berbew | 67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
07-12-2024 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
Size

896KB
MD5

af77bfacfbc90c2d194b40b12f9fe920
SHA1

1c8b048b257cb411e8eb7f5cd0c1a9476b86f603
SHA256

67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25
SHA512

4ee3cc069d29335bf86bcbc81121b40f330f58465d679cb3a7d28d1678fb28a7cda3c90db2e09fd20ca3b6549068e19b68252babfb0f05187ff374872d7b2ded
SSDEEP

12288:y10cWFMusMH0QiRLsR4P377a20R01F50+5:+0cWILX3a20R0v50+5

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kffldlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pojecajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbfook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqpflg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbjeinje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpgobc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnkffeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omklkkpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obhdcanc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqpflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obhdcanc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcbhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpgobc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nnafnopi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ljddjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbfook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbjeinje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhnkffeo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agolnbok.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adlcfjgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kffldlne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ljddjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aakjdo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmhdpnc.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 29 IoCs

pid	Process
372	Kffldlne.exe
2892	Ljddjj32.exe
2904	Lhnkffeo.exe
2984	Lbfook32.exe
2876	Mqpflg32.exe
2756	Mpgobc32.exe
2292	Nbjeinje.exe
1200	Nnafnopi.exe
2060	Omklkkpl.exe
2444	Obhdcanc.exe
1984	Pofkha32.exe
2000	Pojecajj.exe
2948	Qcogbdkg.exe
2744	Agolnbok.exe
3052	Aakjdo32.exe
2256	Adlcfjgh.exe
1764	Bgaebe32.exe
1556	Bgcbhd32.exe
1788	Boogmgkl.exe
1232	Bbmcibjp.exe
1740	Ccmpce32.exe
2408	Cfkloq32.exe
2364	Cfmhdpnc.exe
2600	Cileqlmg.exe
2352	Cnimiblo.exe
2340	Caifjn32.exe
1940	Calcpm32.exe
2464	Ccjoli32.exe
2852	Dpapaj32.exe

Loads dropped DLL 61 IoCs

pid	Process
2672	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
2672	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
372	Kffldlne.exe
372	Kffldlne.exe
2892	Ljddjj32.exe
2892	Ljddjj32.exe
2904	Lhnkffeo.exe
2904	Lhnkffeo.exe
2984	Lbfook32.exe
2984	Lbfook32.exe
2876	Mqpflg32.exe
2876	Mqpflg32.exe
2756	Mpgobc32.exe
2756	Mpgobc32.exe
2292	Nbjeinje.exe
2292	Nbjeinje.exe
1200	Nnafnopi.exe
1200	Nnafnopi.exe
2060	Omklkkpl.exe
2060	Omklkkpl.exe
2444	Obhdcanc.exe
2444	Obhdcanc.exe
1984	Pofkha32.exe
1984	Pofkha32.exe
2000	Pojecajj.exe
2000	Pojecajj.exe
2948	Qcogbdkg.exe
2948	Qcogbdkg.exe
2744	Agolnbok.exe
2744	Agolnbok.exe
3052	Aakjdo32.exe
3052	Aakjdo32.exe
2256	Adlcfjgh.exe
2256	Adlcfjgh.exe
1764	Bgaebe32.exe
1764	Bgaebe32.exe
1556	Bgcbhd32.exe
1556	Bgcbhd32.exe
1788	Boogmgkl.exe
1788	Boogmgkl.exe
1232	Bbmcibjp.exe
1232	Bbmcibjp.exe
1740	Ccmpce32.exe
1740	Ccmpce32.exe
2408	Cfkloq32.exe
2408	Cfkloq32.exe
2364	Cfmhdpnc.exe
2364	Cfmhdpnc.exe
2600	Cileqlmg.exe
2600	Cileqlmg.exe
2352	Cnimiblo.exe
2352	Cnimiblo.exe
2340	Caifjn32.exe
2340	Caifjn32.exe
1940	Calcpm32.exe
1940	Calcpm32.exe
2464	Ccjoli32.exe
2464	Ccjoli32.exe
2900	WerFault.exe
2900	WerFault.exe
2900	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Adlcfjgh.exe	Aakjdo32.exe
File created	C:\Windows\SysWOW64\Bgcbhd32.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Ibcihh32.dll	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Lhnkffeo.exe	Ljddjj32.exe
File created	C:\Windows\SysWOW64\Henjfpgi.dll	Lbfook32.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Cnimiblo.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Mpgobc32.exe	Mqpflg32.exe
File created	C:\Windows\SysWOW64\Pojecajj.exe	Pofkha32.exe
File opened for modification	C:\Windows\SysWOW64\Omklkkpl.exe	Nnafnopi.exe
File created	C:\Windows\SysWOW64\Ekndacia.dll	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Adlcfjgh.exe
File created	C:\Windows\SysWOW64\Djbfplfp.dll	Ljddjj32.exe
File created	C:\Windows\SysWOW64\Cddoqj32.dll	Mqpflg32.exe
File created	C:\Windows\SysWOW64\Omklkkpl.exe	Nnafnopi.exe
File created	C:\Windows\SysWOW64\Peblpbgn.dll	Pojecajj.exe
File opened for modification	C:\Windows\SysWOW64\Agolnbok.exe	Qcogbdkg.exe
File opened for modification	C:\Windows\SysWOW64\Adlcfjgh.exe	Aakjdo32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cfkloq32.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Nbjeinje.exe	Mpgobc32.exe
File created	C:\Windows\SysWOW64\Pjdjea32.dll	Mpgobc32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Boogmgkl.exe	Bgcbhd32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnimiblo.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Nnafnopi.exe	Nbjeinje.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Adlcfjgh.exe
File opened for modification	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Lbfook32.exe	Lhnkffeo.exe
File created	C:\Windows\SysWOW64\Obhdcanc.exe	Omklkkpl.exe
File opened for modification	C:\Windows\SysWOW64\Cnimiblo.exe	Cileqlmg.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnimiblo.exe
File opened for modification	C:\Windows\SysWOW64\Lbfook32.exe	Lhnkffeo.exe
File created	C:\Windows\SysWOW64\Aakjdo32.exe	Agolnbok.exe
File opened for modification	C:\Windows\SysWOW64\Mqpflg32.exe	Lbfook32.exe
File created	C:\Windows\SysWOW64\Pfebhg32.dll	Nbjeinje.exe
File created	C:\Windows\SysWOW64\Bbnnnbbh.dll	Omklkkpl.exe
File created	C:\Windows\SysWOW64\Ciohdhad.dll	Calcpm32.exe
File opened for modification	C:\Windows\SysWOW64\Ljddjj32.exe	Kffldlne.exe
File created	C:\Windows\SysWOW64\Kcnfobob.dll	Lhnkffeo.exe
File created	C:\Windows\SysWOW64\Lhnkffeo.exe	Ljddjj32.exe
File created	C:\Windows\SysWOW64\Nbjeinje.exe	Mpgobc32.exe
File created	C:\Windows\SysWOW64\Nnafnopi.exe	Nbjeinje.exe
File opened for modification	C:\Windows\SysWOW64\Obhdcanc.exe	Omklkkpl.exe
File created	C:\Windows\SysWOW64\Oqlecd32.dll	Obhdcanc.exe
File opened for modification	C:\Windows\SysWOW64\Pojecajj.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Ekohgi32.dll	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
File created	C:\Windows\SysWOW64\Ljddjj32.exe	Kffldlne.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Cfmhdpnc.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\Cfmhdpnc.exe	Cfkloq32.exe
File created	C:\Windows\SysWOW64\Qgejemnf.dll	Cfkloq32.exe
File opened for modification	C:\Windows\SysWOW64\Qcogbdkg.exe	Pojecajj.exe
File created	C:\Windows\SysWOW64\Mpgobc32.exe	Mqpflg32.exe
File created	C:\Windows\SysWOW64\Giddhc32.dll	Nnafnopi.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Boogmgkl.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Mqpflg32.exe	Lbfook32.exe
File opened for modification	C:\Windows\SysWOW64\Pofkha32.exe	Obhdcanc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	2852	WerFault.exe	59

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nbjeinje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boogmgkl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmpce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kffldlne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpgobc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pojecajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmhdpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ljddjj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adlcfjgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhnkffeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aakjdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agolnbok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcbhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obhdcanc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcogbdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omklkkpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfkloq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caifjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbfook32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqpflg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnimiblo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnafnopi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbjeinje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agolnbok.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfkloq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kffldlne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqpflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omklkkpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhnkffeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhnkffeo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obhdcanc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Peblpbgn.dll"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qcogbdkg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Adlcfjgh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Boogmgkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnimiblo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Obhdcanc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghnkh32.dll"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjeilhc.dll"	Kffldlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbfook32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqpflg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdjea32.dll"	Mpgobc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll"	Aakjdo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgejemnf.dll"	Cfkloq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekohgi32.dll"	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll"	Nnafnopi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ljddjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnnnbbh.dll"	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pobghn32.dll"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfplfp.dll"	Ljddjj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pojecajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekndacia.dll"	Qcogbdkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Cfmhdpnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnimiblo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpgobc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqlecd32.dll"	Obhdcanc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmhdpnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Henjfpgi.dll"	Lbfook32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll"	Bgcbhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Boogmgkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccjoli32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 372	2672	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe	31
PID 2672 wrote to memory of 372	2672	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe	31
PID 2672 wrote to memory of 372	2672	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe	31
PID 2672 wrote to memory of 372	2672	67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe	31
PID 372 wrote to memory of 2892	372	Kffldlne.exe	32
PID 372 wrote to memory of 2892	372	Kffldlne.exe	32
PID 372 wrote to memory of 2892	372	Kffldlne.exe	32
PID 372 wrote to memory of 2892	372	Kffldlne.exe	32
PID 2892 wrote to memory of 2904	2892	Ljddjj32.exe	33
PID 2892 wrote to memory of 2904	2892	Ljddjj32.exe	33
PID 2892 wrote to memory of 2904	2892	Ljddjj32.exe	33
PID 2892 wrote to memory of 2904	2892	Ljddjj32.exe	33
PID 2904 wrote to memory of 2984	2904	Lhnkffeo.exe	34
PID 2904 wrote to memory of 2984	2904	Lhnkffeo.exe	34
PID 2904 wrote to memory of 2984	2904	Lhnkffeo.exe	34
PID 2904 wrote to memory of 2984	2904	Lhnkffeo.exe	34
PID 2984 wrote to memory of 2876	2984	Lbfook32.exe	35
PID 2984 wrote to memory of 2876	2984	Lbfook32.exe	35
PID 2984 wrote to memory of 2876	2984	Lbfook32.exe	35
PID 2984 wrote to memory of 2876	2984	Lbfook32.exe	35
PID 2876 wrote to memory of 2756	2876	Mqpflg32.exe	36
PID 2876 wrote to memory of 2756	2876	Mqpflg32.exe	36
PID 2876 wrote to memory of 2756	2876	Mqpflg32.exe	36
PID 2876 wrote to memory of 2756	2876	Mqpflg32.exe	36
PID 2756 wrote to memory of 2292	2756	Mpgobc32.exe	37
PID 2756 wrote to memory of 2292	2756	Mpgobc32.exe	37
PID 2756 wrote to memory of 2292	2756	Mpgobc32.exe	37
PID 2756 wrote to memory of 2292	2756	Mpgobc32.exe	37
PID 2292 wrote to memory of 1200	2292	Nbjeinje.exe	38
PID 2292 wrote to memory of 1200	2292	Nbjeinje.exe	38
PID 2292 wrote to memory of 1200	2292	Nbjeinje.exe	38
PID 2292 wrote to memory of 1200	2292	Nbjeinje.exe	38
PID 1200 wrote to memory of 2060	1200	Nnafnopi.exe	39
PID 1200 wrote to memory of 2060	1200	Nnafnopi.exe	39
PID 1200 wrote to memory of 2060	1200	Nnafnopi.exe	39
PID 1200 wrote to memory of 2060	1200	Nnafnopi.exe	39
PID 2060 wrote to memory of 2444	2060	Omklkkpl.exe	40
PID 2060 wrote to memory of 2444	2060	Omklkkpl.exe	40
PID 2060 wrote to memory of 2444	2060	Omklkkpl.exe	40
PID 2060 wrote to memory of 2444	2060	Omklkkpl.exe	40
PID 2444 wrote to memory of 1984	2444	Obhdcanc.exe	41
PID 2444 wrote to memory of 1984	2444	Obhdcanc.exe	41
PID 2444 wrote to memory of 1984	2444	Obhdcanc.exe	41
PID 2444 wrote to memory of 1984	2444	Obhdcanc.exe	41
PID 1984 wrote to memory of 2000	1984	Pofkha32.exe	42
PID 1984 wrote to memory of 2000	1984	Pofkha32.exe	42
PID 1984 wrote to memory of 2000	1984	Pofkha32.exe	42
PID 1984 wrote to memory of 2000	1984	Pofkha32.exe	42
PID 2000 wrote to memory of 2948	2000	Pojecajj.exe	43
PID 2000 wrote to memory of 2948	2000	Pojecajj.exe	43
PID 2000 wrote to memory of 2948	2000	Pojecajj.exe	43
PID 2000 wrote to memory of 2948	2000	Pojecajj.exe	43
PID 2948 wrote to memory of 2744	2948	Qcogbdkg.exe	44
PID 2948 wrote to memory of 2744	2948	Qcogbdkg.exe	44
PID 2948 wrote to memory of 2744	2948	Qcogbdkg.exe	44
PID 2948 wrote to memory of 2744	2948	Qcogbdkg.exe	44
PID 2744 wrote to memory of 3052	2744	Agolnbok.exe	45
PID 2744 wrote to memory of 3052	2744	Agolnbok.exe	45
PID 2744 wrote to memory of 3052	2744	Agolnbok.exe	45
PID 2744 wrote to memory of 3052	2744	Agolnbok.exe	45
PID 3052 wrote to memory of 2256	3052	Aakjdo32.exe	46
PID 3052 wrote to memory of 2256	3052	Aakjdo32.exe	46
PID 3052 wrote to memory of 2256	3052	Aakjdo32.exe	46
PID 3052 wrote to memory of 2256	3052	Aakjdo32.exe	46

C:\Users\Admin\AppData\Local\Temp\67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe
"C:\Users\Admin\AppData\Local\Temp\67b4710c71b10a529a01b61faddc71d736ae1e7ff19a6c27334efdd1b1fb8a25.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\SysWOW64\Kffldlne.exe
  C:\Windows\system32\Kffldlne.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:372
- - C:\Windows\SysWOW64\Ljddjj32.exe
    C:\Windows\system32\Ljddjj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\Lhnkffeo.exe
      C:\Windows\system32\Lhnkffeo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\Lbfook32.exe
        
        C:\Windows\system32\Lbfook32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\SysWOW64\Mqpflg32.exe
        
        C:\Windows\system32\Mqpflg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Mpgobc32.exe
        
        C:\Windows\system32\Mpgobc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Nbjeinje.exe
        
        C:\Windows\system32\Nbjeinje.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Nnafnopi.exe
        
        C:\Windows\system32\Nnafnopi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Omklkkpl.exe
        
        C:\Windows\system32\Omklkkpl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Obhdcanc.exe
        
        C:\Windows\system32\Obhdcanc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\Pofkha32.exe
        
        C:\Windows\system32\Pofkha32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\Pojecajj.exe
        
        C:\Windows\system32\Pojecajj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\SysWOW64\Qcogbdkg.exe
        
        C:\Windows\system32\Qcogbdkg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Agolnbok.exe
        
        C:\Windows\system32\Agolnbok.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\Aakjdo32.exe
        
        C:\Windows\system32\Aakjdo32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Adlcfjgh.exe
        
        C:\Windows\system32\Adlcfjgh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\Bgcbhd32.exe
        
        C:\Windows\system32\Bgcbhd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Boogmgkl.exe
        
        C:\Windows\system32\Boogmgkl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1232
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\Cfkloq32.exe
        
        C:\Windows\system32\Cfkloq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2408
        
        C:\Windows\SysWOW64\Cfmhdpnc.exe
        
        C:\Windows\system32\Cfmhdpnc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Cnimiblo.exe
        
        C:\Windows\system32\Cnimiblo.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 144
        31⤵
        Loads dropped DLL
        Program crash
        
        PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adlcfjgh.exe

Filesize
896KB

MD5
bb4d13e287e60ff17457b723314f24e5

SHA1
e73a11e2629e0272143f6998cd274d886daa6089

SHA256
90aad1ae53cbac06ca796ed320fab438871d6f1bb280723f6c2e5b4f782e3aa5

SHA512
c1a2e2c1ef652e6127723e6d2bf2bb5b844c4bb2026541f210bd862d223acab4bf5bde50701a27afd29b633cb94201504b3ca189f505294c3f4faaa12421992b

Download Submit
C:\Windows\SysWOW64\Bbmcibjp.exe

Filesize
896KB

MD5
e4f6f2b61354e4ddebe9a1cb6327aeba

SHA1
62de5bb42787c9e8704fe42c8b3ada97107f7531

SHA256
0b84440141eada10e6c08bda855151d7522c6bfba550941990e6df0bec00e346

SHA512
05b214a827a7599275ce204fa6ecc7d697c80c8e3f64d2714ed53a145c5160c5770030b4391a7b456a7f4ec0ab4e93a8574495a6d496ff2129245b882738bb19

Download Submit
C:\Windows\SysWOW64\Bgaebe32.exe

Filesize
896KB

MD5
6eb526f76eaf4b3df42162d411553310

SHA1
9d8eb42d1b3bfe889e8320e7b386b43f35fb8e20

SHA256
6cea63d27ddad2ef4d3369d8eba47903a63b8ee382fbde6fc203370001e72673

SHA512
25629358d28c862a1e43f81fd8a8d2231d4b5b7e2a5ef494746f2bf72d2fd147d555e1b692931aab1875cba33060d865722ad386e4fb813d975a1036efa60f7a

Download Submit
C:\Windows\SysWOW64\Bgcbhd32.exe

Filesize
896KB

MD5
90c503d8610e6e9520c4c0b24fa56aff

SHA1
886109203ffb8ec8aaa63565a6e5745cda3d6690

SHA256
9626d1a4c295f7216ab199009ed45c96440cca0e2b3bf84761bf436e2f492381

SHA512
57ca153344a380cc3749328c6c119b1bdce9613c7f9445a2b7ba705e94cf5ed2ee88d2b865026621a2c12d465ea755cf00cf41cb840f4f74925f9d40c5e6abd7

Download Submit
C:\Windows\SysWOW64\Boogmgkl.exe

Filesize
896KB

MD5
3e99ac39e6c4c3f0bdafb2b5341871ae

SHA1
26b0cbe62614cc6d3c4960ecf57552f2e681fe09

SHA256
8a9578da823d563e728d0f3bb61e07908911bc1fd08decbfd70ef7de255e867f

SHA512
89c46ee91eee6e8eb1c198eeed9f05ef81d423be28b52b87fa6ae50da8087a57d8c37e6e804732c1b3d5b62ea8a629539b440e55dd64cd88195cdd054fca12bb

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
896KB

MD5
359e3295df1d26bb669d4c696fc8d869

SHA1
649a0f567658c7d227ec38a36b8528413e619c81

SHA256
8e55b9451da21bee6fe19158c7d837c60e55e92acb7789deef1be1ad26c5b053

SHA512
32c4a5cbff15a72c56b9fa4804c027a7daf07a3108a6a16d4fa159b68a4b7cbe12b689d00e78c04463d2c79d15626a8158254d9beb9aebbeff4d15d0cb457e91

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
896KB

MD5
f5bb9439f7a225fc9153f8ed051c0d34

SHA1
1b5a92064d5ca37db2a2306ff1c1cf8f31e4af4d

SHA256
b9882a36e8087a953a907c09bab9e660e83666baec7346739caffdbc625a0ba9

SHA512
1bed844ef28fc56cca2abad14acd363dfb1934299c85d552e0a1bd3bbef374eda9f393181d241d9e80473b21a345ffea5af9a7cb2191b13363a6b36202cc2b3e

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
896KB

MD5
cef1c7573809676a2b4ace02c16f9669

SHA1
5b4e0177ae0d4b8824a0859a6626dd29574f2628

SHA256
60a8838b1f835e135e23c50622c09a2ad646e1e45730ac18b62be00afbaeb5e1

SHA512
edfa60049542fdfcd634a7f59c54e181784bd9b33342092edc97e837d52fa2424721635182214cc6bd22d018295f36bd6cc39c2f1b36c2e68595ea557e0ad683

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
896KB

MD5
9b2193ff538979ac26ccbe8621e915b8

SHA1
6afcd68832928feb7976c4d9c11c1a4613ba10a3

SHA256
322437fc9db73c1690218e88ad8f6bf6fdfbdc2b919a604df07eaa0bcb2b6070

SHA512
d7ddc2518e740e4ceeeb9282323faaf73afb57d998b2ddcc8f2957cc994425a52d7e11882ddda24f86ac16326c4e0e6c55569d71b127a7dd6c32174803210f43

Download Submit
C:\Windows\SysWOW64\Cfkloq32.exe

Filesize
896KB

MD5
c14d57cbf5594a2095c9718992fcb87c

SHA1
021dcd2a0f649724134dff343105f4f3d1b2da9d

SHA256
f97e6d3e5b0220a16077d485d1ffc027e45fa703e3781d9114052c6834d92d45

SHA512
202b8aebda2aa48d0d8dfed43d76087990c96c40fe74c11f295e4f063d1a288cedfe701236023cbfdc81ac7f3455489e7c96ef166e83a14e57bafed841fa816a

Download Submit
C:\Windows\SysWOW64\Cfmhdpnc.exe

Filesize
896KB

MD5
772f58b23d49251d67175101b5f6cf4f

SHA1
01b51831e881365a479515c8e13d8cd24951f094

SHA256
5dde631991e08ec699c8177141152193c293bec88e07c77ca4240b95e2f57796

SHA512
0c7dc64814b783f16b42f6d6a9d48a6f15ccc3a522119d49bd58ad2a5346e872d06ca75b38afce96b374b31165932702ad132bd3730f91ebcd6c2ff3982eea0f

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
896KB

MD5
b9c38832297f5c2f03ef269ce181473d

SHA1
2f45186b65a846db0822e362667803ec370d7279

SHA256
cdba88245911e4242dd9201327346b3cde3ed17e053c3ca4ede8924434c6e17f

SHA512
a2963198acb1ac768a15d2aafd91aee1f75225afed9849e6b77231125fea5793dc13c49ab95418356a6fc0687b83a36ca725cb6d903cbc610548081f62cc7110

Download Submit
C:\Windows\SysWOW64\Cnimiblo.exe

Filesize
896KB

MD5
025855f1b0349dff718cf0b18d29c323

SHA1
a3bbda37138d753377fb849f94921c9f4f6eb191

SHA256
660a7673309ae79c8a0bae7377bb33096b05b02537450e58589b1d687faa83b9

SHA512
e6c2262452afb5394bacf94fedbe87345f0576e9ed978e5de4e071197fcdab080c86089a22fe691e68945db8110246c3b6f3a7d2994af40a76212416bda756bd

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
896KB

MD5
fe721023539b75ea75b440c2d8fe3a0d

SHA1
f6a1d0985369642bfd4674a496bb58184d4588ab

SHA256
daf0dee9a6d64a830ed59865a12321d304a50a3ad9152eb3e3ff82510c5a87b4

SHA512
662badd1786a2b15fb1b1bb23c30b2ce63920f1ca2132da1c4338bc4897b7b190a622137405a7e2fad5d3abb43ab4cc6276e566ec732459f705644aa0aaf5a12

Download Submit
C:\Windows\SysWOW64\Lbfook32.exe

Filesize
896KB

MD5
d723184ae8d05e50d1fbbc1692ea513c

SHA1
9579a812c06e5660294c6cda4cc31c09c71cee13

SHA256
09376158bb77755a676e91f46c69ba96583d6c015cb636858cd5a811e62d7e91

SHA512
875e8ea12adf17604ea2e5965daf19d958b1c815e4b80da4662a4de3e4f11f7714f48ae945adcdca7e98fb9ef8ddd852095f639705a97d93c456edbc5b5d8590

Download Submit
C:\Windows\SysWOW64\Mpgobc32.exe

Filesize
896KB

MD5
99563bc6dc9a8f7388b9361584713632

SHA1
4b29408e010348332b8aedff8ab92aebf24fdd0c

SHA256
68a76ca07e012bed6036015bd9672b27e5f781130d83c3a2919a10c24442a4e9

SHA512
b9e8341455e13a2024d741aebb7e9add911d2519647d73ec3a56b9a7181684506033819cc7e6a8e626da50fa5c1623204b38c47ee981798560100e95c9f6223b

Download Submit
C:\Windows\SysWOW64\Obhdcanc.exe

Filesize
896KB

MD5
2d604b63791c0c53e06b769ddf2c48d7

SHA1
51848b4ce5f57e0f794b5878ba4ddcbd8bb4e3d7

SHA256
5aeba20a2bd98de744a623184fb05ff1bc5af737d33df5899b44aad9278faf74

SHA512
6bff09de0966203a59ef56095624886e75805e3d1d8259db69e62b89f2c5301f0987ef42ba8c22237d3915790849e4220158a90a501805753b5f01e6cff0e2a9

Download Submit
C:\Windows\SysWOW64\Pofkha32.exe

Filesize
896KB

MD5
6cf08e44805a64469d796b06eca33efb

SHA1
ebc6ee5086e38c5131a5da9f4d7678b792950fb7

SHA256
3bf3b8f2c44a801bc1e81a758bb1236ddb3ab25117a602cfc2c396e2709e1acb

SHA512
6fed8b7892c5516bf0579933e1931421cf64c1a88cef178666cf9e62bf36b482dd892ef11ab994037693f32883fc7d83434b554adf2a47fdf61251c0e2576bfb

Download Submit
C:\Windows\SysWOW64\Pojecajj.exe

Filesize
896KB

MD5
a3e349a48bf9e4836c173ebcdec67a99

SHA1
10c61f974682a74d7df7c1a54e45ec57c13c0d0c

SHA256
b1351c235f7e040eae1b7834bdf9b4c4d34aa8e21ee5f8465dfe1936d3e124de

SHA512
dedeb60f1f964f7b2108f9b3f7347833de91fbd20e486bdf3c9338f1a113918528da6df49b123969d974d1db1f3a9df512426dc96a1a2e881cf5d5fa7530c3d4

Download Submit
\Windows\SysWOW64\Aakjdo32.exe

Filesize
896KB

MD5
3552f4bd63cb7793134ef092ead8bcb9

SHA1
ecb7cc4293f706a9b1d89eb0580f45392e52acac

SHA256
324a35c03950f3e8684baa6d025bb48dda9508fa1f44506da445a95c19fb8c4a

SHA512
1458273496014bf96070e0bee6874f6eb5ecd6b709930a58dbe54700da2f14ae2162494a8e0323c36b47c389168b7b6353721b74eb5e3ead8cb98442da18933f

Download Submit
\Windows\SysWOW64\Agolnbok.exe

Filesize
896KB

MD5
d620a8c744a014ff77f8608b08d74718

SHA1
4188a541b646478d03b4fbbc30c6e04424746265

SHA256
97a47512e9b60208f030779795f56602cdbd42d8613ecc76210c649f2e492ed5

SHA512
3dc685f7f1b28d42d09d941e4a9ab628cac2afd87864e6ce4dbb5cf1ff9c95dbe093424af08c31333a83fd8e1afad7e34c0be84a279516535c75733e3584394b

Download Submit
\Windows\SysWOW64\Kffldlne.exe

Filesize
896KB

MD5
558344529f3541c0528cf2ea7aa3ba37

SHA1
ecba5acd755160c4963dd372b55ef25083c8a317

SHA256
f9483f690cf90aa933f3bb2e8fe931e1b3fd03ddb7162d30c7ea5da4a949a613

SHA512
5adbe8aa3a819963f6524b5f5c9c14838b9e75b9fa8586daafd4195908180a04cd2fbb40a2cabf6594c833caf6ab3be09d41d6853218eb7cd3bfb24e8678bd04

Download Submit
\Windows\SysWOW64\Lhnkffeo.exe

Filesize
896KB

MD5
c8254cd448f61316bcef8930eff9380b

SHA1
9ab0c01fef110cd4fe4731ac4c8e9d1f6fab6054

SHA256
9a762ad338eda243c28ee686ae8d5af74f58371b1edb1fbdd201c17f047ff5ff

SHA512
93a412ec3945788e4f7b4ab82e9259552b05f84ba1f45512911dd9c20891ac78740a2748f3a90a0915a66c5891beb398bbef9e734edad510398c512ffa83c545

Download Submit
\Windows\SysWOW64\Ljddjj32.exe

Filesize
896KB

MD5
d0e9a7d1a6acfc9e14546a6c063684f1

SHA1
14e41448ba2b3c17820fc1d5364a70fed7e80169

SHA256
e64ed2981c0bd8cc35a8484bc39f9e158fe39cd481d21483c7e34ad8e2e5b3f0

SHA512
58a34b036eed76ad57896777537ea362c89ae442363b3f735707e382a8ad1ac81602c4f11a86a032a44c5cfd47ce87b6c3a4e8d6979ddf6f86f53f3d22714bac

Download Submit
\Windows\SysWOW64\Mqpflg32.exe

Filesize
896KB

MD5
bf2c68ec43c4f22afa62be9e39bfc243

SHA1
6bc3f173e8081e796c00649e9e87e241fe2875b3

SHA256
a9c2b901cecf4a129a7d8f8a9acb384948742141675630694d567119c94f97b7

SHA512
a5d374822c64b3c59591fbab3de9042508b309dffe7a10f21d89c9a1d786026d6bcf33a7042b5ec1de20216aa63b465f9ab5fde11f230c31f30e4556d93d2650

Download Submit
\Windows\SysWOW64\Nbjeinje.exe

Filesize
896KB

MD5
2c497b8621ae0b2b9aea273b353e83ef

SHA1
71e4d3057492962aaf80a2f67212b55e754477c4

SHA256
a5b82029d71849fed64b50ffb2df6b6af1087100f8a4f2c4400d4e504a27c936

SHA512
6fb7a45a9f5ab47fd9dfacb32adb4ebd47bab92fff843bfa9a68cc323e247e2c9d162bf17c57aacbfada947b68548fe73f0b6e3e53516bad907c344f1a8142b8

Download Submit
\Windows\SysWOW64\Nnafnopi.exe

Filesize
896KB

MD5
177cd2718792812e1b26cb11d85b77b1

SHA1
0c45ed551fcca44f8680537ebbb5ca19b5a08e73

SHA256
9bc6e95b5bd7fae0a5e284c18c71f916d32cfdb89104d3f8e27035c9fecb662c

SHA512
bf7720a547e3ad89ea77994b1139599a21caedba4e2b8f672626c1bb19c56286f0fd201b24d0020e1ba27e60b0b521c20ff894c609cf5c3a4dc5dadf59eaf6ea

Download Submit
\Windows\SysWOW64\Omklkkpl.exe

Filesize
896KB

MD5
8ffd0a072fd32a13c4d5dfdd889f3d31

SHA1
f763de843aefe11f433d3720e6f97cec611892ee

SHA256
1d222eb04b2f7de8e7e263a2f07767f3e4c05cd6b7d8478d7c0ad3ef9e4dd1e1

SHA512
4b9d880bfb9823804d24a0e998949235f7a05fe740559500da029690dbaa75db38af6b909d07be546fcc1caf4656e28ae0a5e2744357246d1b2c480dd2f8428c

Download Submit
\Windows\SysWOW64\Qcogbdkg.exe

Filesize
896KB

MD5
7a3a73233a9b0800a402d15ecca06a41

SHA1
cd6d19b59fc1e64ceb0f2cba9ed3b06e84b46255

SHA256
fdcbbccfdf5b097615dc40e2f051680531982d3124b6ddc952a1b8ca81a90ac9

SHA512
715a992065284c1b8319427c1ef93999fcfb3d470b9d03de4fdbf5ed3bf3f136628aa8bbe3cde5dce7a2a3df36adb80751158586a6dfdd0c1ecb14793c18f4c3

Download Submit
memory/372-345-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/372-20-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/372-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/372-346-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/1200-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1200-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1556-240-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1556-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1740-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1764-231-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1764-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1788-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1940-334-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1940-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-148-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1984-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2000-173-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/2000-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-221-0x0000000001F60000-0x0000000001F93000-memory.dmp

Filesize
204KB

Download
memory/2292-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2340-323-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2340-322-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/2352-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2352-311-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2352-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-289-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2364-290-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2364-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2408-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-146-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2444-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2464-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-300-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2600-301-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2672-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-6-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2672-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-196-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2756-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-88-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2852-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2852-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-68-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-34-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2892-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-351-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2904-52-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2904-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2948-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-66-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2984-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-54-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads