berbew | 2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-01-2025 09:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
Size

96KB
MD5

e9a23c06e5afd9b9afa6291d821dd320
SHA1

513edf31f902b603587d23049551c471d98f9dbe
SHA256

2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010
SHA512

21f182a1bf2ce9a2a2d3ae899c1377a9c3eae5b1314bb24a99d15b1a689cd4d937c847b07da04820309c14245feaa1c1e5629f1c41826f5a9640de3dcc9a40ac
SSDEEP

1536:Vg5itfmZzgcr5b1suZ7pG+2LA7RZObZUUWaegPYAW:C5OfmBgcNbq4pkAClUUWaeF

Score

10^/10

berbew backdoor discovery persistence

Malware Config

Extracted

Family

berbew

http://crutop.nu/index.php

http://crutop.ru/index.php

http://mazafaka.ru/index.php

http://color-bank.ru/index.php

http://asechka.ru/index.php

http://trojan.ru/index.php

http://fuck.ru/index.php

http://goldensand.ru/index.php

http://filesearch.ru/index.php

http://devx.nm.ru/index.php

http://ros-neftbank.ru/index.php

http://lovingod.host.sk/index.php

http://www.redline.ru/index.php

http://cvv.ru/index.php

http://hackers.lv/index.php

http://fethard.biz/index.php

http://ldark.nm.ru/index.htm

http://gaz-prom.ru/index.htm

http://promo.ru/index.htm

http://potleaf.chat.ru/index.htm

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Naimccpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mieeibkn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Migbnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nhaikn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Naimccpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcfqkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Migbnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niikceid.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlcnda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcagpl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlekia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mhloponc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcnda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngkogj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhaikn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magqncba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mponel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Niebhf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngkogj32.exe

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew

Executes dropped EXE 32 IoCs

pid	Process
2688	Lcagpl32.exe
2564	Laegiq32.exe
2772	Lfbpag32.exe
2252	Llohjo32.exe
604	Lcfqkl32.exe
328	Libicbma.exe
2076	Mpmapm32.exe
2060	Mieeibkn.exe
1252	Mponel32.exe
2828	Moanaiie.exe
2872	Migbnb32.exe
2480	Mkhofjoj.exe
2344	Mbpgggol.exe
1976	Mhloponc.exe
2632	Mkklljmg.exe
2424	Mdcpdp32.exe
3000	Mgalqkbk.exe
2120	Magqncba.exe
852	Ndemjoae.exe
764	Nhaikn32.exe
1468	Nkpegi32.exe
2360	Naimccpo.exe
2320	Ndhipoob.exe
272	Ngfflj32.exe
1140	Niebhf32.exe
2776	Nlcnda32.exe
2804	Npojdpef.exe
2576	Nekbmgcn.exe
3068	Nlekia32.exe
2136	Ngkogj32.exe
576	Niikceid.exe
2108	Nlhgoqhh.exe

Loads dropped DLL 64 IoCs

pid	Process
2756	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
2756	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
2688	Lcagpl32.exe
2688	Lcagpl32.exe
2564	Laegiq32.exe
2564	Laegiq32.exe
2772	Lfbpag32.exe
2772	Lfbpag32.exe
2252	Llohjo32.exe
2252	Llohjo32.exe
604	Lcfqkl32.exe
604	Lcfqkl32.exe
328	Libicbma.exe
328	Libicbma.exe
2076	Mpmapm32.exe
2076	Mpmapm32.exe
2060	Mieeibkn.exe
2060	Mieeibkn.exe
1252	Mponel32.exe
1252	Mponel32.exe
2828	Moanaiie.exe
2828	Moanaiie.exe
2872	Migbnb32.exe
2872	Migbnb32.exe
2480	Mkhofjoj.exe
2480	Mkhofjoj.exe
2344	Mbpgggol.exe
2344	Mbpgggol.exe
1976	Mhloponc.exe
1976	Mhloponc.exe
2632	Mkklljmg.exe
2632	Mkklljmg.exe
2424	Mdcpdp32.exe
2424	Mdcpdp32.exe
3000	Mgalqkbk.exe
3000	Mgalqkbk.exe
2120	Magqncba.exe
2120	Magqncba.exe
852	Ndemjoae.exe
852	Ndemjoae.exe
764	Nhaikn32.exe
764	Nhaikn32.exe
1468	Nkpegi32.exe
1468	Nkpegi32.exe
2360	Naimccpo.exe
2360	Naimccpo.exe
2320	Ndhipoob.exe
2320	Ndhipoob.exe
272	Ngfflj32.exe
272	Ngfflj32.exe
1140	Niebhf32.exe
1140	Niebhf32.exe
2776	Nlcnda32.exe
2776	Nlcnda32.exe
2804	Npojdpef.exe
2804	Npojdpef.exe
2576	Nekbmgcn.exe
2576	Nekbmgcn.exe
3068	Nlekia32.exe
3068	Nlekia32.exe
2136	Ngkogj32.exe
2136	Ngkogj32.exe
576	Niikceid.exe
576	Niikceid.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mkhofjoj.exe	Migbnb32.exe
File opened for modification	C:\Windows\SysWOW64\Mkhofjoj.exe	Migbnb32.exe
File created	C:\Windows\SysWOW64\Fpahiebe.dll	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Diceon32.dll	Ndemjoae.exe
File opened for modification	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nlekia32.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Llohjo32.exe	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Lcfqkl32.exe	Llohjo32.exe
File created	C:\Windows\SysWOW64\Mieeibkn.exe	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Nhaikn32.exe	Ndemjoae.exe
File created	C:\Windows\SysWOW64\Nlcnda32.exe	Niebhf32.exe
File created	C:\Windows\SysWOW64\Ogjgkqaa.dll	Niebhf32.exe
File created	C:\Windows\SysWOW64\Nekbmgcn.exe	Npojdpef.exe
File opened for modification	C:\Windows\SysWOW64\Ngkogj32.exe	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Lfbpag32.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Libicbma.exe	Lcfqkl32.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Mgalqkbk.exe
File created	C:\Windows\SysWOW64\Fcihoc32.dll	Ngfflj32.exe
File opened for modification	C:\Windows\SysWOW64\Mbpgggol.exe	Mkhofjoj.exe
File created	C:\Windows\SysWOW64\Dhffckeo.dll	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Libicbma.exe	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mgalqkbk.exe	Mdcpdp32.exe
File opened for modification	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Kklcab32.dll	Nlekia32.exe
File opened for modification	C:\Windows\SysWOW64\Lcagpl32.exe	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
File opened for modification	C:\Windows\SysWOW64\Laegiq32.exe	Lcagpl32.exe
File created	C:\Windows\SysWOW64\Mponel32.exe	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Cpbplnnk.dll	Moanaiie.exe
File created	C:\Windows\SysWOW64\Lnlmhpjh.dll	Migbnb32.exe
File created	C:\Windows\SysWOW64\Mhloponc.exe	Mbpgggol.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Naimccpo.exe
File created	C:\Windows\SysWOW64\Niebhf32.exe	Ngfflj32.exe
File created	C:\Windows\SysWOW64\Lcfqkl32.exe	Llohjo32.exe
File created	C:\Windows\SysWOW64\Kbelde32.dll	Lcfqkl32.exe
File created	C:\Windows\SysWOW64\Niikceid.exe	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Moanaiie.exe	Mponel32.exe
File opened for modification	C:\Windows\SysWOW64\Ndemjoae.exe	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Nlekia32.exe	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Niikceid.exe
File created	C:\Windows\SysWOW64\Lfbpag32.exe	Laegiq32.exe
File created	C:\Windows\SysWOW64\Effqclic.dll	Mieeibkn.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Mgalqkbk.exe
File opened for modification	C:\Windows\SysWOW64\Nkpegi32.exe	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Naimccpo.exe
File created	C:\Windows\SysWOW64\Phmkjbfe.dll	Nekbmgcn.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Libicbma.exe
File opened for modification	C:\Windows\SysWOW64\Mkklljmg.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Mkklljmg.exe	Mhloponc.exe
File created	C:\Windows\SysWOW64\Oaajloig.dll	Mhloponc.exe
File opened for modification	C:\Windows\SysWOW64\Mdcpdp32.exe	Mkklljmg.exe
File opened for modification	C:\Windows\SysWOW64\Ngfflj32.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Npojdpef.exe	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Ngkogj32.exe	Nlekia32.exe
File created	C:\Windows\SysWOW64\Lcagpl32.exe	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
File created	C:\Windows\SysWOW64\Djmffb32.dll	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
File created	C:\Windows\SysWOW64\Olliabba.dll	Lfbpag32.exe
File created	C:\Windows\SysWOW64\Migbnb32.exe	Moanaiie.exe
File created	C:\Windows\SysWOW64\Afdignjb.dll	Nhaikn32.exe
File created	C:\Windows\SysWOW64\Eqnolc32.dll	Nlcnda32.exe
File created	C:\Windows\SysWOW64\Dnlbnp32.dll	Ngkogj32.exe
File created	C:\Windows\SysWOW64\Khqpfa32.dll	Laegiq32.exe
File created	C:\Windows\SysWOW64\Llohjo32.exe	Lfbpag32.exe
File opened for modification	C:\Windows\SysWOW64\Mhloponc.exe	Mbpgggol.exe

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcagpl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mieeibkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkklljmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Naimccpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndhipoob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpmapm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mhloponc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niebhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbpgggol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlekia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nhaikn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkpegi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Niikceid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Laegiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mponel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Migbnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkhofjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndemjoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlhgoqhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcfqkl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nekbmgcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llohjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Libicbma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Moanaiie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcnda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngkogj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lfbpag32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdcpdp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mgalqkbk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magqncba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngfflj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npojdpef.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Libicbma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpahiebe.dll"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnqkpajk.dll"	Mbpgggol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdcpdp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjclpeak.dll"	Npojdpef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndemjoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbpgggol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll"	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngfflj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olliabba.dll"	Lfbpag32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbelde32.dll"	Lcfqkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Moanaiie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhffckeo.dll"	Mdcpdp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Naimccpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjgkqaa.dll"	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll"	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mhloponc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Negoebdd.dll"	Llohjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbplnnk.dll"	Moanaiie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcihoc32.dll"	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmkjbfe.dll"	Nekbmgcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Libicbma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mgalqkbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nekbmgcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngkogj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Niikceid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Naimccpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Laegiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lfbpag32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mieeibkn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnlmhpjh.dll"	Migbnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndemjoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcagpl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngfflj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kklcab32.dll"	Nlekia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eppddhlj.dll"	Nkpegi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nkpegi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Niebhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkhofjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpbgnedh.dll"	Mponel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeaceffc.dll"	Mkklljmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaajloig.dll"	Mhloponc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2688	2756	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe	30
PID 2756 wrote to memory of 2688	2756	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe	30
PID 2756 wrote to memory of 2688	2756	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe	30
PID 2756 wrote to memory of 2688	2756	2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe	30
PID 2688 wrote to memory of 2564	2688	Lcagpl32.exe	31
PID 2688 wrote to memory of 2564	2688	Lcagpl32.exe	31
PID 2688 wrote to memory of 2564	2688	Lcagpl32.exe	31
PID 2688 wrote to memory of 2564	2688	Lcagpl32.exe	31
PID 2564 wrote to memory of 2772	2564	Laegiq32.exe	32
PID 2564 wrote to memory of 2772	2564	Laegiq32.exe	32
PID 2564 wrote to memory of 2772	2564	Laegiq32.exe	32
PID 2564 wrote to memory of 2772	2564	Laegiq32.exe	32
PID 2772 wrote to memory of 2252	2772	Lfbpag32.exe	33
PID 2772 wrote to memory of 2252	2772	Lfbpag32.exe	33
PID 2772 wrote to memory of 2252	2772	Lfbpag32.exe	33
PID 2772 wrote to memory of 2252	2772	Lfbpag32.exe	33
PID 2252 wrote to memory of 604	2252	Llohjo32.exe	34
PID 2252 wrote to memory of 604	2252	Llohjo32.exe	34
PID 2252 wrote to memory of 604	2252	Llohjo32.exe	34
PID 2252 wrote to memory of 604	2252	Llohjo32.exe	34
PID 604 wrote to memory of 328	604	Lcfqkl32.exe	35
PID 604 wrote to memory of 328	604	Lcfqkl32.exe	35
PID 604 wrote to memory of 328	604	Lcfqkl32.exe	35
PID 604 wrote to memory of 328	604	Lcfqkl32.exe	35
PID 328 wrote to memory of 2076	328	Libicbma.exe	36
PID 328 wrote to memory of 2076	328	Libicbma.exe	36
PID 328 wrote to memory of 2076	328	Libicbma.exe	36
PID 328 wrote to memory of 2076	328	Libicbma.exe	36
PID 2076 wrote to memory of 2060	2076	Mpmapm32.exe	37
PID 2076 wrote to memory of 2060	2076	Mpmapm32.exe	37
PID 2076 wrote to memory of 2060	2076	Mpmapm32.exe	37
PID 2076 wrote to memory of 2060	2076	Mpmapm32.exe	37
PID 2060 wrote to memory of 1252	2060	Mieeibkn.exe	38
PID 2060 wrote to memory of 1252	2060	Mieeibkn.exe	38
PID 2060 wrote to memory of 1252	2060	Mieeibkn.exe	38
PID 2060 wrote to memory of 1252	2060	Mieeibkn.exe	38
PID 1252 wrote to memory of 2828	1252	Mponel32.exe	39
PID 1252 wrote to memory of 2828	1252	Mponel32.exe	39
PID 1252 wrote to memory of 2828	1252	Mponel32.exe	39
PID 1252 wrote to memory of 2828	1252	Mponel32.exe	39
PID 2828 wrote to memory of 2872	2828	Moanaiie.exe	40
PID 2828 wrote to memory of 2872	2828	Moanaiie.exe	40
PID 2828 wrote to memory of 2872	2828	Moanaiie.exe	40
PID 2828 wrote to memory of 2872	2828	Moanaiie.exe	40
PID 2872 wrote to memory of 2480	2872	Migbnb32.exe	41
PID 2872 wrote to memory of 2480	2872	Migbnb32.exe	41
PID 2872 wrote to memory of 2480	2872	Migbnb32.exe	41
PID 2872 wrote to memory of 2480	2872	Migbnb32.exe	41
PID 2480 wrote to memory of 2344	2480	Mkhofjoj.exe	42
PID 2480 wrote to memory of 2344	2480	Mkhofjoj.exe	42
PID 2480 wrote to memory of 2344	2480	Mkhofjoj.exe	42
PID 2480 wrote to memory of 2344	2480	Mkhofjoj.exe	42
PID 2344 wrote to memory of 1976	2344	Mbpgggol.exe	43
PID 2344 wrote to memory of 1976	2344	Mbpgggol.exe	43
PID 2344 wrote to memory of 1976	2344	Mbpgggol.exe	43
PID 2344 wrote to memory of 1976	2344	Mbpgggol.exe	43
PID 1976 wrote to memory of 2632	1976	Mhloponc.exe	44
PID 1976 wrote to memory of 2632	1976	Mhloponc.exe	44
PID 1976 wrote to memory of 2632	1976	Mhloponc.exe	44
PID 1976 wrote to memory of 2632	1976	Mhloponc.exe	44
PID 2632 wrote to memory of 2424	2632	Mkklljmg.exe	45
PID 2632 wrote to memory of 2424	2632	Mkklljmg.exe	45
PID 2632 wrote to memory of 2424	2632	Mkklljmg.exe	45
PID 2632 wrote to memory of 2424	2632	Mkklljmg.exe	45

C:\Users\Admin\AppData\Local\Temp\2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe
"C:\Users\Admin\AppData\Local\Temp\2f2e48f7eae4a4c3f8b805d95e1d61a4720ed06ecf68d1392588954d2d74c010N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\Lcagpl32.exe
  C:\Windows\system32\Lcagpl32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\Laegiq32.exe
    C:\Windows\system32\Laegiq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\Lfbpag32.exe
      C:\Windows\system32\Lfbpag32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Windows\SysWOW64\Llohjo32.exe
        
        C:\Windows\system32\Llohjo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Windows\SysWOW64\Lcfqkl32.exe
        
        C:\Windows\system32\Lcfqkl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Windows\SysWOW64\Libicbma.exe
        
        C:\Windows\system32\Libicbma.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\SysWOW64\Mieeibkn.exe
        
        C:\Windows\system32\Mieeibkn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Mponel32.exe
        
        C:\Windows\system32\Mponel32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\SysWOW64\Moanaiie.exe
        
        C:\Windows\system32\Moanaiie.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Migbnb32.exe
        
        C:\Windows\system32\Migbnb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Mkhofjoj.exe
        
        C:\Windows\system32\Mkhofjoj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Mbpgggol.exe
        
        C:\Windows\system32\Mbpgggol.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Mhloponc.exe
        
        C:\Windows\system32\Mhloponc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Mkklljmg.exe
        
        C:\Windows\system32\Mkklljmg.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\SysWOW64\Mdcpdp32.exe
        
        C:\Windows\system32\Mdcpdp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Mgalqkbk.exe
        
        C:\Windows\system32\Mgalqkbk.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Ndemjoae.exe
        
        C:\Windows\system32\Ndemjoae.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Nhaikn32.exe
        
        C:\Windows\system32\Nhaikn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\Nkpegi32.exe
        
        C:\Windows\system32\Nkpegi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Naimccpo.exe
        
        C:\Windows\system32\Naimccpo.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Ngfflj32.exe
        
        C:\Windows\system32\Ngfflj32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:272
        
        C:\Windows\SysWOW64\Niebhf32.exe
        
        C:\Windows\system32\Niebhf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1140
        
        C:\Windows\SysWOW64\Nlcnda32.exe
        
        C:\Windows\system32\Nlcnda32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Npojdpef.exe
        
        C:\Windows\system32\Npojdpef.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\Nekbmgcn.exe
        
        C:\Windows\system32\Nekbmgcn.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2576
        
        C:\Windows\SysWOW64\Nlekia32.exe
        
        C:\Windows\system32\Nlekia32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Ngkogj32.exe
        
        C:\Windows\system32\Ngkogj32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Niikceid.exe
        
        C:\Windows\system32\Niikceid.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Magqncba.exe

Filesize
96KB

MD5
c5747d2fc4043a2dace5fc2d9fa9c208

SHA1
74cedad3067eff57eb8035e5a3b64a0b361bccfe

SHA256
b81c6d64245aae45c12a37d81d353c10dfc5e30ab460f5debc768e781b413b20

SHA512
819e4fd8c4ca459e8942d5d0e73b4fc02da5f37445111a2e0c0665e9cec6e1b8984408d45baa3d8a310d2fdcfa28bf152683d6d2e516f2f951962d55e3390d64

Download Submit
C:\Windows\SysWOW64\Mbpgggol.exe

Filesize
96KB

MD5
b08f77bc00ae5579e47178853918619e

SHA1
07ce8c1a98fdbcf0ae9569426ec2e2fa5335980d

SHA256
ab6ee7b3b677a99df67af71361161cc147de9da6f9afd276870d755ccfdfbcda

SHA512
4d2a1d6c19c67be7a5a9f3f5731533ce345c5c213a79cb74c75bf67ea340b3883a55e54c73e94a1c8ca69a4bb881e251e7f834a3fd7f7b67eb6fb6da555e40bb

Download Submit
C:\Windows\SysWOW64\Mgalqkbk.exe

Filesize
96KB

MD5
b87b4f3120f59a55dabd061df1554f63

SHA1
1b99f99e5a8348d2decb5ad94bb812879aa5302b

SHA256
6e1a061cf61b1a54b75365f82bd26d54d9d1045fe3ed48c9c8eb08d993bc1e9b

SHA512
2e6ea13a45011ea92ce3c1ce346b80d2e9ef33d7631e80829ea8491ff96d91cf9872f46035d7c819572bc9d9d3cd1c9623c224618a2948939089f187f8699345

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
96KB

MD5
85f293eea582fb3c2fc0426af33c34c3

SHA1
4fef2b289dd8d6d0e153f3945b8f3d2750cf0276

SHA256
a0f840431e3887dbf9e7eff482547ec86b9f3ea438127a09277ce68f9440fc29

SHA512
d2421773fdafdf8dacc1c0fa2ae5bd8cf97450066a1d9abbfc91a896503db3c8183248ad8dde2eacaf87cc6fb6605023e222bbe46e28ec5d0c40a48019650c3a

Download Submit
C:\Windows\SysWOW64\Mponel32.exe

Filesize
96KB

MD5
20254d97cb628c3eb0e95a5dd81d19bb

SHA1
fb3e311d1004e070a0980cc924f8d33b9caf4f31

SHA256
c38da0b31cda3a87e2c8b3453e24ed4801afca3c08faf246c3212c38088daaf3

SHA512
16b5e407ab2f15244b5895a715117191efc6502102a95935ede8b615dd29a16291840be9f200e8ed94a02e7df19a08941935cc8f80cc534e32db72f3c3144a8d

Download Submit
C:\Windows\SysWOW64\Naimccpo.exe

Filesize
96KB

MD5
e18a0b61247c090820cbb4ba8a74668f

SHA1
10c8275c847dbbf0777169208f1219875bf184ff

SHA256
91ff26414ac8e43c38a3eeac403c6f087289af12a1d85dc00564021b53e7010d

SHA512
b6193f7fcbc032564d729ae88914dfe7debe24648d96ded6f98c22df275014781c73ab7a7ffc1e7d90d87b1ecbd3d4682a3af1d2de872efc63860274536ff131

Download Submit
C:\Windows\SysWOW64\Ndemjoae.exe

Filesize
96KB

MD5
60b754b8d494486164bc5b375c93bcef

SHA1
08b559e0f11da530787747b43a0c55d615633cd4

SHA256
0e6503b96bfc9edec8e6cb691e8bd01b5d19709f9f9261f484733766cd1528b1

SHA512
b218751d33ccd7ae86b5a9c06c251970dbb22532b06630c9e3d8ee6bd8d45375400cd463fb9b6a74ea6fa12d2b0e40346537bb28092d5c5aba6fdaf0e647bb08

Download Submit
C:\Windows\SysWOW64\Ndhipoob.exe

Filesize
96KB

MD5
0f321d2df214734a4e92d17ad13e1fcf

SHA1
cb34628f5996a42510fe31420ece6c16a6b372c4

SHA256
5e0920b2e819366470842a0f478dfd6d89c038a1065db8d408e1f2736e9ec99a

SHA512
6f315b531e1a57bb26f472b5de096eef2bbf12adb951612db26d97f210c8d9a0861cd85db2826254eede3deb6f91055289a262ed1ec671e21b971d9ad59f2516

Download Submit
C:\Windows\SysWOW64\Nekbmgcn.exe

Filesize
96KB

MD5
2c6ba1364c3d5290db3698441f665b05

SHA1
3fdeb7150dc71289b8a68e3a0f76e7334522e496

SHA256
ac3167025758ff25b422a38ef664e29dcd46bddc295365eb17e18ddbefc8a25c

SHA512
fa1f1b5c341c428e677c57520773c4fbb4d2c53bf62d6ce45becbe40de9db5ab6d6088f50f9e144761fff2e8f3936ed1bac6ff7b4c8abb27be5402dde70a95c8

Download Submit
C:\Windows\SysWOW64\Ngfflj32.exe

Filesize
96KB

MD5
7a4e56b0c09d9a7caa323227df5a6d55

SHA1
c1abcc7dbb71727158981e2d1f9afa79a67918fb

SHA256
97545ee3740a4bfc2bf106d163104754f65e8a09627c54325868211282bc45bc

SHA512
bba96c0559d2fbb3c3140bea9f41fdf86a36f25034e6b84186fe87378d31934b009b80b41ee54b4113a13e5f23b8c2cd55e3c5597bf5c6a33fae26d2f63d00dd

Download Submit
C:\Windows\SysWOW64\Ngkogj32.exe

Filesize
96KB

MD5
1eddc07be3d7780897dd36cbd3ba6ba0

SHA1
06d9acbe76c3ccd1e9a6e36d564565ab1c0e7c80

SHA256
7152f2fabd468be786ea19636f79948890debb326cc2cb6d77609fe972f265ca

SHA512
a9bb6d8234b6e8072346d569d978f907fc91b54a365ec74ee29553187398dadac5b838da97feb2dc63458b820d53edc2bcd46cfc9c062ed4b4312e9c7dc04c48

Download Submit
C:\Windows\SysWOW64\Nhaikn32.exe

Filesize
96KB

MD5
b5851b6234e17bc0d75306415ffb6c02

SHA1
bfaf3e005ab5f8362dc2119745e3eda1f575c903

SHA256
11bb56c9972a669b8ea140b92d93f489e9297105a36b24cd55b4928a8cf07998

SHA512
5f838c6a58427449b4c720c7917ce582f6997e10209e1ba09961562b5fcc29234a1d677d83410e57b44effe8e39b74c50a6dbe0c40f15a69156f3189055c3cf9

Download Submit
C:\Windows\SysWOW64\Niebhf32.exe

Filesize
96KB

MD5
6a7c5de7b1cf553c36f0cfeeeecb11a1

SHA1
518c9cf1a6ad6ca7150b8b7e08cdbf59708a28aa

SHA256
073ee4df8c7eb3dfe971a05edf9f960330968c0d52ea112d830cff561e3b85d0

SHA512
0c8624f1ed6b2f99a126513c26416d61b6eaafeba6640ed065c44136379b8355e49c999334312e3ec90746c6c8d117197fcb46a47e0bdf54576f68fd1075988a

Download Submit
C:\Windows\SysWOW64\Niikceid.exe

Filesize
96KB

MD5
c3c0035546e7081b9f8cd1310806d555

SHA1
2b3517b7453f99da47d95b2ce30a90e0e2f20ed5

SHA256
ffaa71d39cf64edfbefe0497dbcd19ae334d4f9452a7fce78c006d3254934da6

SHA512
66a8be975a1f0cd9e96bcce4f90bef64ebf3d706df46845367b0944c8cfaa2a61ba512f1aeb5ac73e858115eda1de526f13729d0f5fc859120a5adb9391baafc

Download Submit
C:\Windows\SysWOW64\Nkpegi32.exe

Filesize
96KB

MD5
ffc65c81b6c7b03d0c024d169714a227

SHA1
59030f0acf6c12d59f5e5ce1ab39885e346cd385

SHA256
12ba38142366b0f40eeb5397901135a1b2c154a0ab1a37f6ec956de71cfe4a19

SHA512
8fe395c1d07528e036e8a7885e5e3148b80dd4a1959f20c95b02cc7ef702e2434ffc594243b4ff473918d3305733bbe0ca5818ec39d6e9d33e71053c547e3a33

Download Submit
C:\Windows\SysWOW64\Nlcnda32.exe

Filesize
96KB

MD5
74da9acb3066815f9da314dabe479a14

SHA1
4df0464fc3518f4334ef27c47758451f048f9542

SHA256
d13174acc7914b510b566f36c5a8171c35bd4ea1d8f1d01df6a69f03d56e85bf

SHA512
6dd0473f089c2b50023b0413af4858ec67e4e8397af6da08144161b3b2ea52b2bf5a2e425536ea86287ca03ddcd101199075dbac39f7d2812fc59f41be18c246

Download Submit
C:\Windows\SysWOW64\Nlekia32.exe

Filesize
96KB

MD5
813de9342c330f63b8d9cabe65826e59

SHA1
91fd62bf08c38a3beb1c1dc0962c7df3001e941e

SHA256
23a0ef2517dbd214df793423745b085925f6b7a8423e969674fe230bc552fdf3

SHA512
017c00e60c2426fc2fd81de0dd4c16bf3602b7a78386dc3429f4708c93703cd37bb7632318708dcfc2968cb1149bd35dcb7f356f8147598144fd104b406df4e4

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
96KB

MD5
710dce2bae4ea5219cfc302b4d8ef151

SHA1
f3828c415cbafc1dc0d0bb74a7c4a0dcb321b59c

SHA256
f78096b74320c93b45125d65e390f3d5489a4722690e7ea14b12c5ea787212c8

SHA512
2eaae270a11e1dd97ccb8f8fab951aa63e3c8392b88ac0b6de3645f98deacfb261cbad3bdcc1ba077e3c0e39e6713e19039a37b63c5f0376648e8dab2b69dda3

Download Submit
C:\Windows\SysWOW64\Npojdpef.exe

Filesize
96KB

MD5
111fb4e3c63a05dde162106b4e242eef

SHA1
4f32c62366334f9c1ea95df16d06f2d5f5387c53

SHA256
519c3906437fda20902d23c3ef411dadd853e19bc15cd4396e4e8451fce885c6

SHA512
f74449fa3b0584f79e4f37cf929ef2ebc5a555765fc1318642d7436dc56c82a1394bb9b22b80286ffebbd6012f1bd356e03a3a9916408adada2bfcbd754c89a4

Download Submit
\Windows\SysWOW64\Laegiq32.exe

Filesize
96KB

MD5
9367658594fc6e4a9b07c6c715dba456

SHA1
a787a6863d148c19fd33f19c25e46fe4499c70a0

SHA256
1b061dd0d98d813b966552e430a7085f211558fd58ea9e534f30db65956a4a54

SHA512
4e8e850eb0f95fb7db8db94f2f255f5b37fa51ab5819f506f48c6b7f1f933936386914469425efb11c2a79bfe30c118ca377ac4bbae04ca174c43eacf587f8a1

Download Submit
\Windows\SysWOW64\Lcagpl32.exe

Filesize
96KB

MD5
e8ea987a5b97be424f65512349181f99

SHA1
bc868c6ee09c00180fedc0fe4c8258c07008558b

SHA256
beaa3fb48b6f9a593ac2c66180fc293114b248275e0f4420bc6271b08900cd4e

SHA512
511bf6f3342b47e2599bd0a3eac8d912cd2b8e45809f6052997c4a58437983fb4c8d3a53d61c40a4056906ff26309af5b7127edf464deb9ff52ebd3350edcb63

Download Submit
\Windows\SysWOW64\Lcfqkl32.exe

Filesize
96KB

MD5
f3fe1c28e6062365a08b76baa578b84e

SHA1
600ee2f673b7b2c2d458540d7b137f0da82d505b

SHA256
711453bc235529d583ef74a869347fbb4f65cc42439157704a6ccb4a81305308

SHA512
ea22a6192e61d2ef65a620bc9839f95fa595d6591fc3f7be37ec42f24d3bbf6e32ff7da6d1fab74d8c0c55af8e3fbc36936e22e5da9c7756ff7bbbea29ce27d8

Download Submit
\Windows\SysWOW64\Lfbpag32.exe

Filesize
96KB

MD5
3556c1775b268cfe8c37ccda64157633

SHA1
055d3f8682d436a56a9556bb334064a3e4f3fecd

SHA256
42788114a5419001376c4a941a9392a6c101850148933d4f5bdf3ea830c9ffd0

SHA512
589573b0c3edc2f3e484cef985797105d1b0f3fd1b22e4289b989503945b5ca539b02e74252cc7ec01f442d61d569b37096f6e6b22263d9e18b0603e421ce37f

Download Submit
\Windows\SysWOW64\Libicbma.exe

Filesize
96KB

MD5
e042ed8f40c5e3c391ce725859fb85db

SHA1
ad88e4af8bdde29d37d3b2142a1924710fe77eb4

SHA256
3c4fe41ae534bc8d61e84268fa38b40c8a9b3d0c7557455f80b08122602b9303

SHA512
f066ec544bb85ce4bdbf84116a3a3326a14265f24fcde58efecce11a6a5bfa8e2b599a824f8f2549e49c1714f6dface73d35a2086a632cad32df3a5fc76d3e2a

Download Submit
\Windows\SysWOW64\Llohjo32.exe

Filesize
96KB

MD5
1f1c1570a2b32641ec5274ae1976c5fd

SHA1
312ab005e96faa7cb9150f7a6380c117bdc4fc90

SHA256
5ce7215b62c183cfa90a56a6d7d231099d68aafcb5fac2ce529db29ffbb5f130

SHA512
08653a8bd4fd0f0c9e8740260f604c501c46288f2906a535e6fcce7b62f96acafd4e84099b7738a95a55dd2458028a0322c71e3d9cfb858219e84ea2f90f1e11

Download Submit
\Windows\SysWOW64\Mdcpdp32.exe

Filesize
96KB

MD5
486f39d334d98dcf9f42b2a010083d73

SHA1
1395e635c991fa5c08991619da3c44f0f58b2f36

SHA256
51f28da99179f71b0a9c18e740ec0833f22510533b5442263f168078063eb5a0

SHA512
e54c7454914aeac2e9dbb6a1b2b450fe42295b2e1d467b75572fc8419afc14958a794b8edf9069fbca5b25883674590229ea1f2e88006ae15925626f1cf44457

Download Submit
\Windows\SysWOW64\Mhloponc.exe

Filesize
96KB

MD5
7c399749a6e25db327715e3b31fb668d

SHA1
3d8c391073022d04aaf2439e2c4bb5e5aa273d6c

SHA256
fe1f3da63ca4ebe9f84aa2f504bf95d811a0938c40cded85a9b46bbd325f757a

SHA512
905fc8026d945d34a993eb971938225e3cc7a993e329b51949ab935e2e4a5ea07465a977aa3b80a310abc23dbfbacd30f9df515831fc2a145892027230f22031

Download Submit
\Windows\SysWOW64\Mieeibkn.exe

Filesize
96KB

MD5
7f8ab966880c9f33b8d64bc8804f304e

SHA1
cb8c1af5f49349208af7798ff92020a47a2b24fb

SHA256
a20234e31e2313eff93312f608eb6e6c4bc590784789052ad567a1ca2cf5734a

SHA512
7ab699874e2adaddf34bbe3b457f07e0455b6ed27df346489f170484122da61413169381da7b06964d976d197c30e75823c351730933eb5a4c0face98efecf21

Download Submit
\Windows\SysWOW64\Migbnb32.exe

Filesize
96KB

MD5
9b3576e4a947dcfbc5b94d58997dcdad

SHA1
75b571d67af641530eddfdfdbfcce83e57492476

SHA256
203f0a29438969d5747d0e9d98d41d3f631ef0c622f9e406a69596e3db673014

SHA512
11aa9739848eda415c178d97beeb508bcb5062de602e934637c0206a2f0cf3c0e4c43bef0a0f36688b4a69e7ecb259e12227b3e6720ce881668432f539d875d4

Download Submit
\Windows\SysWOW64\Mkhofjoj.exe

Filesize
96KB

MD5
1e0c7c176637bfaf3b8fb4d79404af7d

SHA1
6b75a96cdae312aa5964c8af922fa3165b7e6438

SHA256
138f00f71787338a7af78b9dedff3feb4f3d5f4375f265f90654d6512bfcbbd2

SHA512
bd6a52ab3f54f3619a747b0cb6f00ca495f7fae3a12b979a5ceafeafba8b6c3d2e401c811ef9337a634106ca096b6b76950dcf4933d1e9c351d9bc8900b8a9b3

Download Submit
\Windows\SysWOW64\Mkklljmg.exe

Filesize
96KB

MD5
04c76a1d0500318bce119100fa1f2285

SHA1
d017506c6292717619cfb2d6914accd9634e87b2

SHA256
2cd70788121f8b879106511f6d3dee4e41acfe5facedbc3cb88fd721787ad4e2

SHA512
f9b325ccc297f66c8c49a99331f1bf86f5262a256edc885c57e2a7d3caac50fe42e172d14a97af85b39b13c17ea67c879ea3259cb42b7ffdf75d6a5f7ac3a69c

Download Submit
\Windows\SysWOW64\Moanaiie.exe

Filesize
96KB

MD5
33ebd2b376e45f86715b350c00517d81

SHA1
cc925e6257187244a2dba92f10059df207206a94

SHA256
24ac1a71afb33dddeb613a3996fa95859bec538893e10f1384f67b0b82dc7cfd

SHA512
c395352599423c1d4c152c062ed593f7f18d399d03d11aaa99995608781c6ecd5ccf01bf547677c672cae308d822b55359fdcb5f4688e2c316c426aac773d77f

Download Submit
memory/272-303-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/272-290-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/272-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/272-305-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/328-94-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/328-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/328-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/576-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/604-74-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/764-259-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/764-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/852-250-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/852-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-306-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1140-310-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1140-311-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1252-128-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1252-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1976-414-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-103-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2076-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2120-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-362-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2136-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-367-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2252-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2252-62-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2320-289-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2320-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-416-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-185-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2344-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-187-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2360-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2360-280-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2360-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-27-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-40-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-344-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-340-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2576-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-202-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2688-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2688-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-7-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2756-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-49-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2772-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2772-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-312-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2776-322-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2776-321-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2804-332-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2804-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2804-333-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2828-422-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-147-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-420-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2872-159-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3000-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-410-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-231-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3068-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-359-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3068-354-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3068-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads