaefgg.exe
File created	C:\Windows\SysWOW64\Eogolc32.exe	Emaijk32.exe
File created	C:\Windows\SysWOW64\Ojacgdmh.dll	Glnhjjml.exe
File created	C:\Windows\SysWOW64\Lpmdgf32.dll	Iikkon32.exe
File created	C:\Windows\SysWOW64\Jpgmpk32.exe	Jllqplnp.exe
File opened for modification	C:\Windows\SysWOW64\Kipmhc32.exe	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Ofqmcj32.exe	Omhhke32.exe
File opened for modification	C:\Windows\SysWOW64\Bkknac32.exe	Ohbikbkb.exe
File created	C:\Windows\SysWOW64\Ccgklc32.exe	Bkknac32.exe
File opened for modification	C:\Windows\SysWOW64\Ccgklc32.exe	Bkknac32.exe
File created	C:\Windows\SysWOW64\Ecfgpaco.dll	Gcgqgd32.exe
File created	C:\Windows\SysWOW64\Jofial32.dll	Ldmopa32.exe
File opened for modification	C:\Windows\SysWOW64\Obbdml32.exe	Nflchkii.exe
File created	C:\Windows\SysWOW64\Dkpnde32.dll	Kmfpmc32.exe
File opened for modification	C:\Windows\SysWOW64\Mhfjjdjf.exe	Mcfemmna.exe
File opened for modification	C:\Windows\SysWOW64\Omhhke32.exe	Obbdml32.exe
File created	C:\Windows\SysWOW64\Ohbikbkb.exe	Ofqmcj32.exe
File created	C:\Windows\SysWOW64\Ghdjfq32.dll	Bkknac32.exe
File opened for modification	C:\Windows\SysWOW64\Glnhjjml.exe	Eogolc32.exe
File opened for modification	C:\Windows\SysWOW64\Iikkon32.exe	Gcgqgd32.exe
File created	C:\Windows\SysWOW64\Npdfik32.dll	Mhfjjdjf.exe
File created	C:\Windows\SysWOW64\Jgifkl32.dll	Obbdml32.exe
File created	C:\Windows\SysWOW64\Jllqplnp.exe	Jmipdo32.exe
File created	C:\Windows\SysWOW64\Pcdapknb.dll	Kbjbge32.exe
File opened for modification	C:\Windows\SysWOW64\Kmfpmc32.exe	Khgkpl32.exe
File created	C:\Windows\SysWOW64\Ldmopa32.exe	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2684	2736	WerFault.exe	57

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ikldqile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kbjbge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iikkon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mcfemmna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohbikbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkknac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glnhjjml.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jllqplnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldmopa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqmcj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Khgkpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kmfpmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kpieengb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llbconkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nflchkii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eogolc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcgqgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lekghdad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emaijk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lepaccmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhfjjdjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmipdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipmhc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obbdml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccgklc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgiaefgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpgmpk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omhhke32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmdgf32.dll"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kipmhc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ldmopa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdfik32.dll"	Mhfjjdjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icjgpj32.dll"	Ohbikbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfndl32.dll"	Eogolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknbhi32.dll"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ikldqile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfejo32.dll"	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohbikbkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emaijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohbikbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokggo32.dll"	Emaijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jpgmpk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nflchkii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omhhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdiedagc.dll"	Omhhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emaijk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll"	Glnhjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Iikkon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdpojm32.dll"	Nflchkii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nflchkii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdjfq32.dll"	Bkknac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipmhc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcakqmpi.dll"	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kpieengb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkknac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kpieengb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcgqgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll"	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll"	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmipdo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Khgkpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofqmcj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccgklc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccgklc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obbdml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kbjbge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eogolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oldhgaef.dll"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkijcgjo.dll"	Mcfemmna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhfjjdjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofqmcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll"	Llbconkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ldmopa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ikldqile.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jllqplnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eogolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kmfpmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lekghdad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofial32.dll"	Ldmopa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nijjkf32.dll"	Ofqmcj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgifkl32.dll"	Obbdml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omhhke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glcgij32.dll"	Dgiaefgg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glnhjjml.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll"	Gcgqgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhfjjdjf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2700	2212	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe	30
PID 2212 wrote to memory of 2700	2212	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe	30
PID 2212 wrote to memory of 2700	2212	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe	30
PID 2212 wrote to memory of 2700	2212	a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe	30
PID 2700 wrote to memory of 2676	2700	Ldmopa32.exe	31
PID 2700 wrote to memory of 2676	2700	Ldmopa32.exe	31
PID 2700 wrote to memory of 2676	2700	Ldmopa32.exe	31
PID 2700 wrote to memory of 2676	2700	Ldmopa32.exe	31
PID 2676 wrote to memory of 2828	2676	Mcfemmna.exe	32
PID 2676 wrote to memory of 2828	2676	Mcfemmna.exe	32
PID 2676 wrote to memory of 2828	2676	Mcfemmna.exe	32
PID 2676 wrote to memory of 2828	2676	Mcfemmna.exe	32
PID 2828 wrote to memory of 1312	2828	Mhfjjdjf.exe	33
PID 2828 wrote to memory of 1312	2828	Mhfjjdjf.exe	33
PID 2828 wrote to memory of 1312	2828	Mhfjjdjf.exe	33
PID 2828 wrote to memory of 1312	2828	Mhfjjdjf.exe	33
PID 1312 wrote to memory of 2724	1312	Nflchkii.exe	34
PID 1312 wrote to memory of 2724	1312	Nflchkii.exe	34
PID 1312 wrote to memory of 2724	1312	Nflchkii.exe	34
PID 1312 wrote to memory of 2724	1312	Nflchkii.exe	34
PID 2724 wrote to memory of 2588	2724	Obbdml32.exe	35
PID 2724 wrote to memory of 2588	2724	Obbdml32.exe	35
PID 2724 wrote to memory of 2588	2724	Obbdml32.exe	35
PID 2724 wrote to memory of 2588	2724	Obbdml32.exe	35
PID 2588 wrote to memory of 2104	2588	Omhhke32.exe	36
PID 2588 wrote to memory of 2104	2588	Omhhke32.exe	36
PID 2588 wrote to memory of 2104	2588	Omhhke32.exe	36
PID 2588 wrote to memory of 2104	2588	Omhhke32.exe	36
PID 2104 wrote to memory of 828	2104	Ofqmcj32.exe	37
PID 2104 wrote to memory of 828	2104	Ofqmcj32.exe	37
PID 2104 wrote to memory of 828	2104	Ofqmcj32.exe	37
PID 2104 wrote to memory of 828	2104	Ofqmcj32.exe	37
PID 828 wrote to memory of 2868	828	Ohbikbkb.exe	38
PID 828 wrote to memory of 2868	828	Ohbikbkb.exe	38
PID 828 wrote to memory of 2868	828	Ohbikbkb.exe	38
PID 828 wrote to memory of 2868	828	Ohbikbkb.exe	38
PID 2868 wrote to memory of 1484	2868	Bkknac32.exe	39
PID 2868 wrote to memory of 1484	2868	Bkknac32.exe	39
PID 2868 wrote to memory of 1484	2868	Bkknac32.exe	39
PID 2868 wrote to memory of 1484	2868	Bkknac32.exe	39
PID 1484 wrote to memory of 1820	1484	Ccgklc32.exe	40
PID 1484 wrote to memory of 1820	1484	Ccgklc32.exe	40
PID 1484 wrote to memory of 1820	1484	Ccgklc32.exe	40
PID 1484 wrote to memory of 1820	1484	Ccgklc32.exe	40
PID 1820 wrote to memory of 1768	1820	Dgiaefgg.exe	41
PID 1820 wrote to memory of 1768	1820	Dgiaefgg.exe	41
PID 1820 wrote to memory of 1768	1820	Dgiaefgg.exe	41
PID 1820 wrote to memory of 1768	1820	Dgiaefgg.exe	41
PID 1768 wrote to memory of 1720	1768	Emaijk32.exe	42
PID 1768 wrote to memory of 1720	1768	Emaijk32.exe	42
PID 1768 wrote to memory of 1720	1768	Emaijk32.exe	42
PID 1768 wrote to memory of 1720	1768	Emaijk32.exe	42
PID 1720 wrote to memory of 2176	1720	Eogolc32.exe	43
PID 1720 wrote to memory of 2176	1720	Eogolc32.exe	43
PID 1720 wrote to memory of 2176	1720	Eogolc32.exe	43
PID 1720 wrote to memory of 2176	1720	Eogolc32.exe	43
PID 2176 wrote to memory of 2424	2176	Glnhjjml.exe	44
PID 2176 wrote to memory of 2424	2176	Glnhjjml.exe	44
PID 2176 wrote to memory of 2424	2176	Glnhjjml.exe	44
PID 2176 wrote to memory of 2424	2176	Glnhjjml.exe	44
PID 2424 wrote to memory of 936	2424	Gcgqgd32.exe	45
PID 2424 wrote to memory of 936	2424	Gcgqgd32.exe	45
PID 2424 wrote to memory of 936	2424	Gcgqgd32.exe	45
PID 2424 wrote to memory of 936	2424	Gcgqgd32.exe	45

C:\Users\Admin\AppData\Local\Temp\a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe
"C:\Users\Admin\AppData\Local\Temp\a6dabf31e96cf8ba42bb0448e1f787e6b894367d63688ae65d7f2ca16b67f51a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\Ldmopa32.exe
  C:\Windows\system32\Ldmopa32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\Mcfemmna.exe
    C:\Windows\system32\Mcfemmna.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Mhfjjdjf.exe
      C:\Windows\system32\Mhfjjdjf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\Nflchkii.exe
        
        C:\Windows\system32\Nflchkii.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\SysWOW64\Obbdml32.exe
        
        C:\Windows\system32\Obbdml32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\SysWOW64\Omhhke32.exe
        
        C:\Windows\system32\Omhhke32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Ofqmcj32.exe
        
        C:\Windows\system32\Ofqmcj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Ohbikbkb.exe
        
        C:\Windows\system32\Ohbikbkb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Bkknac32.exe
        
        C:\Windows\system32\Bkknac32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ccgklc32.exe
        
        C:\Windows\system32\Ccgklc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\Dgiaefgg.exe
        
        C:\Windows\system32\Dgiaefgg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Emaijk32.exe
        
        C:\Windows\system32\Emaijk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Eogolc32.exe
        
        C:\Windows\system32\Eogolc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1720
        
        C:\Windows\SysWOW64\Glnhjjml.exe
        
        C:\Windows\system32\Glnhjjml.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Gcgqgd32.exe
        
        C:\Windows\system32\Gcgqgd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Iikkon32.exe
        
        C:\Windows\system32\Iikkon32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Ikldqile.exe
        
        C:\Windows\system32\Ikldqile.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Jmipdo32.exe
        
        C:\Windows\system32\Jmipdo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1804
        
        C:\Windows\SysWOW64\Jllqplnp.exe
        
        C:\Windows\system32\Jllqplnp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Jpgmpk32.exe
        
        C:\Windows\system32\Jpgmpk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Kbjbge32.exe
        
        C:\Windows\system32\Kbjbge32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Khgkpl32.exe
        
        C:\Windows\system32\Khgkpl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2388
        
        C:\Windows\SysWOW64\Kmfpmc32.exe
        
        C:\Windows\system32\Kmfpmc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2984
        
        C:\Windows\SysWOW64\Kipmhc32.exe
        
        C:\Windows\system32\Kipmhc32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Kpieengb.exe
        
        C:\Windows\system32\Kpieengb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\Llbconkd.exe
        
        C:\Windows\system32\Llbconkd.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2928
        
        C:\Windows\SysWOW64\Lekghdad.exe
        
        C:\Windows\system32\Lekghdad.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\Lepaccmo.exe
        
        C:\Windows\system32\Lepaccmo.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2736 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bkknac32.exe

Filesize
2.9MB

MD5
d28a89c8c92282bfbc93c19f1809b91c

SHA1
c6d431882e01bd9eb2c1d98386870e9e12bbd822

SHA256
575ed1efbf3674eb1a7776d71efedfc4eac2bb53de886e6462a540788bca41ab

SHA512
4653a3503eb1fbeec74feb720b752deee103e73cc7e8e7e47d6167337e9c51d61c8b38068a379a4d3a38af2a71ad25aaa2fccbe23432c262fe9d37f736ce4ae6

Download Submit
C:\Windows\SysWOW64\Dgiaefgg.exe

Filesize
2.9MB

MD5
4f0479fbf4520e214b6f1d9e642368a0

SHA1
c975df242812d9902830e0e588891a41d97ca102

SHA256
cd98fc72557a8d251ba0e38e6b60f596f2082f9d5deb250375ed51352d09f879

SHA512
a4d2d4981ca748637cdc9bc4ddefda2e1eb729869ca553bcc8672864705211bcd1097c8d9407c01876ed79c34328eabc3c77681c7eb594d6b85243766bce8d7b

Download Submit
C:\Windows\SysWOW64\Gcgqgd32.exe

Filesize
2.9MB

MD5
b88acbfa98e88767f3d1433fe06f03eb

SHA1
26236bde67ef44bd0ea4d3fa4d4625e02972e9a0

SHA256
edb688def5f3768799e2810bc76a75f06d0ca117bcfb401bde14e57a3590dfd1

SHA512
da21bcf08a8f3340d31a084ce7eb66d542464d49709c98eaf044188b117de9468907193e6130fe75a5bb206f4103350a69383bd1dd6d79c621ffac7ac80fe27f

Download Submit
C:\Windows\SysWOW64\Glnhjjml.exe

Filesize
2.9MB

MD5
835eadf6c04e4cce8e79622ae770fcb2

SHA1
d1eade97c8ffaab2312ab6da568df26469f54fde

SHA256
978f760316c9275ecd525060133585daccf8c2b17d3c529076cc9baef4cfddf5

SHA512
3aeee1ecaadb6f0bb1d00d97d63871ba8f9351290bd0b46b44c2c12e59c88ae41268ea26818f106b48f7d3a94452b442dc3c01e7ac476873107f0c7899653275

Download Submit
C:\Windows\SysWOW64\Ikldqile.exe

Filesize
2.9MB

MD5
92d349b1d535f9734b6cea54b7027d43

SHA1
57590f46f44761b3775b5a03741a7729de8ecd10

SHA256
3dd144442326e7608db01c5424b3e177fd24d59c81a0575437f4cddbed5371f4

SHA512
62f65c5e28f2be906157d651a07fc598efc0a2133f4154a9d86ab414f38487962b7338518694cce8a7ce297853efd4ce85aacf600b1db06c1da4e5774e7c10f7

Download Submit
C:\Windows\SysWOW64\Jllqplnp.exe

Filesize
2.9MB

MD5
011622fa5d13fae1529584d7d987f43a

SHA1
37d229f24e9ce36f8e018aae9b99f4286f22b325

SHA256
2f3eebf9d91d98184dfe3782f86b384c862255aa50f7a504d692a81951311ffa

SHA512
7a9cdd6a37a5a2542dda8277d9e1fce353bdd54b551462ec7c4dc1fce0514269189b903b63957771c6e4143b6568f2e14a5bcdb169123f9c1d6816b74303c795

Download Submit
C:\Windows\SysWOW64\Jmipdo32.exe

Filesize
2.9MB

MD5
1e5ce7e600448eaaa91ca4f7631eb290

SHA1
ce539fa48f99fc9a5d3625b8d262c0b02a120965

SHA256
f104ce742b5955472992a9d5a4c910f6dd9b09c5b4c64f38ea28f235a677e450

SHA512
abdb4b29ee116a46596637ac551a7e5b7e9dca3629aa03626f118b9f48c631cdd789ffdce98f164182daac23b01c2ca3b5743553de24c41ef3caa58be69c6b30

Download Submit
C:\Windows\SysWOW64\Jpgmpk32.exe

Filesize
2.9MB

MD5
3cbff6e6e3397d076e8ab25d8d022bda

SHA1
c2cab1de45e125f42a0d3b981396ce4e5084428a

SHA256
770dc790811c66c5df258618d3a0635f641559cdb7110e36125915cd06e096ae

SHA512
d8e233d1fb6c788e5a2c73b1eac0ceb72f7ee6aaca142d4307c8e63adc752306e5b04b2cc7ebf67bfeac748fb0d3f080de4274e2d8b4e9fbf6834081d40b6bd0

Download Submit
C:\Windows\SysWOW64\Kbjbge32.exe

Filesize
2.9MB

MD5
4d9520475ef62896726b7b4d7abd5d40

SHA1
5e6b4b0a41b64a7d1a69fa227762cfb697fa5e1e

SHA256
f53cb9e26217926740270af0a6f62659825df9c2d57dbb92a74f4ef6247bc22e

SHA512
1538469bf85dc2ed59c712345e8bbeba75c4cf7d8cb4d9ebf5d0252694a2f05ceb907c5eb9264322ab67f6399e3b0dfc04118cacd3a4ba2f9c64b868b1d6c14b

Download Submit
C:\Windows\SysWOW64\Khgkpl32.exe

Filesize
2.9MB

MD5
bf31a8398251fd74bc8eff48e2925866

SHA1
d37c51daa4001e773168cbe4d968cb6e5c176e00

SHA256
3094ab4907dde2424be5b593e4842fcc408e94e733858bb0d5c09db8b39b9801

SHA512
b1c9a7e3c98989f489bbbaca96f8992cf2f8bfe2d34879d3955d1dc9887407462b7dffc0067ab9fcdb8c61dc50b97263c7720b4c3093d526b4bd6734415b65e7

Download Submit
C:\Windows\SysWOW64\Kipmhc32.exe

Filesize
2.9MB

MD5
9524db7dc7611446caca087807f18925

SHA1
45ae752bef2bc7792f043edf1532565524ba159e

SHA256
4c565bc5b891889735fe000637638aba01c3b531e81d66cf54c981ac998c4935

SHA512
e74f3d31474f58fe992b188952984ece68ef0de80001fae29ac238f2d093548e5918a81ec68eed0d00533f46f21f45c55cd58d2a2b4ed764904d6f16cffb727d

Download Submit
C:\Windows\SysWOW64\Kmfpmc32.exe

Filesize
2.9MB

MD5
dcdb886bb6ec17f4f3372d007313964c

SHA1
8dca1ee2916a6075fe580ebf187fba66f5aab7b7

SHA256
fa57e9396d9b187b0a3f849fa2182063a196b9693a55c51fedcd6c2b584e7fa3

SHA512
54a0aa8cd983fc94105d56dc4ad67dbecd8d2d17e4886a4873dee7c1e01f174102f3f6c8f00b96035f9227070a9946fc30fbcf35ef2429e7698010a9a3984e86

Download Submit
C:\Windows\SysWOW64\Kpieengb.exe

Filesize
2.9MB

MD5
73f355f402764724981912b6893b7669

SHA1
058f27d665c7ba1edd41ca2524e0b2351c6cb8b4

SHA256
ec73cf3bad33e77bcbaadb7c9ec3e54437a103f1f2ea55931dcdcb34fbd06f12

SHA512
6fe2351005aded3ad1363b1ba6fcfb9496624bdaa625957b5ee4b73056d5c19cfcd2a3cf608cab3f3cae2f9947c93906705e44d21e9853d6f8c49f0bfbddf1f9

Download Submit
C:\Windows\SysWOW64\Lekghdad.exe

Filesize
2.9MB

MD5
b7958c8106113fc12ecfd48350438949

SHA1
59690c3e92d13c8412228bf5b05e8b71df073772

SHA256
cc9daf2ca74cc836df3ec2666516f71af9fd2536f51fc595c6d0a5dd18453123

SHA512
9f018d4ec0dcbab6d7310ba7788ab6dc6d8ee945982232c0356f76b88774c1a66d718224411e0114888907e72ac3697386cea326b866e4569f458f820f55df84

Download Submit
C:\Windows\SysWOW64\Lepaccmo.exe

Filesize
2.9MB

MD5
6421888bc4ecec4cb8e0f8bbab60fa27

SHA1
6e23b792ab06743769567cc813935333d5794ebd

SHA256
dacae3c64636e757209ffe6e0ae43cf5fc9bab98c58b6ee19d5199fa03e04013

SHA512
a0ced6b06cf1956eafa2a8dd22d4f448a2cb617ab374e0496d11e1ae262c90be137a5fd09d3393effc4745815df5d8d47e8e43dc73d5e63a76813b4102b4b8e2

Download Submit
C:\Windows\SysWOW64\Llbconkd.exe

Filesize
2.9MB

MD5
e4ddf841d8dc47084e102567f76b2dd8

SHA1
e106219552377749cf2ace8ef0e7794d028ee005

SHA256
dcf72d66f79f6587e64c6bbb42c3f4835121b03a7ea4e62b513730a010444778

SHA512
aff6ec2cef0f2339ab77d7ee93311a79fbb26b3c6807acd028268ae701220c5c32937b0667579fc70b1570fcf6c88c96c2967fca89cb9fb9b349dbe75c10191b

Download Submit
C:\Windows\SysWOW64\Mhfjjdjf.exe

Filesize
2.9MB

MD5
589071c521f0349d6825b7c5364b7cfd

SHA1
51eef5ea0a74730f2d5267d15aadb2533adfa275

SHA256
40bbd03d37b0a6052ca6d6da4a488888366c0aec366d13176f49364be128dbf7

SHA512
1f3db3450c36dfa1c948a77723d4f7eaf85b246a502385d0ccf4ab6bec86d0d3384ec2584575cd60ad6f2835978fcdeb06569771d10e005efa0c438f3ba4c606

Download Submit
C:\Windows\SysWOW64\Obbdml32.exe

Filesize
2.9MB

MD5
9ff03072bd89916a6749b9917dfb2057

SHA1
9417d5b667ae6dc51719b746b743eacd14da934e

SHA256
e1778db93e0dae3f763db8886569eb0786c050d5e452ca410995712b9cac3024

SHA512
ea619c4ee732357707863e42ed5807bbb114b553ce2ce377a1b706075ab00fa84624bdeb0f15fe180068d0372ab9cd98a1237f0a99ed2a4bc975d9225b3febaf

Download Submit
C:\Windows\SysWOW64\Ofqmcj32.exe

Filesize
2.9MB

MD5
6c953e6eb521935bf3a12c4d63708dfc

SHA1
7f35d67df30b93c3f30c7fa166a54d07d2efc6f1

SHA256
c3f0a527631306317e7dd95ec5a67cc1013be0cf8a8e20926225e44ea38fea3c

SHA512
693a0b105ba99f399d231002d62f92c8d1f13f1b7fd77463f354413ff282e04798236d7c29818238069423e6bd49e4bda13182dbed30466c1c22e726bf8a8af6

Download Submit
C:\Windows\SysWOW64\Omhhke32.exe

Filesize
2.9MB

MD5
967678195ffb1f325e98a12eb966de56

SHA1
b569ab07aefa7d5d52d0595d54b92689e370b461

SHA256
f4716191c4723f16a87482fdd55eb764c80859d6ac870449aa30e03b7bb342c6

SHA512
504d1a72b3534221e9e4bf72790a3f443c40cba406cc7d6a5bd23111ab31149525a9ee057945b8b15b3f0a81e9aa0aa7213eead00415f5bfd71cf9df4e98f162

Download Submit
\Windows\SysWOW64\Ccgklc32.exe

Filesize
2.9MB

MD5
5709e016836bb0ff47dbc7e5c807216c

SHA1
6ab8df6d7ed0b5a713a3a1691ab5080317e5c2d1

SHA256
686c5f3aadd4b8466c05e3c470c69da9cab03a0cde14da21c3f52a750e63ab56

SHA512
4281420d17b8348fb0d36b7e627dca92df069a567a0659ec172cab7d10b48f09ba5f3fa2de3b2f6aded9cbf0c6c9be86a693ae8e80a838fd75a48190fae8c481

Download Submit
\Windows\SysWOW64\Emaijk32.exe

Filesize
2.9MB

MD5
998d843f3cffee3a31f9485c2d46d43c

SHA1
1e860ab34f15cbdcea29388b117ad492fc022704

SHA256
87cbe8a88182b87b78151668b5917244602a8edd3efe589d175cf44117fea0ff

SHA512
e0876d94adf77cc4c13626df8e5166befa299002665b47441a7d9bb0cab07b244be8e4e4016a482e07af9274c86b53480f566ff4fd99687c5003cf5630aed201

Download Submit
\Windows\SysWOW64\Eogolc32.exe

Filesize
2.9MB

MD5
1a09dbd914ca721bbbecee21522ef1ac

SHA1
d218255e99c7a26780569125247f4fc339f55265

SHA256
6492e5024bcf1cabb1e3849358c79d9d16851454c496658eaaa3419f1e915458

SHA512
12fc1e7382323bf6b9f763b5a4cef13012da74c0a013fad64739722748bc18a84fd5594f27294a48e8e0145159314199aa7fde0ec9b6bcf5185e9876dd5a2732

Download Submit
\Windows\SysWOW64\Iikkon32.exe

Filesize
2.9MB

MD5
09302aa8c4495c2754578a4eb67cd3a4

SHA1
46fe4f80769094aa2439bf5d059c8a12e459a1f4

SHA256
99c4c1202a10fd980c73c99ecd6ff03d9d0f9002611f26aa087e317af1d52050

SHA512
c47b843d861e21fe361504669dffa384743e1f80b11c8a9601e1d6e8279a8681cfa31ad9a8c90e95cbc8e7ac49eea70e8947b4beac7e3e1f30d435496f4e411a

Download Submit
\Windows\SysWOW64\Ldmopa32.exe

Filesize
2.9MB

MD5
52c6b321e06cd26fb7485f25cbe11a11

SHA1
070d319a98ff858ee214ff386cb0d98de72e94a0

SHA256
6732a60e89a13c7b80d28da6bcfa400efed44f3ce087727d3fb7b181e51027e9

SHA512
c4c5c451e8d1e023098e24c0ae320ec885b16ccb301d4c272885f054af1de36eb272c76ac54806b65ced7009d3bc7b40ab4f1b74e14e2790cb014ee7f58c5dbe

Download Submit
\Windows\SysWOW64\Mcfemmna.exe

Filesize
2.9MB

MD5
42e0f62bcf43c007e1eb2fd3118a4980

SHA1
1f4ba0dfd828f64bc97c266fe148ea23207fa6de

SHA256
44e5f5eed353108005f6ad194a3629cfd87514ed83825fe03ace24164785e5ed

SHA512
05764c891d1f6dd49b9acbb5cdccdfb97dad37e72aad4d69cfee9bacd8762e11652a181ff5854ea124c6a67a78efe8c31eacbc091ea06fd8582ec61bd60f0a99

Download Submit
\Windows\SysWOW64\Nflchkii.exe

Filesize
2.9MB

MD5
9f4e4f079a7680ed81f285b47e0602be

SHA1
3ed1462724c6c45bc67f4174b5d2893c75982e78

SHA256
6e10d186e37f8eea05f76b3f1c46274fe6f88b67f3207215e9f0488f5ec05e55

SHA512
c60abe616eca135424aafd0509a796d5e9aaa5ea788ce4aacf4afa25237e1c045098d1ae62192e7390511b5b24420f44a036199507904e9807466796cdf64e2b

Download Submit
\Windows\SysWOW64\Ohbikbkb.exe

Filesize
2.9MB

MD5
ef8a46027e52812a8d5e6ec5406ae132

SHA1
2977fcdaa4ac7adb049dd9b81b846e75c463aa0d

SHA256
43ebe51791fc1980b847e2c164a4ab60df830fd999c770883f5ea490d7a3cc52

SHA512
cc3fed639bd7cd8b1f7ecde01f9b1d9cbf17b1fb848d543c782f83c0410c1631fa52f529ff935f43d450581434ba9a167a66f51ec8b55d55cf14365409f490e6

Download Submit
memory/640-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-123-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/828-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-124-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/936-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/936-237-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/936-236-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1032-350-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1032-348-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1032-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-69-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1312-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-140-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-152-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1484-153-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1516-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-191-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1720-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1720-196-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1720-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1768-177-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1804-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-166-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1820-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1820-167-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1848-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-323-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1848-331-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1848-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-315-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1944-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-311-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2104-110-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2104-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-109-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2104-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-211-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2176-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-210-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2212-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2212-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2388-292-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2388-293-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2424-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-219-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2516-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2516-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2676-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2700-27-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2700-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2736-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-49-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2828-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2828-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-133-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2868-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2928-334-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2928-339-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2928-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-303-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2984-304-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads